Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with latest Zeus variant


  • Please log in to reply
9 replies to this topic

#1 catchineddies

catchineddies

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 25 June 2015 - 05:55 PM

Webroot reported finding a Zeus Trojan infection today.  At the same time the Windows desktop crashed (BSOD) from the process F35.tmp (infected file, removed by Webroot).  The user was in Internet Explorer at the time so I'm guessing it was an exploit.  Now I can see all kinds of bogus domains in the DNS cache but I can't find the infection.  I also cannot run MBAM, TDSSKILLER, or EmsisoftEmergencyKit. They just open then close immediately.  Webroot no longer finds anything. 

 

FRST runs..

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by me (administrator) on badpc on 25-06-2015 16:27:39
Running from C:\LLC\Tools
Loaded Profiles: me (Available Profiles: other1 & other2 & me & pcadmin)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Invincea, Inc.) C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\zRealTime\SAAZappr.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\SAAZDPMACTL.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\zRealTime\rtHlpDk.exe
(Continuum Managed Service LLC.) C:\Program Files (x86)\SAAZOD\SAAZScheduler.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\SAAZServerPlus.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\SAAZWatchDog.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(PFU Limited.) C:\Program Files (x86)\PFU\CardMinder V3.2\CardLauncher.exe
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\zSCC\zAccEvt.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(PFU LIMITED) C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-19] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-07-29] (Realtek Semiconductor)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2015-05-01] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ScanSnap WIA Service Checker] => C:\Windows\SSDriver\fi5110\SsWiaChecker.exe [86016 2009-09-30] (PFU LIMITED)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498728 2015-05-01] (Adobe Systems Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [817072 2015-05-11] (Webroot)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
IFEO\ehshell.exe: [Debugger] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CardMinder Viewer.lnk [2014-03-24]
ShortcutTarget: CardMinder Viewer.lnk -> C:\Program Files (x86)\PFU\CardMinder V3.2\CardLauncher.exe (PFU Limited.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk [2014-03-24]
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SC_zAccEvt.lnk [2014-03-21]
ShortcutTarget: SC_zAccEvt.lnk -> C:\Program Files (x86)\SAAZOD\zSCC\zAccEvt.exe (Continuum Managed Services LLC.)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
BHO: Invincea Web Redirector -> {1C52FA7C-51B7-4621-9D5A-11101BA13134} -> C:\Program Files (x86)\Invincea\Enterprise\X64\InvRedirHostIE64.dll [2015-02-12] (Invincea, Inc.)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2015-05-12] (Oracle Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-21] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2015-05-12] (Oracle Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Invincea Web Redirector -> {1C52FA7C-51B7-4621-9D5A-11101BA13134} -> C:\Program Files (x86)\Invincea\Enterprise\InvRedirHostIE.dll [2015-02-12] (Invincea, Inc.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2015-05-09] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2015-05-09] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.10 192.168.0.11

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.80.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-05-12] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.80.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2015-05-12] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.80.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-05-09] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.80.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2015-05-09] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-03-31] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-03-31] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-04-15]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\mozilla.cfg [2014-03-21] <==== ATTENTION

