

In safe mode csrss.exe and winlogon look normal.


However when Win 7 64bit pc is booted into normal mode there is no description for either and no username.


I also cannot find the file location of either process.


Have run Malwarebytes in normal mode as well as Kaspersky 6 and have not found a virus.


Still suspicious though?

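One way to answer the question raised in the post above (where csrss.exe and winlogon.exe are actually loaded from, and whether the image is the signed Microsoft binary), as an added example that is not part of the original thread and not a tool from the forum's helpers. It assumes an elevated PowerShell prompt on the affected machine; a non-elevated session cannot open SYSTEM-owned processes, so their `Path` comes back empty and a process viewer shows no file location and no user name, which is a common benign explanation for the symptom described. The function name `Get-CoreProcessReport` is this example's own.

```powershell
# Added example, not from the original thread: report where csrss.exe and
# winlogon.exe are loaded from and whether each image carries a valid signature.
# Run from an elevated (Run as administrator) PowerShell prompt; otherwise
# .Path is empty for these SYSTEM-owned processes.
$expectedDir = Join-Path $env:SystemRoot 'System32'

function Get-CoreProcessReport {
    foreach ($name in 'csrss', 'winlogon') {
        foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            $path = $proc.Path
            if (-not $path) {
                # Fallback: WMI can often report the image path even when the
                # process handle itself cannot be opened.
                $wmi  = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.Id)"
                $path = $wmi.ExecutablePath
            }

            $inSystem32 = $false
            $sigStatus  = 'n/a'
            $signer     = 'n/a'
            if ($path) {
                # The genuine binaries live in %SystemRoot%\System32; a copy
                # anywhere else with the same name deserves a closer look.
                $inSystem32 = [System.IO.Path]::GetDirectoryName($path) -ieq $expectedDir
                $sig = Get-AuthenticodeSignature -FilePath $path
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            New-Object PSObject -Property @{
                Name       = $proc.ProcessName
                PID        = $proc.Id
                SessionId  = $proc.SessionId
                Path       = $path
                InSystem32 = $inSystem32
                Signature  = $sigStatus
                Signer     = $signer
            }
        }
    }
}

Get-CoreProcessReport | Format-Table Name, PID, SessionId, InSystem32, Signature, Path -AutoSize
```

Two things to keep in mind when reading the output. More than one csrss.exe and winlogon.exe is normal (one pair per session), so the count alone means nothing. On PowerShell versions before 5.1, `Get-AuthenticodeSignature` does not consult the Windows catalog, and Microsoft's catalog-signed system binaries then report `NotSigned`; on a Windows 7 machine treat that result as inconclusive and rely on the `InSystem32` check, or verify the file with a catalog-aware tool such as Sysinternals sigcheck.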

Hello,


P2P/Piracy Warning:


If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Next,


Download Farbar Recovery Scan Tool and save it to your desktop.


Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Kevin


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-12-2013 01
Ran by JDMA (administrator) on RONNIE-PC on 15-12-2013 11:58:47
Running from C:\Users\JDMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3YZOYML
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Safe Mode (with Networking)

==================== Processes (Whitelisted) =================

(Kaseya International Limited) C:\Program Files (x86)\Kaseya\KSAASC18937046960005\AgentMon.exe
( ) C:\Program Files (x86)\Kaseya\KSAASC18937046960005\extensions\Lua.exe
( ) C:\Program Files (x86)\Kaseya\KSAASC18937046960005\extensions\Lua.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\Monitor.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASC.exe
(IObit) C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCTray.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11786344 2011-03-28] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [LogMeIn GUI] - C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun_KL_notset] 1
HKCU\...\Run: [Advanced SystemCare Ultimate] - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCTray.exe [512384 2012-11-07] (IObit)
HKLM-x32\...\Run: [intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [2643320 2012-10-25] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [sSBkgdUpdate] - C:\Program Files (x86)\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe [29984 2008-01-10] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [indexSearch] - C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe [46368 2008-01-10] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort11reminder] - C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini [296 2013-12-15] ()
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [KASHKSAASC18937046960005] - C:\Program Files (x86)\Kaseya\KSAASC18937046960005\KaUsrTsk.exe [577536 2013-05-30] (Kaseya International Limited)
HKLM-x32\...\Run: [AVP] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [350552 2012-08-16] (Kaspersky Lab ZAO)
HKU\Ronnie\...\Run: [Google Update] - C:\Users\Ronnie\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-09-24] (Google Inc.)
HKU\Ronnie\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [20203904 2013-12-06] (Google)
AppInit_DLLs: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\x64\adialhk.dll [90576 2012-08-16] (Kaspersky Lab ZAO)
AppInit_DLLs-x32: c:\PROGRA~2\KASPER~1\KASPER~1.0FO\kloehk.dll, c:\PROGRA~2\KASPER~1\KASPER~1.0FO\adialhk.dll [86872 2012-08-16] (Kaspersky Lab ZAO)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Advanced SystemCare Browser Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\BrowerProtect\ASCPlugin_Protection.dll (IObit)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {41565256-3700-A76A-76A7-7A786E7484D7} -  No File
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler-x32: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{322FEC1B-EB31-4027-92EF-A56CD3AE08D5}: [NameServer]8.8.8.8,8.8.8.4

Chrome:
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR Extension: (Ads Removal) - C:\Users\JDMA\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkcefkcdkepgkpbgncjchhbjgoanleod\1.0.0_0
CHR HKLM-x32\...\Chrome\Extension: [nfengeggddojhakldhlpjdlddgkkjkdd] - C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\BrowerProtect\ASC_GhromePluginFor6.crx

==================== Services (Whitelisted) =================

S2 AdvancedSystemCareService6; C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascsvc.exe [1051088 2012-12-13] (IObit)
S2 ASCAntivirusSrv; C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe [623936 2013-07-08] (IOBit)
S2 AVP; c:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [350552 2012-08-16] (Kaspersky Lab ZAO)
S2 ESC Connections Server; C:\Program Files (x86)\dESCO\ESC Connections Server\ESC Connections Server.exe [1061712 2013-09-13] (dESCO)
S2 IMFservice; C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe [341824 2013-11-11] (IObit)
R2 KAKSAASC18937046960005; C:\Program Files (x86)\Kaseya\KSAASC18937046960005\AgentMon.exe [1101824 2013-06-27] (Kaseya International Limited)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2013-10-28] (LogMeIn, Inc.)
S2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2013-10-28] (LogMeIn, Inc.)
S2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MSSQL$ESC; c:\Program Files\Microsoft SQL Server\MSSQL11.ESC\MSSQL\Binn\sqlservr.exe [191064 2012-02-11] (Microsoft Corporation)
S3 QuickBooksDB22; C:\Program Files (x86)\Intuit\QuickBooks 2012\QBDBMgrN.exe [679936 2011-12-06] (Intuit, Inc.)
S4 SQLAgent$ESC; c:\Program Files\Microsoft SQL Server\MSSQL11.ESC\MSSQL\Binn\SQLAGENT.EXE [597080 2012-02-11] (Microsoft Corporation)
S2 WDFME; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [1066896 2011-03-09] ()
S2 WDSC; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [491920 2011-03-09] ()

==================== Drivers (Whitelisted) ====================

S3 KAPFA; C:\Windows\system32\drivers\KAPFA.SYS [33680 2013-05-16] (Kaseya)
S1 kl1; C:\Windows\System32\DRIVERS\kl1.sys [157712 2009-11-11] (Kaspersky Lab)
S3 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [30736 2009-09-03] (Kaspersky Lab)
S1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [273200 2012-02-27] (Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [32048 2011-09-01] (Kaspersky Lab ZAO)
S2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 radpms; C:\Windows\System32\DRIVERS\radpms.sys [14944 2013-04-30] (LogMeIn, Inc.)
S4 RsFx0200; C:\Windows\System32\DRIVERS\RsFx0200.sys [334936 2012-02-11] (Microsoft Corporation)
U3 aswMBR; \??\C:\Users\JDMA\AppData\Local\Temp\aswMBR.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-15 11:58 - 2013-12-15 11:58 - 00000000 ____D C:\FRST
2013-12-15 11:49 - 2013-12-15 11:49 - 00001626 _____ C:\Users\JDMA\Downloads\aswMBR.txt
2013-12-15 11:49 - 2013-12-15 11:49 - 00000512 _____ C:\Users\JDMA\Downloads\MBR.dat
2013-12-15 10:32 - 2013-12-15 10:32 - 04745728 _____ (AVAST Software) C:\Users\JDMA\Downloads\aswMBR.exe
2013-12-15 10:28 - 2013-12-15 10:28 - 00001316 _____ C:\Users\JDMA\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
2013-12-15 10:28 - 2013-12-15 10:28 - 00001277 _____ C:\Users\Public\Desktop\Advanced SystemCare Ultimate.lnk
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Apple Computer
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\ProgramData\{D76294E6-03B8-4971-AF2E-3F846161A690}
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\ProgramData\{5A85B23A-4B58-47D1-9B9C-DFBD7866099F}
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\IObit
2013-12-15 10:27 - 2013-12-15 10:27 - 00001180 _____ C:\Users\Public\Desktop\IObit Malware Fighter.lnk
2013-12-15 10:26 - 2013-12-15 10:26 - 25563488 _____ (IObit                                                       ) C:\Users\JDMA\Downloads\imf-setup.exe
2013-12-15 10:25 - 2013-12-15 10:25 - 00000330 _____ C:\Users\JDMA\Downloads\Result.txt
2013-12-15 10:25 - 2013-12-15 10:25 - 00000036 _____ C:\Users\JDMA\AppData\Local\housecall.guid.cache
2013-12-15 10:25 - 2013-12-15 10:25 - 00000000 ____D C:\Users\JDMA\Downloads\TrendMicro AntiThreat Toolkit
2013-12-15 10:24 - 2013-12-15 10:24 - 08460744 _____ (Trend Micro Inc.) C:\Users\JDMA\Downloads\attk_far_gui_x64.exe
2013-12-15 10:02 - 2013-12-15 10:02 - 00000000 ____D C:\Users\JDMA\AppData\Local\Adobe
2013-12-14 22:12 - 2013-12-14 22:12 - 00000884 _____ C:\Windows\system32\Drivers\etc\hosts.txt
2013-12-14 22:02 - 2013-12-14 22:02 - 00000000 ____D C:\Users\JDMA\Downloads\tdsskiller
2013-12-14 22:01 - 2013-12-14 22:02 - 04101441 _____ C:\Users\JDMA\Downloads\tdsskiller.zip
2013-12-14 22:01 - 2013-12-14 22:01 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\JDMA\Downloads\madness.exe
2013-12-14 21:57 - 2013-12-14 21:57 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Malwarebytes
2013-12-14 21:56 - 2013-12-14 21:56 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-14 21:56 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-12-14 21:53 - 2009-06-10 16:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20131214-215346.backup
2013-12-14 21:35 - 2013-12-14 21:35 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\ScanSoft
2013-12-14 21:29 - 2013-12-15 10:28 - 00000000 ____D C:\ProgramData\IObit
2013-12-14 21:28 - 2013-12-15 10:28 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\IObit
2013-12-14 21:28 - 2013-12-15 10:28 - 00000000 ____D C:\Program Files (x86)\IObit
2013-12-14 21:10 - 2013-12-14 22:04 - 00004106 _____ C:\Users\JDMA\Desktop\Rkill.txt
2013-12-14 21:10 - 2013-12-14 21:10 - 00000000 ____D C:\Users\JDMA\Desktop\rkill
2013-12-14 21:00 - 2013-12-14 21:00 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2013-12-14 21:00 - 2013-12-14 21:00 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2013-12-14 15:22 - 2013-12-14 21:55 - 00000711 _____ C:\Windows\wininit.ini
2013-12-14 14:13 - 2013-12-14 14:13 - 00000000 ____D C:\Users\JDMA\Documents\ProcessExplorer
2013-12-14 03:23 - 2013-12-15 10:08 - 00000224 _____ C:\Windows\setupact.log
2013-12-14 03:23 - 2013-12-15 09:38 - 00003788 _____ C:\Windows\PFRO.log
2013-12-14 03:23 - 2013-12-14 03:23 - 00000000 _____ C:\Windows\setuperr.log
2013-12-14 03:05 - 2013-12-15 10:14 - 00008049 _____ C:\Windows\IE11_main.log
2013-12-14 03:05 - 2013-05-10 00:56 - 14631424 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2013-12-14 03:05 - 2013-05-10 00:56 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2013-12-14 03:05 - 2013-05-09 23:56 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2013-12-14 03:05 - 2013-05-09 23:56 - 11410432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2013-12-14 03:04 - 2013-10-24 23:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-12-14 03:03 - 2013-10-25 01:19 - 02241536 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-12-14 03:03 - 2013-10-25 01:19 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-12-14 03:03 - 2013-10-25 01:19 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-12-14 03:03 - 2013-10-25 01:18 - 19271168 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-12-14 03:03 - 2013-10-25 01:18 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 15404032 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 02648576 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-12-14 03:03 - 2013-10-25 01:17 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-12-14 03:03 - 2013-10-24 23:45 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-12-14 03:03 - 2013-10-24 23:44 - 14356992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-12-14 03:03 - 2013-10-24 23:44 - 01140736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 13761536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-12-14 03:03 - 2013-10-24 23:43 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-12-14 03:03 - 2013-10-24 22:41 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-12-14 03:03 - 2013-10-24 22:17 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-12-14 03:03 - 2013-10-24 21:49 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-12-14 00:38 - 2013-12-14 00:38 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-12-14 00:36 - 2013-12-15 09:38 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-12-14 00:36 - 2013-12-14 21:55 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-12-13 22:20 - 2013-10-29 21:32 - 00335360 _____ (Microsoft Corporation) C:\Windows\system32\msieftp.dll
2013-12-13 22:20 - 2013-10-29 21:19 - 00301568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msieftp.dll
2013-12-13 22:20 - 2013-10-29 20:24 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-12-13 22:19 - 2013-11-23 13:26 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-12-13 22:19 - 2013-11-23 12:47 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2013-12-13 22:19 - 2013-10-18 21:18 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2013-12-13 22:19 - 2013-10-18 20:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2013-12-13 22:19 - 2013-10-03 21:16 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2013-12-13 22:19 - 2013-10-03 20:36 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2013-12-13 22:17 - 2013-10-11 21:32 - 00150016 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2013-12-13 22:17 - 2013-10-11 21:31 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2013-12-13 22:17 - 2013-10-11 21:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshom.ocx
2013-12-13 22:17 - 2013-10-11 21:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrrun.dll
2013-12-13 22:17 - 2013-10-11 20:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2013-12-13 22:17 - 2013-10-11 20:33 - 00156160 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2013-12-13 22:17 - 2013-10-11 20:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2013-12-13 22:17 - 2013-10-11 20:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2013-12-13 13:33 - 2013-12-13 21:53 - 00000000 ____D C:\Users\JDMA\Downloads\Kaspersky Rescue2Usb
2013-12-13 13:26 - 2013-12-13 21:53 - 00000000 ____D C:\Users\JDMA\Desktop\Kaspersky Rescue2Usb
2013-12-13 13:24 - 2013-12-13 13:24 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Macromedia
2013-12-13 12:10 - 2013-12-13 21:35 - 00000000 ____D C:\Users\JDMA\AppData\Local\Intuit
2013-12-13 12:10 - 2013-12-13 12:10 - 00114136 _____ C:\Users\JDMA\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-13 12:10 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\Western Digital
2013-12-13 12:10 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\Scansoft
2013-12-13 12:10 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\LogMeIn
2013-12-13 12:09 - 2013-12-15 10:02 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Adobe
2013-12-13 12:09 - 2013-12-14 21:30 - 00000000 ____D C:\Users\JDMA\AppData\Local\Google
2013-12-13 12:09 - 2013-12-14 00:01 - 00000000 ____D C:\Users\JDMA\AppData\Local\VirtualStore
2013-12-13 10:53 - 2013-12-13 10:53 - 00000075 _____ C:\Users\Ronnie\Downloads\ATT00001.txt
2013-12-13 09:33 - 2013-12-14 21:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-13 09:33 - 2013-12-13 09:33 - 00000000 ____D C:\Users\Ronnie\AppData\Roaming\Malwarebytes
2013-12-13 09:33 - 2013-12-13 09:33 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-13 09:04 - 2013-12-13 11:39 - 00000000 ____D C:\kl.files
2013-12-12 11:26 - 2013-12-13 20:43 - 00000000 ____D C:\kworking1
2013-11-19 12:23 - 2013-12-13 20:44 - 00000000 ___RD C:\Users\Ronnie\Google Drive
2013-11-19 12:23 - 2013-11-19 12:23 - 00001665 _____ C:\Users\Ronnie\Desktop\Google Drive.lnk
2013-11-19 12:22 - 2013-12-14 21:01 - 00002049 _____ C:\Users\Public\Desktop\Google Slides.lnk
2013-11-19 12:22 - 2013-12-14 21:01 - 00002047 _____ C:\Users\Public\Desktop\Google Sheets.lnk
2013-11-19 12:22 - 2013-12-14 21:01 - 00002037 _____ C:\Users\Public\Desktop\Google Docs.lnk
2013-11-19 12:19 - 2013-11-19 12:19 - 00819136 _____ (Google Inc.) C:\Users\Ronnie\Downloads\googledrivesync.exe

==================== One Month Modified Files and Folders =======

2013-12-15 11:58 - 2013-12-15 11:58 - 00000000 ____D C:\FRST
2013-12-15 11:49 - 2013-12-15 11:49 - 00001626 _____ C:\Users\JDMA\Downloads\aswMBR.txt
2013-12-15 11:49 - 2013-12-15 11:49 - 00000512 _____ C:\Users\JDMA\Downloads\MBR.dat
2013-12-15 10:34 - 2013-10-17 09:55 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2013-12-15 10:32 - 2013-12-15 10:32 - 04745728 _____ (AVAST Software) C:\Users\JDMA\Downloads\aswMBR.exe
2013-12-15 10:28 - 2013-12-15 10:28 - 00001316 _____ C:\Users\JDMA\AppData\Roaming\Microsoft\Windows\Start Menu\Uninstall Programs.lnk
2013-12-15 10:28 - 2013-12-15 10:28 - 00001277 _____ C:\Users\Public\Desktop\Advanced SystemCare Ultimate.lnk
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Apple Computer
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\ProgramData\{D76294E6-03B8-4971-AF2E-3F846161A690}
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\ProgramData\{5A85B23A-4B58-47D1-9B9C-DFBD7866099F}
2013-12-15 10:28 - 2013-12-15 10:28 - 00000000 ____D C:\IObit
2013-12-15 10:28 - 2013-12-14 21:29 - 00000000 ____D C:\ProgramData\IObit
2013-12-15 10:28 - 2013-12-14 21:28 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\IObit
2013-12-15 10:28 - 2013-12-14 21:28 - 00000000 ____D C:\Program Files (x86)\IObit
2013-12-15 10:27 - 2013-12-15 10:27 - 00001180 _____ C:\Users\Public\Desktop\IObit Malware Fighter.lnk
2013-12-15 10:27 - 2009-07-14 00:13 - 00902626 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-15 10:26 - 2013-12-15 10:26 - 25563488 _____ (IObit                                                       ) C:\Users\JDMA\Downloads\imf-setup.exe
2013-12-15 10:25 - 2013-12-15 10:25 - 00000330 _____ C:\Users\JDMA\Downloads\Result.txt
2013-12-15 10:25 - 2013-12-15 10:25 - 00000036 _____ C:\Users\JDMA\AppData\Local\housecall.guid.cache
2013-12-15 10:25 - 2013-12-15 10:25 - 00000000 ____D C:\Users\JDMA\Downloads\TrendMicro AntiThreat Toolkit
2013-12-15 10:24 - 2013-12-15 10:24 - 08460744 _____ (Trend Micro Inc.) C:\Users\JDMA\Downloads\attk_far_gui_x64.exe
2013-12-15 10:22 - 2013-10-17 09:15 - 00000000 ____D C:\kworking
2013-12-15 10:20 - 2012-08-31 12:30 - 01831597 _____ C:\Windows\WindowsUpdate.log
2013-12-15 10:17 - 2009-07-13 23:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-15 10:17 - 2009-07-13 23:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-15 10:15 - 2013-05-15 09:24 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-15 10:14 - 2013-12-14 03:05 - 00008049 _____ C:\Windows\IE11_main.log
2013-12-15 10:14 - 2013-05-15 09:24 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-15 10:14 - 2012-09-24 09:39 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-991406875-822118588-2862823848-1000UA.job
2013-12-15 10:09 - 2013-07-12 11:11 - 00000000 ____D C:\ProgramData\LogMeIn
2013-12-15 10:08 - 2013-12-14 03:23 - 00000224 _____ C:\Windows\setupact.log
2013-12-15 10:08 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-15 10:02 - 2013-12-15 10:02 - 00000000 ____D C:\Users\JDMA\AppData\Local\Adobe
2013-12-15 10:02 - 2013-12-13 12:09 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Adobe
2013-12-15 09:38 - 2013-12-14 03:23 - 00003788 _____ C:\Windows\PFRO.log
2013-12-15 09:38 - 2013-12-14 00:36 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-12-14 22:12 - 2013-12-14 22:12 - 00000884 _____ C:\Windows\system32\Drivers\etc\hosts.txt
2013-12-14 22:04 - 2013-12-14 21:10 - 00004106 _____ C:\Users\JDMA\Desktop\Rkill.txt
2013-12-14 22:02 - 2013-12-14 22:02 - 00000000 ____D C:\Users\JDMA\Downloads\tdsskiller
2013-12-14 22:02 - 2013-12-14 22:01 - 04101441 _____ C:\Users\JDMA\Downloads\tdsskiller.zip
2013-12-14 22:01 - 2013-12-14 22:01 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\JDMA\Downloads\madness.exe
2013-12-14 21:57 - 2013-12-14 21:57 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Malwarebytes
2013-12-14 21:56 - 2013-12-14 21:56 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-14 21:56 - 2013-12-13 09:33 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-12-14 21:55 - 2013-12-14 15:22 - 00000711 _____ C:\Windows\wininit.ini
2013-12-14 21:55 - 2013-12-14 00:36 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-12-14 21:35 - 2013-12-14 21:35 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\ScanSoft
2013-12-14 21:30 - 2013-12-13 12:09 - 00000000 ____D C:\Users\JDMA\AppData\Local\Google
2013-12-14 21:19 - 2013-09-26 09:07 - 00000000 ____D C:\Windows\system32\appmgmt
2013-12-14 21:10 - 2013-12-14 21:10 - 00000000 ____D C:\Users\JDMA\Desktop\rkill
2013-12-14 21:01 - 2013-11-19 12:22 - 00002049 _____ C:\Users\Public\Desktop\Google Slides.lnk
2013-12-14 21:01 - 2013-11-19 12:22 - 00002047 _____ C:\Users\Public\Desktop\Google Sheets.lnk
2013-12-14 21:01 - 2013-11-19 12:22 - 00002037 _____ C:\Users\Public\Desktop\Google Docs.lnk
2013-12-14 21:01 - 2013-05-15 09:24 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-14 21:00 - 2013-12-14 21:00 - 00000000 ____D C:\Users\Default\AppData\Local\Google
2013-12-14 21:00 - 2013-12-14 21:00 - 00000000 ____D C:\Users\Default User\AppData\Local\Google
2013-12-14 14:13 - 2013-12-14 14:13 - 00000000 ____D C:\Users\JDMA\Documents\ProcessExplorer
2013-12-14 09:14 - 2012-09-24 09:39 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-991406875-822118588-2862823848-1000Core.job
2013-12-14 03:24 - 2012-04-24 16:52 - 00000000 ____D C:\Windows\Panther
2013-12-14 03:23 - 2013-12-14 03:23 - 00000000 _____ C:\Windows\setuperr.log
2013-12-14 03:23 - 2009-07-13 23:45 - 00423592 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-14 03:05 - 2012-09-07 13:23 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-12-14 03:02 - 2013-08-15 02:01 - 00000000 ____D C:\Windows\system32\MRT
2013-12-14 03:01 - 2012-09-08 12:19 - 90708896 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-12-14 00:38 - 2013-12-14 00:38 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2013-12-14 00:13 - 2012-08-31 12:30 - 00000000 ____D C:\Users\Ronnie
2013-12-14 00:01 - 2013-12-13 12:09 - 00000000 ____D C:\Users\JDMA\AppData\Local\VirtualStore
2013-12-13 23:14 - 2013-05-15 09:24 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-12-13 23:14 - 2013-05-15 09:24 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-13 23:14 - 2013-05-15 09:24 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-12-13 23:00 - 2013-10-16 14:32 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-12-13 22:54 - 2013-05-15 09:24 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-12-13 22:54 - 2013-05-15 09:24 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-12-13 22:49 - 2013-05-15 09:24 - 00000000 ____D C:\Program Files\Google
2013-12-13 22:49 - 2013-05-15 09:24 - 00000000 ____D C:\Program Files (x86)\Google
2013-12-13 21:53 - 2013-12-13 13:33 - 00000000 ____D C:\Users\JDMA\Downloads\Kaspersky Rescue2Usb
2013-12-13 21:53 - 2013-12-13 13:26 - 00000000 ____D C:\Users\JDMA\Desktop\Kaspersky Rescue2Usb
2013-12-13 21:35 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\Intuit
2013-12-13 21:34 - 2013-10-16 12:35 - 00001420 _____ C:\Users\JDMA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-13 21:34 - 2013-10-16 12:35 - 00000000 ___RD C:\Users\JDMA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-13 21:34 - 2013-10-16 12:35 - 00000000 ___RD C:\Users\JDMA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-12-13 21:01 - 2013-03-29 08:08 - 00000000 ____D C:\Users\QBDataServiceUser22
2013-12-13 20:57 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\servicing
2013-12-13 20:50 - 2013-10-16 12:35 - 00000000 ____D C:\Users\JDMA
2013-12-13 20:50 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\addins
2013-12-13 20:50 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-12-13 20:50 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2013-12-13 20:50 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-12-13 20:50 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\DVD Maker
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 __RSD C:\Windows\Media
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\TAPI
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\Recovery
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\ras
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\InstallShield
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\com
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\ras
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\oobe
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Msdtc
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\migwiz
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Dism
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\com
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\System
2013-12-13 20:50 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Services
2013-12-13 20:49 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\system32\WinBioPlugIns
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\zh-HK
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\uk-UA
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\tr-TR
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\sr-Latn-CS
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\lv-LV
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\lt-LT
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\bg-BG
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\ar-SA
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\zh-HK
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\tr-TR
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\ro-RO
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\manifeststore
2013-12-13 20:49 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\lt-LT
2013-12-13 20:48 - 2010-11-21 02:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-12-13 20:48 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2013-12-13 20:48 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2013-12-13 20:48 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-12-13 20:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\bg-BG
2013-12-13 20:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\ar-SA
2013-12-13 20:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2013-12-13 20:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-12-13 20:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\L2Schemas
2013-12-13 20:45 - 2013-05-15 09:24 - 00000000 ____D C:\Windows\system32\Macromed
2013-12-13 20:45 - 2012-09-07 14:21 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2013-12-13 20:45 - 2012-04-24 17:12 - 00000000 ____D C:\Windows\SysWOW64\RTCOM
2013-12-13 20:45 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\WCN
2013-12-13 20:45 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\system32\WCN
2013-12-13 20:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\Msdtc
2013-12-13 20:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\spp
2013-12-13 20:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2013-12-13 20:44 - 2013-11-19 12:23 - 00000000 ___RD C:\Users\Ronnie\Google Drive
2013-12-13 20:44 - 2013-02-20 11:53 - 00000000 ____D C:\Users\Ronnie\AppData\Roaming\ESC
2013-12-13 20:44 - 2012-09-24 09:40 - 00000000 ____D C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2013-12-13 20:44 - 2012-08-31 12:30 - 00000000 ___RD C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-13 20:44 - 2012-08-31 12:30 - 00000000 ___RD C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-13 20:44 - 2012-08-31 12:30 - 00000000 ___RD C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-12-13 20:44 - 2012-08-31 12:30 - 00000000 ___RD C:\Users\Ronnie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-13 20:44 - 2012-05-04 08:40 - 00000000 ____D C:\Users\Ronnie\Documents\HVAC Guide
2013-12-13 20:44 - 2009-07-13 23:45 - 00000000 ____D C:\Windows\Setup
2013-12-13 20:44 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\security
2013-12-13 20:44 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\schemas
2013-12-13 20:44 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Resources
2013-12-13 20:44 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Globalization
2013-12-13 20:44 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2013-12-13 20:44 - 2008-08-01 15:03 - 00000000 ____D C:\Users\Ronnie\Desktop\LinksysConnectPC
2013-12-13 20:44 - 2006-07-10 10:37 - 00000000 ____D C:\Users\Ronnie\Documents\QuickBooks Pro
2013-12-13 20:43 - 2013-12-12 11:26 - 00000000 ____D C:\kworking1
2013-12-13 20:43 - 2013-10-21 08:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-12-13 20:43 - 2013-02-20 11:42 - 00000000 ____D C:\SQL12ExpressFull
2013-12-13 20:43 - 2012-09-14 11:07 - 00000000 ____D C:\ProgramData\ScanSoft
2013-12-13 20:43 - 2012-09-07 14:25 - 00000000 ____D C:\ProgramData\SQL Anywhere 11
2013-12-13 20:43 - 2012-09-07 14:25 - 00000000 ____D C:\ProgramData\Intuit
2013-12-13 20:43 - 2012-09-07 13:23 - 00000000 ____D C:\Users\Ronnie\AppData\Local\Microsoft Help
2013-12-13 20:43 - 2012-05-04 08:26 - 00000000 ____D C:\HVAC Guide V3.02G
2013-12-13 20:43 - 2011-06-10 13:43 - 00000000 ____D C:\Labor Pricing for Profits
2013-12-13 20:43 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\MSBuild
2013-12-13 20:43 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2013-12-13 20:43 - 2009-07-13 22:20 - 00000000 ___RD C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-13 20:43 - 2009-07-13 22:20 - 00000000 ___RD C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-13 20:43 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-12-13 20:43 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files (x86)\Windows NT
2013-12-13 20:43 - 2008-10-10 14:52 - 00000000 ____D C:\Busplan3
2013-12-13 20:34 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2013-12-13 20:20 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\winrm
2013-12-13 20:20 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\SysWOW64\Printing_Admin_Scripts
2013-12-13 20:20 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\SysWOW64\WindowsPowerShell
2013-12-13 20:20 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Web
2013-12-13 20:20 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Vss
2013-12-13 20:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\NetworkList
2013-12-13 20:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\MUI
2013-12-13 20:19 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\IME
2013-12-13 20:18 - 2010-11-21 02:06 - 00000000 ____D C:\Windows\system32\winrm
2013-12-13 20:18 - 2009-07-14 00:32 - 00000000 ____D C:\Windows\system32\WindowsPowerShell
2013-12-13 20:18 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2013-12-13 20:17 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\sysprep
2013-12-13 20:17 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\spool
2013-12-13 20:17 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Speech
2013-12-13 20:12 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Speech
2013-12-13 20:10 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\IME
2013-12-13 20:10 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\Branding
2013-12-13 20:09 - 2007-10-02 14:59 - 00000000 ____D C:\Users\Ronnie\Documents\American Standard_files
2013-12-13 20:07 - 2013-10-16 12:35 - 00000000 ___RD C:\Users\JDMA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-13 20:07 - 2010-11-21 02:16 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-12-13 20:07 - 2009-07-13 22:20 - 00000000 __RHD C:\Users\Default
2013-12-13 20:06 - 2013-10-16 12:32 - 00000000 ____D C:\Program Files (x86)\Kaseya
2013-12-13 20:06 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files\Reference Assemblies
2013-12-13 20:06 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2013-12-13 20:06 - 2009-07-14 00:32 - 00000000 ____D C:\Program Files (x86)\Reference Assemblies
2013-12-13 20:06 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Windows NT
2013-12-13 20:06 - 2009-07-13 22:20 - 00000000 ____D C:\Program Files\Common Files\SpeechEngines
2013-12-13 20:05 - 2012-09-07 13:22 - 00000000 __RHD C:\MSOCache
2013-12-13 13:24 - 2013-12-13 13:24 - 00000000 ____D C:\Users\JDMA\AppData\Roaming\Macromedia
2013-12-13 12:10 - 2013-12-13 12:10 - 00114136 _____ C:\Users\JDMA\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-13 12:10 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\Western Digital
2013-12-13 12:10 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\Scansoft
2013-12-13 12:10 - 2013-12-13 12:10 - 00000000 ____D C:\Users\JDMA\AppData\Local\LogMeIn
2013-12-13 11:39 - 2013-12-13 09:04 - 00000000 ____D C:\kl.files
2013-12-13 10:53 - 2013-12-13 10:53 - 00000075 _____ C:\Users\Ronnie\Downloads\ATT00001.txt
2013-12-13 09:33 - 2013-12-13 09:33 - 00000000 ____D C:\Users\Ronnie\AppData\Roaming\Malwarebytes
2013-12-13 09:33 - 2013-12-13 09:33 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-11 13:31 - 2006-04-18 13:21 - 07782400 _____ C:\Users\Ronnie\Documents\Peak Heating Furnace Type.mdb
2013-12-09 11:36 - 2006-07-06 13:29 - 00000000 ____D C:\Users\Ronnie\Documents\New Flat Rate
2013-11-25 12:39 - 2013-10-21 08:36 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-11-23 13:26 - 2013-12-13 22:19 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2013-11-23 12:47 - 2013-12-13 22:19 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2013-11-19 12:23 - 2013-11-19 12:23 - 00001665 _____ C:\Users\Ronnie\Desktop\Google Drive.lnk
2013-11-19 12:22 - 2012-09-24 09:39 - 00000000 ____D C:\Users\Ronnie\AppData\Local\Google
2013-11-19 12:19 - 2013-11-19 12:19 - 00819136 _____ (Google Inc.) C:\Users\Ronnie\Downloads\googledrivesync.exe
2013-11-19 10:39 - 2013-06-26 08:19 - 00000146 _____ C:\Users\Ronnie\Documents\Debug.log
2013-11-18 13:37 - 2011-03-15 08:24 - 00025600 ____C C:\Users\Ronnie\Documents\cost comparison of geothermal.xls
2013-11-15 09:41 - 2011-03-11 11:34 - 00023040 _____ C:\Users\Ronnie\Documents\2011 Buick Enclave #14.xls
2013-11-15 09:40 - 2011-01-19 09:01 - 00000000 ____D C:\Users\Ronnie\Documents\Truck Maintance
2013-11-15 08:39 - 2013-10-21 08:36 - 00000000 ____D C:\Users\Ronnie\AppData\Local\Thunderbird

Files to move or delete:
====================
C:\Users\Ronnie\gosetup.exe

Some content of TEMP:
====================
C:\Users\Ronnie\AppData\Local\Temp\0z4vwo0w.dll
C:\Users\Ronnie\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe
C:\Users\Ronnie\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\Ronnie\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Ronnie\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Ronnie\AppData\Local\Temp\KcsSetup.exe
C:\Users\Ronnie\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-12-10 00:01

==================== End Of Log ============================

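The FRST "Bamital & volsnap Check" above hashes winlogon.exe on disk and reports "MD5 is legit", but csrss.exe is not in that list, and the original question was about the running processes in normal mode (no description, no user name, no file location in Task Manager). The script below is an added example, not code from the thread or from FRST: it takes the live csrss.exe and winlogon.exe instances and checks, for each, the image path, the owning account, whether the parent is still alive, the Authenticode status and the MD5 of the on-disk image. It assumes the only legitimate location for these binaries is %SystemRoot%\System32, and it must be run from an elevated PowerShell in normal mode, because both processes run as SYSTEM and an unelevated caller gets no path back at all (which is also why an unelevated Task Manager shows no description or user for them).

```powershell
# Added example, not part of the original post and not FRST code.
# Checks the live csrss.exe / winlogon.exe instances the way FRST's
# "Bamital & volsnap Check" checks winlogon.exe on disk.
# Run from an ELEVATED PowerShell in normal mode.
# Assumption: the only legitimate location for these binaries is %SystemRoot%\System32.

$names    = @('csrss.exe', 'winlogon.exe')
$system32 = Join-Path $env:SystemRoot 'System32'
$md5      = [System.Security.Cryptography.MD5]::Create()

function Get-ImageMd5([string]$Path) {
    # Same value FRST compares against its known-good table ("MD5 is legit").
    $fs = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($md5.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$report = foreach ($p in Get-WmiObject Win32_Process | Where-Object { $names -contains $_.Name.ToLower() }) {
    $path = $p.ExecutablePath
    if (-not $path) {
        # WMI returns no path for SYSTEM processes unless the caller is elevated.
        New-Object PSObject -Property @{ PID = $p.ProcessId; Name = $p.Name; Verdict = 'no path returned: re-run elevated' }
        continue
    }

    # Owner: genuine instances run as NT AUTHORITY\SYSTEM.
    $o     = $p.GetOwner()
    $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<access denied>' }

    # Location: a lookalike dropped in %TEMP% or a user profile fails this.
    $inSystem32 = ((Split-Path $path -Parent).TrimEnd('\') -ieq $system32)

    # Parent: smss.exe starts both and the per-session smss instance then exits,
    # so a genuine csrss/winlogon normally has NO living parent. A live parent
    # such as explorer.exe or cmd.exe means something else launched it.
    # (PID reuse can occasionally give a false parent; treat this as a hint.)
    $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # Signature: informational only. On Windows 7 these files are catalog-signed
    # and Get-AuthenticodeSignature there reports NotSigned for catalog-only
    # signatures; use Sysinternals sigcheck (-a -h) for a catalog-aware verdict.
    $sig = Get-AuthenticodeSignature -FilePath $path

    $suspicious = @()
    if (-not $inSystem32)                 { $suspicious += 'outside System32' }
    if ($owner -ne 'NT AUTHORITY\SYSTEM') { $suspicious += "owner $owner" }
    if ($parent)                          { $suspicious += "live parent $parentName" }
    $verdict = if ($suspicious.Count) { 'SUSPICIOUS: ' + ($suspicious -join ', ') } else { 'looks normal' }

    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        Name      = $p.Name
        Path      = $path
        Owner     = $owner
        Parent    = $parentName
        Signature = $sig.Status
        MD5       = Get-ImageMd5 $path
        Verdict   = $verdict
    }
}

$report | Format-Table PID, Name, Owner, Parent, Signature, Verdict, MD5 -AutoSize
$report | Format-List Name, Path
```

On a clean Windows 7 box you should see one csrss.exe and one winlogon.exe per logged-on session (plus the session 0 csrss.exe), all with Path under C:\Windows\System32, Owner NT AUTHORITY\SYSTEM and Parent <exited>. Anything reported as SUSPICIOUS, or a third copy with a different path, is what to hand to the helper; the MD5 column is the figure to compare against a known-clean machine at the same patch level, since the correct value changes with Windows updates.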

Here is the Addition.txt information.


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-12-2013 01
Ran by JDMA at 2013-12-15 11:59:22
Running from C:\Users\JDMA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3YZOYML
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Security Center ========================

AV: Kaspersky Anti-Virus (Disabled - Up to date) {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AS: Kaspersky Anti-Virus (Disabled - Up to date) {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.170)
Adobe Reader X (10.1.7) (x32 Version: 10.1.7)
Advanced SystemCare Ultimate 6 (x32 Version: 6.1.0)
D3DX10 (x32 Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32)
Electronic Service Control (x32 Version: 9.00.0000)
ESC Accounting Server (x32 Version: 13.0.0)
ESC Connections Server (x32 Version: 13.0.17)
Google Drive (x32 Version: 1.13.5782.599)
Google Update Helper (x32 Version: 1.3.22.3)
Intel® Processor Graphics (x32 Version: 8.15.10.2618)
IObit Malware Fighter (x32 Version: 2.2.1)
Java 7 Update 45 (x32 Version: 7.0.450)
Java Auto Updater (x32 Version: 2.1.9.8)
Junk Mail filter update (x32 Version: 15.4.3502.0922)
Kaseya Agent (ronnie-pc.root.pkhvac - saas36.kaseya.net) (x32 Version: 6.3.0.19)
Kaspersky Anti-Virus 6.0 for Windows Workstations (x32 Version: 6.0.4.1611)
KONICA MINOLTA mc1690MF (FAX) (x32)
LogMeIn (x32 Version: 4.1.3268)
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300)
Mesh Runtime (x32 Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2010 (x32 Version: 14.0.4763.1000)
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000)
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Professional 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000)
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000)
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000)
Microsoft SQL Server 2008 Setup Support Files  (Version: 10.1.2731.0)
Microsoft SQL Server 2012 (64-bit)
Microsoft SQL Server 2012 Native Client  (Version: 11.0.2100.60)
Microsoft SQL Server 2012 RsFx Driver (Version: 11.0.2100.60)
Microsoft SQL Server 2012 Setup (English) (Version: 11.1.3000.0)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (Version: 11.0.2100.60)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
Microsoft VSS Writer for SQL Server 2012 (Version: 11.0.2100.60)
Mozilla Maintenance Service (x32 Version: 24.0.1)
Mozilla Thunderbird 24.0.1 (x86 en-US) (x32 Version: 24.0.1)
MSVCRT (x32 Version: 15.4.2862.0708)
MSVCRT_amd64 (x32 Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (x32 Version: 4.20.9818.0)
PaperPort Image Printer 64-bit (Version: 1.00.0000)
QuickBooks (x32 Version: 22.0.4012.2206)
QuickBooks Pro 2012 (x32 Version: 22.0.4012.2206)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6343)
ScanSoft PaperPort 11 (x32 Version: 11.1.0000)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32)
SQL Server 2012 Common Files (Version: 11.0.2100.60)
SQL Server 2012 Database Engine Services (Version: 11.0.2100.60)
SQL Server 2012 Database Engine Shared (Version: 11.0.2100.60)
SQL Server Browser for SQL Server 2012 (x32 Version: 11.0.2100.60)
Sql Server Customer Experience Improvement Program (Version: 11.0.2100.60)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (x32 Version: 3)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (x32 Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939v3) (x32 Version: 3)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (x32)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition (x32)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (x32)
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition (x32)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (x32)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (x32)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (x32)
WD SmartWare (Version: 1.4.5.5)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3502.0922)
Windows Live Essentials (x32 Version: 15.4.3538.0513)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (x32 Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3538.0513)
Windows Live Mail (x32 Version: 15.4.3502.0922)
Windows Live Mesh (x32 Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (x32 Version: 15.4.5722.2)
Windows Live Messenger (x32 Version: 15.4.3538.0513)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922)
Windows Live Photo Common (x32 Version: 15.4.3502.0922)
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922)
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (x32 Version: 15.4.3502.0922)
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922)
Windows Live UX Platform (x32 Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109)
Windows Live Writer (x32 Version: 15.4.3502.0922)
Windows Live Writer Resources (x32 Version: 15.4.3502.0922)

==================== Restore Points  =========================

12-12-2013 08:00:12 Windows Update
13-12-2013 08:00:10 Windows Update
13-12-2013 13:19:40 Windows Update
13-12-2013 13:46:38 Windows Update
13-12-2013 16:42:58 Windows Update
14-12-2013 00:59:20 Restore Operation
14-12-2013 03:16:22 Windows Update
14-12-2013 05:00:46 Installed HiJackThis
14-12-2013 05:21:39 Configured KONICA MINOLTA magicolor 1690MF Scanner
14-12-2013 08:00:22 Windows Update
15-12-2013 02:18:29 Removed HiJackThis
15-12-2013 02:19:44 Removed HiJackThis
15-12-2013 02:24:24 Removed HiJackThis
15-12-2013 15:11:57 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:34 - 2013-12-14 21:53 - 00450639 ___RA C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 1000 more lines.

==================== Scheduled Tasks (whitelisted) =============

Task: {23075BE8-DAA2-4927-91CA-0076EB1B56CB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-05-15] (Google Inc.)
Task: {332B116C-B292-49F9-B1CA-065FADAA8311} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {3BBFBEB1-E553-4559-9BAB-96435CA6767D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {4D588ABA-3CDA-4F08-8151-20D7D565A96A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-991406875-822118588-2862823848-1000UA => C:\Users\Ronnie\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-24] (Google Inc.)
Task: {5010A0CB-2BDD-4C1B-9E48-B6A86125FC28} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {8F832665-4E16-4E24-9F9A-99BEBDCEF8F0} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-13] (Adobe Systems Incorporated)
Task: {ECF06627-CB40-457B-A905-A9911C88D30C} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-991406875-822118588-2862823848-1000Core => C:\Users\Ronnie\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-24] (Google Inc.)
Task: {FB8D4603-56F6-40DA-B578-F32BD9A16F04} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-05-15] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-991406875-822118588-2862823848-1000Core.job => C:\Users\Ronnie\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-991406875-822118588-2862823848-1000UA.job => C:\Users\Ronnie\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-12-15 10:28 - 2012-10-23 13:47 - 00160128 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCExtMenu_64.dll
2013-10-17 09:13 - 2011-11-07 13:21 - 00925696 _____ () C:\Program Files (x86)\Kaseya\KSAASC18937046960005\libkacm.dll
2013-10-17 09:54 - 2013-10-17 09:54 - 00167936 _____ () C:\Program Files (x86)\Kaseya\KSAASC18937046960005\lua5.1.dll
2013-10-17 09:13 - 2012-02-16 18:48 - 00110592 _____ () C:\Program Files (x86)\Kaseya\KSAASC18937046960005\extensions\scripts\socket\core.dll
2013-10-17 09:13 - 2012-02-16 18:48 - 00073728 _____ () C:\Program Files (x86)\Kaseya\KSAASC18937046960005\extensions\scripts\mime\core.dll
2013-12-15 10:28 - 2012-11-01 10:21 - 00350592 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\madExcept_.bpl
2013-12-15 10:28 - 2012-11-01 10:21 - 00182656 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\madBasic_.bpl
2013-12-15 10:28 - 2012-11-01 10:21 - 00050048 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\madDisAsm_.bpl
2013-12-15 10:28 - 2012-09-05 18:55 - 00892288 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\webres.dll
2013-12-15 10:28 - 2012-10-15 10:53 - 01229696 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\Scan.dll
2013-12-15 10:28 - 2012-09-05 18:55 - 00516480 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\sqlite3.dll
2013-12-15 10:28 - 2012-04-14 15:42 - 00224600 _____ () C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\Antivirus\Scan\smartscn.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KAKSAASC18937046960005 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\KAKSAASC18937046960005 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: kl1
Description: kl1
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: kl1
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (12/15/2013 10:23:39 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/15/2013 10:20:53 AM) (Source: ESC Connections Server) (User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:48 AM) (Source: ESC Connections Server) (User: )
Description: Push Notification Processor:No properties object has been set Area:Initializing

Error: (12/15/2013 10:20:48 AM) (Source: ESC Connections Server) (User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:47 AM) (Source: ESC Connections Server) (User: )
Description: Status Notification Processor:No properties object has been set Area:

Error: (12/15/2013 10:20:43 AM) (Source: ESC Connections Server) (User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:38 AM) (Source: ESC Connections Server) (User: )
Description: Push Notification Processor:No properties object has been set Area:Initializing

Error: (12/15/2013 10:20:33 AM) (Source: ESC Connections Server) (User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:28 AM) (Source: ESC Connections Server) (User: )
Description: Push Notification Processor:No properties object has been set Area:Initializing

Error: (12/15/2013 10:20:23 AM) (Source: ESC Connections Server) (User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

System errors:
=============
Error: (12/15/2013 10:28:28 AM) (Source: Service Control Manager) (User: )
Description: The Advanced SystemCare Service 6 service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (12/15/2013 10:26:58 AM) (Source: DCOM) (User: )
Description: 1084MSIServer{000C101C-0000-0000-C000-000000000046}

Error: (12/15/2013 10:23:12 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (12/15/2013 10:23:11 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (12/15/2013 10:23:05 AM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (12/15/2013 10:22:58 AM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/15/2013 10:22:48 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
discache
kl1
KLIF
spldr
Wanarpv6

Error: (12/15/2013 10:17:03 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 11 for Windows 7 for x64-based Systems.

Error: (12/15/2013 10:17:03 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070490: Update for Windows 7 for x64-based Systems (KB2904266).

Error: (12/15/2013 10:02:17 AM) (Source: DCOM) (User: )
Description: 1084MSIServer{000C101C-0000-0000-C000-000000000046}

Microsoft Office Sessions:
=========================
Error: (12/15/2013 10:23:39 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/15/2013 10:20:53 AM) (Source: ESC Connections Server)(User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:48 AM) (Source: ESC Connections Server)(User: )
Description: Push Notification Processor:No properties object has been set Area:Initializing

Error: (12/15/2013 10:20:48 AM) (Source: ESC Connections Server)(User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:47 AM) (Source: ESC Connections Server)(User: )
Description: Status Notification Processor:No properties object has been set Area:

Error: (12/15/2013 10:20:43 AM) (Source: ESC Connections Server)(User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:38 AM) (Source: ESC Connections Server)(User: )
Description: Push Notification Processor:No properties object has been set Area:Initializing

Error: (12/15/2013 10:20:33 AM) (Source: ESC Connections Server)(User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

Error: (12/15/2013 10:20:28 AM) (Source: ESC Connections Server)(User: )
Description: Push Notification Processor:No properties object has been set Area:Initializing

Error: (12/15/2013 10:20:23 AM) (Source: ESC Connections Server)(User: )
Description: Version 0013.0000.0017 of ESC Connections Server cannot connect database version 0013.0000.0049.  Please confirm your ESC version matches your ESC Connections Server version.

==================== Memory info ===========================

Percentage of memory in use: 32%
Total physical RAM: 8119.09 MB
Available physical RAM: 5503.73 MB
Total Pagefile: 16236.37 MB
Available Pagefile: 13801.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.8 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:1862.82 GB) (Free:1797.79 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: C7FB0C4B)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=-198839227392) - (Type=07 NTFS)

==================== End Of Log ============================


I see you have Advanced System Care installed, maybe listed as IObit in the uninstall list. Uninstall all references to that security software....

Please see the following links and make up your own mind if you want to keep this on your system:

http://shanegowland.com/opinions/2012/iobit-is-a-sucky-company/

https://forums.malwarebytes.org/index.php?showtopic=29681

https://forums.malwarebytes.org/index.php?showtopic=30989

https://forums.malwarebytes.org/index.php?showtopic=33217

http://antivirus.about.com/od/antivirussoftwarereviews/a/iobittrustingantivirus.htm

http://news.softpedia.com/news/Malwarebytes-IObit-Stole-Our-Signatures-Database-125928.shtml

http://blogs.computerworld.com/15026/iobit_accused_of_stealing_from_malwarebytes

Next,

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next,

Boot to Normal mode and run the following:

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log   Date and time of scan will also be shown

Thanks,

Kevin...

fixlist.txt


fixlog.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-12-2013 01
Ran by JDMA at 2013-12-15 14:07:37 Run:1
Running from C:\FRST\Logs
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
Start
C:\Users\Ronnie\gosetup.exe
C:\Users\Ronnie\AppData\Local\Temp\0z4vwo0w.dll
C:\Users\Ronnie\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe
C:\Users\Ronnie\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\Ronnie\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Ronnie\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Ronnie\AppData\Local\Temp\KcsSetup.exe
C:\Users\Ronnie\AppData\Local\Temp\ose00000.exe
End

 

*****************

C:\Users\Ronnie\gosetup.exe => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\0z4vwo0w.dll => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\FP_AX_MSI_INSTALLER.exe => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\G2MInstallerExtractor.exe => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\KcsSetup.exe => Moved successfully.
C:\Users\Ronnie\AppData\Local\Temp\ose00000.exe => Moved successfully.

==== End of Fixlog ====


At install of Malwarebytes Anti-Rootkit it said a _dll was found that needed to be removed.

(paraphrasing) The options were yes remove, or no do not, but if the system crashes restart and remove the _dll?

I said yes, but in hindsight did not know if this was a good or bad decision.

The program is otherwise working like the tutorial you set up.


System Log

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16750

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.093000 GHz
Memory total: 8513486848, free: 5557264384

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16750

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.093000 GHz
Memory total: 8513486848, free: 5151014912

Downloaded database version: v2013.12.15.05
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     12/15/2013 14:17:58
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\kl1.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\klim6.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\drivers\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\klfltdev.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\netr28x.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\drivers\serenum.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
\??\C:\Windows\system32\drivers\LMIRfsDriver.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\drivers\KAPFA.SYS
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xfffffa8009676790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000075\
Lower Device Object: 0xfffffa80095e9b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xfffffa80086ff790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000074\
Lower Device Object: 0xfffffa80095e8b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xfffffa8009679790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000073\
Lower Device Object: 0xfffffa80095e3b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8009678790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000072\
Lower Device Object: 0xfffffa80095f5b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800772b060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP3T0L0-3\
Lower Device Object: 0xfffffa80074ff060
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800772b060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800772bb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800772b060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80074ff060, DeviceName: \Device\Ide\IdeDeviceP3T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C7FB0C4B

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 409600
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 417690  Numsec = 3906609430

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 2000398934016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-3907009168-3907029168)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xfffffa8009678790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80095e7b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009678790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80095f5b60, DeviceName: \Device\00000072\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xfffffa8009679790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80095eab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009679790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80095e3b60, DeviceName: \Device\00000073\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xfffffa80086ff790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80095ebb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80086ff790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80095e8b60, DeviceName: \Device\00000074\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xfffffa8009676790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80095ecb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009676790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80095e9b60, DeviceName: \Device\00000075\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished


Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.15.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
JDMA :: RONNIE-PC [administrator]

12/15/2013 2:18:02 PM
mbar-log-2013-12-15 (14-18-02).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 284406
Time elapsed: 3 hour(s), 4 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


This was the message I received at the start:

Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity.

Note Press "No" button if you're not sure.  If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again.

Do you want to remove this value and restart the tool?

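The warning quoted in the post above concerns the AppInit_DLLs registry value: any DLL listed there is loaded by user32.dll into every process that links it, which is why rootkit scanners treat a populated value as suspicious. The PowerShell script below is an added example, not part of this thread and not code from Malwarebytes Anti-Rootkit or FRST. It reads the value and its LoadAppInit_DLLs enable switch from both the 64-bit and the WOW64 registry views, resolves each listed DLL and reports its Authenticode signature status, so an unexpected or unsigned entry stands out before anyone decides whether to remove it. It only reads; it changes nothing. The System32 fallback for relative names is an assumption made for the example (the real loader follows the DLL search order).

```powershell
# Added example: read-only audit of the AppInit_DLLs injection points on a 64-bit Windows 7 host.
# Both registry views matter: 64-bit processes read the first key, 32-bit (WOW64) processes the second.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props   = Get-ItemProperty -Path $key
    $enabled = $props.LoadAppInit_DLLs   # 1 = injection enabled; 0 or absent = disabled (the Windows 7 default)
    $value   = $props.AppInit_DLLs       # space- or comma-separated list of DLL paths; empty on a clean box

    Write-Host "Key: $key"
    Write-Host "  LoadAppInit_DLLs = $enabled"
    Write-Host "  AppInit_DLLs     = '$value'"

    if (-not $value -or $value.Trim() -eq '') { continue }

    foreach ($dll in ($value -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        # Assumption for this example: a bare file name is looked up under System32.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot ("System32\" + $path)
        }
        if (-not (Test-Path $path)) {
            Write-Warning "  Listed DLL not found on disk: $dll"
            continue
        }
        # Authenticode check: a valid signature from a known vendor is the usual benign case
        # (some security and accessibility products legitimately use AppInit_DLLs).
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Write-Host ("  {0}  signature={1}  signer={2}" -f $path, $sig.Status, $signer)
        if ($sig.Status -ne 'Valid') {
            Write-Warning "  Unsigned or invalidly signed AppInit DLL: $path"
        }
    }
}
```

Run it from an elevated PowerShell prompt; on a machine where the scanner's prompt was answered "Yes", both keys should now show an empty AppInit_DLLs value, and a non-empty one with an unsigned or missing DLL is worth mentioning in the next reply to the helper.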

Clean log, ok continue:

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced log

Next,

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that we may have missed. This scan is very thorough and well worth running; it can take several hours, please be patient and let it complete:

Run ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7 right click on IE shortcut and run as admin

Go to the ESET web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

If no threats were found:

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found:

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report in next reply

Next,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see those logs, also give an update on any remaining issues or concerns...

Kevin....


Malwarebytes


Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.15.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
JDMA :: RONNIE-PC [administrator]

Protection: Enabled

12/15/2013 6:07:30 PM
mbam-log-2013-12-15 (18-07-30).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 426314
Time elapsed: 33 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
