
szandman

  1. I am back - sorry, the company shipped me out and I had no internet access for a bit there. Just flew home tonight. I am going to attempt this fix tomorrow night - please don't close the thread, and thank you for your patience. Thanks!!
  2. Yes, it's basically the same thing my IT department would do - just a reimage. I have to compliment you on your knowledge of this process. It's been a while since I dealt with a virus; I am usually so careful. It's amazing how invasive they have become and how complicated finding them and removing them is. Thank you so much for the help!
  3. MrC, Just finished my reading on CryptoDefense. If I have no interest in recovering files and only want to salvage the laptop for future use - is the infection clear? Or will it continue to corrupt my files and hold them hostage? At this point I am considering sending this laptop in to my IT support for my company if we have not removed the threat. They don't go through this process - they just reimage the entire hard drive. Now if we removed it and future files will not get encrypted then I would probably keep the laptop and just delete the files. Can you give me any insight on which way to go with this? Thanks!
  4. MrC, The log from FRST (Additional scan result of Farbar Recovery Scan Tool (x64), Version: 06-05-2014, run by RI519MA at 2014-05-06 15:26:47):

     Thanks again for the help! Hopping on a plane, will check the thread again later tonight.
  5. adwcleaner log:

# AdwCleaner v3.207 - Report created 05/05/2014 at 17:03:41
# Updated 05/05/2014 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (64 bits)
# Username : RI519MA - RI519MA-BIR1
# Running from : C:\Users\RI519MA\Desktop\AdwCleaner (1).exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\RI519MA\AppData\Roaming\Mozilla\Firefox\Profiles\omlphnyp.default\prefs.js ]

-\\ Google Chrome v32.0.1700.76

[ File : C:\Users\RI519MA\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [1366 octets] - [07/04/2014 09:20:14]
AdwCleaner[R1].txt - [1366 octets] - [08/04/2014 09:32:49]
AdwCleaner[R2].txt - [1366 octets] - [08/04/2014 10:09:56]
AdwCleaner[R3].txt - [1373 octets] - [09/04/2014 09:53:30]
AdwCleaner[R4].txt - [1536 octets] - [05/05/2014 17:00:11]
AdwCleaner[S0].txt - [1366 octets] - [07/04/2014 09:21:20]
AdwCleaner[S1].txt - [1366 octets] - [08/04/2014 09:33:42]
AdwCleaner[S2].txt - [1366 octets] - [08/04/2014 10:10:46]
AdwCleaner[S3].txt - [1436 octets] - [09/04/2014 13:20:43]
AdwCleaner[S4].txt - [1461 octets] - [05/05/2014 17:03:41]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1521 octets] ##########

FRST next!
  6. After reboot Malwarebytes came up and automatically scanned. This is the log (says it detects two):

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/5/2014
Scan Time: 10:43:56 AM
Logfile: malwarebytes log.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.05.07
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: RI519MA

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404361
Time Elapsed: 53 min, 1 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 2
PUM.Hijack.Regedit, HKU\S-1-5-21-4187871522-2992343207-878159895-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools, 1, Good: (0), Bad: (1),,[d7f491bcf18a0a2c4b5231045da733cd]
PUM.Hijack.TaskManager, HKU\S-1-5-21-4187871522-2992343207-878159895-1004-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr, 1, Good: (0), Bad: (1),,[735870dd176437fff9064beb798ba45c]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
  7. MrC, I did run TDSSKILLER - the only thing it detected was "enstart64.exe" which was not on your list so I skipped it. I did get combofix to run in safemode, here is the log:

ComboFix 14-04-30.01 - RI519MA 05/03/2014 17:53:31.1.4 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3977.3257 [GMT -5:00]
Running from: c:\users\RI519MA\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\uninstall.exe
c:\users\RI519MA\AppData\Local\assembly\tmp
c:\users\RI519MA\AppData\Roaming\erijwq.dll
c:\users\RI519MA\AppData\Roaming\mmvmvzf.dll
.
.
((((((((((((((((((((((((( Files Created from 2014-04-03 to 2014-05-03 )))))))))))))))))))))))))))))))
.
.
2014-05-03 22:57 . 2014-05-03 22:57 -------- d-----w- c:\users\PBAdmin\AppData\Local\temp
2014-05-03 22:57 . 2014-05-03 22:57 -------- d-----w- c:\users\help\AppData\Local\temp
2014-05-03 22:57 . 2014-05-03 22:57 -------- d-----w- c:\users\desktop\AppData\Local\temp
2014-04-08 20:13 . 2014-05-02 04:37 -------- d-----w- C:\Quarantine
2014-04-07 15:21 . 2014-05-01 15:53 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-07 15:21 . 2014-04-03 14:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-07 15:21 . 2014-04-03 14:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-07 15:21 . 2014-04-03 14:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-07 15:21 . 2014-04-07 15:21 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-04-07 15:21 . 2014-04-07 15:21 -------- d-----w- c:\programdata\Malwarebytes
2014-04-07 15:20 . 2014-04-07 15:20 -------- d-----w- c:\users\RI519MA\AppData\Local\Programs
2014-04-07 15:04 . 2014-05-01 15:07 -------- d-----w- c:\windows\ERUNT
2014-04-07 15:01 . 2014-04-07 15:01 -------- d-----w- c:\users\RI519MA\AppData\Local\VirtualStore
2014-04-07 14:20 . 
2014-04-09 18:20 -------- d-----w- C:\AdwCleaner...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2014-05-01 15:27 . 2011-05-01 19:48 84296 ----a-w- c:\windows\system32\enstart64_.sys2014-03-17 03:16 . 2012-07-05 19:35 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2014-03-17 03:16 . 2012-07-05 19:35 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorUser"= 3 (0x3)"EnableUIADesktopToggle"= 0 (0x0)"PromptOnSecureDesktop"= 0 (0x0)"HideFastUserSwitching"= 0 (0x0)"MaxGPOScriptWait"= 6000 (0x1770).[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-590445608-1855731889-617630493-16148\Scripts\Logon\0\0]"Script"=BaloonReg.bat.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-590445608-1855731889-617630493-16148\Scripts\Logon\1\0]"Script"=GPR-QARegistration.bat.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver".R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1y60x64.sys [x]R3 enstart64_;enstart64_;c:\windows\system32\enstart64_.sys;c:\windows\SYSNATIVE\enstart64_.sys [x]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]R3 mferkdet;McAfee Inc. 
mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]R3 RadiaMsi;RadiaMsi;c:\windows\system32\DRIVERS\radiamsi.sys;c:\windows\SYSNATIVE\DRIVERS\radiamsi.sys [x]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]R4 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]R4 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]R4 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe;c:\windows\CCM\RemCtrl\CmRcService.exe [x]R4 enstart64;enstart64;c:\windows\system32\enstart64.exe;c:\windows\SYSNATIVE\enstart64.exe [x]R4 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe 
[x]R4 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]R4 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]R4 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe;c:\program files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [x]R4 NetClientSvc;AT&T Global Network Client Service;c:\program files (x86)\AT&T Global Network Client\NetClientSvc.exe;c:\program files (x86)\AT&T Global Network Client\NetClientSvc.exe [x]R4 NetLogSvc;NetLogSvc;c:\progra~2\AT&TGL~1\NETLOG~1.EXE;c:\progra~2\AT&TGL~1\NETLOG~1.EXE [x]R4 Radexecd;HP OVCM Notify Daemon;c:\program files (x86)\Hewlett-Packard\HPCA\Agent\radexecd.exe;c:\program files (x86)\Hewlett-Packard\HPCA\Agent\radexecd.exe [x]R4 Radsched;HP OVCM Scheduler Daemon;c:\program files (x86)\Hewlett-Packard\HPCA\Agent\radsched.exe;c:\program files (x86)\Hewlett-Packard\HPCA\Agent\radsched.exe [x]R4 Radstgms;HP OVCM MSI Redirector;c:\program files (x86)\Hewlett-Packard\HPCA\Agent\Radstgms.exe;c:\program files (x86)\Hewlett-Packard\HPCA\Agent\Radstgms.exe [x]R4 TeamViewer6;TeamViewer 6;c:\program files (x86)\Teamviewer\Version6\TeamViewer_Service.exe;c:\program files (x86)\Teamviewer\Version6\TeamViewer_Service.exe [x]R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]S0 mfewfpk;McAfee Inc. 
mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]S1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;c:\windows\system32\DRIVERS\dwvkbd64.sys;c:\windows\SYSNATIVE\DRIVERS\dwvkbd64.sys [x]S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys;c:\windows\SYSNATIVE\DRIVERS\Accelern.sys [x]S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]S3 DwMirror;DwMirror;c:\windows\system32\DRIVERS\DamewareMini.sys;c:\windows\SYSNATIVE\DRIVERS\DamewareMini.sys [x]S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\DRIVERS\O2MDFw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\O2MDFw7x64.sys [x]..--- Other Services/Drivers In Memory ---.*Deregistered* - mfeavfk01.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]2014-01-20 16:19 1211672 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe.Contents of the 'Scheduled Tasks' folder.2014-05-03 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-590445608-1855731889-617630493-16148.job- c:\program files (x86)\Citrix\GoToMeeting\1350\g2mupdate.exe [2014-03-09 11:23].2014-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-20 
16:19]
.
2014-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-20 16:19]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: aplverhubp1
Trusted Zone: cyberu.com
Trusted Zone: enrollment.com
Trusted Zone: enrollment.com\www
Trusted Zone: global.pvt\*.pbi
Trusted Zone: imaginatik.com
Trusted Zone: onbaseonline.com
Trusted Zone: pb.com
Trusted Zone: pb.com\*.ct
Trusted Zone: pitneybowes.ca
Trusted Zone: pitneybowes.com
Trusted Zone: recruitsoft.com
Trusted Zone: spoverhubp1
Trusted Zone: taleo.net
Trusted Zone: teampbbi.com
Trusted Zone: trowerprice.com
Trusted Zone: yammer.com
TCP: DhcpNameServer = 97.64.209.36 97.64.168.13
TCP: Interfaces\{06E9EBD5-11DC-470A-A08B-A360B11AB8D4}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{6004D317-69E6-4539-AB94-EDB8BA1C35B7}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{8D509A9E-040E-4630-932F-5F000B853C70}: NameServer = 8.8.8.8,8.8.8.8
TCP: Interfaces\{A0A9CF3D-7CBC-4900-A019-EE921C2792A3}: NameServer = 8.8.8.8,8.8.8.8
FF - ProfilePath - c:\users\RI519MA\AppData\Roaming\Mozilla\Firefox\Profiles\omlphnyp.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKU-Default-Run-fcperf - c:\windows\system32\mcbudmin.exe
SafeBoot-41696420.sys
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) 
(Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash 
Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.11".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory Object".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 
1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
.
**************************************************************************
.
Completion time: 2014-05-03 18:02:56 - machine was rebooted
ComboFix-quarantined-files.txt 2014-05-03 23:02
.
Pre-Run: 449,719,476,224 bytes free
Post-Run: 449,238,851,584 bytes free
.
- - End Of File - - 12F14CEFBC0F135470848121D8E7E9935C616939100B85E558DA92B899A0FC36

and here are the last two roguekiller logs:

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : RI519MA [Admin rights]
Mode : Scan -- Date : 05/02/2014 16:24:02
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9500420AS ATA Device +++++
--- User ---
[MBR] f8ce7873170e4023808c45c9b55da4fb
[BSP] 79941dfac347f38b8aee0ccc48a0a599 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_05022014_162402.txt >>
RKreport[0]_D_04082014_095407.txt;RKreport[0]_D_05012014_101701.txt;RKreport[0]_S_04202014_101902.txt
RKreport[0]_S_05012014_101211.txt

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : RI519MA [Admin rights]
Mode : Scan -- Date : 05/03/2014 11:03:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9500420AS ATA Device +++++
--- User ---
[MBR] f8ce7873170e4023808c45c9b55da4fb
[BSP] 79941dfac347f38b8aee0ccc48a0a599 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_05032014_110345.txt >>
RKreport[0]_D_04082014_095407.txt;RKreport[0]_D_05012014_101701.txt;RKreport[0]_S_04202014_101902.txt
RKreport[0]_S_05012014_101211.txt;RKreport[0]_S_05022014_162402.txt

Because I got combofix to run I did not do FRST, should I?
  8. Here are the roguekiller logs if you can still help me:

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : RI519MA [Admin rights]
Mode : Scan -- Date : 05/01/2014 10:12:12
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKUS\.DEFAULT\[...]\Run : fj1GRrgnJ26w7kM6c1i5Ro+AZQ== ("C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\syskey.exe" [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-18\[...]\Run : fj1GRrgnJ26w7kM6c1i5Ro+AZQ== ("C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\syskey.exe" [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ][PUM] HKLM\[...]\Wow6432Node\[...]\SystemRestore : DisableSR (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9500420AS ATA Device +++++
--- User ---
[MBR] f8ce7873170e4023808c45c9b55da4fb
[BSP] 79941dfac347f38b8aee0ccc48a0a599 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[0]_S_05012014_101211.txt >>
RKreport[0]_D_04082014_095407.txt;RKreport[0]_S_04202014_101902.txt

Second log:

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com

I went to run the combofix and it turns out McAfee Enterprise software is running on the laptop. I tried to shut it off but everything that allows me to turn it off is greyed out ... even the checkbox preventing it from being turned off. It appears to be asking for a password to turn it off ... does that mean I need to contact my company's IT center for that password? My fear is they will just ask me to send the laptop in which results in a reimage and massive loss of data. Thank you for your patience Mr C. I appreciate your help. At this point the audio has stopped. My screen saver is corrupt, though, and most excel/ppt files on this laptop appear to be corrupt also.
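The `[RUN][SUSP PATH]` lines in the RogueKiller log above are a path-based heuristic: a Run value whose target lives in a profile or temp directory, registered under the SYSTEM / default-user hive, with a value name that is base64 rather than a product name. The script below is an added example (not the poster's, and not RogueKiller's or any other tool's code) that reproduces that triage over constructed sample entries. The first three entries are taken from the logs in this thread (the `syskey.exe` autoruns above and the `fcperf` value ComboFix later removed as an orphan); the last two are benign entries from the DDS log, included for contrast. The directory list and the scoring are assumptions, not a documented rule of any tool.

```python
"""Triage Windows Run-key entries by launch path, hive and value name.

Added example. SAMPLE_RUN_ENTRIES is constructed from the RogueKiller and
DDS lines posted in this thread; the heuristics below are assumptions about
what makes an autorun worth a closer look, not a verdict on the file.
"""
import base64
import binascii
import re

# (hive\key, value name, command line) - constructed from the thread's logs.
SAMPLE_RUN_ENTRIES = [
    ("HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "fj1GRrgnJ26w7kM6c1i5Ro+AZQ==",
     r'"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\syskey.exe"'),
    ("HKU\\S-1-5-18\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "fj1GRrgnJ26w7kM6c1i5Ro+AZQ==",
     r'"C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\syskey.exe"'),
    ("HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "fcperf", r"C:\Windows\System32\mcbudmin.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "SunJavaUpdateSched", r'"C:\Program Files (x86)\Java\jre6\bin\jusched.exe"'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "GoToMeeting", r'"C:\Program Files (x86)\Citrix\GoToMeeting\1350\g2mstart.exe" "/Trigger RunAtLogon"'),
]

# Directories a persisted binary should not normally run from (assumed list).
SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData\\(Roaming|Local|LocalLow)|Temp|ProgramData|"
    r"config\\systemprofile|Users\\Public|\$Recycle\.Bin)\\",
    re.IGNORECASE)

# Run keys under these hives belong to SYSTEM / the default profile, where
# ordinary user software has no business registering an autorun.
SYSTEM_HIVES = ("HKU\\.DEFAULT", "HKU\\S-1-5-18", "HKUS\\.DEFAULT", "HKUS\\S-1-5-18")


def image_path(command):
    """Return the executable path from a Run value: the quoted token if the
    command starts with a quote, else the first token ending in a script or
    binary extension, else the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(\S+?\.(exe|dll|bat|cmd|vbs|js|scr))\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def looks_generated(name):
    """True when the value name is valid base64 (length a multiple of 4, at
    least 16 chars, containing a digit, '+', '/' or padding) that decodes to
    mostly non-printable bytes, i.e. random data rather than a product name."""
    if len(name) < 16 or len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
        return False
    if not re.search(r"[0-9+/]|=$", name):
        return False
    try:
        raw = base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable < 0.8 * len(raw)


def triage(entries):
    """Return [(key, name, path, reasons)] for entries with at least one
    reason to look closer. Entries with no reasons are omitted."""
    findings = []
    for key, name, command in entries:
        path = image_path(command)
        reasons = []
        if SUSPICIOUS_DIRS.search(path):
            reasons.append("runs from a user-writable or profile directory")
        if key.upper().startswith(SYSTEM_HIVES):
            reasons.append("autorun under the SYSTEM/default-user hive")
        if looks_generated(name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for key, name, path, reasons in triage(SAMPLE_RUN_ENTRIES):
        print(f"{key}\n  [{name}] -> {path}")
        for r in reasons:
            print(f"    - {r}")
```

On the sample, both `syskey.exe` entries fire all three reasons and `fcperf` fires only the hive check, which is consistent with RogueKiller tagging the former `[SUSP PATH]` and leaving the latter to be picked up elsewhere; the two Program Files entries produce nothing. To run this against a live machine you would feed `triage()` the output of enumerating the Run keys (for example with `winreg`), which is deliberately left out so the example stays offline.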
  9. Mr C, Thank you for the help! Here are the logs you requested:

[malwarebytes]

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/20/2014
Scan Time: 9:49:44 AM
Logfile: malwarebytes scan.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.04.20.05
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: RI519MA

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382837
Time Elapsed: 22 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 12
Trojan.FakeMS, C:\Windows\System32\rpcss.dll, , [60aca60f1f249d358ae9b4ae5ab9e060], 
Spyware.Zbot.VXGen, C:\Windows\SysWOW64\mcbudmin.exe, , [44bc629e936d58a889e9362e98697090], 
Spyware.Zbot.VXGen, c:\Windows\Temp\~tmf8903395520732507239.tmp, , [c33dbb459b65c13fb3bf5014f30e15eb], 
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (79.142.66.242 www.google-analytics.com.), ,[7e822fd1a95702fea2ff87cd5ba9b64a]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (79.142.66.242 google-analytics.com.), ,[a75937c967996b959c05b2a27292d030]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (79.142.66.242 connect.facebook.net.), ,[1ce4dc246e92fa06f4ad6ee6758f17e9]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (79.142.66.242 bing.com.), ,[25dbfc044db38080178a8dc78d77a35d]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (79.142.66.242 www.bing.com.), ,[be4202fecc347a86d3ce69eb8f7509f7]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (146.0.75.221 www.google-analytics.com.), ,[2bd50ef2eb1529d7781c302530d4e719]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (146.0.75.221 google-analytics.com.), ,[8a766c9452aead53a8ecc095a95b827e]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (146.0.75.221 connect.facebook.net.), ,[7f8170906e922ed23c58d67fd82cfc04]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (146.0.75.221 bing.com.), ,[659b956b2ed2bc448f052b2ade2629d7]
Hijack.Host, C:\Windows\System32\drivers\etc\hosts, Good: (), Bad: (146.0.75.221 www.bing.com.), ,[857baa56b94759a7eba98acbcc3843bd]

Physical Sectors: 0
(No malicious items detected)

(end)

[dds logs]

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514
Run by RI519MA at 10:06:00 on 2014-04-20
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3977.2340 [GMT -5:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Windows\dwrcs\dwrcs.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\AT&T Global Network Client\netcfgsvr.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radexecd.exe
C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radsched.exe
C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\Radstgms.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\CCM\CcmExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\enstart64.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Teamviewer\Version6\TeamViewer_Service.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Policy Platform\policyHost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\PROGRA~2\AT&TGL~1\NETLOG~1.EXE
C:\Windows\dwrcs\DWRCST.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Teamviewer\Version6\TeamViewer.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files (x86)\Citrix\GoToMeeting\1350\g2mstart.exe
C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe
C:\Program Files (x86)\Citrix\GoToMeeting\1350\g2mcomm.exe
C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files (x86)\TechSmith\Snagit 11\TSCHelp.exe
C:\Program Files (x86)\Citrix\GoToMeeting\1350\g2mlauncher.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files (x86)\TechSmith\Snagit 11\SnagPriv.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\CCM\SCNotification.exe
C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Program Files (x86)\TechSmith\Snagit 11\snagiteditor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\splwow64.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130820160039.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
uRun: [NetSP - restore settings on power failure] "C:\Program Files (x86)\AT&T Global Network Client\NetSP.exe" -show
uRun: [GoToMeeting] "C:\Program Files (x86)\Citrix\GoToMeeting\1350\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Radia Connect] C:\PROGRA~2\HEWLET~1\HPCA\Agent\radskman.exe cat=m,ulogon=n,mname=Radia,dname=software,ind=n,ask=y,hreboot=y,uid=$machine,startdir=$user,context=U,userfreq=0,cop=y,log=connect_User_Software.log
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [fcperf] C:\Windows\System32\mcbudmin.exe
dRun: [fj1GRrgnJ26w7kM6c1i5Ro+AZQ==] 
"C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\syskey.exe"StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AT&TGL~1.LNK - C:\Windows\Installer\{433657FC-710A-4A06-85FD-709C3F98D3DB}\NetGM1_89563E53ECF44E868145468A128BDC83.exeStartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAGIT~1.LNK - C:\Program Files (x86)\TechSmith\Snagit 11\Snagit32.exeuPolicies-Explorer: NoDriveTypeAutoRun = dword:145mPolicies-Explorer: NoActiveDesktop = dword:1mPolicies-Explorer: NoActiveDesktopChanges = dword:1mPolicies-Explorer: NoDriveTypeAutoRun = dword:255mPolicies-System: ConsentPromptBehaviorUser = dword:3mPolicies-System: EnableUIADesktopToggle = dword:0mPolicies-System: PromptOnSecureDesktop = dword:0mPolicies-System: HideFastUserSwitching = dword:0mPolicies-System: MaxGPOScriptWait = dword:6000IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dllIE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}Trusted Zone: aplverhubp1Trusted Zone: cyberu.comTrusted Zone: enrollment.comTrusted Zone: imaginatik.comTrusted Zone: onbaseonline.comTrusted Zone: pb.comTrusted Zone: pitneybowes.caTrusted Zone: pitneybowes.comTrusted Zone: recruitsoft.comTrusted Zone: spoverhubp1Trusted Zone: taleo.netTrusted Zone: teampbbi.comTrusted Zone: trowerprice.comTrusted Zone: yammer.comTCP: NameServer = 97.64.209.36 97.64.168.13TCP: Interfaces\{06E9EBD5-11DC-470A-A08B-A360B11AB8D4} : NameServer = 8.8.8.8,8.8.8.8TCP: Interfaces\{6004D317-69E6-4539-AB94-EDB8BA1C35B7} : NameServer = 8.8.8.8,8.8.8.8TCP: 
Interfaces\{6004D317-69E6-4539-AB94-EDB8BA1C35B7} : DHCPNameServer = 97.64.209.36 97.64.168.13TCP: Interfaces\{6004D317-69E6-4539-AB94-EDB8BA1C35B7}\05D294E647 : DHCPNameServer = 161.228.215.112 161.228.215.213 152.144.145.136 152.144.114.135TCP: Interfaces\{8D509A9E-040E-4630-932F-5F000B853C70} : NameServer = 8.8.8.8,8.8.8.8TCP: Interfaces\{A0A9CF3D-7CBC-4900-A019-EE921C2792A3} : NameServer = 8.8.8.8,8.8.8.8Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: 
application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllFilter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dllHandler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dllHandler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dllAppInit_DLLs= C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dllSSODL: WebCheck - <orphaned>SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLLmASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.76\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chromex64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLLx64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130820160038.dllx64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLLx64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllx64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exex64-Run: [Persistence] 
C:\Windows\System32\igfxpers.exex64-Run: [igfxTray] C:\Windows\System32\igfxtray.exex64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exex64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exex64-Run: [DameWare MRC Agent] C:\Windows\dwrcs\DWRCST.exex64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dllx64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dllx64-Trusted Zone: aplverhubp1x64-Trusted Zone: cyberu.comx64-Trusted Zone: enrollment.comx64-Trusted Zone: imaginatik.comx64-Trusted Zone: onbaseonline.comx64-Trusted Zone: pb.comx64-Trusted Zone: pitneybowes.cax64-Trusted Zone: pitneybowes.comx64-Trusted Zone: recruitsoft.comx64-Trusted Zone: spoverhubp1x64-Trusted Zone: taleo.netx64-Trusted Zone: teampbbi.comx64-Trusted Zone: trowerprice.comx64-Trusted Zone: yammer.comx64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=MS936 - 
{CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>x64-Notify: igfxcui - igfxdev.dllx64-SSODL: WebCheck - <orphaned>x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.================= FIREFOX ===================.FF - ProfilePath - C:\Users\RI519MA\AppData\Roaming\Mozilla\Firefox\Profiles\omlphnyp.default\FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLLFF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLLFF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dllFF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dllFF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dllFF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dllFF - plugin: C:\Users\RI519MA\AppData\Local\Citrix\Plugins\104\npappdetector.dllFF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll.============= SERVICES / DRIVERS ===============.R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2012-10-2 665768]R0 mfewfpk;McAfee Inc. 
mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2012-10-2 303464]R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\System32\drivers\stdcfltn.sys [2013-12-10 21616]R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2012-5-17 93272]R1 dwvkbd;DameWare Virtual Keyboard 64 bit Driver;C:\Windows\System32\drivers\dwvkbd64.sys [2008-3-13 30720]R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-7-5 89600]R2 enstart64;enstart64;C:\Windows\System32\enstart64.exe [2011-5-1 1508864]R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-4-7 1809720]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-4-7 857912]R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [2010-3-25 226624]R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2012-8-21 132712]R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2012-10-2 201864]R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2011-1-12 209760]R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2012-10-2 170440]R2 NetClientSvc;AT&T Global Network Client Service;C:\Program Files (x86)\AT&T Global Network Client\NetClientSvc.exe [2009-6-9 336152]R2 Radexecd;HP OVCM Notify Daemon;C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radexecd.exe [2011-11-8 337640]R2 Radsched;HP OVCM Scheduler Daemon;C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radsched.exe [2011-11-8 235240]R2 Radstgms;HP OVCM MSI Redirector;C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radstgms.exe [2011-11-8 366312]R2 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\Teamviewer\Version6\TeamViewer_Service.exe [2011-4-15 2285432]R3 
Acceler;Accelerometer Service;C:\Windows\System32\drivers\Accelern.sys [2013-12-10 27760]R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-9-21 172960]R3 cvusbdrv;Dell ControlVault;C:\Windows\System32\drivers\cvusbdrv.sys [2012-7-5 38440]R3 DwMirror;DwMirror;C:\Windows\System32\drivers\DamewareMini.sys [2008-3-14 5632]R3 enstart64_;enstart64_;C:\Windows\System32\enstart64_.sys [2011-5-1 84296]R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-7-5 317440]R3 lpasvc;Microsoft Policy Platform Local Authority;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-4-7 25816]R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-4-7 119512]R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2012-10-2 274880]R3 NetLogSvc;NetLogSvc;C:\PROGRA~2\AT&TGL~1\NETLOG~1.EXE [2009-6-9 68888]R3 O2MDFRDR;O2MDFRDR;C:\Windows\System32\drivers\o2mdfw7x64.sys [2012-7-5 72808]R3 RadiaMsi;RadiaMsi;C:\Windows\System32\drivers\radiamsi.sys [2011-8-12 42808]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]S3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y60x64.sys [2009-6-10 281088]S3 lppsvc;Microsoft Policy Platform Processor;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]S3 mferkdet;McAfee Inc. 
mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2012-10-2 101200]S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-3-21 19456]S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-3-21 29696]S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-3-21 57856]S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-3-21 30208]S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-1 1255736]S4 CmRcService;Configuration Manager Remote Control;C:\Windows\CCM\RemCtrl\CmRcService.exe [2012-11-21 633952].=============== Created Last 30 ================.2014-04-09 18:36:36 34638 ----a-w- C:\uninstall.exe2014-04-08 20:13:30 -------- d-----w- C:\Quarantine2014-04-08 14:28:19 -------- d-----w- C:\Windows\pss2014-04-07 15:21:26 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys2014-04-07 15:21:09 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys2014-04-07 15:21:09 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys2014-04-07 15:21:09 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys2014-04-07 15:21:08 -------- d-----w- C:\ProgramData\Malwarebytes2014-04-07 15:21:08 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware2014-04-07 15:20:55 -------- d-----w- C:\Users\RI519MA\AppData\Local\Programs2014-04-07 15:04:37 -------- d-----w- C:\Windows\ERUNT2014-04-07 15:01:58 -------- 
d-----w- C:\Users\RI519MA\AppData\Local\VirtualStore2014-04-07 14:20:10 -------- d-----w- C:\AdwCleaner2014-04-04 18:50:25 70656 ----a-w- C:\Users\RI519MA\AppData\Roaming\erijwq.dll2014-04-04 18:50:25 3727872 ----a-w- C:\Users\RI519MA\AppData\Roaming\mmvmvzf.dll.==================== Find3M ====================.2014-04-20 14:55:52 84296 ----a-w- C:\Windows\System32\enstart64_.sys2014-03-17 03:16:04 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2014-03-17 03:16:04 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe.============= FINISH: 10:06:48.68 =============== .UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2012-11-20.01).Microsoft Windows 7 Enterprise Boot Device: \Device\HarddiskVolume1Install Date: 12/10/2013 2:26:02 PMSystem Uptime: 4/20/2014 9:53:15 AM (1 hours ago).Motherboard: Dell Inc. | | 0K0DNPProcessor: Intel® Core i5-2520M CPU @ 2.50GHz | CPU 1 | 2501/100mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 466 GiB total, 415.257 GiB free.D: is CDROM ()E: is Removable.==== Disabled Device Manager Items =============.Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}Description: AGN Virtual Network AdapterDevice ID: ROOT\NET\0000Manufacturer: AT&TName: AGN Virtual Network AdapterPNP Device ID: ROOT\NET\0000Service: avpnnic.==== System Restore Points ===================.RP37: 2/2/2014 7:18:47 PM - Scheduled CheckpointRP38: 2/2/2014 7:36:40 PM - Installed Magic OnlineRP39: 2/14/2014 12:00:05 AM - Scheduled CheckpointRP40: 2/28/2014 12:00:05 AM - Scheduled CheckpointRP41: 3/14/2014 7:21:13 AM - Scheduled CheckpointRP42: 3/24/2014 4:21:18 PM - Scheduled CheckpointRP43: 4/4/2014 12:00:05 AM - Scheduled Checkpoint.==== Installed Programs ======================.64 Bit HP CIO Components Installer6500_E709_BasicWeb6500_E709_Help_BasicWebAccellion Email Plug-in for Microsoft OutlookAdobe AIRAdobe Flash Player 11 ActiveXAdobe Flash Player 12 PluginAdobe Reader XI (11.0.02)AT&T 
Global Network Client Managed VPN Editionbpd_scanBPDSoftware_IniBufferChmCitrix Authentication ManagerCitrix Online LauncherCitrix ReceiverCitrix Receiver (HDX Flash Redirection)Citrix Receiver InsideCitrix Receiver(Aero)Citrix Receiver(DV)Citrix Receiver(USB)Configuration Manager ClientDameWare Development Mirror Driver 64 UninstallDameWare Mini Remote Control ServiceDell TouchpadDell Webcam CentralGoogle ChromeGoogle Update HelperGoToMeeting 6.2.0.1350Hitachi ID Password Manager Credential ProviderHP Client Automation Application Manager AgentHP Officejet 6500 E709 SeriesJava 6 Update 14Java 6 Update 14 (64-bit)join.meMagic OnlineMalwarebytes Anti-Malware version 2.0.1.1004McAfee AgentMcAfee SiteAdvisor Enterprise PlusMcAfee VirusScan EnterpriseMcAfeeReg_1.0.0Microsoft .NET Framework 4 Client ProfileMicrosoft .NET Framework 4 ExtendedMicrosoft Application Error ReportingMicrosoft Application Virtualization Desktop ClientMicrosoft Conferencing Add-in for Microsoft Office OutlookMicrosoft Office 2010 Service Pack 1 (SP1)Microsoft Office Access MUI (English) 2010Microsoft Office Access Setup Metadata MUI (English) 2010Microsoft Office Communicator 2007 R2Microsoft Office Excel MUI (English) 2010Microsoft Office Groove MUI (English) 2010Microsoft Office InfoPath MUI (English) 2010Microsoft Office Live Meeting 2005 Replay WrapperMicrosoft Office Live Meeting 2007Microsoft Office Office 64-bit Components 2007Microsoft Office Office 64-bit Components 2010Microsoft Office OneNote MUI (English) 2010Microsoft Office Outlook MUI (English) 2010Microsoft Office PowerPoint MUI (English) 2010Microsoft Office Professional Plus 2010Microsoft Office Proof (English) 2007Microsoft Office Proof (English) 2010Microsoft Office Proof (French) 2007Microsoft Office Proof (French) 2010Microsoft Office Proof (Spanish) 2007Microsoft Office Proof (Spanish) 2010Microsoft Office Proofing (English) 2007Microsoft Office Proofing (English) 2010Microsoft Office Publisher MUI (English) 2010Microsoft 
Office Shared 64-bit MUI (English) 2007Microsoft Office Shared 64-bit MUI (English) 2010Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010Microsoft Office Shared MUI (English) 2007Microsoft Office Shared MUI (English) 2010Microsoft Office Shared Setup Metadata MUI (English) 2007Microsoft Office Shared Setup Metadata MUI (English) 2010Microsoft Office Visio MUI (English) 2007Microsoft Office Visio Standard 2007Microsoft Office Word MUI (English) 2010Microsoft Policy PlatformMicrosoft SilverlightMicrosoft Visio Viewer 2010Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2005 Redistributable (x64)Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Mozilla Firefox 28.0 (x86 en-US)Mozilla Maintenance ServiceNetwork64Online Plug-inPitney Bowes Globe ScreensaverSAFE ServletScanSecurity Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)Security Update for Microsoft .NET 
Framework 4 Client Profile (KB2858302v2)Security Update for Microsoft .NET Framework 4 Extended (KB2487367)Security Update for Microsoft .NET Framework 4 Extended (KB2656351)Security Update for Microsoft .NET Framework 4 Extended (KB2736428)Security Update for Microsoft .NET Framework 4 Extended (KB2742595)Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)Self-service Plug-inSnagit 11TeamSpeak 3 ClientTeamViewer 6 HostTeamViewer 6 Host (MSI Wrapper)ToolboxUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update for Microsoft .NET Framework 4 Client Profile (KB2600217)Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)Update for Microsoft .NET Framework 4 Extended (KB2468871)Update for Microsoft .NET Framework 4 Extended (KB2533523)Update for Microsoft .NET Framework 4 Extended (KB2600217)Update for Microsoft .NET Framework 4 Extended (KB2836939v3)WebExWebRegWindows XP Mode.==== Event Viewer Messages From Past Week ========.4/20/2014 9:56:27 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .4/20/2014 9:53:41 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain PBI due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. 
Otherwise, this computer sets up the secure session to any domain controller in the specified domain.4/20/2014 9:09:01 AM, Error: Service Control Manager [7023] - The Power service terminated with the following error: The WMI request could not be completed and should be retried.4/20/2014 10:01:35 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.4/20/2014 10:01:30 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.4/15/2014 4:07:19 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.4/14/2014 8:20:07 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SMS Agent Host service to connect.4/14/2014 8:20:07 AM, Error: Service Control Manager [7000] - The SMS Agent Host service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.4/14/2014 8:18:51 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer RI519MA-KSC1 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{6004D317-69E6-4539-AB94-EDB8BA1C35B7}. The master browser is stopping or an election is being forced.4/14/2014 2:14:59 PM, Error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. 
Thanks again!
  10. I've downloaded 6-7 different scans mentioned on different threads but none have worked. It's a work laptop and now my Excel and PowerPoint files are corrupt and I cannot open them. Windows 7 Dell Latitude - fairly new. Any help would be greatly appreciated!