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-05-01]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
S4 InvProtectSvc; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe [2150088 2015-02-12] (Invincea, Inc.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-21] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [417640 2015-06-01] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [234856 2015-06-01] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-07-31] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-07-31] (Hewlett-Packard) [File not signed]
R2 SAAZappr; C:\Program Files (x86)\SAAZOD\zRealTime\SAAZappr.exe [85296 2012-06-26] (Continuum Managed Services LLC.)
S4 SAAZapsc; C:\Program Files (x86)\SAAZOD\zRealTime\SAAZapsc.exe [85296 2012-06-26] (Continuum Managed Services LLC.)
R2 SAAZDPMACTL; C:\Program Files (x86)\SAAZOD\SAAZDPMACTL.exe [89392 2012-06-26] (Continuum Managed Services LLC.)
S4 SAAZRemoteSupport; C:\Program Files (x86)\SAAZOD\SAAZRemoteSupport.exe [81200 2012-06-26] (Continuum Managed Services LLC.)
R2 SAAZScheduler; C:\Program Files (x86)\SAAZOD\SAAZScheduler.exe [85296 2014-03-21] (Continuum Managed Service LLC.)
R2 SAAZServerPlus; C:\Program Files (x86)\SAAZOD\SAAZServerPlus.exe [85296 2012-06-26] (Continuum Managed Services LLC.)
R2 SAAZWatchDog; C:\Program Files (x86)\SAAZOD\SAAZWatchDog.exe [89392 2012-06-26] (Continuum Managed Services LLC.)
R2 SboxSvc; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe [174792 2015-02-12] (Invincea, Inc.)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2013-11-21] (SoftThinks SAS)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-02-25] (Microsoft Corporation)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [817072 2015-05-11] (Webroot)
S4 ZEvtSVC; C:\Program Files (x86)\SAAZOD\zSCC\ZEvtSVC.exe [237288 2015-01-14] (Continuum Managed Services LLC)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BS1119400407; C:\Users\other1\AppData\Local\Temp\Low\NTFS.sys [13192 2015-06-25] (Sysinternals) [File not signed]
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2192088 2013-08-23] (Realtek Semiconductor Corp.)
S3 InvProtectDrv; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys [52232 2015-02-12] (Invincea, Inc.)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-08-21] (Intel Corporation)
R3 SboxDrv; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys [183816 2015-02-12] (Invincea, Inc.)
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [116224 2015-05-11] (Webroot)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-25 16:27 - 2015-06-25 16:27 - 00000000 ____D C:\FRST
2015-06-25 16:16 - 2015-06-25 16:26 - 00000000 ____D C:\Users\me.SITE_City\AppData\Roaming\Adobe
2015-06-25 16:16 - 2015-06-25 16:26 - 00000000 ____D C:\Users\me.SITE_City\AppData\Local\Adobe
2015-06-25 16:16 - 2015-06-25 16:17 - 00000000 ____D C:\Users\me.SITE_City\AppData\Local\VirtualStore
2015-06-25 16:16 - 2015-06-25 16:16 - 00001419 _____ C:\Users\me.SITE_City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-06-25 16:16 - 2015-06-25 16:16 - 00000020 ___SH C:\Users\me.SITE_City\ntuser.ini
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me.SITE_City\AppData\Roaming\PFU
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me.SITE_City\AppData\Roaming\Apple Computer
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me.SITE_City\AppData\Local\LogMeIn
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me.SITE_City
2015-06-25 16:16 - 2015-02-26 09:36 - 00000000 ____D C:\Users\me.SITE_City\AppData\Roaming\Invincea
2015-06-25 16:16 - 2015-02-26 09:36 - 00000000 ____D C:\Users\me.SITE_City\AppData\Local\Invincea
2015-06-25 16:16 - 2014-03-21 13:44 - 00000000 ____D C:\Users\me.SITE_City\AppData\Local\Microsoft Help
2015-06-25 16:16 - 2009-07-13 23:54 - 00000000 ___RD C:\Users\me.SITE_City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-06-25 16:16 - 2009-07-13 23:49 - 00000000 ___RD C:\Users\me.SITE_City\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-06-25 16:07 - 2015-06-25 16:08 - 00282080 _____ C:\Windows\Minidump\062515-16988-01.dmp
2015-06-25 15:54 - 2015-06-25 15:54 - 00000000 ____D C:\LLC
2015-06-25 14:39 - 2015-06-25 14:39 - 00282080 _____ C:\Windows\Minidump\062515-75754-01.dmp
2015-06-25 14:27 - 2015-06-25 14:28 - 00282080 _____ C:\Windows\Minidump\062515-74303-01.dmp
2015-06-19 00:14 - 2015-05-27 21:04 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-06-19 00:14 - 2015-05-27 21:03 - 02237440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-19 00:14 - 2015-05-27 21:03 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-19 00:14 - 2015-05-27 21:03 - 00601600 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 19291136 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 02656768 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-06-19 00:14 - 2015-05-27 21:00 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-19 00:14 - 2015-05-27 19:45 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-19 00:14 - 2015-05-27 19:45 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-19 00:14 - 2015-05-27 19:45 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 14383104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 13771776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 02865152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-19 00:14 - 2015-05-27 19:43 - 00690176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-06-19 00:14 - 2015-05-27 19:24 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-19 00:14 - 2015-05-27 19:23 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-19 00:14 - 2015-05-27 19:00 - 00441856 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-19 00:14 - 2015-05-27 18:55 - 00361984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-19 00:14 - 2015-05-27 18:34 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2015-06-19 00:14 - 2015-05-27 18:32 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2015-06-19 00:09 - 2015-04-29 13:22 - 14635008 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-06-19 00:09 - 2015-04-29 13:21 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-06-19 00:09 - 2015-04-29 13:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-06-19 00:09 - 2015-04-29 13:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-06-19 00:09 - 2015-04-29 13:19 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-06-19 00:09 - 2015-04-29 13:07 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-06-19 00:09 - 2015-04-29 13:07 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-06-19 00:09 - 2015-04-29 13:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-06-19 00:09 - 2015-04-29 13:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-06-19 00:09 - 2015-04-29 13:05 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-06-17 00:13 - 2015-05-09 13:26 - 00493504 _____ (Microsoft Corporation) C:\Windows\system32\mcupdate_GenuineIntel.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 00188416 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2015-06-17 00:08 - 2015-04-27 14:05 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-06-17 00:08 - 2015-04-27 14:04 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-06-17 00:08 - 2015-04-27 14:04 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-06-17 00:08 - 2015-04-27 14:04 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2015-06-05 01:06 - 2015-04-12 22:28 - 00328704 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-06-05 01:05 - 2015-05-01 08:17 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-06-05 01:05 - 2015-05-01 08:16 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2015-06-03 00:23 - 2015-05-25 13:19 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-06-03 00:23 - 2015-05-25 13:18 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-06-03 00:23 - 2015-05-25 13:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-06-03 00:23 - 2015-05-25 13:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 13:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-06-03 00:23 - 2015-05-25 13:01 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-06-03 00:23 - 2015-05-25 12:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-06-03 00:23 - 2015-05-25 12:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 11:48 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 11:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-03 00:23 - 2015-05-25 11:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:24 - 05569984 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-06-03 00:22 - 2015-05-25 13:23 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-06-03 00:22 - 2015-05-25 13:23 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-06-03 00:22 - 2015-05-25 13:21 - 01728960 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 01255424 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 01162752 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00728576 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\sechost.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-06-03 00:22 - 2015-05-25 13:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-06-03 00:22 - 2015-05-25 13:18 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-06-03 00:22 - 2015-05-25 13:18 - 00404992 _____ (Microsoft Corporation) C:\Windows\system32\tracerpt.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\logman.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\typeperf.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-06-03 00:22 - 2015-05-25 13:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\relog.exe
2015-06-03 00:22 - 2015-05-25 13:18 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-06-03 00:22 - 2015-05-25 13:18 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\diskperf.exe
2015-06-03 00:22 - 2015-05-25 13:11 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 13:07 - 03989440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-06-03 00:22 - 2015-05-25 13:07 - 03934144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-06-03 00:22 - 2015-05-25 13:04 - 01310744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00641536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00635392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00551424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00092160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sechost.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-06-03 00:22 - 2015-05-25 13:01 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-06-03 00:22 - 2015-05-25 13:00 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tracerpt.exe
2015-06-03 00:22 - 2015-05-25 13:00 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\logman.exe
2015-06-03 00:22 - 2015-05-25 13:00 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-06-03 00:22 - 2015-05-25 13:00 - 00040448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\typeperf.exe
2015-06-03 00:22 - 2015-05-25 13:00 - 00037888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\relog.exe
2015-06-03 00:22 - 2015-05-25 13:00 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-06-03 00:22 - 2015-05-25 13:00 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\diskperf.exe
2015-06-03 00:22 - 2015-05-25 12:59 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-06-03 00:22 - 2015-05-25 12:59 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-06-03 00:22 - 2015-05-25 12:59 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-06-03 00:22 - 2015-05-25 12:59 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-06-03 00:22 - 2015-05-25 12:00 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-06-03 00:22 - 2015-05-25 11:50 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-06-03 00:22 - 2015-05-25 11:50 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-06-03 00:22 - 2015-05-25 11:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 03147776 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 02589184 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 00696320 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 00191488 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2015-06-03 00:16 - 2015-05-08 22:27 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2015-06-03 00:16 - 2015-05-08 22:26 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2015-06-03 00:16 - 2015-05-08 22:26 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2015-06-03 00:16 - 2015-05-08 22:26 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2015-06-03 00:16 - 2015-05-08 22:26 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\wu.upgrade.ps.dll
2015-06-03 00:16 - 2015-05-08 22:14 - 00566784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2015-06-03 00:16 - 2015-05-08 22:14 - 00173056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2015-06-03 00:16 - 2015-05-08 22:14 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2015-06-03 00:16 - 2015-05-08 22:14 - 00030208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2015-06-03 00:16 - 2015-05-08 22:13 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2015-06-03 00:11 - 2015-05-22 13:18 - 01021440 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-06-03 00:11 - 2015-05-22 13:18 - 00757248 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-06-03 00:11 - 2015-05-22 13:18 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-06-03 00:11 - 2015-05-22 13:18 - 00423424 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-06-03 00:11 - 2015-05-22 13:18 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-06-03 00:11 - 2015-05-22 13:18 - 00045568 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-06-03 00:11 - 2015-05-22 13:13 - 01119232 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-06-03 00:11 - 2015-05-21 08:19 - 00193536 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-25 16:27 - 2015-05-11 12:37 - 00000000 ____D C:\ProgramData\WRData
2015-06-25 16:25 - 2014-03-21 10:21 - 00000000 ____D C:\Program Files (x86)\SAAZOD
2015-06-25 16:15 - 2014-03-21 10:02 - 00000120 _____ C:\Windows\system32\config\netlogon.ftl
2015-06-25 16:13 - 2014-02-25 20:32 - 01478999 _____ C:\Windows\WindowsUpdate.log
2015-06-25 16:13 - 2009-07-13 23:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-25 16:13 - 2009-07-13 23:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-25 16:11 - 2014-03-21 10:27 - 00000990 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-06-25 16:10 - 2014-02-25 18:45 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2015-06-25 16:08 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-25 16:08 - 2009-07-13 23:51 - 00068395 _____ C:\Windows\setupact.log
2015-06-25 16:07 - 2014-03-21 10:39 - 00000000 ____D C:\Windows\Minidump
2015-06-25 16:07 - 2014-03-21 10:38 - 633705264 _____ C:\Windows\MEMORY.DMP
2015-06-25 15:51 - 2014-03-21 12:12 - 00004986 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for {5d255c29-b3da-4bc2-931d-7db2058e779b} badpc.SITE.com
2015-06-25 15:08 - 2014-07-16 01:05 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-25 14:54 - 2014-03-21 10:45 - 00000000 ____D C:\Users\other1\AppData\Local\Deployment
2015-06-25 07:31 - 2014-05-07 08:10 - 00000000 ____D C:\Users\other1\AppData\Local\CrashDumps
2015-06-25 00:15 - 2014-03-21 10:22 - 00002085 _____ C:\Windows\SysWOW64\ipstuffNew.txt
2015-06-25 00:09 - 2014-03-21 10:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-25 00:05 - 2014-03-21 10:58 - 00000000 ____D C:\ProgramData\LogMeIn
2015-06-18 06:46 - 2014-04-03 11:53 - 00000000 ____D C:\Users\other1\AppData\Roaming\Spam Soap
2015-06-17 01:53 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2015-06-15 15:59 - 2010-11-20 22:47 - 00292866 _____ C:\Windows\PFRO.log
2015-06-11 06:35 - 2009-07-14 00:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-10 09:01 - 2014-03-21 15:09 - 00000000 ____D C:\Windows\system32\MRT
2015-06-10 08:57 - 2014-03-21 15:09 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-06-10 08:55 - 2014-03-21 10:18 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-06-10 08:55 - 2014-03-21 10:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-06-10 07:58 - 2009-07-13 21:34 - 00000533 _____ C:\Windows\win.ini
2015-06-05 02:16 - 2014-03-21 10:09 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-06-05 02:16 - 2014-03-21 10:09 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-06-05 01:18 - 2014-03-21 10:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-06-03 15:43 - 2009-07-14 00:08 - 00032552 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-06-03 01:15 - 2014-12-10 03:15 - 00000000 ____D C:\Windows\system32\appraiser
2015-06-03 01:15 - 2014-04-23 00:07 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-06-03 01:15 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-06-03 00:12 - 2014-04-15 13:06 - 00002507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Standard.lnk
2015-06-03 00:12 - 2014-04-15 13:06 - 00002051 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2015-06-01 07:16 - 2014-03-21 10:58 - 00000000 ____D C:\Program Files (x86)\LogMeIn
2015-06-01 07:16 - 2014-03-21 10:27 - 00035688 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll
2015-06-01 07:16 - 2014-03-21 10:26 - 00092520 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll

