
PerfectKeyLogger - can't find it/remove it



hi -

I've read an older post here (2014) about this, but that person didn't follow through and it was closed.

https://forums.malwarebytes.org/index.php?/topic/157498-keylogger-removal-help/

 

Following that page -- I'm not running anti-virus.

I did steps 1 & 2.  I was unable to do step 3.  After starting the "threat" scan, I quickly got this message:

"Malwarebytes was unable to load the Anti-Rootkit DDA Driver, this error may be caused by rootkit activity.  Do you want to reboot the system and attempt to install the Driver?  (If you don't choose to reboot, Anti-Rootkit scanning will be disabled for this session)."

I chose "No."

 

I found older "fixes" for going into the registry.  The Symantec one was, I think, from 2009.  The other...I don't remember.  At any rate, for both of those fixes, the keys, etc. they said to either locate/navigate to, and/or delete, were not there.  I assume the malware turds changed where things get deposited.

http://www.symantec.com/security_response/writeup.jsp?docid=2003-100210-1458-99&tabid=3

 

 

I was on some questionable sites last night.  This morning, the laptop had the BSOD (I had not done a shut-down).  After restarting in Normal mode, I noticed some strange things, like my wireless mouse would no longer work (although the ports worked for other things).

I have the "Windows 7 Build 7601 This copy of Windows is not genuine" in the lower right corner of the desktop, although the desktop never went black, and it appears "normal."

 

Unrelated (it was occurring before the infection...I think before)--I haven't been able to update Windows.  The Windows updater is missing.  I may have deleted it at some point, because the computer was running so slowly and someone somewhere probably said to delete it?  Anyway, I haven't been able to install the critical update from last week.  Other than that...seems like there was something specific I was going to look into.  I can't remember.  But in general, the machine is just slow/lags.

I haven't yet resolved the windows update issue--have tried several fixes, but none worked.

 

Anyway, posting this now while I'm out here trying to resolve this (at least one of the issues--the KeyLogger seems much more important).  I won't be able to respond before late tonight, if anyone responds to me today.

 

Thank you very much for any assistance you can provide!

 

 


I remembered what the other thing was--Word seems to just randomly crash every so often.  Often enough that I've gone and set the Autosave to, like, every 5 minutes because I was losing so much work.  It's Office 2000 (yeah, yeah--I don't have the money to re-buy essentially the same program.)

 

Again, this has been happening for a while, long before this KeyLogger thing.

Oh, the reason I know it's PerfectKeyLogger--I was running a Spybot scan and just happened to glance at the screen while it was looking at all the activity of "PerfectKeyLogger," which I knew was not a program I'd installed.  It, of course, did not show up in the installed programs via Control Panel.


Hello and welcome to Malwarebytes.org

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Next,

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Next,

Follow the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next,

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Recommend you use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either accept the alert or disable your security and allow FRST to run...

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.



Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
  • Post back the report which should also be located here:



C:\Programdata\RogueKiller\Logs <-------- W7/8
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP


Let me see those logs in your reply....

Thank you,

Kevin...
 


Apologies for the slow response.  I got caught at work the last 2 nights.  And thank you very much for your help in this.  There have been more strange things since my last response, but I won't detail them unless you ask.  I forgot to say before--Asus laptop, Windows 7 Home Premium, SP1, 64-bit.  I usually use Firefox, but have resorted to IE for this fix.

 

I set all defaults as you requested (most were already that way) except that instead of downloading directly to the desktop, there is a folder on the desktop named "WinUpdate fix AND PerfectKeyLogger."  I already had that folder going, so just continued using it.

 

MBAM is already installed.  In fact, I had read thru another post here about using Chameleon.  I started using that; both buttons #1 and #2 brought up the "DDA driver uninstalled, allow restart?" pop-up window; both times I said "no," and both times it ran a scan anyway (both of which found zero threats).

 

Then I followed your instructions, and with the settings as noted, ran a scan.  Immediately got the DDA driver pop-up window; selected "yes," as instructed.  The computer did a restart, and came up with MBAM running and open to where it had been.  Immediately, the DDA driver pop-up window appeared.  I selected "yes" again.  AGAIN, the computer restarted, MBAM was running, and immediately, the DDA driver pop-up window appeared.  The third time, I selected "no" and MBAM ran a scan which was probably exactly the same as Chameleon had run twice previously.  That log is pasted here, and I'm going to continue on to your next steps.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/30/2015
Scan Time: 10:53 PM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.31.01
Rootkit Database: v2015.07.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 340067
Time Elapsed: 5 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


Thought I might as well post the logs of the 2 scans performed using Chameleon:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/30/2015
Scan Time: 10:09 PM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.31.01
Rootkit Database: v2015.07.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 341471
Time Elapsed: 5 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/30/2015
Scan Time: 9:50 PM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.31.01
Rootkit Database: v2015.07.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 341428
Time Elapsed: 14 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

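The two Chameleon logs above report "Rootkits: Disabled", while the log in the previous reply reports "Rootkits: Enabled"; all three show zero detections. A zero-detection scan in which the rootkit component never ran says nothing about a kernel-mode rootkit, and that component is exactly what the DDA driver error switches off. The Python below is an added example for this thread, not code from Malwarebytes or from anyone posting here: it parses logs in the format posted above and returns "inconclusive" for a zero-detection scan that ran with rootkit scanning off. The sample logs are abridged, constructed copies of that format, and the detection entry in the third variant is made up.

```python
"""Parse Malwarebytes Anti-Malware 2.x scan logs and decide whether a
"clean" result is conclusive. Added example for this thread, not
Malwarebytes' own code; the log format follows the logs posted above and
the sample logs below are abridged, constructed copies of that format."""
import re

# Detection-count summary lines, e.g. "Registry Keys: 0" or "Files: 1"
CATEGORY_RE = re.compile(
    r"^(Processes|Modules|Registry Keys|Registry Values|Registry Data|"
    r"Folders|Files|Physical Sectors): (\d+)$"
)


def parse_mbam_log(text):
    """Return (settings, counts): settings maps the "Key: Value" header
    lines (Version, Result, Rootkits, ...); counts maps each detection
    category to the integer on its summary line."""
    settings, counts = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CATEGORY_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
        elif ": " in line:
            key, _, value = line.partition(": ")
            settings[key] = value
        elif line.endswith(":"):  # the value-less "Logfile:" line
            settings[line[:-1]] = ""
    return settings, counts


def assess_log(text):
    """Summarise a log and give a verdict:
    "detections"   - some category reported a non-zero count
    "clean"        - completed, zero detections, rootkit scanning was on
    "inconclusive" - zero detections, but the scan did not complete or the
                     rootkit component did not run (as when the DDA driver
                     is refused), so a kernel rootkit was never looked for
    """
    settings, counts = parse_mbam_log(text)
    total = sum(counts.values())
    completed = settings.get("Result") == "Completed"
    rootkit_scan = settings.get("Rootkits") == "Enabled"
    if total > 0:
        verdict = "detections"
    elif completed and rootkit_scan:
        verdict = "clean"
    else:
        verdict = "inconclusive"
    return {"scan_date": settings.get("Scan Date"), "completed": completed,
            "rootkit_scan": rootkit_scan, "total_detections": total,
            "verdict": verdict}


# Constructed sample: abridged log in the posted format, from a run where
# the rootkit component did not load.
LOG_ROOTKIT_DISABLED = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/30/2015
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.31.01
License: Free

Scan Type: Threat Scan
Result: Completed
Time Elapsed: 5 min, 12 sec

Memory: Enabled
Rootkits: Disabled
Heuristics: Enabled

Processes: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

(end)
"""

# Constructed variants: rootkit scanning on, and one made-up file detection.
LOG_ROOTKIT_ENABLED = LOG_ROOTKIT_DISABLED.replace(
    "Rootkits: Disabled", "Rootkits: Enabled")
LOG_WITH_DETECTION = LOG_ROOTKIT_ENABLED.replace(
    "Files: 0\n(No malicious items detected)",
    "Files: 1\nTrojan.Example.Constructed, C:\\Users\\example\\bad.exe, Quarantined")

if __name__ == "__main__":
    for name, log in [("rootkits off", LOG_ROOTKIT_DISABLED),
                      ("rootkits on", LOG_ROOTKIT_ENABLED),
                      ("one detection", LOG_WITH_DETECTION)]:
        r = assess_log(log)
        print(f"{name:14s} detections={r['total_detections']} "
              f"rootkit_scan={r['rootkit_scan']} -> {r['verdict']}")
```

Run against the three Chameleon/MBAM logs posted in this thread, the two with "Rootkits: Disabled" come back "inconclusive" and only the one with "Rootkits: Enabled" counts as a clean result; the verdict deliberately treats "the rootkit scanner did not run" as a gap in coverage rather than as a pass.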

And, just for sh** and giggles, here's the scan that ran 2 days ago:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/28/2015
Scan Time: 7:46 AM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.28.03
Rootkit Database: v2015.07.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 340874
Time Elapsed: 5 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

There's also a Protection Log for July 28 (also one for July 30).  I know you didn't ask for it, but:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 7/28/2015 6:27 AM, SYSTEM, LAPTOP, Manual, Domain Database, 0.0.0.0, 2015.7.24.2,
Update, 7/28/2015 6:27 AM, SYSTEM, LAPTOP, Manual, Remediation Database, 2015.5.13.1, 2015.7.27.5,
Update, 7/28/2015 6:27 AM, SYSTEM, LAPTOP, Manual, IP Database, 0.0.0.0, 2015.7.24.3,
Update, 7/28/2015 6:27 AM, SYSTEM, LAPTOP, Manual, Rootkit Database, 2015.6.2.1, 2015.7.22.1,
Update, 7/28/2015 6:31 AM, SYSTEM, LAPTOP, Manual, program, 2.1.6.1022, 2.1.8.0,
Error, 7/28/2015 6:31 AM, SYSTEM, LAPTOP, Manual, 0,
Update, 7/28/2015 6:31 AM, SYSTEM, LAPTOP, Manual, Malware Database, Failed, Unable to access update server, 2015.6.3.1, 2015.7.28.2,
Error, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Update, Bad md5 or size: akadomains, 11,
Error, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Update, Bad md5 or size: akaips, 11,
Update, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Manual, Remediation Database, 2015.5.13.1, 2015.7.27.5,
Update, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Manual, IP Database, 0.0.0.0, 2015.7.24.3,
Update, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Manual, Domain Database, 0.0.0.0, 2015.7.24.2,
Update, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Manual, Rootkit Database, 2015.6.2.1, 2015.7.22.1,
Update, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Manual, AKA IP Database, 0.0.0.0, 2015.7.15.1,
Update, 7/28/2015 7:44 AM, SYSTEM, LAPTOP, Manual, AKA Domain Database, 0.0.0.0, 2015.7.28.1,
Update, 7/28/2015 7:45 AM, SYSTEM, LAPTOP, Manual, Malware Database, 2015.6.3.3, 2015.7.28.3,
Scan, 7/28/2015 8:06 AM, SYSTEM, LAPTOP, Manual, Start:7/28/2015 7:46 AM, Duration:5 min 52 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

 

Here's the log for the last scan I ran, before the PerfectKeyLogger thing showed up:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/3/2015
Scan Time: 3:49 AM
Logfile:
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.03.01
Rootkit Database: v2015.06.02.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Diana

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 343144
Time Elapsed: 5 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-07-2015
Ran by Diana (administrator) on LAPTOP (31-07-2015 00:53:03)
Running from C:\Users\Diana\Desktop\WinUpdate fix AND PerfectKeyLogger
Loaded Profiles: Diana (Available Profiles: Diana)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(NETGEAR) C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_IATIJAE.EXE
(NETGEAR Inc.) C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
() C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
() C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
() C:\Program Files (x86)\NETGEAR Genie\bin\genie2_tray.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDGesture.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\SnagIt 6\SnagIt32.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office\WINWORD.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2661672 2012-02-20] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [uSB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-07] (Intel Corporation)
HKLM-x32\...\Run: [jswtrayutil] => "C:\Program Files (x86)\NETGEAR\WNA1100\jswtrayutil.exe"
HKLM-x32\...\Run: [sDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-466896216-3158495083-2059922761-1000\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIJAE.EXE [283232 2012-02-29] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-466896216-3158495083-2059922761-1000\...\Run: [NETGEARGenie] => C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe [602880 2014-12-14] (NETGEAR Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk [2014-01-20]
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2014-03-29]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA1100 Genie.lnk [2015-01-01]
ShortcutTarget: NETGEAR WNA1100 Genie.lnk -> C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe ()
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://duckduckgo.com/
HKU\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-466896216-3158495083-2059922761-1000 -> {3EB6EC02-FE84-404E-B2DB-C19198E6532C} URL = https://www.google.com/search?q={searchTerms}
BHO-x32: E-Web Print -> {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} -> C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll [2014-11-27] (SEIKO EPSON CORPORATION)
Toolbar: HKU\S-1-5-21-466896216-3158495083-2059922761-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [2000-11-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{AD4E691A-05B2-4F09-AD10-FC85D8B5DE68}: [DhcpNameServer] 71.10.216.1 71.10.216.2

FireFox:
========
FF ProfilePath: C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default
FF DefaultSearchEngine: DuckDuckGo
FF DefaultSearchEngine.US: DuckDuckGo
FF Homepage: about:sessionrestore|hxxp://diy.stackexchange.com/questions/53078/dripping-sound-inside-wall/53137#53137|hxxp://tonyortega.org/|hxxp://aattp.org/new-study-shows-that-conservatives-react-more-squeamishly-to-disgusting-images/|hxxp://www.amazon.com/gp/search/ref=sr_nr_p_36_4?bbn=3732191&qid=1416313293&rh=n%3A1055398%2Cn%3A%211063498%2Cn%3A1063252%2Cn%3A1063280%2Cn%3A3732181%2Cn%3A3732191%2Cp_n_size_browse-bin%3A362279011%2Cp_n_feature_keywords_browse-bin%3A7799429011&rnid=386465011&low-price=25&high-price=110&x=9&y=17|hxxp://workplace.stackexchange.com/questions/36368/a-co-worker-is-using-my-cup|https://getadblock.com/installed/?u=bnkooacl64543479|hxxp://www.wbcws.org/|hxxp://www.newscientist.com/article/dn26481-left-or-rightwing-brains-disgust-response-tells-all.html#.VGa4aMlnvtQ|hxxp://www.huffingtonpost.com/2014/11/12/heating-gadgets_n_6147088.html?cps=gravity|hxxp://ideas.time.com/2013/11/26/religious-people-are-more-charitable/|hxxp://www.dailykos.com/story/2014/11/08/1343359/-Man-assaulted-for-being-gay-sends-message-to-his-attacker-and-it-s-amazing?detail=email|hxxp://www.dailykos.com/story/2014/11/08/1343257/-How-Native-Americans-Beat-the-Kochs-in-America-s-Most-Competitive-Congressional-District?detail=email|hxxp://www.dailykos.com/story/2014/11/06/1342751/-Michigan-Dems-Got-More-Votes-and-Still-Lost|hxxp://www.dailykos.com/story/2014/11/11/1343931/-Another-Open-Letter-To-Americans-About-Midterms-This-Time-From-Canada-This-One-Hurts?detail=email|hxxp://www.aspca.org/blog/strong-sentences-handed-down-alabama-court-historic-dog-fighting-case?ms=em_new_blogpost-dogfightingsentences-20141114&initialms=em_new_blogpost-dogfightingsentences-20141114&utm_source=newsalertemail_20141114&utm_medium=email&utm_campaign=newsalert|hxxp://blog.theanimalrescuesite.com/feralshelteridea/|hxxp://nypost.com/2014/08/11/louisiana-gov-defies-christie-helps-cash-strapped-astorino/|https://www.yahoo.com/parenting/dear-santa-sign-stirs-controversy-102370375437.html|hxxp://www.gutenberg.org/ebooks/14980
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-21] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-02-28] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-21] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\searchplugins\duckduckgo.xml [2014-01-18]
FF Extension: Disconnect - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\Extensions\2.0@disconnect.me.xpi [2014-11-25]
FF Extension: AdBlock for Firefox - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\Extensions\jid1-NIfFY2CA8fy1tg@jetpack.xpi [2014-11-18]
FF Extension: Flash Control - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\Extensions\jid1-sNL73VCI4UB0Fw@jetpack.xpi [2015-03-13]
FF Extension: StopTube - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\Extensions\stoptube@kashiif.com.xpi [2015-03-13]
FF Extension: ImTranslator - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\Extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}.xpi [2015-07-21]
FF Extension: Dictionary Lookup Extension - C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\Extensions\{f01f4cbe-b8a8-4c37-94b3-119d8779e7e0}.xpi [2015-07-21]
FF HKLM-x32\...\Firefox\Extensions: [e-webprint@epson.com] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [2015-05-18]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

"4fe70c57aa47e2b2" service could not be unlocked. <===== ATTENTION

R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 HPSLPSVC; C:\Users\Diana\AppData\Local\Temp\7zS252E\hpslpsvc64.dll [1039360 2013-07-19] (Hewlett-Packard Co.) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273168 2011-12-08] ()
R2 NETGEARGenieDaemon; C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [232192 2014-12-14] (NETGEAR)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5495056 2015-06-18] (TeamViewer GmbH)
U2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WSWNA1100; C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe [297440 2011-07-28] ()
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [594704 2011-12-08] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 4fe70c57aa47e2b2; C:\Windows\System32\Drivers\4fe70c57aa47e2b2.sys [75224 2015-05-20] () <===== ATTENTION Necurs Rootkit?
S4 cdfs; C:\Windows\System32\DRIVERS\cdfs.sys [92160 2009-07-13] () [File not signed]
R1 cdrom; C:\Windows\System32\DRIVERS\cdrom.sys [147456 2010-11-20] () [File not signed]
S3 circlass; C:\Windows\system32\drivers\circlass.sys [45568 2009-07-13] () [File not signed]
R0 CLFS; C:\Windows\System32\CLFS.sys [367696 2009-07-13] () [File not signed]
R3 CmBatt; C:\Windows\System32\DRIVERS\CmBatt.sys [17664 2009-07-13] () [File not signed]
S3 cmdide; C:\Windows\system32\drivers\cmdide.sys [17488 2009-07-13] () [File not signed]
R0 CNG; C:\Windows\System32\Drivers\cng.sys [458712 2013-07-04] () [File not signed]
R0 Compbatt; C:\Windows\System32\DRIVERS\compbatt.sys [21584 2009-07-13] () [File not signed]
R3 CompositeBus; C:\Windows\System32\DRIVERS\CompositeBus.sys [38912 2010-11-20] () [File not signed]
S4 crcdisk; C:\Windows\system32\drivers\crcdisk.sys [24144 2009-07-13] () [File not signed]
R1 DfsC; C:\Windows\System32\Drivers\dfsc.sys [102400 2010-11-20] () [File not signed]
R1 discache; C:\Windows\System32\drivers\discache.sys [40448 2009-07-13] () [File not signed]
R0 Disk; C:\Windows\System32\drivers\disk.sys [73280 2009-07-13] () [File not signed]
S3 drmkaud; C:\Windows\system32\drivers\drmkaud.sys [5632 2009-07-13] () [File not signed]
R3 DXGKrnl; C:\Windows\System32\drivers\dxgkrnl.sys [983488 2013-08-01] () [File not signed]
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] () [File not signed]
S3 elxstor; C:\Windows\system32\drivers\elxstor.sys [530496 2009-07-13] () [File not signed]
S3 ErrDev; C:\Windows\system32\drivers\errdev.sys [9728 2009-07-13] () [File not signed]
R3 ETD; C:\Windows\System32\DRIVERS\ETD.sys [200488 2012-02-20] () [File not signed]
S3 exfat; C:\Windows\System32\Drivers\exfat.sys [195072 2009-07-13] () [File not signed]
R3 fastfat; C:\Windows\System32\Drivers\fastfat.sys [204800 2009-07-13] () [File not signed]
S3 fdc; C:\Windows\system32\drivers\fdc.sys [29696 2009-07-13] () [File not signed]
R0 FileInfo; C:\Windows\System32\drivers\fileinfo.sys [70224 2009-07-13] () [File not signed]
S3 Filetrace; C:\Windows\System32\drivers\filetrace.sys [34304 2009-07-13] () [File not signed]
S3 flpydisk; C:\Windows\system32\drivers\flpydisk.sys [24576 2009-07-13] () [File not signed]
R0 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [289664 2010-11-20] () [File not signed]
S3 FsDepends; C:\Windows\System32\drivers\FsDepends.sys [55376 2009-07-13] () [File not signed]
U0 Fs_Rec; C:\Windows\System32\Drivers\Fs_Rec.sys [23408 2012-03-01] ()
R0 fvevol; C:\Windows\System32\DRIVERS\fvevol.sys [223752 2013-01-24] () [File not signed]
S3 gagp30kx; C:\Windows\system32\drivers\gagp30kx.sys [65088 2009-07-13] () [File not signed]
S3 hcw85cir; C:\Windows\system32\drivers\hcw85cir.sys [31232 2009-06-10] () [File not signed]
R3 HdAudAddService; C:\Windows\System32\drivers\HdAudio.sys [350208 2010-11-20] () [File not signed]
R3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [122368 2010-11-20] () [File not signed]
S3 HidBatt; C:\Windows\system32\drivers\HidBatt.sys [26624 2009-07-13] () [File not signed]
S3 HidBth; C:\Windows\system32\drivers\hidbth.sys [100864 2009-07-13] () [File not signed]
S3 HidIr; C:\Windows\system32\drivers\hidir.sys [46592 2009-07-13] () [File not signed]
S3 HidUsb; C:\Windows\System32\DRIVERS\hidusb.sys [30208 2010-11-20] () [File not signed]
S3 HpSAMD; C:\Windows\system32\drivers\HpSAMD.sys [78720 2010-11-20] () [File not signed]
R3 HTTP; C:\Windows\System32\drivers\HTTP.sys [753664 2010-11-20] () [File not signed]
R0 hwpolicy; C:\Windows\System32\drivers\hwpolicy.sys [14720 2010-11-20] () [File not signed]
R3 i8042prt; C:\Windows\System32\DRIVERS\i8042prt.sys [105472 2009-07-13] () [File not signed]
S3 iaStorV; C:\Windows\system32\drivers\iaStorV.sys [410496 2011-03-11] () [File not signed]
R3 igfx; C:\Windows\System32\DRIVERS\igdkmd64.sys [5353888 2012-12-14] () [File not signed]
S3 iirsp; C:\Windows\system32\drivers\iirsp.sys [44112 2009-07-13] () [File not signed]
R3 IntcDAud; C:\Windows\System32\DRIVERS\IntcDAud.sys [331264 2012-02-20] () [File not signed]
S3 intelide; C:\Windows\system32\drivers\intelide.sys [16960 2009-07-13] () [File not signed]
R3 intelppm; C:\Windows\System32\DRIVERS\intelppm.sys [62464 2009-07-13] () [File not signed]
S3 IpFilterDriver; C:\Windows\System32\DRIVERS\ipfltdrv.sys [82944 2010-11-20] () [File not signed]
S3 IPMIDRV; C:\Windows\system32\drivers\IPMIDrv.sys [78848 2010-11-20] () [File not signed]
S3 IPNAT; C:\Windows\System32\drivers\ipnat.sys [116224 2009-07-13] () [File not signed]
S3 IRENUM; C:\Windows\System32\drivers\irenum.sys [17920 2009-07-13] () [File not signed]
S3 isapnp; C:\Windows\system32\drivers\isapnp.sys [20544 2009-07-13] () [File not signed]
S3 iScsiPrt; C:\Windows\system32\drivers\msiscsi.sys [273792 2010-11-20] () [File not signed]
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [16152 2012-02-07] () [File not signed]
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [356120 2012-02-07] () [File not signed]
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [787736 2012-02-07] () [File not signed]
R1 JSWPSLWF; C:\Windows\System32\DRIVERS\jswpslwfx.sys [26624 2008-05-15] () [File not signed]
R3 kbdclass; C:\Windows\System32\DRIVERS\kbdclass.sys [50768 2009-07-13] () [File not signed]
S3 kbdhid; C:\Windows\system32\drivers\kbdhid.sys [33280 2010-11-20] () [File not signed]
R0 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [95680 2013-09-24] () [File not signed]
R0 KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys [154560 2013-09-24] () [File not signed]
R3 ksthunk; C:\Windows\system32\drivers\ksthunk.sys [20992 2009-07-13] () [File not signed]
R2 lltdio; C:\Windows\System32\DRIVERS\lltdio.sys [60928 2009-07-13] () [File not signed]
S3 LSI_FC; C:\Windows\system32\drivers\lsi_fc.sys [114752 2009-07-13] () [File not signed]
S3 LSI_SAS; C:\Windows\system32\drivers\lsi_sas.sys [106560 2009-07-13] () [File not signed]
S3 LSI_SAS2; C:\Windows\system32\drivers\lsi_sas2.sys [65600 2009-07-13] () [File not signed]
S3 LSI_SCSI; C:\Windows\system32\drivers\lsi_scsi.sys [115776 2009-07-13] () [File not signed]
R2 luafv; C:\Windows\system32\drivers\luafv.sys [113152 2009-07-13] () [File not signed]
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-31] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-06-18] (Malwarebytes Corporation)
S3 megasas; C:\Windows\system32\drivers\megasas.sys [35392 2009-07-13] () [File not signed]
S3 MegaSR; C:\Windows\system32\drivers\MegaSR.sys [284736 2009-07-13] () [File not signed]
R3 MEIx64; C:\Windows\System32\DRIVERS\HECIx64.sys [62784 2012-07-17] () [File not signed]
S3 Modem; C:\Windows\System32\drivers\modem.sys [40448 2009-07-13] () [File not signed]
R3 monitor; C:\Windows\System32\DRIVERS\monitor.sys [30208 2009-07-13] () [File not signed]
R3 mouclass; C:\Windows\System32\DRIVERS\mouclass.sys [49216 2009-07-13] () [File not signed]
S3 mouhid; C:\Windows\System32\DRIVERS\mouhid.sys [31232 2009-07-13] () [File not signed]
R0 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [94592 2010-11-20] () [File not signed]
S3 mpio; C:\Windows\system32\drivers\mpio.sys [155008 2010-11-20] () [File not signed]
R3 mpsdrv; C:\Windows\System32\drivers\mpsdrv.sys [77312 2009-07-13] () [File not signed]
S3 MRxDAV; C:\Windows\system32\drivers\mrxdav.sys [140800 2013-07-04] () [File not signed]
R3 mrxsmb; C:\Windows\System32\DRIVERS\mrxsmb.sys [158208 2011-04-26] () [File not signed]
R3 mrxsmb10; C:\Windows\System32\DRIVERS\mrxsmb10.sys [288768 2011-07-08] () [File not signed]
R3 mrxsmb20; C:\Windows\System32\DRIVERS\mrxsmb20.sys [128000 2011-04-26] () [File not signed]
R0 msahci; C:\Windows\System32\drivers\msahci.sys [31104 2010-11-20] () [File not signed]
S3 msdsm; C:\Windows\system32\drivers\msdsm.sys [140672 2010-11-20] () [File not signed]
R1 Msfs; C:\Windows\System32\Drivers\Msfs.sys [26112 2009-07-13] ()
S3 mshidkmdf; C:\Windows\System32\drivers\mshidkmdf.sys [8192 2009-07-13] () [File not signed]
R0 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [15424 2009-07-13] () [File not signed]
S3 MSKSSRV; C:\Windows\System32\drivers\MSKSSRV.sys [11136 2009-07-13] () [File not signed]
S3 MSPCLOCK; C:\Windows\System32\drivers\MSPCLOCK.sys [7168 2009-07-13] () [File not signed]
S3 MSPQM; C:\Windows\System32\drivers\MSPQM.sys [6784 2009-07-13] () [File not signed]
S3 MsRPC; C:\Windows\System32\Drivers\MsRPC.sys [366976 2010-11-20] ()
R1 mssmbios; C:\Windows\System32\DRIVERS\mssmbios.sys [32320 2009-07-13] () [File not signed]
S3 MSTEE; C:\Windows\System32\drivers\MSTEE.sys [8064 2009-07-13] () [File not signed]
S3 MTConfig; C:\Windows\system32\drivers\MTConfig.sys [15360 2009-07-13] () [File not signed]
R0 Mup; C:\Windows\System32\Drivers\mup.sys [60496 2009-07-13] () [File not signed]
R3 NativeWifiP; C:\Windows\System32\DRIVERS\nwifi.sys [318976 2009-07-13] () [File not signed]
R0 NDIS; C:\Windows\System32\drivers\ndis.sys [950128 2012-08-22] () [File not signed]
S3 NdisCap; C:\Windows\System32\DRIVERS\ndiscap.sys [35328 2009-07-13] () [File not signed]
R3 NdisTapi; C:\Windows\System32\DRIVERS\ndistapi.sys [24064 2009-07-13] () [File not signed]
R3 Ndisuio; C:\Windows\System32\DRIVERS\ndisuio.sys [56832 2010-11-20] () [File not signed]
R3 NdisWan; C:\Windows\System32\DRIVERS\ndiswan.sys [164352 2010-11-20] () [File not signed]
R3 NDProxy; C:\Windows\System32\Drivers\NDProxy.sys [57856 2010-11-20] ()
R1 NetBIOS; C:\Windows\System32\DRIVERS\netbios.sys [44544 2009-07-13] () [File not signed]
R1 NetBT; C:\Windows\System32\DRIVERS\netbt.sys [261632 2010-11-20] () [File not signed]
S3 nfrd960; C:\Windows\system32\drivers\nfrd960.sys [51264 2009-07-13] () [File not signed]
R2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2015-05-06] () [File not signed]
R1 Npfs; C:\Windows\System32\Drivers\Npfs.sys [44032 2009-07-13] ()
R1 nsiproxy; C:\Windows\System32\drivers\nsiproxy.sys [24576 2009-07-13] () [File not signed]
R3 Ntfs; C:\Windows\System32\Drivers\Ntfs.sys [1656680 2013-04-12] ()
R1 Null; C:\Windows\System32\Drivers\Null.sys [6144 2009-07-13] () [File not signed]
S3 nvraid; C:\Windows\system32\drivers\nvraid.sys [148352 2011-03-11] () [File not signed]
S3 nvstor; C:\Windows\system32\drivers\nvstor.sys [166272 2011-03-11] () [File not signed]
S3 nv_agp; C:\Windows\system32\drivers\nv_agp.sys [122960 2009-07-13] () [File not signed]
S3 ohci1394; C:\Windows\system32\drivers\ohci1394.sys [72832 2009-07-13] () [File not signed]
S3 Parport; C:\Windows\system32\drivers\parport.sys [97280 2009-07-13] () [File not signed]
R0 partmgr; C:\Windows\System32\drivers\partmgr.sys [75120 2012-03-17] () [File not signed]
R0 pci; C:\Windows\System32\drivers\pci.sys [184704 2010-11-20] () [File not signed]
S3 pciide; C:\Windows\system32\drivers\pciide.sys [12352 2009-07-13] () [File not signed]
S3 pcmcia; C:\Windows\system32\drivers\pcmcia.sys [220752 2009-07-13] () [File not signed]
R0 pcw; C:\Windows\System32\drivers\pcw.sys [50768 2009-07-13] () [File not signed]
R2 PEAUTH; C:\Windows\System32\drivers\peauth.sys [651264 2009-07-13] () [File not signed]
R3 PptpMiniport; C:\Windows\System32\DRIVERS\raspptp.sys [111104 2010-11-20] () [File not signed]
S3 Processor; C:\Windows\system32\drivers\processr.sys [60416 2009-07-13] () [File not signed]
R1 Psched; C:\Windows\System32\DRIVERS\pacer.sys [131584 2010-11-20] () [File not signed]
S3 ql2300; C:\Windows\system32\drivers\ql2300.sys [1524816 2009-07-13] () [File not signed]
S3 ql40xx; C:\Windows\system32\drivers\ql40xx.sys [128592 2009-07-13] () [File not signed]
S3 QWAVEdrv; C:\Windows\system32\drivers\qwavedrv.sys [46592 2009-07-13] () [File not signed]
S3 RasAcd; C:\Windows\System32\DRIVERS\rasacd.sys [14848 2009-07-13] () [File not signed]
R3 RasAgileVpn; C:\Windows\System32\DRIVERS\AgileVpn.sys [60416 2009-07-13] () [File not signed]
R3 Rasl2tp; C:\Windows\System32\DRIVERS\rasl2tp.sys [129536 2010-11-20] () [File not signed]
R3 RasPppoe; C:\Windows\System32\DRIVERS\raspppoe.sys [92672 2009-07-13] () [File not signed]
R3 RasSstp; C:\Windows\System32\DRIVERS\rassstp.sys [83968 2009-07-13] () [File not signed]
R1 rdbss; C:\Windows\System32\DRIVERS\rdbss.sys [309248 2010-11-20] () [File not signed]
S3 rdpbus; C:\Windows\system32\drivers\rdpbus.sys [24064 2009-07-13] () [File not signed]
R1 RDPCDD; C:\Windows\System32\DRIVERS\RDPCDD.sys [7680 2009-07-13] () [File not signed]
R1 RDPENCDD; C:\Windows\System32\drivers\rdpencdd.sys [7680 2009-07-13] () [File not signed]
R1 RDPREFMP; C:\Windows\System32\drivers\rdprefmp.sys [8192 2009-07-13] () [File not signed]
S3 RDPWD; C:\Windows\System32\Drivers\RDPWD.sys [210944 2012-04-27] ()
R0 rdyboost; C:\Windows\System32\drivers\rdyboost.sys [213888 2010-11-20] () [File not signed]
R3 RSBASTOR; C:\Windows\System32\DRIVERS\RtsBaStor.sys [292968 2012-02-01] () [File not signed]
R2 rspndr; C:\Windows\System32\DRIVERS\rspndr.sys [76800 2009-07-13] () [File not signed]
R3 RTL8167; C:\Windows\System32\DRIVERS\Rt64win7.sys [565352 2011-08-23] () [File not signed]
S3 sbp2port; C:\Windows\system32\drivers\sbp2port.sys [103808 2010-11-20] () [File not signed]
S3 scfilter; C:\Windows\System32\DRIVERS\scfilter.sys [29696 2010-11-20] () [File not signed]
R0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [25056 2011-07-22] () [File not signed]
R2 secdrv; C:\Windows\System32\Drivers\secdrv.sys [23040 2009-06-10] () [File not signed]
S3 Serenum; C:\Windows\system32\drivers\serenum.sys [23552 2009-07-13] () [File not signed]
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] () [File not signed]
S3 sermouse; C:\Windows\system32\drivers\sermouse.sys [26624 2009-07-13] () [File not signed]
S3 sffdisk; C:\Windows\system32\drivers\sffdisk.sys [14336 2009-07-13] () [File not signed]
S3 sffp_mmc; C:\Windows\system32\drivers\sffp_mmc.sys [13824 2009-07-13] () [File not signed]
S3 sffp_sd; C:\Windows\system32\drivers\sffp_sd.sys [14336 2010-11-20] () [File not signed]
S3 sfloppy; C:\Windows\system32\drivers\sfloppy.sys [16896 2009-07-13] () [File not signed]
S3 SiSRaid2; C:\Windows\system32\drivers\SiSRaid2.sys [43584 2009-07-13] () [File not signed]
S3 SiSRaid4; C:\Windows\system32\drivers\sisraid4.sys [80464 2009-07-13] () [File not signed]
S3 Smb; C:\Windows\System32\DRIVERS\smb.sys [93184 2009-07-13] () [File not signed]
R0 spldr; C:\Windows\System32\Drivers\spldr.sys [19008 2009-07-13] ()
R3 srv; C:\Windows\System32\DRIVERS\srv.sys [467456 2011-04-28] () [File not signed]
R3 srv2; C:\Windows\System32\DRIVERS\srv2.sys [410112 2011-04-28] () [File not signed]
R3 srvnet; C:\Windows\System32\DRIVERS\srvnet.sys [168448 2011-04-28] () [File not signed]
S3 stexstor; C:\Windows\system32\drivers\stexstor.sys [24656 2009-07-13] () [File not signed]
R3 swenum; C:\Windows\System32\DRIVERS\swenum.sys [12496 2009-07-13] () [File not signed]
R0 Tcpip; C:\Windows\System32\drivers\tcpip.sys [1903552 2013-09-07] () [File not signed]
S3 TCPIP6; C:\Windows\System32\DRIVERS\tcpip.sys [1903552 2013-09-07] () [File not signed]
R2 tcpipreg; C:\Windows\System32\drivers\tcpipreg.sys [45568 2012-10-03] () [File not signed]
S3 TDPIPE; C:\Windows\System32\drivers\tdpipe.sys [15872 2009-07-13] () [File not signed]
S3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [23552 2012-02-16] () [File not signed]
R1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [119296 2010-11-20] () [File not signed]
R1 TermDD; C:\Windows\System32\DRIVERS\termdd.sys [63360 2010-11-20] () [File not signed]
S3 tssecsrv; C:\Windows\System32\DRIVERS\tssecsrv.sys [39936 2013-06-14] () [File not signed]
S3 TsUsbFlt; C:\Windows\System32\drivers\tsusbflt.sys [59392 2010-11-20] () [File not signed]
S3 TsUsbGD; C:\Windows\system32\drivers\TsUsbGD.sys [31232 2010-11-20] () [File not signed]
R3 tunnel; C:\Windows\System32\DRIVERS\tunnel.sys [125440 2010-11-20] () [File not signed]
S3 uagp35; C:\Windows\system32\drivers\uagp35.sys [64080 2009-07-13] () [File not signed]
S4 udfs; C:\Windows\System32\DRIVERS\udfs.sys [328192 2010-11-20] () [File not signed]
S3 uliagpkx; C:\Windows\system32\drivers\uliagpkx.sys [64592 2009-07-13] () [File not signed]
R3 umbus; C:\Windows\System32\DRIVERS\umbus.sys [48640 2010-11-20] () [File not signed]
S3 UmPass; C:\Windows\system32\drivers\umpass.sys [9728 2009-07-13] () [File not signed]
R3 usbccgp; C:\Windows\System32\DRIVERS\usbccgp.sys [99840 2013-11-26] () [File not signed]
S3 usbcir; C:\Windows\system32\drivers\usbcir.sys [100864 2013-07-12] () [File not signed]
R3 usbehci; C:\Windows\system32\drivers\usbehci.sys [53248 2013-11-26] () [File not signed]
R3 usbhub; C:\Windows\System32\DRIVERS\usbhub.sys [343040 2013-11-26] () [File not signed]
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2009-07-13] () [File not signed]
S3 usbprint; C:\Windows\System32\DRIVERS\usbprint.sys [25088 2009-07-13] () [File not signed]
S3 usbscan; C:\Windows\System32\DRIVERS\usbscan.sys [42496 2013-07-02] () [File not signed]
S3 USBSTOR; C:\Windows\System32\DRIVERS\USBSTOR.SYS [91648 2011-03-10] () [File not signed]
S3 usbuhci; C:\Windows\system32\drivers\usbuhci.sys [30720 2009-07-13] () [File not signed]
R3 usbvideo; C:\Windows\System32\Drivers\usbvideo.sys [185344 2013-07-12] () [File not signed]
R0 vdrvroot; C:\Windows\System32\drivers\vdrvroot.sys [36432 2009-07-13] () [File not signed]
S3 vga; C:\Windows\System32\DRIVERS\vgapnp.sys [29184 2009-07-13] () [File not signed]
R1 VgaSave; C:\Windows\System32\drivers\vga.sys [29184 2009-07-13] () [File not signed]
S3 vhdmp; C:\Windows\system32\drivers\vhdmp.sys [215936 2010-11-20] () [File not signed]
S3 viaide; C:\Windows\system32\drivers\viaide.sys [17488 2009-07-13] () [File not signed]
R0 volmgr; C:\Windows\System32\drivers\volmgr.sys [71552 2010-11-20] () [File not signed]
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [363392 2010-11-20] () [File not signed]
R0 volsnap; C:\Windows\System32\drivers\volsnap.sys [295808 2010-11-20] () [File not signed]
S3 vsmraid; C:\Windows\system32\drivers\vsmraid.sys [161872 2009-07-13] () [File not signed]
R3 vwifibus; C:\Windows\System32\DRIVERS\vwifibus.sys [24576 2009-07-13] () [File not signed]
R1 VWiFiFlt; C:\Windows\System32\DRIVERS\vwififlt.sys [59904 2009-07-13] () [File not signed]
S3 vwifimp; C:\Windows\System32\DRIVERS\vwifimp.sys [17920 2009-07-13] () [File not signed]
S3 WacomPen; C:\Windows\system32\drivers\wacompen.sys [27776 2009-07-13] () [File not signed]
S3 WANARP; C:\Windows\System32\DRIVERS\wanarp.sys [88576 2010-11-20] () [File not signed]
R1 Wanarpv6; C:\Windows\System32\DRIVERS\wanarp.sys [88576 2010-11-20] () [File not signed]
S3 Wd; C:\Windows\system32\drivers\wd.sys [21056 2009-07-13] () [File not signed]
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [785624 2013-06-25] () [File not signed]
R1 WfpLwf; C:\Windows\System32\DRIVERS\wfplwf.sys [12800 2009-07-13] () [File not signed]
S3 WIMMount; C:\Windows\System32\drivers\wimmount.sys [22096 2009-07-13] () [File not signed]
R3 WmiAcpi; C:\Windows\System32\DRIVERS\wmiacpi.sys [14336 2009-07-13] () [File not signed]
S4 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [21504 2009-07-13] () [File not signed]
S3 WudfPf; C:\Windows\System32\drivers\WudfPf.sys [87040 2012-07-25] () [File not signed]
S3 WUDFRd; C:\Windows\System32\DRIVERS\WUDFRd.sys [198656 2012-07-25] () [File not signed]
U5 4fe70c57aa47e2b2;  <===== ATTENTION Locked Service

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-31 00:52 - 2015-07-31 00:53 - 00000000 ____D C:\FRST
2015-07-30 22:33 - 2015-07-31 00:52 - 00000000 ____D C:\Users\Diana\Desktop\July 30 - d.top
2015-07-28 07:42 - 2015-07-28 07:42 - 00000000 ____D C:\Windows\ERDNT
2015-07-28 07:41 - 2015-07-28 07:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2015-07-28 07:41 - 2015-07-28 07:41 - 00000000 ____D C:\Program Files (x86)\ERUNT
2015-07-28 07:15 - 2015-07-28 07:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-28 06:38 - 2015-07-28 06:40 - 00000000 ____D C:\AdwCleaner
2015-07-28 03:14 - 2015-07-28 03:14 - 00000000 ____D C:\Program Files (x86)\Windows Resource Kits
2015-07-28 03:12 - 2015-07-31 00:53 - 00000000 ____D C:\Users\Diana\Desktop\WinUpdate fix AND PerfectKeyLogger
2015-07-27 17:30 - 2015-07-27 17:30 - 00279808 _____ C:\Windows\Minidump\072715-28236-01.dmp
2015-07-22 03:16 - 2015-07-22 03:20 - 00000000 ____D C:\Users\Diana\Downloads\MS Fix it
2015-07-21 20:42 - 2015-07-21 20:42 - 00698552 _____ C:\Users\Diana\Downloads\Windows6.1-KB3079904-x64.msu
2015-07-21 20:35 - 2015-07-21 20:38 - 18524336 _____ (Adobe Systems Incorporated) C:\Users\Diana\Downloads\install_flash_player_18_plugin.exe
2015-07-21 17:07 - 2015-07-21 17:07 - 00851142 _____ (Sphinx Software ) C:\Users\Diana\Downloads\DesktopAssist-FreeDictionary-Setup.exe
2015-07-05 20:30 - 2015-07-11 17:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-07-04 19:43 - 2015-07-04 19:44 - 00279752 _____ C:\Windows\Minidump\070415-27378-01.dmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-31 00:31 - 2015-05-20 03:56 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-07-31 00:21 - 2009-07-13 23:45 - 00022736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-31 00:21 - 2009-07-13 23:45 - 00022736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-30 23:13 - 2009-07-14 00:13 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-30 23:07 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-30 23:07 - 2009-07-13 23:51 - 00056885 _____ C:\Windows\setupact.log
2015-07-30 22:09 - 2015-05-20 03:56 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-07-30 20:31 - 2014-01-15 22:48 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D8492B5D-B1A7-4027-84AF-43AACD1E7C10}
2015-07-30 20:17 - 2014-01-17 18:18 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2015-07-28 07:15 - 2015-05-20 03:56 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-28 07:15 - 2014-01-15 22:50 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-27 17:32 - 2014-01-15 18:07 - 01996726 _____ C:\Windows\WindowsUpdate.log
2015-07-27 17:30 - 2015-05-06 06:08 - 00000000 ____D C:\Users\Diana\AppData\Local\NETGEARGenie
2015-07-27 17:30 - 2015-01-25 21:42 - 00000000 ____D C:\Windows\Minidump
2015-07-27 17:29 - 2015-01-25 21:41 - 1677160483 _____ C:\Windows\MEMORY.DMP
2015-07-22 03:34 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-07-22 02:54 - 2014-08-26 00:16 - 00347440 _____ (Microsoft Corporation) C:\Users\Diana\Downloads\MicrosoftFixit-portable.exe
2015-07-21 20:46 - 2014-01-18 19:56 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-21 20:46 - 2014-01-18 19:56 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-21 20:45 - 2014-07-04 02:12 - 00000000 ____D C:\Users\Diana\Documents\My Digital Editions
2015-07-21 20:45 - 2014-01-16 08:00 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-07-11 17:13 - 2014-02-15 13:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-07-11 17:13 - 2010-11-20 22:47 - 00017320 _____ C:\Windows\PFRO.log
2015-07-04 21:14 - 2015-05-12 16:59 - 00000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2015-07-04 20:17 - 2014-08-24 22:32 - 00000000 ____D C:\Users\Diana\AppData\Local\Adobe

Some files in TEMP:
====================
C:\Users\Diana\AppData\Local\Temp\Quarantine.exe
C:\Users\Diana\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys
[2010-11-20 22:23] - [2010-11-20 22:23] - 0295808 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\System32\Drivers\volsnap.sys No Company Name <===== ATTENTION

testsigning: ==> testsigning is on. Check for possible unsigned rootkit driver <===== ATTENTION

LastRegBack: 2015-07-23 20:07

==================== End of log ============================

Okay, so I have too many tabs in Firefox. And it's interesting that it says Bluetooth anything is running. I was trying to get Bluetooth on this laptop, and it kept coming up that I couldn't/it wasn't installed.


Additional scan result of Farbar Recovery Scan Tool (x64) Version:30-07-2015
Ran by Diana (2015-07-31 00:54:00)
Running from C:\Users\Diana\Desktop\WinUpdate fix AND PerfectKeyLogger
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-466896216-3158495083-2059922761-500 - Administrator - Disabled)
Diana (S-1-5-21-466896216-3158495083-2059922761-1000 - Administrator - Enabled) => C:\Users\Diana
Guest (S-1-5-21-466896216-3158495083-2059922761-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-466896216-3158495083-2059922761-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Digital Editions 3.0 (HKLM-x32\...\Adobe Digital Editions 3.0) (Version: 3.0.1 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Photoshop 5.5 (HKLM-x32\...\Adobe Photoshop 5.5) (Version: 5.5 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
Agent Ransack x64 (HKLM\...\{FD8C1365-2229-4F37-A126-558DB2471CBE}) (Version: 7.0.828.1 - Mythicsoft Ltd)
ASUS Virtual Camera (HKLM-x32\...\{EC8BD21F-0CA0-4BBF-97D9-4A52B30041A1}) (Version: 1.0.25 - ASUS)
calibre 64bit (HKLM\...\{4C296BF8-1A08-4C8D-A4B3-16FB6AECEF20}) (Version: 1.30.0 - Kovid Goyal)
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.4.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{44F72193-F59C-4303-BAE8-E3E4BC1C122C}) (Version: 3.01.0003 - Seiko Epson Corporation)
Epson E-Web Print (HKLM-x32\...\{E904F572-D7DB-43C1-929F-043F267FC77D}) (Version: 1.22.0000 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.46.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON XP-800 Series Printer Uninstall (HKLM\...\EPSON XP-800 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.5.00 - SEIKO EPSON CORPORATION)
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version:  - Lars Hederer)
ETDWare PS/2-X64 10.5.9.0 (HKLM\...\Elantech) (Version: 10.5.9.0 - ELAN Microelectronic Corp.)
Intel® OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel® PROSet/Wireless for Bluetooth® + High Speed (HKLM\...\{2C0E6BD4-65B1-4E82-B2AC-43EFFC8F100C}) (Version: 15.0.0.0083 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology (HKLM\...\{3015F546-6C3E-4E6A-B564-BCDF88C0BA2A}) (Version: 2.1.1.0153 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.3.214 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (HKLM\...\{DF7756DD-656A-45C3-BA71-74673E8259A9}) (Version: 15.00.0000.0708 - Intel Corporation)
Kobo (HKLM-x32\...\Kobo) (Version: /Qt-5.2.0 - Kobo Inc.)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
MediaMonkey 4.1 (HKLM-x32\...\MediaMonkey_is1) (Version: 4.1 - Ventis Media Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2000 SR-1 Premium (HKLM-x32\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.9327 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{402ED4A1-8F5B-387A-8688-997ABF58B8F2}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 34.0.5 - Mozilla)
Mozilla Thunderbird 31.6.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 31.6.0 (x86 en-US)) (Version: 31.6.0 - Mozilla)
NETGEAR Genie (HKLM-x32\...\NETGEAR Genie) (Version: 2.3.1.57 - NETGEAR Inc.)
NETGEAR WNA1100 N150 Wireless USB Adapter (HKLM-x32\...\{A2AE9709-283B-4B48-AA34-729C070A62FB}) (Version: 1.0.0.133 - NETGEAR)
OpenOffice 4.0.1 (HKLM-x32\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Qualcomm Atheros WiFi Driver Installation (HKLM-x32\...\{7D916FA5-DAE9-4A25-B089-655C70EAF607}) (Version: 9.2 - Qualcomm Atheros)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.48.823.2011 - Realtek)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.27015 - Realtek Semiconductor Corp.)
SnagIt 6 (HKLM-x32\...\SnagIt6) (Version: 6.1 - TechSmith Corporation)
Software Updater (HKLM-x32\...\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}) (Version: 4.3.7 - SEIKO EPSON CORPORATION)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.43879 - TeamViewer)
VLC media player 2.1.4 (HKLM\...\VLC media player) (Version: 2.1.4 - VideoLAN)
Windows Resource Kit Tools - SubInAcl.exe (HKLM-x32\...\{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}) (Version: 5.2.3790.1164 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {61E82774-652C-44ED-BABC-34470ABD2BB9} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {D85A7E50-0DB7-42B1-BA4F-B135F51FFAA1} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {EB23B57E-6538-4AE3-BD93-EB9C56FFAF28} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Loaded Modules (Whitelisted) ==============

2014-01-15 23:12 - 2013-08-01 21:12 - 00043520 _____ () C:\Windows\system32\CSRSRV.dll
2009-07-13 18:19 - 2009-07-13 20:41 - 00036864 _____ () C:\Windows\system32\pcwum.dll
2009-07-13 18:19 - 2009-07-13 20:41 - 00036864 _____ () C:\Windows\system32\pcwum.DLL
2009-07-13 18:19 - 2009-07-13 20:41 - 00036864 _____ () c:\windows\system32\pcwum.dll
2012-02-22 16:18 - 2012-02-22 16:18 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2015-01-01 21:57 - 2011-07-28 17:06 - 08247264 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WNA1100.exe
2015-01-01 21:57 - 2011-07-28 18:06 - 00297440 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
2014-12-14 21:27 - 2014-12-14 21:27 - 00105216 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\genie2_tray.exe
2015-05-20 04:10 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-05-20 04:10 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2015-05-20 04:10 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-05-20 04:10 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2015-05-20 04:10 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2013-09-28 20:14 - 2013-09-28 20:14 - 03369922 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\icuin51.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00544817 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\libgcc_s_dw2-1.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00989805 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\libstdc++-6.dll
2013-09-28 20:14 - 2013-09-28 20:14 - 01978690 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\icuuc51.dll
2013-09-28 20:14 - 2013-09-28 20:14 - 22378434 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\icudt51.dll
2013-09-28 20:14 - 2013-09-28 20:14 - 01233408 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\platforms\qwindows.dll
2015-01-09 01:40 - 2015-01-09 01:40 - 00640000 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\Genie.dll
2014-12-19 01:03 - 2014-12-19 01:03 - 01686016 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\SvtNetworkTool.dll
2015-01-09 01:01 - 2015-01-09 01:01 - 00192512 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Airprint.dll
2014-11-05 02:37 - 2014-11-05 02:37 - 00632832 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Internet.dll
2015-01-09 01:03 - 2015-01-09 01:03 - 06477824 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Map.dll
2014-06-29 20:55 - 2014-06-29 20:55 - 00068608 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\QRCode.dll
2014-06-29 21:05 - 2014-06-29 21:05 - 01183232 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\qwt.dll
2015-01-07 20:57 - 2015-01-07 20:57 - 02493952 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_MyMedia.dll
2012-10-15 15:27 - 2012-10-15 15:27 - 00111616 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\libvlc.dll
2012-10-15 15:28 - 2012-10-15 15:28 - 02286592 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\libvlccore.dll
2014-12-05 00:32 - 2014-12-05 00:32 - 01056768 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_NetworkProblem.dll
2014-09-11 03:39 - 2014-09-11 03:39 - 00144896 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\DragonNetTool.dll
2015-01-09 01:03 - 2015-01-09 01:03 - 01195008 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_ParentalControl.dll
2015-01-14 00:45 - 2015-01-14 00:45 - 10388480 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Resource.dll
2015-01-14 22:04 - 2015-01-14 22:04 - 02545664 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_RouterConfiguration.dll
2014-12-18 02:49 - 2014-12-18 02:49 - 00177152 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Statistics.dll
2014-12-05 00:35 - 2014-12-05 00:35 - 00890368 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Ui.dll
2014-11-05 03:00 - 2014-11-05 03:00 - 00435712 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\GeniePlugin_Wireless.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00051200 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\imageformats\qgif.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00052224 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\imageformats\qico.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00261120 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\imageformats\qjpeg.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00046080 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\imageformats\qsvg.dll
2014-06-29 20:55 - 2014-06-29 20:55 - 00081408 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\DiagnosePlugin.dll
2014-11-03 03:23 - 2014-11-03 03:23 - 00143360 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\DiagnoseDll.dll
2014-06-18 21:22 - 2014-06-18 21:22 - 02177405 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\drivers\libntgr_api.dll
2014-09-04 01:00 - 2014-09-04 01:00 - 00072192 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\SVTUtils.dll
2014-09-04 01:00 - 2014-09-04 01:00 - 00074240 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\NetcardApi.dll
2014-09-04 01:00 - 2014-09-04 01:00 - 00136704 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\airprintdll.dll
2012-10-15 15:28 - 2012-10-15 15:28 - 00219648 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\plugins\access\libdshow_plugin.dll
2012-10-15 15:28 - 2012-10-15 15:28 - 00049664 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\plugins\audio_output\libaout_directx_plugin.dll
2012-10-15 15:28 - 2012-10-15 15:28 - 00051200 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\plugins\audio_output\libwaveout_plugin.dll
2012-10-15 15:28 - 2012-10-15 15:28 - 00070144 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\plugins\video_output\libdirectx_plugin.dll
2013-09-28 20:13 - 2013-09-28 20:13 - 00040960 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\printsupport\windowsprintersupport.dll
2014-11-05 02:59 - 2014-11-05 02:59 - 00642048 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\InnerPlugin_Update.dll
2014-11-05 03:01 - 2014-11-05 03:01 - 00458752 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\InnerPlugin_WirelessExport.dll
2014-06-29 21:33 - 2014-06-29 21:33 - 00046080 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\WSetupApiPlugin.dll
2014-09-04 01:00 - 2014-09-04 01:00 - 00066560 _____ () C:\Program Files (x86)\NETGEAR Genie\bin\WSetupDll.dll
2015-01-01 21:57 - 2009-08-28 17:50 - 00282624 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvcLib.dll
2015-01-01 21:57 - 2011-07-27 12:53 - 00360448 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiLib.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-466896216-3158495083-2059922761-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Diana\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 71.10.216.1 - 71.10.216.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BLEServicesCtrl => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
MSCONFIG\startupreg: BTMTrayAgent => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
MSCONFIG\startupreg: EEventManager => "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
MSCONFIG\startupreg: FUFAXRCV => "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe"
MSCONFIG\startupreg: FUFAXSTM => "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{A0050943-FA9A-4136-B764-DF3FE210B039}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{44CB6DBA-B421-4193-BE6E-C7CEB677F1B7}] => (Allow) C:\Users\Diana\AppData\Local\Temp\7zS252E\hppiw.exe
FirewallRules: [{A10F01C0-0AD6-4D4F-B432-86D155ABB9BF}] => (Allow) C:\Users\Diana\AppData\Local\Temp\7zS252E\hppiw.exe
FirewallRules: [{B90F40FC-4A30-4308-B2DF-B77506B2F95B}] => (Allow) C:\Users\Diana\AppData\Local\Temp\7zS3146\hppiw.exe
FirewallRules: [{88DFAC8F-CCC5-40B5-A958-B2C8CCEF150C}] => (Allow) C:\Users\Diana\AppData\Local\Temp\7zS3146\hppiw.exe
FirewallRules: [{F9DB3670-7274-4F16-B543-8D62F4AB9C83}] => (Allow) C:\Users\Diana\AppData\Local\Temp\7zS3765\hppiw.exe
FirewallRules: [{A816D08B-2076-4675-8ED0-21B9C53E4C12}] => (Allow) C:\Users\Diana\AppData\Local\Temp\7zS3765\hppiw.exe
FirewallRules: [{36CE76FB-EA60-4B9C-A2D2-06E2BD406519}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{F340558C-8765-4CE9-9BFF-B9F15B55AD4F}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{723ED3F8-D940-4CF4-8C99-E1E222805AD5}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{38102020-3722-4C5F-85F3-C78584EBA6BF}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{80F2D18A-4283-4A46-964F-EDC58AB6EBD5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{B52B877D-80AA-4076-8F19-D07C0FB3E4F2}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F9BCD006-C1B2-4506-88DE-43121B361130}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{A3B95B5B-C187-449F-80AA-4F5C81930F28}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [TCP Query User{16221967-CC52-48B9-BDA5-C92187545AC9}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Allow) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
FirewallRules: [uDP Query User{98D21D15-16A0-4F99-8C4E-E943D44035AD}C:\program files (x86)\netgear genie\bin\netgeargenie.exe] => (Allow) C:\program files (x86)\netgear genie\bin\netgeargenie.exe
FirewallRules: [TCP Query User{F9E8BE6A-BE4B-4755-AD58-3B26CCB6992F}C:\program files (x86)\mediamonkey\mediamonkey.exe] => (Allow) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [uDP Query User{5E958DF1-F8B9-4124-879D-2723761C9341}C:\program files (x86)\mediamonkey\mediamonkey.exe] => (Allow) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [{E7DEF48D-E60A-46D3-B25F-D2C2DB67E7A8}] => (Block) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [{8692876B-BAA5-4213-BB5D-98B7E332C8C8}] => (Block) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [{139F25BD-8183-4BDD-B6D9-01214D10215B}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{D3030649-4F25-4064-B68B-DC4B6DB66009}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{617B16D0-37CA-42CE-904A-835E12D84BD5}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{9BC65C01-AAE6-4969-B4C1-30FB26400987}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Faulty Device Manager Devices =============

Name: Microsoft Virtual WiFi Miniport Adapter #3
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (07/30/2015 11:07:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2015 10:53:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2015 10:51:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2015 08:28:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/29/2015 11:23:12 AM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: The volume (C:) was not defragmented because an error was encountered: Access is denied. (0x80070005)

Error: (07/29/2015 10:32:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/28/2015 08:15:30 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.16428 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a008

Start Time: 01d0c9345b90cab4

Termination Time: 20

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (07/27/2015 05:32:23 PM) (Source: Software Protection Platform Service) (EventID: 1001) (User: )
Description: The Software Protection service failed to start. 0xD0000022
6.1.7601.17514

Error: (07/27/2015 05:30:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/25/2015 10:21:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SDFSSvc.exe, version: 2.4.40.217, time stamp: 0x535a5114
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x7d0
Faulting application start time: 0xSDFSSvc.exe0
Faulting application path: SDFSSvc.exe1
Faulting module path: SDFSSvc.exe2
Report Id: SDFSSvc.exe3

System errors:
=============
Error: (07/31/2015 12:31:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMSwissArmy service failed to start due to the following error:
%%31

Error: (07/30/2015 11:07:16 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%31

Error: (07/30/2015 11:07:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%31

Error: (07/30/2015 10:55:17 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMSwissArmy service failed to start due to the following error:
%%31

Error: (07/30/2015 10:53:21 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMSwissArmy service failed to start due to the following error:
%%31

Error: (07/30/2015 10:53:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMSwissArmy service failed to start due to the following error:
%%31

Error: (07/30/2015 10:53:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%31

Error: (07/30/2015 10:53:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%31

Error: (07/30/2015 10:51:48 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMSwissArmy service failed to start due to the following error:
%%31

Error: (07/30/2015 10:51:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMSwissArmy service failed to start due to the following error:
%%31

Microsoft Office:
=========================
Error: (07/30/2015 11:07:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2015 10:53:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2015 10:51:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/30/2015 08:28:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/29/2015 11:23:12 AM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: (C:)Access is denied. (0x80070005)

Error: (07/29/2015 10:32:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/28/2015 08:15:30 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE11.0.9600.16428a00801d0c9345b90cab420C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Error: (07/27/2015 05:32:23 PM) (Source: Software Protection Platform Service) (EventID: 1001) (User: )
Description: 0xD00000226.1.7601.17514

Error: (07/27/2015 05:30:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/25/2015 10:21:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: SDFSSvc.exe2.4.40.217535a5114unknown0.0.0.000000000c0000005000000007d001d0c5aa4a2b5d03C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exeunknown6cab2982-3345-11e5-af7d-10bf4828f25f

CodeIntegrity:
===================================
  Date: 2015-05-20 03:08:26.453
  Description: N/A

  Date: 2015-05-20 03:08:26.413
  Description: N/A

==================== Memory info ===========================

Processor: Intel® Core i5-3210M CPU @ 2.50GHz
Percentage of memory in use: 47%
Total physical RAM: 3981.91 MB
Available physical RAM: 2089.93 MB
Total Virtual: 7962.01 MB
Available Virtual: 5866.71 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.54 GB) (Free:382.8 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: EB0B7C1C)

Partition: GPT Partition Type.

==================== End of log ============================


Continue as follows :-

1. Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/

2. Unzip the file to a convenient location (the Desktop is recommended).
3. Open the folder where the contents were unzipped to, to run mbar.exe.

Image1.png

4. Double-click on the mbar.exe file. You may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers, you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning, you will go from step 4 to step 6.)

6. The following image opens; select Next.

Image2.png

7. The following image opens; select Update.

Image3.png

8. When the update completes, select Next.

Image4.png

9. In the following window, ensure "Targets" are ticked. Then select "Scan".

Image5.png

10. If an infection is found, select the "Cleanup" button to remove threats, and reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click the "Cleanup" button once more and repeat the process.
12. If no threats were found, you will see the following image; select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Select "Y" on your keyboard, then tap Enter.

16. The fix will be applied; press any key to exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log
Mbar - log (the date and time of the scan will also be shown)

Next,

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan.
  • Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number.


Next,

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts (re-enable it when done).
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Download Combofix from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

Ensure that Combofix is saved directly to the Desktop <--- Very important

Disable all security programs, as they will have a negative effect on Combofix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help, please ask.

Close any open browsers and any other programs you might have running.

Double-click the ComboFix icon to run the tool (Vista or Windows 7 users: right-click and select "Run as Administrator").

Instructions for running Combofix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.

If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select Yes and let it download the files it needs to do this. Once the Recovery Console is installed, Combofix will then offer to scan for malware. Select Continue or Yes.

When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze.****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.

If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.

If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post those logs in your next reply please...

Kevin



Dam. Okay, here's the RogueKiller log. Then I'll start all the new steps. Well, at some point today, I'll do those.

I read about the Necurs... thing, by tigzy (it opened that page). Read about OTL and OTLPE (still not sure what the PE stands for).

It definitely sounds like... something like Necurs. The way it hides, and the way it has been blocking me. (When I first noted a problem, I tried to do a System Restore, and I couldn't. Since then, I've noticed that folders in WinExplorer are locked, and I often get the message that I don't have "permission" because I'm not an administrator. Except that I am; I double-checked.)

But I will follow your steps, rather than the steps for OTL, etc. Besides, maybe MBAM has now included some of these methods (the OTL stuff seemed to be a few years old).

Thank you very much. I greatly appreciate all your time and help. Here's the RogueKiller log:


RogueKiller V10.9.4.0 [Jul 30 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Diana [Administrator]
Started from : C:\Users\Diana\Desktop\WinUpdate fix AND PerfectKeyLogger\RogueKiller.exe
Mode : Scan -- Date : 07/31/2015 02:39:54

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 13 ¤¤¤
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\4fe70c57aa47e2b2 -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4fe70c57aa47e2b2 -> Found
[Root.Necurs] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\4fe70c57aa47e2b2 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://duckduckgo.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://duckduckgo.com/  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-466896216-3158495083-2059922761-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.Proxy][FIREFX:Config] bc4g19d0.default : user_pref("network.proxy.type", 4); -> Found
[PUM.HomePage][FIREFX:Config] bc4g19d0.default : user_pref("browser.startup.homepage", "about:sessionrestore|http://diy.stackexchange.com/questions/53078/dripping-sound-inside-wall/53137#53137|http://tonyortega.org/|http://aattp.org/new-study-shows-that-conservatives-react-more-squeamishly-to-disgusting-images/|http://www.amazon.com/gp/search/ref=sr_nr_p_36_4?bbn=3732191&qid=1416313293&rh=n%3A1055398%2Cn%3A%211063498%2Cn%3A1063252%2Cn%3A1063280%2Cn%3A3732181%2Cn%3A3732191%2Cp_n_size_browse-bin%3A362279011%2Cp_n_feature_keywords_browse-bin%3A7799429011&rnid=386465011&low-price=25&high-price=110&x=9&y=17|http://workplace.stackexchange.com/questions/36368/a-co-worker-is-using-my-cup|https://getadblock.com/installed/?u=bnkooacl64543479|http://www.wbcws.org/|http://www.newscientist.com/article/dn26481-left-or-rightwing-brains-disgust-response-tells-all.html#.VGa4aMlnvtQ|http://www.huffingtonpost.com/2014/11/12/heating-gadgets_n_6147088.html?cps=gravity|http://ideas.time.com/2013/11/26/religious-people-are-more-charitable/|http://www.dailykos.com/story/2014/11/08/1343359/-Man-assaulted-for-being-gay-sends-message-to-his-attacker-and-it-s-amazing?detail=email|http://www.dailykos.com/story/2014/11/08/1343257/-How-Native-Americans-Beat-the-Kochs-in-America-s-Most-Competitive-Congressional-District?detail=email|http://www.dailykos.com/story/2014/11/06/1342751/-Michigan-Dems-Got-More-Votes-and-Still-Lost|http://www.dailykos.com/story/2014/11/11/1343931/-Another-Open-Letter-To-Americans-About-Midterms-This-Time-From-Canada-This-One-Hurts?detail=email|http://www.aspca.org/blog/strong-sentences-handed-down-alabama-court-historic-dog-fighting-case?ms=em_new_blogpost-dogfightingsentences-20141114&initialms=em_new_blogpost-dogfightingsentences-20141114&utm_source=newsalertemail_20141114&utm_medium=email&utm_campaign=newsalert|http://blog.theanimalrescuesite.com/feralshelteridea/|http://nypost.com/2014/08/11/louisiana-gov-defies-christie-helps-cash-strapped-astorino/|https://www.yahoo.com/parenting/dear-santa-sign-stirs-controversy-102370375437.html|http://www.gutenberg.org/ebooks/14980");-> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000BPKX-22HPJT0 ATA Device +++++
--- User ---
[MBR] 354105d32283d8d17cfc3e49b4b8dde1
[bSP] 52b287badbe83bcc0b8c14dc4c08bd3a : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 476711 MB
User = LL1 ... OK
User = LL2 ... OK

Ran Mbar. The "DDA Driver uninstalled" pop-up showed, but after that reboot, it ran fine. It found 4 objects (Rootkit.Necurs.GO and 3 Spyware.Agent). Did Cleanup, and it rebooted. It seemed fine, but I ran Mbar again. It found no threats the 2nd time.

Internet access seemed fine (it always had). Windows Update was fixed (and I installed the critical update from a week or so ago). I think Windows Firewall is working (I hadn't ever done anything with it before; I actually thought it was turned off).

Here's the Mbar system log. It must contain both scans?

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.494000 GHz
Memory total: 4175339520, free: 2569486336

Could not load protection driver
Downloaded database version: v2015.07.31.07
Downloaded database version: v2015.07.30.01
Downloaded database version: v2015.07.28.01
=======================================
Initializing...
DDA Driver installation error.
Driver installed on boot. Reboot required.

System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.494000 GHz
Memory total: 4175339520, free: 2990600192

=======================================
Initializing...
Done!

Scan started
Database versions:
  main:    v2015.07.31.07
  rootkit: v2015.07.30.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80047c4060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80047c4b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80047c4060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80042c89b0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80042c5060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File C:\WINDOWS\SYSTEM32\drivers\4fe70c57aa47e2b2.sys will be destroyed
Infected: C:\WINDOWS\SYSTEM32\drivers\4fe70c57aa47e2b2.sys --> [Rootkit.Necurs.GO]
File user open failed: C:\WINDOWS\SYSTEM32\drivers\BrFiltLo.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\BrFiltUp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\bridge.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\BrSerId.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\BrSerWdm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\BrUsbMdm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\BrUsbSer.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\bthmodem.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\bxvbda.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\cdfs.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\cdrom.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\circlass.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\Classpnp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\CmBatt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\cmdide.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\cng.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\compbatt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\CompositeBus.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\crashdmp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\crcdisk.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\dfsc.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\disk.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\Diskdump.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\drmk.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\drmkaud.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\Dumpata.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\dumpfve.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\dxapi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\dxg.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\dxgkrnl.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\dxgmms1.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\elxstor.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\exfat.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fastfat.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fdc.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fileinfo.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\filetrace.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\flpydisk.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fltMgr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\iaStorV.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\igdkmd64.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\iirsp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\IntcDAud.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\intelide.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\intelppm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ipfltdrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\IPMIDrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ipnat.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\irda.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\irenum.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\isapnp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\iusb3hcs.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\iusb3hub.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\iusb3xhc.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\jswpslwfx.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\kbdclass.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\kbdhid.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ks.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ksecdd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ksecpkg.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ksthunk.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\lltdio.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\lsi_fc.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\msfs.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mshidkmdf.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\msisadrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\msiscsi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mskssrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mspclock.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mspqm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\msrpc.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mssmbios.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mstee.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\MTConfig.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mup.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndis.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndiscap.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndistapi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndisuio.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndiswan.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\scfilter.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\SCMNdisP.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\scsiport.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\secdrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\serenum.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\serial.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sermouse.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sffdisk.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sffp_mmc.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sffp_sd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sfloppy.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sisraid2.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sisraid4.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\smb.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\smclib.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\spldr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\spsys.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\srv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\b57nd60a.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\discache.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fsdepends.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\i8042prt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\lsi_sas.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\msdsm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ndproxy.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\pcmcia.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sbp2port.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\srv2.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\umpass.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\videoprt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usb8023.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\USBCAMD2.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbccgp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbcir.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbehci.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbhub.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbohci.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbport.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbprint.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbrpm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbscan.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\USBSTOR.SYS (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbuhci.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\usbvideo.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vdrvroot.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vga.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vgapnp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vhdmp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\viaide.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\netbios.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\netbt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\netio.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\nfrd960.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\npf.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\npfs.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\nsiproxy.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ntfs.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\null.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\nvraid.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\nvstor.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\NV_AGP.SYS (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\nwifi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ohci1394.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\pacer.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\parport.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\partmgr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\pci.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\pciide.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\pciidex.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\pcw.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\PEAuth.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\portcls.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\processr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ql2300.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ql40xx.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\qwavedrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rasacd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rasl2tp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\raspppoe.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\raspptp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rassstp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rdbss.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rdpbus.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\RDPCDD.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\RDPENCDD.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\RDPREFMP.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rdpwd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rdyboost.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rmcast.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\RNDISMP.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rootmdm.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\rspndr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\Rt64win7.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\RtsBaStor.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\srvnet.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\stexstor.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\storport.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\stream.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\swenum.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tape.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tcpip.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tcpipreg.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tdi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tdpipe.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tdtcp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tdx.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\termdd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tssecsrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\TsUsbFlt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\TsUsbGD.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\tunnel.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\UAGP35.SYS (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\udfs.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ULIAGPKX.SYS (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\umbus.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\volmgr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\volmgrx.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\volsnap.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vsmraid.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vwifibus.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vwififlt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\vwifimp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wacompen.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wanarp.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\watchdog.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\Wdf01000.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\WdfLdr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wfplwf.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wimmount.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wmiacpi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\wmilib.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\ws2ifsl.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\WUDFPf.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\WUDFRd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fs_rec.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\fvevol.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\FWPKCLNT.SYS (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\GAGP30KX.SYS (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hcw85cir.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hdaudbus.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\HdAudio.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\HECIx64.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hidbatt.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hidbth.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hidclass.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hidir.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hidparse.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hidusb.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\HpSAMD.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\http.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\hwpolicy.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\lsi_sas2.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\lsi_scsi.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\luafv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mcd.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\megasas.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\MegaSR.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\modem.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\monitor.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mouclass.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mouhid.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mountmgr.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mpio.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mpsdrv.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mrxdav.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mrxsmb.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mrxsmb10.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\mrxsmb20.sys (0x00000005)
File user open failed: C:\WINDOWS\SYSTEM32\drivers\msahci.sys (0x00000005)
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: EB0B7C1C

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 1474874837
    GPT Header CurrentLba = 1 BackupLba 976773167
    GPT Header FirstUsableLba 34  LastUsableLba 976773134
    GPT Header Guid ecb1c60-8904-4730-93c1-17e2c4b58dde
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 1474874837
    Backup GPT header CurrentLba = 976773167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 976773134
    Backup GPT header Guid ecb1c60-8904-4730-93c1-17e2c4b58dde
    Backup GPT header Contains 128 partition entries starting at LBA 976773135
    Backup GPT header Partition entry size = 128

    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID d36ca970-4dfe-4c1b-9990-8163e3841a40
    FirstLBA 2048  Last LBA 206847
    Attributes 0
    Partition Name                 EFI system partition

    GPT Partition 0 is bootable
    Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID bf8b243f-6bbd-4550-ae75-3effd4c3f9bd
    FirstLBA 206848  Last LBA 468991
    Attributes 0
    Partition Name         Microsoft reserved partition

    Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID a18df172-4370-45d8-ab70-db72bf124657
    FirstLBA 468992  Last LBA 976773119
    Attributes 0
    Partition Name                 Basic data partition

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Infected: c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\syshost.exe --> [spyware.Agent]
Infected: c:\Windows\Temp\syshost.exe --> [spyware.Agent]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Executing an action bcdedit.exe...
Success!
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.494000 GHz
Memory total: 4175339520, free: 2855665664

=======================================
Initializing...
------------ Kernel report ------------
     07/31/2015 22:37:08
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\iusb3hcs.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\scmndisp.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\jswpslwfx.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\iusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\RtsBaStor.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\ETD.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\AMPPAL.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\iusb3hub.sys
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\athurx.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\??\C:\Windows\system32\drivers\npf.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2015.07.31.07
  rootkit: v2015.07.30.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80047b1060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80047b1b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80047b1060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80041639b0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8004160060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: EB0B7C1C

GPT Protective MBR Partition information:

    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

GPT Partition information:

    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 1474874837
    GPT Header CurrentLba = 1 BackupLba 976773167
    GPT Header FirstUsableLba 34  LastUsableLba 976773134
    GPT Header Guid ecb1c60-8904-4730-93c1-17e2c4b58dde
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128

    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 1474874837
    Backup GPT header CurrentLba = 976773167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 976773134
    Backup GPT header Guid ecb1c60-8904-4730-93c1-17e2c4b58dde
    Backup GPT header Contains 128 partition entries starting at LBA 976773135
    Backup GPT header Partition entry size = 128

    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID d36ca970-4dfe-4c1b-9990-8163e3841a40
    FirstLBA 2048  Last LBA 206847
    Attributes 0
    Partition Name                 EFI system partition

    GPT Partition 0 is bootable
    Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID bf8b243f-6bbd-4550-ae75-3effd4c3f9bd
    FirstLBA 206848  Last LBA 468991
    Attributes 0
    Partition Name         Microsoft reserved partition

    Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID a18df172-4370-45d8-ab70-db72bf124657
    FirstLBA 468992  Last LBA 976773119
    Attributes 0
    Partition Name                 Basic data partition

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-FFB558031651AC84AF27B121F3D3B25FD125EEB6.bin.VE1" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-FFB558031651AC84AF27B121F3D3B25FD125EEB6.bin.VF" is compressed (flags = 1)
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished


Mbar log:

Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org

Database version:
  main:    v2015.07.31.07
  rootkit: v2015.07.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Diana :: LAPTOP [administrator]

7/31/2015 6:37:13 PM
mbar-log-2015-07-31 (18-37-13).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 341017
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\WINDOWS\SYSTEM32\drivers\4fe70c57aa47e2b2.sys (Rootkit.Necurs.GO) -> Delete on reboot. [d74fcdeeb6f1255f520bef1fe2818cb3]
c:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [afa4b0388dfd88aefb9a45c20bf9a55b]
c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [7dd64c9c9af073c3c1d4f215659f9a66]
c:\Windows\Temp\syshost.exe (Spyware.Agent) -> Delete on reboot. [fc5742a64941e74f7e1760a7e91ba45c]

Physical Sectors Detected: 0
(No malicious items detected)

(end)


Ran AdwCleaner. It found 3 items. Let it Clean. The text file that opened only mentioned 2 of those items. So I ran AdwCleaner again. The 2nd time, it found nothing. It found:

File -- C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml

Registry -- HKCU\Software\APN PIP  and  HKCU64\Software\APN PIP

The log didn't mention the HKCU64 key. It wasn't found when I ran AdwCleaner again, though. I read that it probably isn't dangerous, and, anyway, I don't know exactly where to look in the registry to see if it's still there or not.

Here are the 2 text files:


# AdwCleaner v4.208 - Logfile created 01/08/2015 at 01:13:47
# Updated 09/07/2015 by Xplode
# Database : 2015-07-26.2 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Diana - LAPTOP
# Running from : C:\Users\Diana\Desktop\WinUpdate fix AND PerfectKeyLogger\AdwCleaner\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\APN PIP

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v39.0 (x86 en-US)

*************************

AdwCleaner[R0].txt - [1349 bytes] - [28/07/2015 06:39:00]
AdwCleaner[R1].txt - [1015 bytes] - [01/08/2015 01:02:44]
AdwCleaner[s0].txt - [905 bytes] - [01/08/2015 01:13:47]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [963  bytes] ##########

# AdwCleaner v4.208 - Logfile created 01/08/2015 at 01:42:19
# Updated 09/07/2015 by Xplode
# Database : 2015-07-26.2 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Diana - LAPTOP
# Running from : C:\Users\Diana\Desktop\WinUpdate fix AND PerfectKeyLogger\AdwCleaner\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v39.0 (x86 en-US)


Additional note on what I found after running Mbar -- when I first realized the laptop "had a problem," I opened up System Restore, as it had helped last time I had a minor issue. But the infection had affected it, as there were NO restore points, and I couldn't run it.

After running Mbar, I opened System Restore to see if I had the option to run it. I did, AND there were multiple restore points present, most from many months ago.

Ran Junkware Removal Tool. It seemed to find/do 2 things, based on the log:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.4 (07.27.2015:1)
OS: Windows 7 Home Premium x64
Ran by Diana on Sat 08/01/2015 at  4:40:31.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services


~~~ Tasks


~~~ Registry Values


~~~ Registry Keys


~~~ Files


~~~ Folders


~~~ FireFox

Successfully deleted the following from C:\Users\Diana\AppData\Roaming\mozilla\firefox\profiles\bc4g19d0.default\prefs.js

user_pref(extensions.disconnect.whitelist, {\latimes.com\:{\Disconnect\:{\whitelisted\:false,\services\:{\Google\:true}}},\mediafire.com\:{\Disconnect\:{\whi
Emptied folder: C:\Users\Diana\AppData\Roaming\mozilla\firefox\profiles\bc4g19d0.default\minidumps [90 files]


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 08/01/2015 at  4:44:10.24
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I've read the page about ComboFix and downloaded it (to the DESKTOP). I haven't done anything else with it. I thought I'd let you look at the logs and decide if I should still run it.

I did run a partial SpyBot scan. It had "found" the PerfectKeyLogger stuff early the last time I ran it (meaning, I saw that it was "looking" at those files/folders/whatever). So I let SpyBot run for a while, and tried to watch every so often to see if it came up again. I didn't see PKL and stopped the scan (it needed another 5-6 hours or so). I hope I didn't mess anything up by doing that.

Other than that, I've just had browser/s open and surfed for a while. No problems that I noticed. (Although IE wanted to reset my default search engine, and I'd had that turned off. No biggie.) The USB ports seem to be working fine (they'd stopped, for the most part).

Thank you for your help!!


Sorry for the delay. I've been busy non-computer-wise. And I've had some issues with the computer, too. Couldn't get in my email; got some weird results with a full Spybot scan; and I think it was mBar that fixed the Windows Installer problem, and I forgot I'd set it to auto-update, so MS went ahead and installed some 120 updates that I've been avoiding. Have been cleaning up some of that stuff (NO, I do NOT want Windows 10).

Was hoping this thread hadn't been closed yet.

Will run ComboFix now.


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Sorry about that. Quick confession--I have an illness where I can't be on the computer sometimes. Wednesdays are pretty much all doctor appointments and...aftermath. I try to ignore it, and had hoped I'd get this resolved quickly enough so it wouldn't be an issue here. But I was wrong on that. I apologize. I know you don't hang here waiting for my responses, but still.

Okay, so I ran ComboFix. First, I read that linked page again. I made sure I could get to the Recovery Console (the instructions for that weren't quite right for Win 7, so maybe I'll let them know). Since it had been a while, I first ran MBAR, AdwCleaner, and JRT again. None of them flagged anything. I'll post the log files if you want. I tried to turn off everything before running ComboFix, but when that started, it immediately flagged SpyBot. I've never used SpyBot's TeaTimer, so I had simply gone in and I THOUGHT turned it off. When ComboFix flagged it and waited for me to turn it off, I went into the Task Manager and ended its process. (I didn't think I could go into Programs and Features and uninstall it with CF running. If I'd known it was going to be such a problem, I would have uninstalled it to begin with. Maybe I'll suggest that for THAT page, too.) But CF STILL said it was running, but continued (on its own) with its scan.

Following CF, the only thing I really noticed being weird was the keyboard. Every 8-10 letters or so, the cursor would suddenly jump to another location. It was quite annoying. But, after a complete shutdown, I haven't noticed it happening tonight.

CF didn't take too long. I skimmed through the file, but really don't know what I'm looking for. So here it is.

ComboFix 15-08-08.01 - Diana 08/11/2015  13:43:45.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3982.2977 [GMT -5:00]
Running from: c:\users\Diana\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\programdata\Roaming
c:\users\Diana\AppData\Local\Temp\7zS252E\HPSLPSVC64.DLL
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\wpcap.dll
c:\windows\tmp
c:\windows\tmp\dd_vcredistMSI6EBD.txt
c:\windows\tmp\dd_vcredistUI6EBD.txt
c:\windows\tmp\qtsingleapp-koboex-7d5-1-lockfile
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
-------\Service_HPSLPSVC
.
.
(((((((((((((((((((((((((   Files Created from 2015-07-11 to 2015-08-11  )))))))))))))))))))))))))))))))
.
.
2015-08-11 18:47 . 2015-08-11 18:47    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-08-10 10:06 . 2015-07-21 12:25    12222168    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{7C1040D7-70C7-4A78-B386-407623491934}\mpengine.dll
2015-08-03 09:30 . 2015-08-03 09:30    --------    d-----w-    c:\users\Diana\AppData\Local\GWX
2015-08-02 05:12 . 2014-07-09 02:03    7168    ----a-w-    c:\windows\system32\KBDTAT.DLL
2015-08-02 05:12 . 2014-07-09 01:31    7168    ----a-w-    c:\windows\SysWow64\KBDYAK.DLL
2015-08-02 05:12 . 2014-07-09 01:31    6656    ----a-w-    c:\windows\SysWow64\KBDBASH.DLL
2015-08-02 05:12 . 2014-07-09 02:03    7168    ----a-w-    c:\windows\system32\KBDYAK.DLL
2015-08-02 05:12 . 2014-07-09 02:03    7168    ----a-w-    c:\windows\system32\KBDRU1.DLL
2015-08-02 05:12 . 2014-07-09 02:03    6656    ----a-w-    c:\windows\system32\KBDRU.DLL
2015-08-02 05:12 . 2014-07-09 02:03    7168    ----a-w-    c:\windows\system32\KBDBASH.DLL
2015-08-01 13:42 . 2015-08-01 13:42    --------    d-----w-    c:\windows\Migration
2015-08-01 13:42 . 2015-08-01 13:42    --------    d-s---w-    c:\windows\system32\CompatTel
2015-08-01 13:42 . 2015-08-01 13:42    --------    d-----w-    c:\windows\system32\appraiser
2015-08-01 12:15 . 2015-05-01 13:17    124112    ----a-w-    c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-08-01 12:15 . 2015-05-01 13:16    102608    ----a-w-    c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-08-01 12:06 . 2014-06-27 02:08    2777088    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2015-08-01 12:06 . 2014-06-27 01:45    2285056    ----a-w-    c:\windows\SysWow64\msmpeg2vdec.dll
2015-08-01 12:04 . 2014-06-30 22:24    8856    ----a-w-    c:\windows\system32\icardres.dll
2015-08-01 12:04 . 2014-06-30 22:14    8856    ----a-w-    c:\windows\SysWow64\icardres.dll
2015-08-01 12:04 . 2014-03-09 21:48    171160    ----a-w-    c:\windows\system32\infocardapi.dll
2015-08-01 12:04 . 2014-03-09 21:48    1389208    ----a-w-    c:\windows\system32\icardagt.exe
2015-08-01 12:04 . 2014-03-09 21:47    99480    ----a-w-    c:\windows\SysWow64\infocardapi.dll
2015-08-01 12:04 . 2014-03-09 21:47    619672    ----a-w-    c:\windows\SysWow64\icardagt.exe
2015-08-01 12:04 . 2014-06-06 06:16    35480    ----a-w-    c:\windows\SysWow64\TsWpfWrp.exe
2015-08-01 12:04 . 2014-06-06 06:12    35480    ----a-w-    c:\windows\system32\TsWpfWrp.exe
2015-08-01 06:43 . 2015-08-01 06:43    --------    d-----w-    c:\users\Diana\AppData\Local\CrashDumps
2015-08-01 04:29 . 2015-08-01 04:29    --------    d-----w-    c:\program files\Common Files\AV
2015-08-01 02:42 . 2015-01-09 03:14    91136    ----a-w-    c:\windows\system32\wdi.dll
2015-08-01 02:42 . 2015-01-09 03:14    950272    ----a-w-    c:\windows\system32\perftrack.dll
2015-08-01 02:42 . 2015-01-09 03:14    29696    ----a-w-    c:\windows\system32\powertracker.dll
2015-08-01 02:42 . 2015-01-09 02:48    76800    ----a-w-    c:\windows\SysWow64\wdi.dll
2015-08-01 02:26 . 2015-06-02 00:07    254976    ----a-w-    c:\windows\system32\cewmdm.dll
2015-08-01 02:25 . 2015-05-09 03:27    362496    ----a-w-    c:\windows\system32\wow64win.dll
2015-08-01 02:23 . 2015-07-09 17:58    37888    ----a-w-    c:\windows\system32\wups2.dll
2015-08-01 02:14 . 2015-04-24 18:17    633856    ----a-w-    c:\windows\system32\comctl32.dll
2015-08-01 02:14 . 2015-04-24 17:56    530432    ----a-w-    c:\windows\SysWow64\comctl32.dll
2015-08-01 02:14 . 2015-07-04 18:07    2087424    ----a-w-    c:\windows\system32\ole32.dll
2015-08-01 02:14 . 2015-07-04 17:48    1414656    ----a-w-    c:\windows\SysWow64\ole32.dll
2015-08-01 02:12 . 2015-06-15 21:50    112064    ----a-w-    c:\windows\system32\consent.exe
2015-08-01 02:09 . 2015-04-18 03:10    460800    ----a-w-    c:\windows\system32\certcli.dll
2015-08-01 02:08 . 2015-02-03 03:34    693176    ----a-w-    c:\windows\system32\winload.efi
2015-08-01 02:02 . 2014-12-19 03:06    210432    ----a-w-    c:\windows\system32\profsvc.dll
2015-08-01 02:01 . 2014-10-14 02:13    683520    ----a-w-    c:\windows\system32\termsrv.dll
2015-08-01 02:00 . 2014-06-06 10:10    624128    ----a-w-    c:\windows\system32\qedit.dll
2015-08-01 01:59 . 2013-11-26 08:16    3419136    ----a-w-    c:\windows\SysWow64\d2d1.dll
2015-08-01 01:58 . 2014-11-26 03:53    861696    ----a-w-    c:\windows\system32\oleaut32.dll
2015-08-01 01:58 . 2014-11-26 03:32    571904    ----a-w-    c:\windows\SysWow64\oleaut32.dll
2015-08-01 01:58 . 2015-03-04 04:10    295936    ----a-w-    c:\windows\SysWow64\apphelp.dll
2015-08-01 01:58 . 2015-03-04 04:41    6656    ----a-w-    c:\windows\system32\shimeng.dll
2015-08-01 01:58 . 2015-03-04 04:41    72192    ----a-w-    c:\windows\system32\aelupsvc.dll
2015-08-01 01:58 . 2015-03-04 04:41    342016    ----a-w-    c:\windows\system32\apphelp.dll
2015-08-01 01:58 . 2015-03-04 04:41    23552    ----a-w-    c:\windows\system32\sdbinst.exe
2015-08-01 01:58 . 2015-03-04 04:11    5120    ----a-w-    c:\windows\SysWow64\shimeng.dll
2015-08-01 01:58 . 2015-03-04 04:10    20992    ----a-w-    c:\windows\SysWow64\sdbinst.exe
2015-08-01 01:50 . 2015-07-15 03:19    41984    ----a-w-    c:\windows\system32\lpk.dll
2015-08-01 01:50 . 2015-07-15 03:19    100864    ----a-w-    c:\windows\system32\fontsub.dll
2015-08-01 01:50 . 2015-07-15 03:19    14336    ----a-w-    c:\windows\system32\dciman32.dll
2015-08-01 01:50 . 2015-07-15 03:19    46080    ----a-w-    c:\windows\system32\atmlib.dll
2015-08-01 01:50 . 2015-07-15 02:55    70656    ----a-w-    c:\windows\SysWow64\fontsub.dll
2015-08-01 01:50 . 2015-07-15 02:55    10240    ----a-w-    c:\windows\SysWow64\dciman32.dll
2015-08-01 01:50 . 2015-07-15 02:55    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2015-08-01 01:50 . 2015-07-15 02:54    25600    ----a-w-    c:\windows\SysWow64\lpk.dll
2015-08-01 01:50 . 2015-07-15 01:59    372224    ----a-w-    c:\windows\system32\atmfd.dll
2015-08-01 01:50 . 2015-07-15 01:52    299008    ----a-w-    c:\windows\SysWow64\atmfd.dll
2015-08-01 01:48 . 2015-02-18 07:06    123904    ----a-w-    c:\windows\SysWow64\poqexec.exe
2015-08-01 01:48 . 2015-02-18 07:04    142336    ----a-w-    c:\windows\system32\poqexec.exe
2015-08-01 01:37 . 2014-10-25 01:57    77824    ----a-w-    c:\windows\system32\packager.dll
2015-08-01 01:36 . 2015-02-04 03:16    465920    ----a-w-    c:\windows\system32\WMPhoto.dll
2015-08-01 01:36 . 2015-02-04 02:54    417792    ----a-w-    c:\windows\SysWow64\WMPhoto.dll
2015-07-31 23:37 . 2015-08-11 17:44    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2015-07-31 07:22 . 2015-07-31 07:22    35064    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2015-07-31 07:22 . 2015-07-31 23:22    --------    d-----w-    c:\programdata\RogueKiller
2015-07-31 05:52 . 2015-07-31 05:54    --------    d-----w-    C:\FRST
2015-07-28 12:41 . 2015-07-28 12:41    --------    d-----w-    c:\program files (x86)\ERUNT
2015-07-28 11:38 . 2015-08-11 18:01    --------    d-----w-    C:\AdwCleaner
2015-07-28 08:14 . 2015-07-28 08:14    --------    d-----w-    c:\program files (x86)\Windows Resource Kits
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-08-11 18:24 . 2015-05-20 08:56    113880    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-08-11 17:32 . 2015-05-20 08:56    107736    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-08-04 13:35 . 2015-05-06 10:47    369168    ----a-w-    c:\windows\system32\wpcap.dll
2015-08-04 13:35 . 2015-05-06 10:47    35344    ----a-w-    c:\windows\system32\drivers\npf.sys
2015-08-04 13:35 . 2015-05-06 10:47    106000    ----a-w-    c:\windows\system32\packet.dll
2015-07-22 01:46 . 2014-01-19 00:56    778416    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-07-22 01:46 . 2014-01-19 00:56    142512    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-07-03 13:43 . 2014-01-16 04:15    130333168    ----a-w-    c:\windows\system32\MRT.exe
2015-06-23 18:30 . 2010-11-21 03:27    300704    ------w-    c:\windows\system32\MpSigStub.exe
2015-06-18 13:41 . 2015-05-20 08:56    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-06-18 13:41 . 2014-01-16 03:50    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-28 1011200]
"NETGEARGenie"="c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" [2015-06-02 602880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-07 291608]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
NETGEAR WNA1100 Genie.lnk - c:\program files (x86)\NETGEAR\WNA1100\WNA1100.exe [2015-1-1 8247264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys;c:\windows\SYSNATIVE\DRIVERS\amppal.sys [x]
R3 athur;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athurx.sys;c:\windows\SYSNATIVE\DRIVERS\athurx.sys [x]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files (x86)\NETGEAR\WNA1100\jswpsapi.exe;c:\program files (x86)\NETGEAR\WNA1100\jswpsapi.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys;c:\windows\SYSNATIVE\DRIVERS\scmndisp.sys [x]
S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys;c:\windows\SYSNATIVE\DRIVERS\jswpslwfx.sys [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [x]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [x]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 WSWNA1100;WSWNA1100;c:\program files (x86)\NETGEAR\WNA1100\WifiSvc.exe;c:\program files (x86)\NETGEAR\WNA1100\WifiSvc.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys;c:\windows\SYSNATIVE\DRIVERS\AMPPAL.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 RSBASTOR;Realtek PCIE CardReader Driver - BA;c:\windows\system32\DRIVERS\RtsBaStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsBaStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2012-03-27 11407120]
"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-03-15 178960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://duckduckgo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Diana\AppData\Roaming\Mozilla\Firefox\Profiles\bc4g19d0.default\
FF - prefs.js: browser.startup.homepage - about:sessionrestore|hxxp://diy.stackexchange.com/questions/53078/dripping-sound-inside-wall/53137#53137|http://tonyortega.org/|http://aattp.org/new-study-shows-that-conservatives-react-more-squeamishly-to-disgusting-images/|http://www.amazon.com/gp/search/ref=sr_nr_p_36_4?bbn=3732191&qid=1416313293&rh=n%3A1055398%2Cn%3A%211063498%2Cn%3A1063252%2Cn%3A1063280%2Cn%3A3732181%2Cn%3A3732191%2Cp_n_size_browse-bin%3A362279011%2Cp_n_feature_keywords_browse-bin%3A7799429011&rnid=386465011&low-price=25&high-price=110&x=9&y=17|http://workplace.stackexchange.com/questions/36368/a-co-worker-is-using-my-cup|https://getadblock.com/installed/?u=bnkooacl64543479|http://www.wbcws.org/|http://www.newscientist.com/article/dn26481-left-or-rightwing-brains-disgust-response-tells-all.html#.VGa4aMlnvtQ|http://www.huffingtonpost.com/2014/11/12/heating-gadgets_n_6147088.html?cps=gravity|http://ideas.time.com/2013/11/26/religious-people-are-more-charitable/|http://www.dailykos.com/story/2014/11/08/1343359/-Man-assaulted-for-being-gay-sends-message-to-his-attacker-and-it-s-amazing?detail=email|http://www.dailykos.com/story/2014/11/08/1343257/-How-Native-Americans-Beat-the-Kochs-in-America-s-Most-Competitive-Congressional-District?detail=email|http://www.dailykos.com/story/2014/11/06/1342751/-Michigan-Dems-Got-More-Votes-and-Still-Lost|http://www.dailykos.com/story/2014/11/11/1343931/-Another-Open-Letter-To-Americans-About-Midterms-This-Time-From-Canada-This-One-Hurts?detail=email|http://www.aspca.org/blog/strong-sentences-handed-down-alabama-court-historic-dog-fighting-case?ms=em_new_blogpost-dogfightingsentences-20141114&initialms=em_new_blogpost-dogfightingsentences-20141114&utm_source=newsalertemail_20141114&utm_medium=email&utm_campaign=newsalert|http://blog.theanimalrescuesite.com/feralshelteridea/|http://nypost.com/2014/08/11/louisiana-gov-defies-christie-helps-cash-strapped-astorino/|https://www.yahoo.com/parenting/dear-santa-sign-stirs-controversy-102370375437.html|http://www.gutenberg.org/ebooks/14980
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-jswtrayutil - c:\program files (x86)\NETGEAR\WNA1100\jswtrayutil.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\TeamViewer\TeamViewer_Service.exe
c:\program files (x86)\TeamViewer\TeamViewer.exe
c:\program files (x86)\TeamViewer\tv_w32.exe
.
**************************************************************************
.
Completion time: 2015-08-11  13:51:25 - machine was rebooted
ComboFix-quarantined-files.txt  2015-08-11 18:51
.
Pre-Run: 408,007,794,688 bytes free
Post-Run: 407,527,198,720 bytes free
.
- - End Of File - - 18B9D184AA718769C2118C603B27B46E
5FB38429D5D77768867C76DCBDB35194
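A small triage helper for the log format shown above, added here as an example and not part of ComboFix or of this thread: it parses the services/drivers lines and the Run-key entries, lists the entries the log marked [x], and flags autoruns whose binary sits outside an allowlist of program directories. The sample lines are copied from this log except the "Updater" entry and the allowlist, which are constructed.

```python
import re
from collections import namedtuple

# Constructed sample: service and Run-key lines copied from the ComboFix log in
# this thread, plus one made-up autorun ("Updater") under a user profile so the
# location check has something to flag; that entry is not from the thread's log.
SAMPLE_LOG = r"""
S2 WSWNA1100;WSWNA1100;c:\program files (x86)\NETGEAR\WNA1100\WifiSvc.exe;c:\program files (x86)\NETGEAR\WNA1100\WifiSvc.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2012-03-27 11407120]
"Updater"="c:\users\example\AppData\Roaming\updater.exe" [2015-08-10 51200]
"""

# Line shapes as they appear in the log: "S2 name;display;image;path [x]" for
# services/drivers, and "name"="path" [date size] under a [HKEY_...\Run] header.
SERVICE_RE = re.compile(r'^(S\d) ([^;]+);([^;]*);([^;]*);(.*?)( \[x\])?$')
AUTORUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')

# start: Windows service Start value (2 automatic, 3 manual); marked_x: the log's "[x]" flag, kept as-is.
Service = namedtuple("Service", "start name display image path marked_x")
Autorun = namedtuple("Autorun", "key name path date size")

# Constructed allowlist: directories where this log's autoruns are expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_combofix(text):
    """Pull service/driver lines and Run-key entries out of a ComboFix log."""
    services, autoruns, current_key = [], [], ""
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif m := SERVICE_RE.match(line):
            st, name, disp, img, path, x = m.groups()
            services.append(Service(st, name, disp, img, path, x is not None))
        elif m := AUTORUN_RE.match(line):
            name, path, date, size = m.groups()
            autoruns.append(Autorun(current_key, name, path, date, int(size)))
    return services, autoruns

def flagged_services(services):
    """Services/drivers the log marked with [x]; worth checking by hand."""
    return [s for s in services if s.marked_x]

def unusual_autoruns(autoruns, roots=TRUSTED_ROOTS):
    """Autoruns whose binary lives outside the expected program directories."""
    return [a for a in autoruns if not a.path.lower().startswith(roots)]
```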
 


in looking at the log file, i noticed a few things.  the Adobe Gamma Loader in startup.  i got rid of that/turned it off.  completely.

 

this:  HPSLPSVC64.DLL

made me realize that my old HP printer was still in the system.  i didn't find it in Ctrl Panel>Programs and Features, so i "removed" it from Devices and Printers.  restarted and Devices and Printers and it was STILL THERE.  (this is a printer that i have had huge problems with -- psc 2410. this episode increased my hatred for HP.  which actually STARTED with this printer.)

anyway, checked Task Manager to try and find this buried/embedded/whatever HP printer garbage, and saw that something else (process) i've tried to turn off more than once was STILL THERE.  (i actually can't remember what it was now.  oh, i remember--i UNINSTALLED spybot earlier.  i saw it had restarted itself in Processes and decided to just get rid of it, at least for now.  after a restart, it was STILL running.  after being uninstalled.  i think i got rid of it now.)

 

so, i did some things and got that stuff turned off.  after a restart, this was my Task Manager processes:

um....never mind.  i don't know how to get an image in here, or how to attach one.

 

i'll stop fiddling now.  (although i saw that there's still Bluetooth stuff running in the Services window.  it never works on this laptop, and i've tried to turn it off.  although not from there.  but i'll wait.)

 

the most annoying thing that i still have happening, is the Word stuff.  but it was happening long before this virus hit.  so unless there's some other virus doing it...it must be unrelated.  i'm using Office 2000.  mostly just Word any more.  but i have set up formatting for the documents i create.  i've even changed the Normal template.  i use the Format painter a lot.  the 2 things that keep happening -- it changes my formatting at every single opportunity, even though i've tried to "lock" everything down (i used to make the templates for a large group that was creating corporate documentation, so i know how to do that so it will "hold."  now it won't "hold.")

the other thing is that Word crashes every so often.  it hasn't done it for the last...4 days or so.  but it's often enough that i set the "auto save" in Word to every minute. (i tried it 10 minutes and 5 minutes and continued to lose a lot of work.)

 

i'm guessing this must be unrelated.  but if you know of anywhere that might be able to help me with it.  i wouldn't think that MS would still be supporting Office 2000.  (and i've not ever noticed their support to be much help.)

 

also, i stumbled across MrCharlie's posts at one point.  i think when i was reading something about ComboFix.  do you think his preventative measures are good and still valid?  posted here, about halfway down the page:

https://forums.malwarebytes.org/index.php?/topic/145712-malware-codec-and-linkbucks/page-2

 

and finally, what do YOU recommend?  i've been very lax with security for a couple years and the fact that this is the first crap-fest i've had to deal with surprises me.  i purchased Kaspersky several years ago--bought it for 3 years for 2 computers (mine and my mom's laptop, which i'm also supposed to maintain). i could never get it to install correctly, and i gave up after a while and then got caught up in....other things (like health issues), and never remembered to go back in and work on it some more.   i used to use AVG--the free one.  that worked well for both computers for quite a while, but then it started acting almost like malware itself, so i dumped it.

i see MalwareBytes has a paid option?  i'm guessing you might say that would be best?  i know last time i had a bad virus (before buying kaspersky) i had to pay a guy to get my stuff off my hard drive and then he basically wiped the system and reloaded it.  he put MBAM on the desktop and said he highly recommended it, and i should use it.  but he didn't say HOW i should use it.  it didn't seem to be running constantly like AVG or Norton or.....  so every now and then i would open it and run it like i do SpyBot.  there must be more that i should be doing??

 

that's all i can think of.  trying to get it all out here at once.  and doing this stuff let me put the laptop thru some "paces" to see if anything funky popped up.

thank you so much.  oh, and what is catchme.log?

oh, and is there a way to donate without PayPal?


Thanks for the log, continue please:

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::

Save this as CFScript.txt, with Type: All Files (*.*), in the same location as ComboFix.exe.

[Images: CF3.jpg, CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

There, click Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the add-on to run.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:

  • Make sure that Remove found threats is Checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology” select “Change” and select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfile in your next reply.

Don't forget to re-enable security software!

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs.)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...

Let me see those logs, also give an update on any remaining issues or concerns.....

 

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629
 

Thank you,

 

Kevin...

 





 

This topic is now closed to further replies.