==================== Files in the root of some directories =======

2013-11-26 02:56 - 2012-10-05 03:14 - 0003774 _____ () C:\Program Files (x86)\desktop.ico

Some files in TEMP:
====================
C:\Users\other1\AppData\Local\Temp\procexp64.exe
C:\Users\me.SITE_City\AppData\Local\Temp\procexp64.exe
C:\Users\me.SITE_City\AppData\Local\Temp\Procmon64.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-06-23 00:24

==================== End of log ============================



BC AdBot (Login to Remove)

 


m

#2 catchineddies

catchineddies
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 25 June 2015 - 07:42 PM

A little more into this with Process Explorer.. I see one svchost process making a periodic TCP call to localhost on port 9050 (possible Tor).  It will also make a separate call to 217.150.201.9 on port 80, but nothing is listening there (yet).  How can I see what is controlling this process?  I have no permissions to it.

 

Okay, I was able to suspend it.  That stopped the funny DNS queries.  I still can't get mbam or the others to run.

 

I could run GMER

 

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-25 19:56:24
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-75U6AA0 rev.19.01H19 465.76GB
Running: gmer_rookitfinder.exe; Driver: C:\Users\me.SITE\AppData\Local\Temp\kxldapod.sys

---- Threads - GMER 2.1 ----

Thread    [6664:6740]                                                                                                                                                                                        0000000077221415
Thread    [6664:5756]                                                                                                                                                                                        0000000077232855
Thread    [6664:5292]                                                                                                                                                                                        0000000077232855
Thread    [6664:3400]                                                                                                                                                                                        0000000077232855
Thread    [6664:5700]                                                                                                                                                                                        0000000077232855
---- Processes - GMER 2.1 ----

Library  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6CBCB9F1-33D7-4F60-8832-B35AA6EB7C98}\offreg.3104.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [3104] (FILE NOT FOUND)  000007fefa930000

---- EOF - GMER 2.1 ----


Edited by catchineddies, 25 June 2015 - 07:57 PM.


#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:18 AM

Posted 30 June 2015 - 06:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/580812 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your destop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:18 AM

Posted 03 July 2015 - 11:10 AM

Hello catchineddies,

Welcome to Bleeping Computer! :welcome:

My name is Cody and I'll be helping you clean up your computer. :)

I will reply to your posts as soon as possible -- typically within 24 hours. In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.

Please do note any time differences between us. If I do not respond within 48 hours, feel free to send me a private message.

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

I would like to see a fresh FRST log. :)

Note: You are currently running FRST.exe from C:\LLC\Tools. Please move FRST.exe to C:\Users\me\Desktop before continuing.

Farbar Recovery Scan Tool (FRST)

  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your desktop.
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should.
  • Double click the icon.
  • Click Yes to the disclaimer.
  • Make sure the Addition.txt box is checked.
  • Click Scan and allow the program to run.
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen.
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply

Edited by TheShooter93, 03 July 2015 - 11:16 AM.

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#5 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:18 AM

Posted 06 July 2015 - 03:22 PM

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#6 catchineddies

catchineddies
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 08 July 2015 - 11:12 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by me-admin (administrator) on pcsystem on 08-07-2015 11:06:05
Running from C:\YNSEC\Tools
Loaded Profiles: me-admin (Available Profiles: me-admin & pcadmin)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Invincea, Inc.) C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\zRealTime\SAAZappr.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\SAAZDPMACTL.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\SAAZServerPlus.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\zRealTime\rtHlpDk.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\SAAZWatchDog.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Continuum Managed Service LLC.) C:\Program Files (x86)\SAAZOD\SAAZScheduler.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(PFU Limited.) C:\Program Files (x86)\PFU\CardMinder V3.2\CardLauncher.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
(PFU LIMITED) C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Continuum Managed Services LLC.) C:\Program Files (x86)\SAAZOD\zSCC\zAccEvt.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-19] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-07-29] (Realtek Semiconductor)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-04-26] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2015-05-01] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ScanSnap WIA Service Checker] => C:\Windows\SSDriver\fi5110\SsWiaChecker.exe [86016 2009-09-30] (PFU LIMITED)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498728 2015-05-01] (Adobe Systems Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [821704 2015-07-08] (Webroot)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7799576 2015-05-15] (SUPERAntiSpyware)
IFEO\ehshell.exe: [Debugger] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CardMinder Viewer.lnk [2014-03-24]
ShortcutTarget: CardMinder Viewer.lnk -> C:\Program Files (x86)\PFU\CardMinder V3.2\CardLauncher.exe (PFU Limited.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk [2014-03-24]
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SC_zAccEvt.lnk [2014-03-21]
ShortcutTarget: SC_zAccEvt.lnk -> C:\Program Files (x86)\SAAZOD\zSCC\zAccEvt.exe (Continuum Managed Services LLC.)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2010-11-20] (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
BHO: Invincea Web Redirector -> {1C52FA7C-51B7-4621-9D5A-11101BA13134} -> C:\Program Files (x86)\Invincea\Enterprise\X64\InvRedirHostIE64.dll [2015-02-12] (Invincea, Inc.)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-21] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Invincea Web Redirector -> {1C52FA7C-51B7-4621-9D5A-11101BA13134} -> C:\Program Files (x86)\Invincea\Enterprise\InvRedirHostIE.dll [2015-02-12] (Invincea, Inc.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2015-05-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-06-25] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2015-05-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-06-25] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2013-12-21] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1648429977-2098931826-1415713722-5397 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Tcpip\Parameters: [DhcpNameServer] 68.115.71.53 8.8.8.8

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-06-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-06-25] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-03-31] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-03-31] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-04-15]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\mozilla.cfg [2014-03-21] <==== ATTENTION

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-05-01]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
S4 InvProtectSvc; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe [2150088 2015-02-12] (Invincea, Inc.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-21] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [417640 2015-06-27] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [234856 2015-06-27] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-07-31] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-07-31] (Hewlett-Packard) [File not signed]
R2 SAAZappr; C:\Program Files (x86)\SAAZOD\zRealTime\SAAZappr.exe [85296 2012-06-26] (Continuum Managed Services LLC.)
S4 SAAZapsc; C:\Program Files (x86)\SAAZOD\zRealTime\SAAZapsc.exe [85296 2012-06-26] (Continuum Managed Services LLC.)
R2 SAAZDPMACTL; C:\Program Files (x86)\SAAZOD\SAAZDPMACTL.exe [89392 2012-06-26] (Continuum Managed Services LLC.)
S4 SAAZRemoteSupport; C:\Program Files (x86)\SAAZOD\SAAZRemoteSupport.exe [81200 2012-06-26] (Continuum Managed Services LLC.)
R2 SAAZScheduler; C:\Program Files (x86)\SAAZOD\SAAZScheduler.exe [85296 2014-03-21] (Continuum Managed Service LLC.)
R2 SAAZServerPlus; C:\Program Files (x86)\SAAZOD\SAAZServerPlus.exe [85296 2012-06-26] (Continuum Managed Services LLC.)
R2 SAAZWatchDog; C:\Program Files (x86)\SAAZOD\SAAZWatchDog.exe [89392 2012-06-26] (Continuum Managed Services LLC.)
R2 SboxSvc; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe [174792 2015-02-12] (Invincea, Inc.)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2013-11-21] (SoftThinks SAS)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-02-25] (Microsoft Corporation)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [821704 2015-07-08] (Webroot)
S4 ZEvtSVC; C:\Program Files (x86)\SAAZOD\zSCC\ZEvtSVC.exe [237288 2015-01-14] (Continuum Managed Services LLC)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2192088 2013-08-23] (Realtek Semiconductor Corp.)
S3 InvProtectDrv; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys [52232 2015-02-12] (Invincea, Inc.)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-08-21] (Intel Corporation)
R3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [14944 2013-04-30] (LogMeIn, Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SboxDrv; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys [183816 2015-02-12] (Invincea, Inc.)
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [116224 2015-07-08] (Webroot)
S3 BS1119400407; \??\C:\Users\tstubbe\AppData\Local\Temp\Low\NTFS.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-02 00:55 - 2015-07-08 00:52 - 00162015 _____ C:\Windows\IE10_main.log
2015-07-01 01:41 - 2013-10-14 18:00 - 00028368 _____ (Microsoft Corporation) C:\Windows\system32\IEUDINIT.EXE
2015-07-01 01:38 - 2015-07-01 01:41 - 00007584 _____ C:\Windows\IE11_main.log
2015-06-27 07:23 - 2015-07-06 09:13 - 01319012 _____ C:\Windows\system32\CFG1119400407
2015-06-25 22:52 - 2015-06-25 22:52 - 00000000 ____D C:\Program Files\HitmanPro
2015-06-25 22:51 - 2015-06-25 23:01 - 00000000 ____D C:\ProgramData\HitmanPro
2015-06-25 22:42 - 2015-06-25 22:42 - 00001810 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-06-25 22:42 - 2015-06-25 22:42 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\SUPERAntiSpyware.com
2015-06-25 22:42 - 2015-06-25 22:42 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-06-25 22:42 - 2015-06-25 22:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-06-25 22:42 - 2015-06-25 22:42 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-06-25 22:16 - 2015-06-25 22:16 - 00023194 _____ C:\ComboFix.txt
2015-06-25 21:59 - 2015-06-25 21:59 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Local\Apple Computer
2015-06-25 21:37 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-25 21:37 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-25 21:37 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-25 21:37 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-25 21:37 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-25 21:37 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-25 21:37 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-25 21:37 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-25 21:33 - 2015-06-25 22:16 - 00000000 ____D C:\Qoobox
2015-06-25 21:33 - 2015-06-25 21:44 - 00000000 ____D C:\Windows\erdnt
2015-06-25 21:09 - 2015-06-25 21:09 - 17258952 _____ (Bitdefender LLC) C:\Users\me-admin.localdom_WAUSAU\Downloads\RemovalToolUnifiedLauncher_sirefef.exe
2015-06-25 20:42 - 2015-06-25 20:42 - 00000000 ____D C:\ProgramData\Oracle
2015-06-25 20:40 - 2015-06-25 20:40 - 00111928 _____ C:\Users\me-admin.localdom_WAUSAU\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-25 20:19 - 2015-06-25 20:19 - 00282080 _____ C:\Windows\Minidump\062515-12776-01.dmp
2015-06-25 17:38 - 2015-06-25 17:38 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\Documents\Network Monitor 3
2015-06-25 17:37 - 2015-06-25 17:37 - 00001018 _____ C:\Users\Public\Desktop\Microsoft Network Monitor 3.4.lnk
2015-06-25 17:37 - 2015-06-25 17:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Network Monitor 3.4
2015-06-25 17:37 - 2015-06-25 17:37 - 00000000 ____D C:\Program Files\Microsoft Network Monitor 3
2015-06-25 16:36 - 2015-06-25 16:36 - 00000745 _____ C:\Users\me-admin.localdom_WAUSAU\Desktop\Start Emsisoft Emergency Kit.lnk
2015-06-25 16:35 - 2015-06-25 16:35 - 00000000 ____D C:\EEK
2015-06-25 16:27 - 2015-07-08 11:06 - 00000000 ____D C:\FRST
2015-06-25 16:16 - 2015-06-25 16:26 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Adobe
2015-06-25 16:16 - 2015-06-25 16:26 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Local\Adobe
2015-06-25 16:16 - 2015-06-25 16:17 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Local\VirtualStore
2015-06-25 16:16 - 2015-06-25 16:16 - 00001419 _____ C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-06-25 16:16 - 2015-06-25 16:16 - 00000020 ___SH C:\Users\me-admin.localdom_WAUSAU\ntuser.ini
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\PFU
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Apple Computer
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Local\LogMeIn
2015-06-25 16:16 - 2015-06-25 16:16 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU
2015-06-25 16:16 - 2015-02-26 09:36 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Invincea
2015-06-25 16:16 - 2015-02-26 09:36 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Local\Invincea
2015-06-25 16:16 - 2014-03-21 13:44 - 00000000 ____D C:\Users\me-admin.localdom_WAUSAU\AppData\Local\Microsoft Help
2015-06-25 16:16 - 2009-07-13 23:54 - 00000000 ___RD C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-06-25 16:16 - 2009-07-13 23:49 - 00000000 ___RD C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-06-25 16:07 - 2015-06-25 16:08 - 00282080 _____ C:\Windows\Minidump\062515-16988-01.dmp
2015-06-25 15:54 - 2015-06-25 15:54 - 00000000 ____D C:\YNSEC
2015-06-25 14:39 - 2015-06-25 14:39 - 00282080 _____ C:\Windows\Minidump\062515-75754-01.dmp
2015-06-25 14:27 - 2015-06-25 14:28 - 00282080 _____ C:\Windows\Minidump\062515-74303-01.dmp
2015-06-19 00:14 - 2015-05-27 21:04 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-06-19 00:14 - 2015-05-27 21:03 - 02237440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-19 00:14 - 2015-05-27 21:03 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-19 00:14 - 2015-05-27 21:03 - 00601600 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 19291136 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-19 00:14 - 2015-05-27 21:02 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 02656768 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-19 00:14 - 2015-05-27 21:01 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-06-19 00:14 - 2015-05-27 21:00 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-19 00:14 - 2015-05-27 19:45 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-19 00:14 - 2015-05-27 19:45 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-19 00:14 - 2015-05-27 19:45 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 14383104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-19 00:14 - 2015-05-27 19:44 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 13771776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 02865152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 02055680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-19 00:14 - 2015-05-27 19:43 - 00690176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-19 00:14 - 2015-05-27 19:43 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-06-19 00:14 - 2015-05-27 19:24 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-19 00:14 - 2015-05-27 19:23 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-19 00:14 - 2015-05-27 19:00 - 00441856 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-19 00:14 - 2015-05-27 18:55 - 00361984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-19 00:14 - 2015-05-27 18:34 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2015-06-19 00:14 - 2015-05-27 18:32 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2015-06-19 00:09 - 2015-04-29 13:22 - 14635008 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-06-19 00:09 - 2015-04-29 13:21 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-06-19 00:09 - 2015-04-29 13:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-06-19 00:09 - 2015-04-29 13:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-06-19 00:09 - 2015-04-29 13:19 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-06-19 00:09 - 2015-04-29 13:07 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-06-19 00:09 - 2015-04-29 13:07 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-06-19 00:09 - 2015-04-29 13:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-06-19 00:09 - 2015-04-29 13:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-06-19 00:09 - 2015-04-29 13:05 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-06-17 00:13 - 2015-05-09 13:26 - 00493504 _____ (Microsoft Corporation) C:\Windows\system32\mcupdate_GenuineIntel.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 00188416 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-06-17 00:08 - 2015-04-27 14:23 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2015-06-17 00:08 - 2015-04-27 14:05 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-06-17 00:08 - 2015-04-27 14:04 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-06-17 00:08 - 2015-04-27 14:04 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-06-17 00:08 - 2015-04-27 14:04 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-08 11:05 - 2015-05-11 12:37 - 00000000 ____D C:\ProgramData\WRData
2015-07-08 11:04 - 2014-03-21 10:58 - 00000000 ____D C:\ProgramData\LogMeIn
2015-07-08 11:02 - 2014-03-21 10:21 - 00000000 ____D C:\Program Files (x86)\SAAZOD
2015-07-08 11:00 - 2014-02-25 20:32 - 01193112 _____ C:\Windows\WindowsUpdate.log
2015-07-08 10:08 - 2014-07-16 01:05 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-08 01:00 - 2015-05-11 12:37 - 00166128 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2015-07-08 01:00 - 2015-05-11 12:37 - 00116224 _____ (Webroot) C:\Windows\system32\Drivers\WRkrn.sys
2015-07-08 01:00 - 2015-05-11 12:37 - 00103816 _____ (Webroot) C:\Windows\system32\WRusr.dll
2015-07-08 00:54 - 2014-03-21 10:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-07-07 00:19 - 2014-03-21 10:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-07-06 00:05 - 2014-03-21 10:27 - 00000990 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-07-06 00:02 - 2014-03-21 10:22 - 00002097 _____ C:\Windows\SysWOW64\ipstuffNew.txt
2015-07-03 03:36 - 2009-07-13 23:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-03 03:36 - 2009-07-13 23:45 - 00031312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-02 01:05 - 2014-07-16 01:05 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-02 01:05 - 2014-02-25 18:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-02 01:05 - 2014-02-25 18:35 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-06-27 14:29 - 2014-03-21 10:58 - 00000000 ____D C:\Program Files (x86)\LogMeIn
2015-06-27 14:29 - 2014-03-21 10:27 - 00035688 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll
2015-06-27 14:29 - 2014-03-21 10:26 - 00092520 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll
2015-06-26 10:01 - 2009-07-13 23:51 - 00068877 _____ C:\Windows\setupact.log
2015-06-26 10:00 - 2014-02-25 18:45 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2015-06-26 09:58 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-26 05:53 - 2014-03-21 10:02 - 00000120 _____ C:\Windows\system32\config\netlogon.ftl
2015-06-25 22:35 - 2010-11-20 22:47 - 00294456 _____ C:\Windows\PFRO.log
2015-06-25 22:15 - 2009-07-13 21:34 - 00000215 _____ C:\Windows\system.ini
2015-06-25 21:44 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Default
2015-06-25 20:42 - 2015-05-09 00:19 - 00191400 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2015-06-25 20:42 - 2015-05-09 00:19 - 00190888 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2015-06-25 20:42 - 2015-05-09 00:19 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-06-25 20:42 - 2015-05-09 00:19 - 00000000 ____D C:\Program Files (x86)\Java
2015-06-25 20:19 - 2014-03-21 10:39 - 00000000 ____D C:\Windows\Minidump
2015-06-25 20:19 - 2014-03-21 10:38 - 438448944 _____ C:\Windows\MEMORY.DMP
2015-06-25 15:51 - 2014-03-21 12:12 - 00004986 _____ C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for {5d255c29-b3da-4bc2-931d-7db2058e779b} 9QYGH02.localdom.com
2015-06-25 14:54 - 2014-03-21 10:45 - 00000000 ____D C:\Users\tstubbe\AppData\Local\Deployment
2015-06-25 07:31 - 2014-05-07 08:10 - 00000000 ____D C:\Users\tstubbe\AppData\Local\CrashDumps
2015-06-18 06:46 - 2014-04-03 11:53 - 00000000 ____D C:\Users\tstubbe\AppData\Roaming\Spam Soap
2015-06-17 01:53 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2015-06-11 06:35 - 2009-07-14 00:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-10 09:01 - 2014-03-21 15:09 - 00000000 ____D C:\Windows\system32\MRT
2015-06-10 08:57 - 2014-03-21 15:09 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-06-10 08:55 - 2014-03-21 10:18 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-06-10 07:58 - 2009-07-13 21:34 - 00000533 _____ C:\Windows\win.ini

==================== Files in the root of some directories =======

2013-11-26 02:56 - 2012-10-05 03:14 - 0003774 _____ () C:\Program Files (x86)\desktop.ico

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-07-03 00:40

==================== End of log ============================

 

 

 

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by me-admin at 2015-07-08 11:06:30
Running from C:\YNSEC\Tools
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2982915624-1876291330-597831357-500 - Administrator - Disabled)
Guest (S-1-5-21-2982915624-1876291330-597831357-501 - Limited - Disabled)
pcadmin (S-1-5-21-2982915624-1876291330-597831357-1000 - Administrator - Enabled) => C:\Users\pcadmin

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 13.2.1 - Hewlett-Packard) Hidden
Adobe Acrobat XI Standard (HKLM-x32\...\{AC76BA86-1033-FFFF-BA7E-000000000006}) (Version: 11.0.11 - Adobe Systems)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.194 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{21ECABC3-40B2-42DF-8E21-ACF3A4D0D95A}) (Version: 3.0.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{6AF2AC2A-3532-43FD-9F4D-BDC9C0D724C7}) (Version: 7.1.2.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CardMinder V3.2 (HKLM-x32\...\{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA}) (Version: V3.2L10 - PFU)
CardMinder V3.2 (x32 Version: 3.2.10.1 - PFU) Hidden
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.2.0 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.2.0 - Dell Inc.)
Dell Client System Update (HKLM-x32\...\{04566294-A6B6-4462-9721-031073EB3694}) (Version: 1.3.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{03A9F528-A754-460F-B2C1-AC125A147114}) (Version: 2.8.5000.0 - Dell Products, LP)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Protected Workspace (HKLM-x32\...\{E2CAA395-66B3-4772-85E3-6134DBAB244E}) (Version: 4.5.19821 - Invincea, Inc.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.13.1706 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.18.10.3234 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
ITSupport247- DPMA (HKLM-x32\...\SAAZOD) (Version: 5.2.8 - Continuum Managed Services LLC)
iTunes (HKLM\...\{33E28B58-7BA0-47B7-AA01-9225ABA2B8A9}) (Version: 11.3.0.54 - Apple Inc.)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Logitech Unifying Software 2.50 (HKLM\...\Logitech Unifying) (Version: 2.50.25 - Logitech)
LogMeIn (HKLM-x32\...\{CB7AF84A-1B7F-4C6B-8A58-EB7CDE48C23A}) (Version: 4.1.3268 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Network Monitor 3.4 (HKLM\...\{8C5B5A11-CBF8-451B-B201-77FAB0D0B77D}) (Version: 3.4.2350.0 - Microsoft Corporation)
Microsoft Network Monitor: NetworkMonitor Parsers 3.4 (HKLM\...\{963E5FEB-1367-46B9-851D-A957F1A3747F}) (Version: 3.4.2350.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM-x32\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Outils de vérification linguistique 2013 de Microsoft Office - Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5987 - Realtek Semiconductor Corp.)
ScanSnap (x32 Version: 5.1.30.19 - PFU Limited) Hidden
ScanSnap Manager (HKLM-x32\...\{DBCDB997-EEEB-4BE9-BAFF-26B4094DBDE6}) (Version: V5.1L30 - PFU)
ScanSnap Organizer (HKLM-x32\...\{E58F3B88-3B3E-4F85-9323-04789D979C15}) (Version: V3.2L14 - PFU)
ScanSnap Organizer (x32 Version: 3.2.12.1 - PFU LIMITED) Hidden
Spam Soap (HKLM-x32\...\Spam Soap) (Version: 5.0.0.52 - Spam Soap, Inc.)
Spam Soap (Version: 5.0.0.52 - Spam Soap, Inc.) Hidden
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1194 - SUPERAntiSpyware.com)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for Skype for Business 2015 (KB2889853) 32-Bit Edition (HKLM-x32\...\{90150000-012B-0409-0000-0000000FF1CE}_Office15.PROPLUS_{BF1B3F01-93F3-4B83-93DB-132EB1AED259}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054791) 32-Bit Edition (HKLM-x32\...\{90150000-0011-0000-0000-0000000FF1CE}_Office15.PROPLUS_{04ADDEC1-208F-4295-AA61-16789EA56814}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054791) 32-Bit Edition (HKLM-x32\...\{90150000-002A-0000-1000-0000000FF1CE}_Office15.PROPLUS_{04ADDEC1-208F-4295-AA61-16789EA56814}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB3054791) 32-Bit Edition (HKLM-x32\...\{90150000-012B-0409-0000-0000000FF1CE}_Office15.PROPLUS_{04ADDEC1-208F-4295-AA61-16789EA56814}) (Version:  - Microsoft)
Webroot SecureAnywhere (HKLM-x32\...\{98C3BECF-DD5F-44D2-8EF3-48A962583027}) (Version: 8.8.88 - Webroot)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

05-07-2015 00:18:14 Windows Update
05-07-2015 00:20:55 Windows Update
05-07-2015 00:23:36 Windows Update
05-07-2015 00:26:16 Windows Update
05-07-2015 00:29:00 Windows Update
05-07-2015 00:31:41 Windows Update
05-07-2015 00:34:23 Windows Update
05-07-2015 00:37:11 Windows Update
06-07-2015 00:13:33 Windows Update
06-07-2015 00:16:25 Windows Update
06-07-2015 00:19:07 Windows Update
06-07-2015 00:21:46 Windows Update
06-07-2015 00:24:25 Windows Update
06-07-2015 00:27:04 Windows Update
06-07-2015 00:29:43 Windows Update
06-07-2015 00:32:21 Windows Update
06-07-2015 00:35:02 Windows Update
06-07-2015 00:37:48 Windows Update
07-07-2015 00:15:48 Windows Update
07-07-2015 00:19:01 Windows Update
07-07-2015 00:19:14 Windows Update
07-07-2015 00:22:06 Windows Update
07-07-2015 00:24:48 Windows Update
07-07-2015 00:27:29 Windows Update
07-07-2015 00:30:09 Windows Update
07-07-2015 00:32:51 Windows Update
07-07-2015 00:35:32 Windows Update
07-07-2015 00:38:11 Windows Update
07-07-2015 00:40:52 Windows Update
07-07-2015 00:43:38 Windows Update
08-07-2015 00:17:02 Windows Update
08-07-2015 00:21:45 Windows Update
08-07-2015 00:27:06 Windows Update
08-07-2015 00:27:52 Windows Update
08-07-2015 00:30:49 Windows Update
08-07-2015 00:33:30 Windows Update
08-07-2015 00:36:12 Windows Update
08-07-2015 00:38:55 Windows Update
08-07-2015 00:41:37 Windows Update
08-07-2015 00:44:19 Windows Update
08-07-2015 00:47:02 Windows Update
08-07-2015 00:49:42 Windows Update
08-07-2015 00:52:28 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2015-06-25 21:43 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {14CA5165-9978-4CBE-916E-BE77A5D30585} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {1C07E24E-0AA6-437D-83F1-5E495D74C45F} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTask => C:\Windows\system32\Wat\WatAdminSvc.exe [2014-03-21] (Microsoft Corporation)
Task: {6B3AA5B6-36A6-4226-967B-12E5932E3F2D} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {9ACB9D1D-A55E-42E0-B3F5-F5D86D748AF4} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-21] (Microsoft Corporation)
Task: {AA1C2020-1806-42B2-8C37-0FED5B04C728} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {5d255c29-b3da-4bc2-931d-7db2058e779b} 9QYGH02.localdom.com => C:\Program Files (x86)\Microsoft Office\Office15\MsoSync.exe [2015-04-14] (Microsoft Corporation)
Task: {B0F3E040-1F19-43C2-8146-A2814ACC27D2} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-21] (Microsoft Corporation)
Task: {B831A00F-382F-49CA-B1B3-2D89C7ECAD84} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-02] (Adobe Systems Incorporated)
Task: {C1BB3513-094A-4E50-B84D-65C675AD88F5} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe
Task: {CC4EAE60-2FFE-446E-BC81-5EA15C19A906} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (Whitelisted) ==============

2015-03-18 14:08 - 2015-03-18 14:08 - 08898720 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-02-25 18:45 - 2013-08-19 10:21 - 00020256 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIcon.dll
2014-02-25 18:45 - 2013-08-19 10:21 - 00019232 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayNotBackuped.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-02-25 18:38 - 2013-08-21 18:33 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2014-03-24 11:38 - 2005-01-19 18:48 - 00028672 _____ () C:\Program Files (x86)\PFU\CardMinder V3.2\CardPath.dll
2014-03-24 12:03 - 2011-04-08 13:53 - 00376832 _____ () C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsConfig.dll
2014-03-24 12:03 - 2011-03-16 15:30 - 00233472 _____ () C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsExtention.dll
2014-03-24 11:29 - 2003-03-26 18:46 - 00135168 _____ () C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsImgIO.dll
2014-03-24 11:29 - 2010-08-24 16:56 - 00167936 _____ () C:\Program Files (x86)\PFU\ScanSnap\Driver\SSsltsa.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:142
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:264
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3204
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3247
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3348
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:95

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "imagepath"=""C:\PROGRA~2\SAAZOD\zRealTime\SAAZappr.exe" SAAZappr"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZappr => "type"="110"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "imagepath"=""C:\PROGRA~2\SAAZOD\zRealTime\SAAZapsc.exe" SAAZapsc"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAAZapsc => "type"="110"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\Control Panel\Desktop\\Wallpaper -> C:\Users\me-admin.localdom_WAUSAU\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 68.115.71.53 - 8.8.8.8

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{F3317C20-71AB-429C-A4A3-F1269D4A8F9C}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{D5E75F71-2F99-47C3-9ED7-C443EB4860F8}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{996A8816-77E5-4D60-AB2A-B0A12E1941E7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{376C2699-27CA-48A9-9156-FEC97D3190FC}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{6F71EB47-5A42-4B9F-A10C-E8526DBB04FF}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
FirewallRules: [{14B31376-372D-4202-A1DF-CC32BFCCA08F}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
FirewallRules: [{0927BC4C-F4A5-4010-89C8-56A9BE639538}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{B4FA7477-0AF1-4258-A47B-676F8C2C6F3E}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{81F70C10-3B93-4AB4-81FD-738EEB6700FD}] => (Allow) C:\Program Files (x86)\SAAZOD\BaseComponents\PatchManagement\zPMAMgmt.exe
FirewallRules: [{0A86954B-8A9B-4546-9283-89A26555943C}] => (Allow) C:\Program Files (x86)\SAAZOD\BaseComponents\PatchManagement\zPMAMgmt.exe
FirewallRules: [{271FEEDC-2B42-4723-B192-873620108058}] => (Allow) C:\Program Files (x86)\GFI Software\Deployment\MicroInstaller.exe
FirewallRules: [{6421B37B-D00C-4F04-9993-C79AA79E9DCF}] => (Allow) C:\Program Files (x86)\GFI Software\Deployment\MicroInstaller.exe
FirewallRules: [{75134E9E-3026-4E1B-BD33-76141A02562B}] => (Allow) C:\Program Files (x86)\GFI Software\Deployment\MicroInstaller.exe
FirewallRules: [{91AE3E6F-64ED-4172-93AF-D844F18D6F46}] => (Allow) C:\Program Files (x86)\GFI Software\Deployment\MicroInstaller.exe
FirewallRules: [{93EFE42D-E1ED-477F-A169-3BA29CDC99E2}] => (Allow) C:\Program Files (x86)\GFI Software\GFIAgent\SBAMSvc.exe
FirewallRules: [{424061F8-3374-4277-BB18-779CF48A7C7D}] => (Allow) C:\Program Files (x86)\GFI Software\GFIAgent\SBAMSvc.exe
FirewallRules: [{AA003308-CE53-48C5-A4D2-AF94BA48ECDB}] => (Allow) C:\Program Files (x86)\GFI Software\GFIAgent\SBAMSvc.exe
FirewallRules: [{29A49AA9-C56B-4755-A3E2-A0348360A2BD}] => (Allow) C:\Program Files (x86)\GFI Software\GFIAgent\SBAMSvc.exe
FirewallRules: [{BF7336A0-0965-4150-BED8-E09452BF2B2E}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{71F61F6E-4A09-4B77-A8B6-4C22B05518EF}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
FirewallRules: [{374F5A6F-F8C1-44AB-AEEF-00099B45F77D}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
FirewallRules: [{2B3A8A18-A677-43BD-B721-13902D772F58}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{E8734344-4BFA-4F8F-AD94-8D45FFEA599F}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe

==================== Faulty Device Manager Devices =============

Name: LogMeIn Mirror Driver
Description: LogMeIn Mirror Driver
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: LogMeIn, Inc.
Service: lmimirr
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/26/2015 10:00:04 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/25/2015 10:49:56 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifest.

Error: (06/25/2015 10:49:53 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifest.

Error: (06/25/2015 10:49:50 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifest.

Error: (06/25/2015 10:49:40 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifest.

Error: (06/25/2015 10:49:29 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifest.

Error: (06/25/2015 10:37:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/25/2015 10:10:19 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).

Error: (06/25/2015 10:10:19 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.

Operation:
   Instantiating VSS server

Error: (06/25/2015 10:10:19 PM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]

Operation:
   Instantiating VSS server

System errors:
=============
Error: (07/08/2015 11:04:43 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: localdom_WAUSAU)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (07/08/2015 11:02:57 AM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (07/08/2015 09:39:37 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain localdom_WAUSAU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (07/08/2015 05:39:00 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain localdom_WAUSAU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (07/08/2015 01:38:25 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain localdom_WAUSAU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (07/08/2015 00:52:53 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 10 for Windows 7 for x64-based Systems.

Error: (07/08/2015 00:50:06 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 10 for Windows 7 for x64-based Systems.

Error: (07/08/2015 00:47:25 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 10 for Windows 7 for x64-based Systems.

Error: (07/08/2015 00:44:45 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 10 for Windows 7 for x64-based Systems.

Error: (07/08/2015 00:42:02 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 10 for Windows 7 for x64-based Systems.

Microsoft Office:
=========================
Error: (06/26/2015 10:00:04 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/25/2015 10:49:56 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifestC:\YNSEC\Tools\esetsmartinstaller_enu.exe

Error: (06/25/2015 10:49:53 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifestC:\YNSEC\Tools\esetsmartinstaller_enu.exe

Error: (06/25/2015 10:49:50 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifestC:\YNSEC\Tools\esetsmartinstaller_enu.exe

Error: (06/25/2015 10:49:40 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifestC:\YNSEC\Tools\esetsmartinstaller_enu.exe

Error: (06/25/2015 10:49:29 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_fa381d5f175bfb52.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18807_none_41e554362bd82458.manifestC:\YNSEC\Tools\esetsmartinstaller_enu.exe

Error: (06/25/2015 10:37:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/25/2015 10:10:19 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\wbem\wmiprvse.exeComboFix created restore point0x8007043c

Error: (06/25/2015 10:10:19 PM) (Source: VSS) (EventID: 8193) (User: )
Description: CoCreateInstance0x8007043c, This service cannot be started in Safe Mode

Operation:
   Instantiating VSS server

Error: (06/25/2015 10:10:19 PM) (Source: VSS) (EventID: 18) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, This service cannot be started in Safe Mode

Operation:
   Instantiating VSS server

CodeIntegrity Errors:
===================================
  Date: 2015-06-25 21:43:23.567
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2015-06-25 21:43:23.505
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core™ i5-4570 CPU @ 3.20GHz
Percentage of memory in use: 42%
Total physical RAM: 8110.77 MB
Available physical RAM: 4686.29 MB
Total Pagefile: 16221.55 MB
Available Pagefile: 13011.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:455.52 GB) (Free:372.11 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: E5161517)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=10.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=455.5 GB) - (Type=07 NTFS)

==================== End of log ============================



#7 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:18 AM

Posted 09 July 2015 - 08:06 PM

Hi catchineddies,

I apologize for the delay. I'm currently posting using my cell phone as my ISP is experiencing some issues and have no Internet connection at home.

I will try to post tomorrow when I am out of the house.

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#8 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:18 AM

Posted 11 July 2015 - 02:18 PM

Hello cathineddies,

Please do the following.

Before proceeding, make sure to move FRST.exe to your Desktop. It is currently under C:\YNSEC\Tools.

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1648429977-2098931826-1415713722-5397\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\mozilla.cfg [2014-03-21] <==== ATTENTION
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

================================================

Also, have you tried running Malwarebytes Antimalware in Safe Mode?

Is it still closing after you launch it within Windows normally? 


Edited by TheShooter93, 11 July 2015 - 02:19 PM.

CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#9 catchineddies

catchineddies
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:18 AM

Posted 13 July 2015 - 10:13 AM

Well I came in this morning and the computer was frozen.  After power cycling it it kept returning to system recovery options.  Booting to Windows failed as did going back to restore points.  I am now restoring from factory image. 

 

That kills our attempt to learn about this infection.  Sorry :(



#10 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:02:18 AM

Posted 14 July 2015 - 07:06 AM

That kills our attempt to learn about this infection.  Sorry   :(

That's alright. At least now you will have a clean, working PC. Please read the information below.  :)

All Clean!

Congratulations on your clean PC!  :thumbup2:

For keeping your PC clean, there are a few main things to keep tabs on:

1) Make sure to keep your antivirus software up to date.

2) Keep Java, Adobe Flash Player, and Adobe Reader up to date.

3) Run periodic scans using your antivirus software and Malwarebyte's Antimalware.

4) Most importantly, practice safe browsing. You are the ultimate protection tool.

=======================================================================
 
Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

This thread will remain open for 48 hours after the posting of this "all-clean" for any questions you may have.


CCNA R&SCCNA Security | Network+  |  B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users