

ransom:HTML/Crowti.A troubles

This is a discussion on ransom:HTML/Crowti.A troubles within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 05-31-2015, 01:55 PM   #1
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1





Hello....

As indicated by the above not-so-smiley I'm frustrated to no end but lucky to still have networking capability for the moment.
I noticed the cooling fan on my laptop running more than it needed to be so I checked Task Manager to see what was running.
Checking under "show processes from all users" I found several hundred running instances of the following programs:
cmd.exe
conhost.exe
schtasks.exe
svchost.exe

Windows Defender has identified one of the culprits as:
ransom:HTML/Crowti.A
which is tagged by Defender attempting something every 3-5 minutes at Severe threat level. The machine hiccups/freezes for a split second, Defender quarantines it and usually I'll get control back afterward.

I was running Symantec Endpoint Client which I have since removed, leaving Defender and MBAM on the system.

When I tried to run DDS the system froze completely and required a hard reset. I have not attempted again until I get feedback from the Forum, hence the lack of requested log files.

Of note also is that this machine is on my network wirelessly along with a desktop (not mapped yet on this machine) and a WD MyBook Duo (not yet set up but it is mapped). There are errors logged in the Motorola cable modem/router (SBG6580) but they were all the same date and don't appear to be relevant.

My other problem aside from the virus is that this machine appears unable to be booted from a WinPE disk/USB drive. Sources have indicated that the BIOS on this machine is too old to support it so I'm stuck hoping that I don't lose the MBR or other critical data before a resolution. I had been looking into having a cloned drive available but don't know the best method of doing that. I can't back up anything now without fear of cloning the virus as well.

Any initial assistance is appreciated. I'll run DDS in safe mode if it yields the necessary data or at least enough to start the process.
mat68046
 
Old 05-31-2015, 02:39 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Let's make sure no remnants of Symantec remain on your system:

Please download the Norton Removal Tool and save it to your Desktop.
  • Close all programs and double-click the Norton_Removal_Tool.exe, then click Run
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Restart your computer if not prompted already.
  • Then delete Norton_Removal_Tool.exe from your desktop.
------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button (if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist
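As an added example (not code from this thread, from chemist, or from the author of FRST), the script below parses the line format FRST uses in its Services and Drivers sections and lists the entries an analyst reads first: files FRST marks [File not signed], entries whose file is missing on disk ([X]), empty publisher fields, and drivers loading from a Temp directory. The regular expressions and the triage rules are my own reading of the log format, the sample lines are copied from the log posted later in this thread, and the output is a first-pass filter for a human to review, not a verdict: unsigned vendor drivers are common on older OEM machines, and orphaned entries are often leftovers of uninstalled tools.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input, constructed from a few lines of the FRST log posted in this
# thread; only the Services and Drivers sections are parsed.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMService; C:\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

R3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [299024 2012-04-09] (EldoS Corporation)
R2 HOSTNT; C:\Windows\system32\Drivers\HOSTNT.sys [4032 2014-02-11] () [File not signed]
S3 GPU-Z; \??\C:\Users\OEM\AppData\Local\Temp\GPU-Z.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================
"""

# Section banner: "==================== Drivers (Whitelisted) ===================="
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
# Normal entry: "<state> <name>; <path> [<size> <date>] (<vendor>)[ flags]"
ENTRY_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<vendor>[^)]*)\)(?P<flags>.*)$"
)
# Entry whose file FRST could not find on disk: "<state> <name>; <path> [X]"
MISSING_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+\[X\]\s*$")


@dataclass
class Entry:
    section: str
    state: str                 # FRST state code, e.g. R2 (running) or S3 (stopped, manual start)
    name: str
    path: str
    vendor: Optional[str]      # None when the file is missing, "" when FRST printed "()"
    size: Optional[int]
    present: bool              # False for "[X]" entries
    signed: Optional[bool]     # None when the file is missing and could not be checked


@dataclass
class Finding:
    name: str
    section: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_frst(text: str) -> List[Entry]:
    """Parse the Services and Drivers sections of an FRST.txt into Entry records."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title").replace("(Whitelisted)", "").strip()
            continue
        if section not in ("Services", "Drivers"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(section, m["state"], m["name"], m["path"], m["vendor"],
                                 int(m["size"]), True, "[File not signed]" not in m["flags"]))
            continue
        m = MISSING_RE.match(line)
        if m:
            entries.append(Entry(section, m["state"], m["name"], m["path"], None, None, False, None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Return the entries that deserve a closer look, with the reason for each."""
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        if not e.present:
            reasons.append("file missing on disk (orphaned registry entry)")
        else:
            if not e.signed:
                reasons.append("file not signed")
            if e.vendor == "":
                reasons.append("no publisher name in version info")
        if "\\temp\\" in e.path.lower():
            reasons.append("loads from a Temp directory")
        if reasons:
            findings.append(Finding(e.name, e.section, e.path, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python frst_triage.py FRST.txt   (falls back to the embedded sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(parse_frst(text)):
        print(f"[{f.section}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample the script flags four of the six entries: the two unsigned HP and HOSTNT files, and the two orphaned driver entries, one of which (GPU-Z) also points into a user's Temp directory. The signed, vendor-attributed entries are left out, which is the point of the filter when a real log has a hundred or more driver lines.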
Old 05-31-2015, 05:19 PM   #3
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1



Norton removal: done
AdwCleaner:
# AdwCleaner v4.206 - Logfile created 31/05/2015 at 19:38:30
# Updated 01/06/2015 by Xplode
# Database : 2015-05-31.5 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x86)
# Username : OEM - OEM-DV6244US
# Running from : C:\Users\OEM\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\BearShare Applications
Folder Deleted : C:\Program Files\Innovative Solutions
Folder Deleted : C:\Users\OEM\AppData\Local\iLivid
Folder Deleted : C:\Users\OEM\AppData\Local\Innovative Solutions
Folder Deleted : C:\Users\OEM\AppData\Roaming\pdfforge
File Deleted : C:\Users\OEM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk
File Deleted : C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default\user.js
File Deleted : C:\Program Files\Mozilla Firefox\defaults\pref\itms.js

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\iLivid.torrent
Key Deleted : HKLM\SOFTWARE\Classes\iLivid.torrent
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0ABE0FED-50E7-4E42-A125-57C0A11DBCDE}
Key Deleted : HKCU\Software\Bitberry Software
Key Deleted : HKCU\Software\Bitberry
Key Deleted : HKCU\Software\ilivid
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local;192.168.*.*

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17801


-\\ Mozilla Firefox v38.0.1 (x86 en-US)


*************************

AdwCleaner[R0].txt - [1933 bytes] - [31/05/2015 02:44:11]
AdwCleaner[R1].txt - [1990 bytes] - [31/05/2015 19:34:45]
AdwCleaner[S0].txt - [1949 bytes] - [31/05/2015 19:38:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2008 bytes] ##########

Farbar:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-05-2015
Ran by OEM (administrator) on OEM-DV6244US on 31-05-2015 19:59:08
Running from C:\Users\OEM\Desktop
Loaded Profiles: OEM (Available Profiles: OEM)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\ioloGovernor.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe
(iolo technologies, LLC) C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Malwarebytes Corporation) C:\Malwarebytes Anti-Malware\mbamscheduler.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Western Digital Technologies, Inc.) C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe
(Malwarebytes Corporation) C:\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Malwarebytes Anti-Malware\mbam.exe
(Dropbox, Inc.) C:\Users\OEM\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Motorola) C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
(iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\LiveBoost.exe
(Paramount Software UK Ltd) C:\Program Files\Macrium\Reflect\ReflectService.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1045800 2008-03-28] (Synaptics, Inc.)
HKLM\...\Run: [WirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-05-20] (Hewlett-Packard Company)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [981688 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [WD Quick View] => C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe [3998616 2011-12-06] (Western Digital Technologies, Inc.)
HKLM\...\Run: [iolo Startup] => C:\Program Files\iolo\Common\Lib\ioloLManager.exe [4521272 2015-04-27] (iolo technologies, LLC)
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: {00cc46cf-8877-11e3-94c5-806e6f6e6963} - D:\setup.exe -q
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: {c35b6d44-34a8-11e4-a81d-001636c70e67} - F:\LaunchU3.exe -a
Startup: C:\Users\OEM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-05-12]
ShortcutTarget: Dropbox.lnk -> C:\Users\OEM\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\OEM\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\OEM\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\OEM\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\Windows\system32\CbFsMntNtf3.dll [2012-04-09] (EldoS Corporation)
BootExecute: autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = msn
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-25] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-25] (Oracle Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_17_0_0_188.dll [2015-05-26] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin: @dymo.com/DymoLabelFramework -> C:\Program Files\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll [2012-01-30] ( Sanford L.P.)
FF Plugin: @IPCWebComponents -> C:\Program Files\IPCWebComponents\npIPCReg.dll [2014-04-07] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-25] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-10-25] (Apple Inc.)
FF Extension: Garmin Communicator - C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2014-07-28]
FF Extension: Yahoo Mail Hide Ad Panel - C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default\Extensions\{c37bac34-849a-4d28-be41-549b2c76c64e}.xpi [2015-02-11]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2014-06-14]
FF HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\Firefox\Extensions: [[email protected]] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 DymoPnpService; C:\Program Files\DYMO\DYMO Label Software\DymoPnpService.exe [32336 2012-01-30] (Sanford, L.P.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
R2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [4676408 2015-04-27] (iolo technologies, LLC)
R2 MBAMScheduler; C:\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
R2 MBAMService; C:\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
S4 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2014-04-08] (Motorola Mobility LLC)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2015-04-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284504 2015-04-30] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PST Service; C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [2462160 2014-07-21] (Paramount Software UK Ltd)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\DRIVERS\amdkmafd.sys [15968 2013-03-14] (Advanced Micro Devices, Inc.)
R3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [299024 2012-04-09] (EldoS Corporation)
S3 CH341SER; C:\Windows\System32\Drivers\CH341SER.SYS [39632 2009-06-03] (???????????????--???)
S3 dg_ksudbus; C:\Windows\System32\DRIVERS\ksudbus.sys [75776 2011-03-25] (Microsoft Corporation) [File not signed]
R3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [34760 2007-02-15] (SlySoft, Inc.)
R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [24232 2009-02-17] (Elaborate Bytes AG)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57672 2009-05-21] (FTDI Ltd.)
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [160768 2007-05-01] (Conexant Systems Inc.) [File not signed]
R2 HOSTNT; C:\Windows\system32\Drivers\HOSTNT.sys [4032 2014-02-11] () [File not signed]
R3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSF_HWAZL.sys [210688 2008-05-08] (Conexant Systems, Inc.) [File not signed]
R3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DP.sys [985472 2008-05-08] (Conexant Systems, Inc.) [File not signed]
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2015-05-31] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-04-14] (Malwarebytes Corporation)
S3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [42752 2013-07-23] (Motorola Inc)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [245096 2015-03-04] (Microsoft Corporation)
R0 MxEFUF; C:\Windows\System32\DRIVERS\MxEFUF32.sys [102728 2010-11-04] (Matrox Graphics Inc.)
R2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [69016 2015-03-25] (Raxco Software, Inc.)
S3 PortTalk; C:\Windows\System32\Drivers\PortTalk.sys [3567 2009-01-18] (Beyond Logic BeyondLogic) [File not signed]
R0 pssnap; C:\Windows\System32\DRIVERS\pssnap.sys [13528 2014-07-21] ()
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [46096 2014-03-24] (Corel Corporation)
R1 RawDisk3; C:\Windows\system32\drivers\rawdsk3.sys [28256 2015-03-25] (EldoS Corporation)
S3 RT-USB; C:\Windows\System32\drivers\RT-USB.SYS [59464 2010-06-16] (Ross-Tech LLC)
S3 Ser2plx86; C:\Windows\System32\DRIVERS\ser2pl.sys [77824 2008-10-27] (Prolific Technology Inc.)
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [3562880 2013-08-12] (Sonix Co. Ltd.)
S3 ST50220; C:\Windows\System32\Drivers\ST50220.sys [26752 2006-11-24] (Sonix)
S3 w39n51; C:\Windows\System32\DRIVERS\bzeek.sys [724096 2012-06-24] (BzeekLand LTD.)
S3 GPU-Z; \??\C:\Users\OEM\AppData\Local\Temp\GPU-Z.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-31 19:59 - 2015-05-31 19:59 - 00014373 _____ () C:\Users\OEM\Desktop\FRST.txt
2015-05-31 19:58 - 2015-05-31 19:59 - 00000000 ____D () C:\FRST
2015-05-31 19:43 - 2015-05-31 19:44 - 01147392 _____ (Farbar) C:\Users\OEM\Desktop\FRST.exe
2015-05-31 19:30 - 2015-05-31 19:30 - 02231296 _____ () C:\Users\OEM\Desktop\AdwCleaner.exe
2015-05-31 14:52 - 2015-05-31 14:52 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-05-31 14:26 - 2015-05-31 14:29 - 00688992 ____R (Swearware) C:\Users\OEM\Downloads\dds.scr
2015-05-31 13:34 - 2015-05-31 13:34 - 02108928 _____ (Farbar) C:\Users\OEM\Downloads\FRST64.exe
2015-05-31 03:03 - 2015-05-31 03:08 - 00000000 ___SD () C:\32788R22FWJFW
2015-05-31 03:03 - 2015-05-31 03:03 - 00000000 ____D () C:\Windows\erdnt
2015-05-31 03:01 - 2015-05-31 03:02 - 05628678 ____R (Swearware) C:\Users\OEM\Downloads\ComboFix.exe
2015-05-31 02:48 - 2015-05-31 02:48 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\OEM\Downloads\tdsskiller.exe
2015-05-31 02:44 - 2015-05-31 19:38 - 00000000 ____D () C:\AdwCleaner
2015-05-31 02:18 - 2015-05-31 02:18 - 00017722 _____ () C:\Users\OEM\Documents\eset5-31-15.txt
2015-05-31 00:36 - 2015-05-31 00:36 - 00000000 ____D () C:\Program Files\ESET
2015-05-31 00:35 - 2015-05-31 00:35 - 02347384 _____ (ESET) C:\Users\OEM\Downloads\esetsmartinstaller_enu.exe
2015-05-30 21:28 - 2015-05-30 21:28 - 00000000 ____D () C:\Windows\Sun
2015-05-30 00:03 - 2015-05-30 00:03 - 00021402 _____ () C:\Users\OEM\Documents\cc_20150530_000340.reg
2015-05-30 00:01 - 2015-05-30 00:01 - 00000965 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-05-29 23:25 - 2015-05-29 23:25 - 16502728 _____ (Malwarebytes Corp.) C:\Users\OEM\Downloads\mbar-1.09.1.1004.exe
2015-05-29 23:03 - 2015-05-29 23:03 - 08014872 _____ (Symantec Corporation) C:\Users\OEM\Downloads\SymHelp.exe
2015-05-27 22:25 - 2015-05-27 22:25 - 00000701 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-27 22:25 - 2015-05-27 22:25 - 00000000 ____D () C:\Malwarebytes Anti-Malware
2015-05-27 21:38 - 2015-05-27 21:38 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\OEM\Downloads\mbam-setup-2.1.6.1022.exe
2015-05-26 21:52 - 2015-05-26 21:52 - 00000000 ____D () C:\Users\OEM\AppData\Local\Symantec
2015-05-26 21:48 - 2015-05-31 14:52 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2015-05-26 21:48 - 2009-07-13 12:06 - 00511328 _____ (Microsoft Corporation) C:\Windows\system32\capicom.dll
2015-05-26 21:48 - 2007-03-21 20:39 - 01060864 _____ (Microsoft Corporation) C:\Windows\system32\MFC71.DLL
2015-05-26 21:48 - 2007-03-21 20:33 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\MSVCP71.DLL
2015-05-26 21:48 - 2007-03-21 20:33 - 00348160 _____ (Microsoft Corporation) C:\Windows\system32\MSVCR71.DLL
2015-05-25 21:01 - 2015-05-25 21:01 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-05-25 20:59 - 2015-05-25 20:59 - 00561248 _____ (Oracle Corporation) C:\Users\OEM\Downloads\jxpiinstall(1).exe
2015-05-20 02:07 - 2015-05-01 09:16 - 00102608 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-17 20:58 - 2015-05-17 20:58 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-05-13 21:43 - 2015-05-13 21:43 - 00822582 _____ () C:\Users\OEM\Downloads\IPCameraTool version 1.0.0.1 - 20131120.zip
2015-05-13 21:43 - 2015-05-13 21:43 - 00000000 ____D () C:\Users\OEM\Downloads\IPCameraTool version 1.0.0.1 - 20131120
2015-05-12 20:44 - 2015-05-12 20:45 - 00149160 _____ () C:\Windows\Minidump\051215-22354-01.dmp
2015-05-12 20:44 - 2015-05-12 20:44 - 416804091 _____ () C:\Windows\MEMORY.DMP
2015-05-12 20:44 - 2015-05-12 20:44 - 00000000 ____D () C:\Windows\Minidump
2015-05-12 19:30 - 2015-04-27 15:11 - 03989440 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-05-12 19:30 - 2015-04-27 15:11 - 03934144 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-05-12 19:30 - 2015-04-27 15:11 - 00137664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-05-12 19:30 - 2015-04-27 15:11 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-05-12 19:30 - 2015-04-27 15:08 - 01307648 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00851456 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00635392 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\sechost.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00641536 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00364544 _____ (Microsoft Corporation) C:\Windows\system32\tracerpt.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00082944 _____ (Microsoft Corporation) C:\Windows\system32\logman.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00040448 _____ (Microsoft Corporation) C:\Windows\system32\typeperf.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\relog.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-05-12 19:30 - 2015-04-27 15:03 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-05-12 19:30 - 2015-04-27 15:03 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\diskperf.exe
2015-05-12 19:30 - 2015-04-27 15:01 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-05-12 19:30 - 2015-04-27 15:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-05-12 19:30 - 2015-04-27 14:59 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-05-12 19:30 - 2015-04-27 14:59 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-05-12 19:30 - 2015-04-27 14:00 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-05-12 19:30 - 2015-04-19 22:56 - 01250816 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-12 19:30 - 2015-04-19 22:56 - 00909312 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-12 19:30 - 2015-04-19 22:03 - 02382336 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-12 19:30 - 2015-01-28 23:02 - 02311168 _____ (Microsoft Corporation) C:\Windows\system32\wpdshext.dll
2015-05-12 19:29 - 2015-05-04 21:12 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-05-12 19:29 - 2015-04-21 21:48 - 00342736 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-05-12 19:29 - 2015-04-21 12:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-05-12 19:29 - 2015-04-21 12:25 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-05-12 19:29 - 2015-04-21 12:24 - 19691008 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-05-12 19:29 - 2015-04-21 12:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-05-12 19:29 - 2015-04-21 12:11 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-05-12 19:29 - 2015-04-21 12:10 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-05-12 19:29 - 2015-04-21 12:09 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-05-12 19:29 - 2015-04-21 12:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-05-12 19:29 - 2015-04-21 12:04 - 02278400 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-05-12 19:29 - 2015-04-21 12:03 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-05-12 19:29 - 2015-04-21 12:02 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-05-12 19:29 - 2015-04-21 12:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-05-12 19:29 - 2015-04-21 11:58 - 00664576 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-05-12 19:29 - 2015-04-21 11:58 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-05-12 19:29 - 2015-04-21 11:58 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-05-12 19:29 - 2015-04-21 11:57 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-05-12 19:29 - 2015-04-21 11:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-05-12 19:29 - 2015-04-21 11:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-05-12 19:29 - 2015-04-21 11:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-05-12 19:29 - 2015-04-21 11:39 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-05-12 19:29 - 2015-04-21 11:38 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-05-12 19:29 - 2015-04-21 11:36 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-05-12 19:29 - 2015-04-21 11:31 - 04305920 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-05-12 19:29 - 2015-04-21 11:26 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-12 19:29 - 2015-04-21 11:26 - 00685568 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-05-12 19:29 - 2015-04-21 11:25 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-12 19:29 - 2015-04-21 11:24 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-05-12 19:29 - 2015-04-21 11:17 - 12828672 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-12 19:29 - 2015-04-21 11:02 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-12 19:29 - 2015-04-21 10:58 - 01310208 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-12 19:29 - 2015-04-21 10:56 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-05-12 19:29 - 2015-04-17 22:56 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-05-12 19:29 - 2015-04-12 23:19 - 00259072 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-12 19:29 - 2015-04-07 23:14 - 00216064 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-05-12 19:29 - 2015-04-07 23:14 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2015-05-12 19:29 - 2015-03-04 00:11 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\shimeng.dll
2015-05-12 19:29 - 2015-03-04 00:10 - 00295936 _____ (Microsoft Corporation) C:\Windows\system32\apphelp.dll
2015-05-12 19:29 - 2015-03-04 00:10 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\aelupsvc.dll
2015-05-12 19:29 - 2015-03-04 00:10 - 00020992 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2015-05-12 19:29 - 2015-02-18 03:06 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-31 19:56 - 2014-09-10 23:09 - 00114416 _____ () C:\Windows\setupact.log
2015-05-31 19:49 - 2014-01-28 19:54 - 01986939 _____ () C:\Windows\WindowsUpdate.log
2015-05-31 19:48 - 2009-07-14 00:34 - 00026576 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-05-31 19:48 - 2009-07-14 00:34 - 00026576 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-05-31 19:41 - 2014-06-30 16:45 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2015-05-31 19:41 - 2014-05-08 03:15 - 00000000 ____D () C:\Users\OEM\Dropbox
2015-05-31 19:41 - 2014-05-08 03:11 - 00000000 ____D () C:\Users\OEM\AppData\Roaming\Dropbox
2015-05-31 19:41 - 2014-01-28 20:46 - 00000437 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2015-05-31 19:40 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-31 19:23 - 2015-03-11 08:23 - 00000917 _____ () C:\Windows\Tasks\EPSON XP-620 Series Update {A1CFF8BD-4937-4DA3-A69C-447EE14FCD95}.job
2015-05-31 19:21 - 2014-10-25 23:56 - 00098338 _____ () C:\Windows\PFRO.log
2015-05-31 19:05 - 2014-03-18 17:01 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-05-31 15:50 - 2009-07-14 00:53 - 00029400 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-05-31 02:04 - 2011-09-14 00:49 - 00000000 ____D () C:\AOL Instant Messenger
2015-05-30 00:01 - 2014-02-23 15:00 - 00000000 ____D () C:\Program Files\CCleaner
2015-05-29 23:58 - 2014-02-19 18:23 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-05-29 23:28 - 2014-02-19 18:17 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-05-27 22:25 - 2014-06-30 16:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-27 22:10 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Help
2015-05-27 21:41 - 2010-11-20 17:01 - 00781782 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-27 19:27 - 2015-01-05 23:10 - 00000000 ____D () C:\IPCamRecord
2015-05-27 05:08 - 2014-12-29 05:18 - 00000000 ____D () C:\Users\OEM\Desktop\Computer
2015-05-27 04:49 - 2014-06-30 16:51 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-05-26 21:16 - 2014-08-20 22:32 - 00000000 ____D () C:\Users\OEM\AppData\Local\Adobe
2015-05-26 21:16 - 2014-01-29 01:07 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-05-26 21:16 - 2014-01-29 01:07 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-05-26 00:46 - 2014-01-28 23:18 - 00000000 ____D () C:\ProgramData\Oracle
2015-05-25 21:00 - 2014-10-26 00:10 - 00096352 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-05-25 21:00 - 2014-01-28 23:17 - 00000000 ____D () C:\Program Files\Java
2015-05-22 20:55 - 2010-11-20 20:46 - 00000000 ____D () C:\Program Files\Windows Journal
2015-05-21 22:43 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2015-05-21 21:13 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-05-21 21:05 - 2009-07-14 00:33 - 00287560 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-05-21 21:03 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\AdvancedInstallers
2015-05-20 02:08 - 2014-01-28 21:19 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-05-20 02:08 - 2014-01-28 21:19 - 00001945 _____ () C:\Windows\epplauncher.mif
2015-05-20 02:08 - 2014-01-28 21:18 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-05-20 02:05 - 2014-01-29 00:05 - 00000000 ____D () C:\Windows\system32\MRT
2015-05-20 01:56 - 2014-01-29 00:05 - 137310008 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-05-20 01:53 - 2015-04-07 19:49 - 00000000 ___SD () C:\Windows\system32\GWX
2015-05-20 01:50 - 2014-04-17 09:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-20 01:50 - 2014-04-17 09:10 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-05-20 01:26 - 2014-01-28 21:03 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-05-20 01:21 - 2015-04-21 21:26 - 00000000 ____D () C:\Program Files\Mozilla Firefox.bak
2015-05-18 05:01 - 2015-04-30 22:38 - 00000000 ____D () C:\Windows\system32\config\SM Registry Backup
2015-05-16 07:13 - 2014-01-29 16:17 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-12 19:15 - 2014-05-08 03:15 - 00001015 _____ () C:\Users\OEM\Desktop\Dropbox.lnk
2015-05-12 19:15 - 2014-05-08 03:13 - 00000000 ____D () C:\Users\OEM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-05-04 04:21 - 2014-01-28 20:14 - 00000000 ____D () C:\Users\OEM
2015-05-04 04:20 - 2015-04-30 22:39 - 00000000 ____D () C:\Windows\system32\config\Before Compact

==================== Files in the root of some directories =======

2014-12-28 22:36 - 2014-12-28 22:38 - 0030921 __RSH () C:\Program Files\DLS8Uninstall.log
2014-01-29 11:41 - 2014-01-29 11:41 - 0000000 _____ () C:\Users\OEM\AppData\Local\AtStart.txt
2014-01-29 11:41 - 2014-01-29 11:41 - 0000000 _____ () C:\Users\OEM\AppData\Local\DSwitch.txt
2014-01-29 11:41 - 2014-01-29 11:41 - 0000000 _____ () C:\Users\OEM\AppData\Local\QSwitch.txt
2014-02-01 20:30 - 2014-02-27 22:29 - 0007603 _____ () C:\Users\OEM\AppData\Local\resmon.resmoncfg
2015-03-22 23:46 - 2015-03-22 23:46 - 0000041 ___SH () C:\ProgramData\.zreglib
2015-03-11 12:23 - 2015-03-11 12:23 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-03-06 20:22 - 2015-05-31 19:49 - 0000369 _____ () C:\ProgramData\HPWALog.txt
2014-06-14 03:34 - 2014-06-23 09:24 - 0001663 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\OEM\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgrr1ii.dll
C:\Users\OEM\AppData\Local\Temp\Quarantine.exe
C:\Users\OEM\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-05-24 00:20

==================== End of log ============================
Attached Files
File Type: txt Addition.txt (45.6 KB, 72 views)
mat68046 is offline  
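Every dated entry in the FRST listing above follows one fixed layout: two timestamps, a size, a five-character attribute field, the publisher from the file's version information in parentheses (empty when the file carries none), and the path. The following is an added example, not code from this thread or from FRST: a small Python parser for that layout with a triage pass that flags executables with no publisher or sitting in a user-writable location, which is the kind of entry a helper scans a listing for before writing a fixlist. The sample lines are copied from the logs posted in this thread; the set of extensions treated as executable code and the path fragments treated as user-writable are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One dated FRST entry looks like:
#   <timestamp> - <timestamp> - <size> <attrs> (<publisher>) <path>
# Which timestamp is creation vs. modification depends on the section
# ("One Month Created" lists creation first, "One Month Modified" lists
# modification first), so the parser keeps them as first/second.
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Assumptions of this example (not FRST rules): which extensions count as
# executable code, and which path fragments mark a user-writable location.
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


@dataclass
class FrstEntry:
    first_ts: str
    second_ts: str
    size: int
    attrs: str      # five-character flag field, e.g. "____D", "__RSH"
    company: str    # publisher from version info; empty when absent
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_pe(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(PE_EXTENSIONS)


def parse_entry(line: str) -> Optional[FrstEntry]:
    """Return the parsed entry, or None for headers and other non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return FrstEntry(m["ts1"], m["ts2"], int(m["size"]), m["attrs"],
                     m["company"].strip(), m["path"])


def triage(entry: FrstEntry) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing noted."""
    reasons: List[str] = []
    if not entry.is_pe:
        return reasons
    if not entry.company:
        reasons.append("executable with no publisher in version info")
    if any(frag in entry.path.lower() for frag in USER_WRITABLE):
        reasons.append("executable in a user-writable location")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Parse every line of an FRST listing; return (path, reasons) for flagged entries."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                flagged.append((entry.path, reasons))
    return flagged


# Sample input: lines copied from the logs in this thread, plus one section
# header to show that non-entry lines are skipped.
SAMPLE_LINES = [
    r"2015-05-12 19:29 - 2015-04-21 12:25 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll",
    r"2015-05-31 19:41 - 2014-06-30 16:45 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys",
    r"2015-05-31 19:41 - 2014-05-08 03:15 - 00000000 ____D () C:\Users\OEM\Dropbox",
    r"2014-12-28 22:36 - 2014-12-28 22:38 - 0030921 __RSH () C:\Program Files\DLS8Uninstall.log",
    r"2015-05-31 19:40 - 2015-05-31 19:40 - 00043008 _____ () c:\users\oem\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgrr1ii.dll",
    r"2015-05-29 23:03 - 2015-05-29 23:03 - 08014872 _____ (Symantec Corporation) C:\Users\OEM\Downloads\SymHelp.exe",
    "==================== One Month Modified files and folders ========",
]

if __name__ == "__main__":
    for path, reasons in triage_log("\n".join(SAMPLE_LINES)):
        print(path, "->", "; ".join(reasons))
```

On the sample, only the unsigned DLL in the user's Temp folder and the Symantec tool in Downloads are flagged; the second shows that a known publisher does not exempt a file from the location check, it just lowers the priority of the review.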
 
Old 05-31-2015, 07:56 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello mat68046. Why do you only have 1 system restore point?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

Also, if you haven't done so already, create a system repair disc. It's really easy and quick.

Create a system repair disc

You can also download recovery software if you don't have an installation DVD:

Microsoft Software Recovery

------------------------------------------------------

iolo technologies System Mechanic
System Checkup


We do not recommend the use of registry cleaners, or the registry cleaner feature of CCleaner. Our colleague miekiemoes has an excellent writeup here

We strongly recommend uninstalling iolo technologies System Mechanic and System Checkup via Programs and Features in your Control Panel.

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

------------------------------------------------------

I noticed you have Free File Viewer installed.

Please read this and decide if you want to keep it >> Free File Viewer 2014 by Bitberry Software - Should I Remove It?

You can uninstall it via Programs and Features in your Control Panel.

If you decide to uninstall it, please delete the following Folder if it still exists:

C:\Program Files\FreeFileViewer

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

Note: If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please open Task Manager and 'End Process' on explorer.exe

Next, go File > New Task(Run...) and type explorer then press 'Enter'.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-03-2015, 06:57 PM   #5



Still with us, mat68046? I generally unsubscribe from threads after 3 days of inactivity. If you do not reply within 24 hours, this thread will be closed.

------------------------------------------------------
chemist is offline  
Old 06-04-2015, 03:48 AM   #6



Chemist, bear with me.
Creating backup now...
Repair disk done.
Iolo System Mechanic, Free File Viewer and uTorrent removed.

On backup completion and reboot will run ComboFix tonight and post the log. Thanks for your help thus far!
mat68046 is offline  
Old 06-04-2015, 06:53 PM   #7



You're very welcome. Did you also uninstall System Checkup?
chemist is offline  
Old 06-05-2015, 05:22 AM   #8


Yes, System Mechanic is uninstalled; however, I did not run ComboFix from the desktop directly, it ran from the Downloads subdirectory....
If this messes up the process, can it be re-run as you specified?
I'm on mobile at the moment, I'll do what you suggest tonight and/or post the log.
Thanks very much.
As of just before running ComboFix the machine had the same issues as before.
mat68046 is offline  
Old 06-05-2015, 06:15 PM   #9



System Checkup and System Mechanic are 2 different applications. Did you also uninstall System Checkup?

Just post the ComboFix.txt log you already have.
chemist is offline  
Old 06-07-2015, 05:57 AM   #10


System Checkup is uninstalled. ComboFix crashed so I had a chance to uninstall it.
Just started a new session with ComboFix and again it hangs up at the AutoScan stage. It hasn't ever run completely so there is no log yet.
I have cursor control and no hard drive activity and cannot open any programs. Soft reboot does not work.
Trying to avoid many hard resets.
What should I do next?
mat68046 is offline  
Old 06-07-2015, 12:26 PM   #11



Hello again, mat68046. Forget ComboFix for now. Exit ComboFix if necessary.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST.exe

    NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {32E3FC58-5608-4B7C-8CF9-E4CF9DC628B7} - System32\Tasks\iolo Process Governor => C:\Program Files\iolo\System Mechanic\iologovernor.exe [2015-04-27] (iolo technologies, LLC)
    Task: {C3B3A5BB-373C-412B-A92B-9D76342E6A7B} - System32\Tasks\iolo DelOnReboot => cmd.exe /c del /f C:\ProgramData\iolo\ops\smrr.dll
    Task: {D6AE69BD-07F2-47A2-913B-56DC703D65DD} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-05-08] (Piriform Ltd)
    Task: {D85944D9-6D95-4420-B88F-3BAA33C92A78} - System32\Tasks\iolo System Checkup => C:\ProgramData\iolo\scustask.lnk [2015-04-26] ()
    2015-05-31 19:40 - 2015-05-31 19:40 - 00043008 _____ () c:\users\oem\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgrr1ii.dll
    AlternateDataStreams: C:\Windows:800FFB093E1393C1
    AlternateDataStreams: C:\ProgramData\TEMP:2A42CEA6
    AlternateDataStreams: C:\Users\Public\DRM:احتضان
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => ""="Service"
    FirewallRules: [{F708C902-B8CC-4A2F-B7B2-AFE82C41A2B2}] => (Allow) C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe
    FirewallRules: [{1E533FAB-BFAE-4F34-A556-0097C65D32C3}] => (Allow) C:\Users\OEM\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{0BA9B3AC-AA4D-4973-956B-D70CFD13ED55}] => (Allow) C:\Users\OEM\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{218E8588-6A26-4149-AA83-BB98A343FF41}] => (Allow) C:\Users\OEM\AppData\Local\Temp\7zS1D82.tmp\SymNRT.exe
    FirewallRules: [{CCD9CE9C-9353-42CF-9D39-2995DC848676}] => (Allow) C:\Users\OEM\AppData\Local\Temp\7zS1D82.tmp\SymNRT.exe
    (iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\ioloGovernor.exe
    C:\Program Files\iolo
    (iolo technologies, LLC) C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
    (iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\LiveBoost.exe
    HKLM\...\Run: [iolo Startup] => C:\Program Files\iolo\Common\Lib\ioloLManager.exe [4521272 2015-04-27] (iolo technologies, LLC)
    HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: F - F:\LaunchU3.exe -a
    HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: {00cc46cf-8877-11e3-94c5-806e6f6e6963} - D:\setup.exe -q
    HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: {c35b6d44-34a8-11e4-a81d-001636c70e67} - F:\LaunchU3.exe -a
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    R2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [4676408 2015-04-27] (iolo technologies, LLC)
    S3 GPU-Z; \??\C:\Users\OEM\AppData\Local\Temp\GPU-Z.sys [X]
    2015-05-29 23:03 - 2015-05-29 23:03 - 08014872 _____ (Symantec Corporation) C:\Users\OEM\Downloads\SymHelp.exe
    2015-05-26 21:52 - 2015-05-26 21:52 - 00000000 ____D () C:\Users\OEM\AppData\Local\Symantec
    2015-05-26 21:48 - 2015-05-31 14:52 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
    2015-05-26 21:48 - 2009-07-13 12:06 - 00511328 _____ (Microsoft Corporation) C:\Windows\system32\capicom.dll
    2015-05-26 21:48 - 2007-03-21 20:39 - 01060864 _____ (Microsoft Corporation) C:\Windows\system32\MFC71.DLL
    2015-05-26 21:48 - 2007-03-21 20:33 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\MSVCP71.DLL
    2015-05-26 21:48 - 2007-03-21 20:33 - 00348160 _____ (Microsoft Corporation) C:\Windows\system32\MSVCR71.DLL
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iLivid" /f
    EmptyTemp:
    end
  • Double-click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
chemist is offline  
Old 06-07-2015, 07:51 PM   #12





Attempting FRST as you instructed; Notepad noted that the text you had me copy and paste had Unicode in it. I saved as Unicode and will proceed. If saving as ANSI would have worked or is preferred, please advise. I'll post whatever log is generated shortly...
mat68046 is offline  
Old 06-07-2015, 08:05 PM   #13



Fix result of Farbar Recovery Scan Tool (x86) Version: 07-06-2015
Ran by OEM at 2015-06-07 22:56:24 Run:1
Running from C:\Users\OEM\Desktop
Loaded Profiles: OEM (Available Profiles: OEM)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
createrestorepoint:
Task: {32E3FC58-5608-4B7C-8CF9-E4CF9DC628B7} - System32\Tasks\iolo Process Governor => C:\Program Files\iolo\System Mechanic\iologovernor.exe [2015-04-27] (iolo technologies, LLC)
Task: {C3B3A5BB-373C-412B-A92B-9D76342E6A7B} - System32\Tasks\iolo DelOnReboot => cmd.exe /c del /f C:\ProgramData\iolo\ops\smrr.dll
Task: {D6AE69BD-07F2-47A2-913B-56DC703D65DD} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-05-08] (Piriform Ltd)
Task: {D85944D9-6D95-4420-B88F-3BAA33C92A78} - System32\Tasks\iolo System Checkup => C:\ProgramData\iolo\scustask.lnk [2015-04-26] ()
2015-05-31 19:40 - 2015-05-31 19:40 - 00043008 _____ () c:\users\oem\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgrr1ii.dll
AlternateDataStreams: C:\Windows:800FFB093E1393C1
AlternateDataStreams: C:\ProgramData\TEMP:2A42CEA6
AlternateDataStreams: C:\Users\Public\DRM:احتضان
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => ""="Service"
FirewallRules: [{F708C902-B8CC-4A2F-B7B2-AFE82C41A2B2}] => (Allow) C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe
FirewallRules: [{1E533FAB-BFAE-4F34-A556-0097C65D32C3}] => (Allow) C:\Users\OEM\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{0BA9B3AC-AA4D-4973-956B-D70CFD13ED55}] => (Allow) C:\Users\OEM\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{218E8588-6A26-4149-AA83-BB98A343FF41}] => (Allow) C:\Users\OEM\AppData\Local\Temp\7zS1D82.tmp\SymNRT.exe
FirewallRules: [{CCD9CE9C-9353-42CF-9D39-2995DC848676}] => (Allow) C:\Users\OEM\AppData\Local\Temp\7zS1D82.tmp\SymNRT.exe
(iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\ioloGovernor.exe
C:\Program Files\iolo
(iolo technologies, LLC) C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
(iolo technologies, LLC) C:\Program Files\iolo\System Mechanic\LiveBoost.exe
HKLM\...\Run: [iolo Startup] => C:\Program Files\iolo\Common\Lib\ioloLManager.exe [4521272 2015-04-27] (iolo technologies, LLC)
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: {00cc46cf-8877-11e3-94c5-806e6f6e6963} - D:\setup.exe -q
HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\MountPoints2: {c35b6d44-34a8-11e4-a81d-001636c70e67} - F:\LaunchU3.exe -a
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
R2 ioloSystemService; C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe [4676408 2015-04-27] (iolo technologies, LLC)
S3 GPU-Z; \??\C:\Users\OEM\AppData\Local\Temp\GPU-Z.sys [X]
2015-05-29 23:03 - 2015-05-29 23:03 - 08014872 _____ (Symantec Corporation) C:\Users\OEM\Downloads\SymHelp.exe
2015-05-26 21:52 - 2015-05-26 21:52 - 00000000 ____D () C:\Users\OEM\AppData\Local\Symantec
2015-05-26 21:48 - 2015-05-31 14:52 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2015-05-26 21:48 - 2009-07-13 12:06 - 00511328 _____ (Microsoft Corporation) C:\Windows\system32\capicom.dll
2015-05-26 21:48 - 2007-03-21 20:39 - 01060864 _____ (Microsoft Corporation) C:\Windows\system32\MFC71.DLL
2015-05-26 21:48 - 2007-03-21 20:33 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\MSVCP71.DLL
2015-05-26 21:48 - 2007-03-21 20:33 - 00348160 _____ (Microsoft Corporation) C:\Windows\system32\MSVCR71.DLL
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iLivid" /f
EmptyTemp:
end
*****************

Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{32E3FC58-5608-4B7C-8CF9-E4CF9DC628B7} => key not found.
C:\Windows\System32\Tasks\iolo Process Governor not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\iolo Process Governor => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C3B3A5BB-373C-412B-A92B-9D76342E6A7B} => key not found.
C:\Windows\System32\Tasks\iolo DelOnReboot not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\iolo DelOnReboot => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D6AE69BD-07F2-47A2-913B-56DC703D65DD}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6AE69BD-07F2-47A2-913B-56DC703D65DD}" => key removed successfully.
C:\Windows\System32\Tasks\CCleanerSkipUAC => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D85944D9-6D95-4420-B88F-3BAA33C92A78} => key not found.
C:\Windows\System32\Tasks\iolo System Checkup not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\iolo System Checkup => key not found.
"c:\users\oem\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgrr1ii.dll" => File/Folder not found.
C:\Windows => ":800FFB093E1393C1" ADS removed successfully..
C:\ProgramData\TEMP => ":2A42CEA6" ADS removed successfully..
C:\Users\Public\DRM => ":احتضان" ADS removed successfully..
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => key not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => key not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F708C902-B8CC-4A2F-B7B2-AFE82C41A2B2} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E533FAB-BFAE-4F34-A556-0097C65D32C3} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0BA9B3AC-AA4D-4973-956B-D70CFD13ED55} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{218E8588-6A26-4149-AA83-BB98A343FF41} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CCD9CE9C-9353-42CF-9D39-2995DC848676} => value removed successfully.
C:\Program Files\iolo\System Mechanic\ioloGovernor.exe => No running process found
C:\Program Files\iolo => moved successfully.
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe => No running process found
C:\Program Files\iolo\System Mechanic\LiveBoost.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\iolo Startup => value not found.
"HKU\S-1-5-21-2165473294-3813611429-24842049-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F" => key removed successfully.
"HKU\S-1-5-21-2165473294-3813611429-24842049-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00cc46cf-8877-11e3-94c5-806e6f6e6963}" => key removed successfully.
HKCR\CLSID\{00cc46cf-8877-11e3-94c5-806e6f6e6963} => key not found.
"HKU\S-1-5-21-2165473294-3813611429-24842049-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c35b6d44-34a8-11e4-a81d-001636c70e67}" => key removed successfully.
HKCR\CLSID\{c35b6d44-34a8-11e4-a81d-001636c70e67} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
ioloSystemService => Service removed successfully.
GPU-Z => Service removed successfully.
C:\Users\OEM\Downloads\SymHelp.exe => moved successfully.
C:\Users\OEM\AppData\Local\Symantec => moved successfully.
C:\Program Files\Common Files\Symantec Shared => moved successfully.
C:\Windows\system32\capicom.dll => moved successfully.
C:\Windows\system32\MFC71.DLL => moved successfully.
C:\Windows\system32\MSVCP71.DLL => moved successfully.
C:\Windows\system32\MSVCR71.DLL => moved successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iLivid" /f =========

The operation completed successfully.



========= End of Reg: =========

EmptyTemp: => 108.6 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 22:57:14 ====
mat68046 is offline  
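The Fixlog above reports one outcome per fixlist directive, and the useful distinction for the helper is between items FRST actually removed and items it reports as "not found" (already gone; here the iolo tasks and service were absent because the user had uninstalled that software before the fix ran). As an added example, not code from this thread or from FRST, the Python below parses a Fixlog.txt into (target, outcome, category) triples and summarises them, skipping the echoed fixlist between the ***** markers whose "Task: ... =>" lines would otherwise be mistaken for results. The sample input is constructed from lines of the Fixlog posted above; the category names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# "<target> => <outcome>" lines; FRST sometimes quotes the target and
# sometimes ends the outcome with one or two periods, both are tolerated.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"? => (?P<outcome>.+?)\.*$')
# Lines without an arrow, e.g. "C:\Windows\System32\Tasks\iolo DelOnReboot not found."
NOT_FOUND_RE = re.compile(r"^(?P<target>.+?) not found\.$")


def classify(outcome: str) -> str:
    """Map an outcome phrase to one of: done, absent, info, other."""
    low = outcome.lower()
    if "not found" in low:
        return "absent"          # directive targeted something that no longer exists
    if "successfully" in low or "removed" in low:
        return "done"            # key/value/file/service removed or moved
    if "no running process" in low:
        return "info"            # a process directive with nothing left to stop
    return "other"


def parse_fixlog(text: str) -> List[Tuple[str, str, str]]:
    """Return (target, outcome, category) for each result line in Fixlog.txt.

    The echoed fixlist between the ***** markers is skipped: its "Task: ... =>"
    lines look like results but are the input, not the outcome.
    """
    results = []
    in_fixlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*****"):
            in_fixlist = not in_fixlist
            continue
        if in_fixlist or not line or line.startswith("="):
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append((m["target"], m["outcome"], classify(m["outcome"])))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            results.append((m["target"], "not found", "absent"))
        # Narrative lines ("Restore point was successfully created.",
        # "The system needed a reboot.") carry no target and are ignored.
    return results


def summarize(text: str) -> Tuple[Dict[str, int], List[str]]:
    """Counts per category plus the targets that were already absent."""
    results = parse_fixlog(text)
    counts = Counter(category for _, _, category in results)
    absent = [target for target, _, category in results if category == "absent"]
    return dict(counts), absent


# Sample input constructed from lines of the Fixlog posted above.
SAMPLE_FIXLOG = "\n".join([
    "Fix result of Farbar Recovery Scan Tool (x86) Version: 07-06-2015",
    "fixlist content:",
    "*****************",
    "start",
    r"Task: {32E3FC58-5608-4B7C-8CF9-E4CF9DC628B7} - System32\Tasks\iolo Process Governor => C:\Program Files\iolo\System Mechanic\iologovernor.exe [2015-04-27] (iolo technologies, LLC)",
    "end",
    "*****************",
    "",
    "Restore point was successfully created.",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{32E3FC58-5608-4B7C-8CF9-E4CF9DC628B7} => key not found.",
    r"C:\Windows\System32\Tasks\iolo Process Governor not found.",
    r'"c:\users\oem\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpgrr1ii.dll" => File/Folder not found.',
    r'"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC" => key removed successfully.',
    r"C:\Windows\System32\Tasks\CCleanerSkipUAC => moved successfully.",
    r'C:\Windows => ":800FFB093E1393C1" ADS removed successfully..',
    r"C:\Program Files\iolo\System Mechanic\ioloGovernor.exe => No running process found",
    "ioloSystemService => Service removed successfully.",
    "EmptyTemp: => 108.6 MB temporary data Removed.",
    "The system needed a reboot.",
])

if __name__ == "__main__":
    counts, absent = summarize(SAMPLE_FIXLOG)
    print(counts)
    for target in absent:
        print("already absent:", target)
```

The "absent" list is the part worth reading back against the original FRST.txt: an entry that was present at scan time but is reported not found at fix time was either removed in between (an uninstall, as here) or is being recreated and deleted by something still running, which is the case to look for when symptoms persist after a fix.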
Old 06-07-2015, 11:05 PM   #14



Hello again, mat68046. You did just fine saving it as you did. Thanks.

You never answered my question about why you only have 1 system restore point.

How is the machine behaving? Any improvement in behavior?

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs
  • Double-click on the scan log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as Administrator command.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-10-2015, 03:38 AM   #15
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1



Chemist

ESET came back clean.
Behavior seems normal at the moment.
MBAM log:

Malwarebytes Anti-Malware
Malwarebytes | Free Anti-Malware & Internet Security Software

Scan Date: 6/9/2015
Scan Time: 9:10:04 PM
Logfile: MBAMScan060915.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.09.06
Rootkit Database: v2015.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: OEM

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 329461
Time Elapsed: 25 min, 54 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Before closing the thread, allow me a day or two to assess, and thank you for the assistance!
I'll post a closing reply.
mat68046 is offline  
Old 06-10-2015, 01:27 PM   #16



Hello again, mat68046. You're very welcome. Glad to hear it. Take your time replying.

You still haven't answered my question about why you only had 1 restore point.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable WinDefender before uninstalling ComboFix and then re-enable it after doing so.

Press the Windows "logo" key and "R" key and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\FRST"

A DOS window will open and close again, this is normal.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM, update and run a Quick Scan weekly.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

------------------------------------------------------

Important

Due to continued exploits of zero-day vulnerabilities in Oracle's Java application, it is the recommendation of many security experts, as well as the TSF Security Team, that you disable Java in your web browsers.

Java

US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability

We recommend disabling Java in your browsers, and enabling it only when needed by certain websites.

Please disable Java in your browser(s) by following these instructions:

How do I disable Java in my web browser?

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
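The HOSTS-file item above describes the blocking mechanism (names mapped to 127.0.0.1 never leave the machine) but not how to check what a HOSTS file on a given machine actually contains. The following PowerShell script is an added example, not something posted in this thread and not part of the MVPS package; it separates block-style entries from entries that send a name somewhere other than the local machine, which is the pattern worth reviewing after an infection. The function name `Get-HostsAudit` and the sample lines are this example's own constructions.

```powershell
# Added example (not from the thread): audit a Windows HOSTS file.
# An ad-blocking HOSTS file such as the MVPS one maps unwanted names to
# 127.0.0.1 or 0.0.0.0, so requests for those names never leave the machine.
# The same file can also be used to send a legitimate name (an update or
# vendor site) to an outside address, so the audit reports those separately.
# Constructed sample lines are used below so the script runs anywhere; call
# Get-HostsAudit with no arguments to read the live file instead.

function Get-HostsAudit {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
        [string[]]$Lines
    )
    if (-not $Lines) { $Lines = Get-Content -Path $Path }

    # Addresses that mean "block this name" rather than "send it elsewhere".
    $blockAddresses = @('127.0.0.1', '0.0.0.0', '::1')
    $blocked   = New-Object System.Collections.ArrayList
    $redirects = New-Object System.Collections.ArrayList

    foreach ($raw in $Lines) {
        # Drop comments and surrounding whitespace; skip blank lines.
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $address = $fields[0]
        # One address may be followed by several host names on the same line.
        $names = $fields[1..($fields.Count - 1)]
        foreach ($name in $names) {
            if ($name -eq 'localhost') { continue }   # stock entries, not interesting
            $entry = New-Object PSObject -Property @{ Name = $name; Address = $address }
            if ($blockAddresses -contains $address) { [void]$blocked.Add($entry) }
            else { [void]$redirects.Add($entry) }
        }
    }

    New-Object PSObject -Property @{
        BlockedCount = $blocked.Count
        Redirects    = $redirects
    }
}

# Constructed sample: the stock localhost lines, two MVPS-style block entries,
# and one entry that points a name at an outside (documentation-range) address.
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '0.0.0.0  ads.example.net   # MVPS-style block entry',
    '0.0.0.0  tracker.example.org',
    '192.0.2.10  update.example-vendor.test  # sends a name to an outside address'
)

$audit = Get-HostsAudit -Lines $sample
"Block entries: $($audit.BlockedCount)"
if ($audit.Redirects.Count -gt 0) {
    'Entries that send a name somewhere other than the local machine (review these):'
    $audit.Redirects | Format-Table Name, Address -AutoSize
}
```

On the sample input the audit reports two block entries and lists `update.example-vendor.test -> 192.0.2.10` for review. A large block count is expected on a machine using the MVPS file; any entry in the review list should be explained by a deliberate configuration, since nothing in a blocklist needs to point at a routable address.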
Old 06-10-2015, 04:23 PM   #17



Chemist

I don't think I'm quite out of the woods yet. I have 18 sessions of svchost.exe running (local, system and network), one of which was at 600k of memory, and the machine was running horribly slow again.
Is there another virus running using svchost as a shadow?

I know of no reasons why that many sessions of that program need be running. The machine was idle and off-line all day.

I don't see the cmd.exe or conhost.exe programs running anymore which is a good thing.

What do you think?
mat68046 is offline  
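The question above, whether something is hiding behind svchost.exe, can be checked on the machine itself rather than guessed from Task Manager counts. The following PowerShell script is an added example, not code posted in this thread and not part of FRST, MBAM or any other tool used here. It lists every svchost.exe instance with the services it hosts and its working set, and flags instances whose image is not the one in System32, whose signature does not verify, whose parent is not services.exe, or which host no service at all. The four checks and the variable names are this example's own choices; `Get-WmiObject` is used instead of the newer CIM cmdlets so the script also runs on the Windows 7 / PowerShell 2.0 machine discussed in the thread. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): inventory every svchost.exe instance,
# show which services each one hosts, and flag anything that does not look
# like a genuine Windows service host. Several svchost.exe instances are
# normal on Windows; the point is to check each one, not to count them.

$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map process id -> list of service names hosted in that process.
$servicesByPid = @{}
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if ($svc.ProcessId -gt 0) {
        if (-not $servicesByPid.ContainsKey($svc.ProcessId)) {
            $servicesByPid[$svc.ProcessId] = New-Object System.Collections.ArrayList
        }
        [void]$servicesByPid[$svc.ProcessId].Add($svc.Name)
    }
}

$report = foreach ($proc in Get-WmiObject -Class Win32_Process -Filter "Name='svchost.exe'") {
    $image    = $proc.ExecutablePath
    $hosted   = $servicesByPid[$proc.ProcessId]
    $findings = @()

    # 1. A genuine service host is the svchost.exe in System32.
    if ($image -and ($image -ne $expectedImage)) {
        $findings += "image path is $image, expected $expectedImage"
    }

    # 2. A real svchost.exe hosts at least one service. An instance with none is
    #    either still starting up or a process that merely carries the name.
    if (-not $hosted -or $hosted.Count -eq 0) {
        $findings += 'hosts no services'
    }

    # 3. The image on disk should carry a valid Authenticode signature.
    if ($image -and (Test-Path $image)) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status is $($sig.Status)"
        }
    }

    # 4. Service hosts are started by the Service Control Manager (services.exe).
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$($proc.ParentProcessId)"
    if ($parent -and $parent.Name -ne 'services.exe') {
        $findings += "parent is $($parent.Name) (PID $($proc.ParentProcessId)), expected services.exe"
    }

    New-Object PSObject -Property @{
        PID          = $proc.ProcessId
        WorkingSetMB = [math]::Round($proc.WorkingSetSize / 1MB, 1)
        Services     = ($hosted -join ', ')
        Findings     = ($findings -join '; ')
    }
}

# Largest instance first, so the one using the most memory is at the top.
$report | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, Services, Findings -AutoSize -Wrap
```

An empty Findings column for every row means each instance is the signed System32 binary, started by services.exe, hosting named services; the instance at the top of the table then points at which service group (for example the one containing the Windows Update service, wuauserv) is consuming the memory, which is a configuration or update question rather than an infection question. A non-empty Findings cell is the row to attach to the next FRST request.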
Old 06-10-2015, 08:58 PM   #18



Hello again, mat68046. Both MBAM and ESET reported clean. I doubt you are still infected.

Run FRST again and post/attach the logs as before.

You still haven't answered my question about why you only had 1 restore point (3rd request).

------------------------------------------------------
chemist is offline  
Old 06-10-2015, 10:27 PM   #19



The hard drive in this machine was replaced not too long ago. For some reason this laptop will not boot into a WinPE from a flash drive; I assume the BIOS is too old and cannot be upgraded to allow this to work. Either way, I was negligent in doing backups and establishing regular restore points since changing the drive. I did manage to do a backup to a 64 GB flash drive (33 GB file).
My goal is to clone a second HDD with a recent restore point as an additional backup option but my lack of experience is an issue. Backing anything up at all with the possibility of replicating a virus was a concern also in generating restore points.
FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-06-2015
Ran by OEM (administrator) on OEM-DV6244US on 11-06-2015 01:04:49
Running from C:\Users\OEM\Desktop
Loaded Profiles: OEM (Available Profiles: OEM)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe
(Malwarebytes Corporation) C:\Malwarebytes Anti-Malware\mbam.exe
(Motorola) C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Paramount Software UK Ltd) C:\Program Files\Macrium\Reflect\ReflectService.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WDDMService.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Western Digital Technologies, Inc.) C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe
(Dropbox, Inc.) C:\Users\OEM\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
(Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_17_0_0_188.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1045800 2008-03-28] (Synaptics, Inc.)
HKLM\...\Run: [WirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-05-20] (Hewlett-Packard Company)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [WD Quick View] => C:\Program Files\Western Digital\WD SmartWare\WDDMStatus.exe [3998616 2011-12-06] (Western Digital Technologies, Inc.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5088456 2015-01-28] (ESET)
Startup: C:\Users\OEM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-05-12]
ShortcutTarget: Dropbox.lnk -> C:\Users\OEM\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\OEM\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\OEM\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\OEM\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-02-10] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\Windows\system32\CbFsMntNtf3.dll [2012-04-09] (EldoS Corporation)
BootExecute: autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2165473294-3813611429-24842049-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = msn
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-25] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-25] (Oracle Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_17_0_0_188.dll [2015-05-26] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin: @dymo.com/DymoLabelFramework -> C:\Program Files\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll [2012-01-30] ( Sanford L.P.)
FF Plugin: @IPCWebComponents -> C:\Program Files\IPCWebComponents\npIPCReg.dll [2014-04-07] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-10-25] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-10-25] (Apple Inc.)
FF Extension: Garmin Communicator - C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2014-07-28]
FF Extension: Yahoo Mail Hide Ad Panel - C:\Users\OEM\AppData\Roaming\Mozilla\Firefox\Profiles\znpbckq2.default\Extensions\{c37bac34-849a-4d28-be41-549b2c76c64e}.xpi [2015-02-11]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2014-06-14]
FF HKU\S-1-5-21-2165473294-3813611429-24842049-1000\...\Firefox\Extensions: [[email protected]] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 DymoPnpService; C:\Program Files\DYMO\DYMO Label Software\DymoPnpService.exe [32336 2012-01-30] (Sanford, L.P.)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1349576 2015-01-28] (ESET)
R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
S4 Motorola Device Manager; C:\Program Files\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2014-04-08] (Motorola Mobility LLC)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2015-04-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [284504 2015-04-30] (Microsoft Corporation)
S2 PEVSystemStart; C:\ComboFix\SWREG.3XE [518144 2000-08-30] (SteelWerX) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PST Service; C:\Program Files\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [2462160 2014-07-21] (Paramount Software UK Ltd)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\DRIVERS\amdkmafd.sys [15968 2013-03-14] (Advanced Micro Devices, Inc.)
R3 cbfs3; C:\Windows\System32\DRIVERS\cbfs3.sys [299024 2012-04-09] (EldoS Corporation)
S3 CH341SER; C:\Windows\System32\Drivers\CH341SER.SYS [39632 2009-06-03] (???????????????--???)
S3 dg_ksudbus; C:\Windows\System32\DRIVERS\ksudbus.sys [75776 2011-03-25] (Microsoft Corporation) [File not signed]
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [193464 2015-01-30] (ESET)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [190880 2015-01-30] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [135808 2015-01-30] (ESET)
R3 ElbyCDFL; C:\Windows\System32\Drivers\ElbyCDFL.sys [34760 2007-02-15] (SlySoft, Inc.)
R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [24232 2009-02-17] (Elaborate Bytes AG)
R2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [176448 2015-01-30] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [37928 2015-01-30] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [51824 2015-01-30] (ESET)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [57672 2009-05-21] (FTDI Ltd.)
S3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [160768 2007-05-01] (Conexant Systems Inc.) [File not signed]
R2 HOSTNT; C:\Windows\system32\Drivers\HOSTNT.sys [4032 2014-02-11] () [File not signed]
R3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSF_HWAZL.sys [210688 2008-05-08] (Conexant Systems, Inc.) [File not signed]
R3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DP.sys [985472 2008-05-08] (Conexant Systems, Inc.) [File not signed]
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [119512 2015-06-10] (Malwarebytes Corporation)
S3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [42752 2013-07-23] (Motorola Inc)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [245096 2015-03-04] (Microsoft Corporation)
R0 MxEFUF; C:\Windows\System32\DRIVERS\MxEFUF32.sys [102728 2010-11-04] (Matrox Graphics Inc.)
S3 PortTalk; C:\Windows\System32\Drivers\PortTalk.sys [3567 2009-01-18] (Beyond Logic BeyondLogic) [File not signed]
R0 pssnap; C:\Windows\System32\DRIVERS\pssnap.sys [13528 2014-07-21] ()
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [46096 2014-03-24] (Corel Corporation)
R1 RawDisk3; C:\Windows\system32\drivers\rawdsk3.sys [28256 2015-03-25] (EldoS Corporation)
S3 RT-USB; C:\Windows\System32\drivers\RT-USB.SYS [59464 2010-06-16] (Ross-Tech LLC)
S3 Ser2plx86; C:\Windows\System32\DRIVERS\ser2pl.sys [77824 2008-10-27] (Prolific Technology Inc.)
R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [3562880 2013-08-12] (Sonix Co. Ltd.)
S3 ST50220; C:\Windows\System32\Drivers\ST50220.sys [26752 2006-11-24] (Sonix)
S3 w39n51; C:\Windows\System32\DRIVERS\bzeek.sys [724096 2012-06-24] (BzeekLand LTD.)
S3 catchme; \??\C:\Users\OEM\AppData\Local\Temp\catchme.sys [X]
S1 MpKsl460bdd8f; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E7C08DA2-4F20-4C72-9140-6AB4187AAE4C}\MpKsl460bdd8f.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-10 00:22 - 2015-06-10 00:22 - 00000000 ____D C:\Users\OEM\AppData\Roaming\ESET
2015-06-10 00:22 - 2015-06-10 00:22 - 00000000 ____D C:\Users\OEM\AppData\Local\ESET
2015-06-10 00:20 - 2015-06-10 00:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2015-06-10 00:20 - 2015-06-10 00:20 - 00000000 ____D C:\ProgramData\ESET
2015-06-10 00:17 - 2015-06-10 00:17 - 01661128 _____ (ESET) C:\Users\OEM\Downloads\eset_smart_security_live_installer.exe
2015-06-09 23:06 - 2015-06-09 23:06 - 02870984 _____ (ESET) C:\Users\OEM\Downloads\esetsmartinstaller_enu(1).exe
2015-06-09 21:42 - 2015-06-09 21:42 - 00001059 _____ C:\Users\OEM\Desktop\MBAMScan060915.txt
2015-06-07 22:54 - 2015-06-07 22:54 - 00000000 ____D C:\Users\OEM\Desktop\FRST-OlderVersion
2015-06-07 08:46 - 2015-06-07 08:49 - 00000000 ___SD C:\ComboFix
2015-06-07 08:45 - 2015-06-07 08:45 - 00074703 _____ C:\Windows\system32\mfc45.dat
2015-06-06 21:07 - 2011-06-26 02:45 - 00256000 _____ C:\Windows\PEV.exe
2015-06-06 21:07 - 2010-11-07 13:20 - 00208896 _____ C:\Windows\MBR.exe
2015-06-06 21:07 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-06-06 21:07 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-06-06 21:07 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-06-06 21:07 - 2000-08-30 20:00 - 00098816 _____ C:\Windows\sed.exe
2015-06-06 21:07 - 2000-08-30 20:00 - 00080412 _____ C:\Windows\grep.exe
2015-06-06 21:07 - 2000-08-30 20:00 - 00068096 _____ C:\Windows\zip.exe
2015-06-04 04:24 - 2015-06-04 04:25 - 00000000 ____D C:\Users\OEM\Desktop\Lexar
2015-06-03 21:21 - 2015-06-03 21:21 - 00000000 ____D C:\Users\OEM\AppData\Local\GWX
2015-05-31 20:00 - 2015-05-31 20:02 - 00046740 _____ C:\Users\OEM\Desktop\Addition.txt
2015-05-31 19:59 - 2015-06-11 01:05 - 00013426 _____ C:\Users\OEM\Desktop\FRST.txt
2015-05-31 19:58 - 2015-06-11 01:04 - 00000000 ____D C:\FRST
2015-05-31 19:43 - 2015-06-07 22:54 - 01147904 _____ (Farbar) C:\Users\OEM\Desktop\FRST.exe
2015-05-31 19:30 - 2015-05-31 19:30 - 02231296 _____ C:\Users\OEM\Desktop\AdwCleaner.exe
2015-05-31 14:52 - 2015-05-31 14:52 - 00000000 ____D C:\Windows\system32\appmgmt
2015-05-31 14:26 - 2015-05-31 14:29 - 00688992 ____R (Swearware) C:\Users\OEM\Downloads\dds.scr
2015-05-31 13:34 - 2015-05-31 13:34 - 02108928 _____ (Farbar) C:\Users\OEM\Downloads\FRST64.exe
2015-05-31 03:03 - 2015-05-31 03:03 - 00000000 ____D C:\Windows\erdnt
2015-05-31 03:01 - 2015-06-06 21:07 - 05628238 ____R (Swearware) C:\Users\OEM\Desktop\ComboFix.exe
2015-05-31 02:48 - 2015-05-31 02:48 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\OEM\Downloads\tdsskiller.exe
2015-05-31 02:44 - 2015-05-31 19:38 - 00000000 ____D C:\AdwCleaner
2015-05-31 02:18 - 2015-05-31 02:18 - 00017722 _____ C:\Users\OEM\Documents\eset5-31-15.txt
2015-05-31 00:36 - 2015-06-10 00:20 - 00000000 ____D C:\Program Files\ESET
2015-05-31 00:35 - 2015-05-31 00:35 - 02347384 _____ (ESET) C:\Users\OEM\Downloads\esetsmartinstaller_enu.exe
2015-05-30 21:28 - 2015-05-30 21:28 - 00000000 ____D C:\Windows\Sun
2015-05-30 00:03 - 2015-05-30 00:03 - 00021402 _____ C:\Users\OEM\Documents\cc_20150530_000340.reg
2015-05-30 00:01 - 2015-05-30 00:01 - 00000965 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-05-29 23:25 - 2015-05-29 23:25 - 16502728 _____ (Malwarebytes Corp.) C:\Users\OEM\Downloads\mbar-1.09.1.1004.exe
2015-05-27 22:25 - 2015-05-27 22:25 - 00000701 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-27 22:25 - 2015-05-27 22:25 - 00000000 ____D C:\Malwarebytes Anti-Malware
2015-05-27 21:38 - 2015-05-27 21:38 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\OEM\Downloads\mbam-setup-2.1.6.1022.exe
2015-05-25 21:01 - 2015-05-25 21:01 - 00000000 ____D C:\Program Files\Common Files\Java
2015-05-25 20:59 - 2015-05-25 20:59 - 00561248 _____ (Oracle Corporation) C:\Users\OEM\Downloads\jxpiinstall(1).exe
2015-05-20 02:07 - 2015-05-01 09:16 - 00102608 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-17 20:58 - 2015-06-06 08:11 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-05-13 21:43 - 2015-05-13 21:43 - 00822582 _____ C:\Users\OEM\Downloads\IPCameraTool version 1.0.0.1 - 20131120.zip
2015-05-13 21:43 - 2015-05-13 21:43 - 00000000 ____D C:\Users\OEM\Downloads\IPCameraTool version 1.0.0.1 - 20131120
2015-05-12 20:44 - 2015-05-12 20:45 - 00149160 _____ C:\Windows\Minidump\051215-22354-01.dmp
2015-05-12 20:44 - 2015-05-12 20:44 - 416804091 _____ C:\Windows\MEMORY.DMP
2015-05-12 20:44 - 2015-05-12 20:44 - 00000000 ____D C:\Windows\Minidump
2015-05-12 19:30 - 2015-04-27 15:11 - 03989440 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-05-12 19:30 - 2015-04-27 15:11 - 03934144 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-05-12 19:30 - 2015-04-27 15:11 - 00137664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-05-12 19:30 - 2015-04-27 15:11 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-05-12 19:30 - 2015-04-27 15:08 - 01307648 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00851456 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00635392 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\sechost.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-05-12 19:30 - 2015-04-27 15:05 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00641536 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00364544 _____ (Microsoft Corporation) C:\Windows\system32\tracerpt.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00082944 _____ (Microsoft Corporation) C:\Windows\system32\logman.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00040448 _____ (Microsoft Corporation) C:\Windows\system32\typeperf.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-05-12 19:30 - 2015-04-27 15:04 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\relog.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-05-12 19:30 - 2015-04-27 15:04 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-05-12 19:30 - 2015-04-27 15:03 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-05-12 19:30 - 2015-04-27 15:03 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\diskperf.exe
2015-05-12 19:30 - 2015-04-27 15:01 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-05-12 19:30 - 2015-04-27 15:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-05-12 19:30 - 2015-04-27 14:59 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-05-12 19:30 - 2015-04-27 14:59 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-05-12 19:30 - 2015-04-27 14:00 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-05-12 19:30 - 2015-04-19 22:56 - 01250816 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-05-12 19:30 - 2015-04-19 22:56 - 00909312 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-05-12 19:30 - 2015-04-19 22:03 - 02382336 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-05-12 19:30 - 2015-01-28 23:02 - 02311168 _____ (Microsoft Corporation) C:\Windows\system32\wpdshext.dll
2015-05-12 19:29 - 2015-05-04 21:12 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-05-12 19:29 - 2015-04-21 21:48 - 00342736 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-05-12 19:29 - 2015-04-21 12:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-05-12 19:29 - 2015-04-21 12:25 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-05-12 19:29 - 2015-04-21 12:24 - 19691008 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-05-12 19:29 - 2015-04-21 12:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-05-12 19:29 - 2015-04-21 12:11 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-05-12 19:29 - 2015-04-21 12:10 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-05-12 19:29 - 2015-04-21 12:09 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-05-12 19:29 - 2015-04-21 12:08 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-05-12 19:29 - 2015-04-21 12:04 - 02278400 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-05-12 19:29 - 2015-04-21 12:03 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-05-12 19:29 - 2015-04-21 12:02 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-05-12 19:29 - 2015-04-21 12:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-05-12 19:29 - 2015-04-21 11:58 - 00664576 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-05-12 19:29 - 2015-04-21 11:58 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-05-12 19:29 - 2015-04-21 11:58 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-05-12 19:29 - 2015-04-21 11:57 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-05-12 19:29 - 2015-04-21 11:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-05-12 19:29 - 2015-04-21 11:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-05-12 19:29 - 2015-04-21 11:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-05-12 19:29 - 2015-04-21 11:39 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-05-12 19:29 - 2015-04-21 11:38 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-05-12 19:29 - 2015-04-21 11:36 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-05-12 19:29 - 2015-04-21 11:31 - 04305920 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-05-12 19:29 - 2015-04-21 11:26 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-05-12 19:29 - 2015-04-21 11:26 - 00685568 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-05-12 19:29 - 2015-04-21 11:25 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-05-12 19:29 - 2015-04-21 11:24 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-05-12 19:29 - 2015-04-21 11:17 - 12828672 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-05-12 19:29 - 2015-04-21 11:02 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-05-12 19:29 - 2015-04-21 10:58 - 01310208 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-05-12 19:29 - 2015-04-21 10:56 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-05-12 19:29 - 2015-04-17 22:56 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2015-05-12 19:29 - 2015-04-12 23:19 - 00259072 _____ (Microsoft Corporation) C:\Windows\system32\services.exe
2015-05-12 19:29 - 2015-04-07 23:14 - 00216064 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2015-05-12 19:29 - 2015-04-07 23:14 - 00019968 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2015-05-12 19:29 - 2015-03-04 00:11 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\shimeng.dll
2015-05-12 19:29 - 2015-03-04 00:10 - 00295936 _____ (Microsoft Corporation) C:\Windows\system32\apphelp.dll
2015-05-12 19:29 - 2015-03-04 00:10 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\aelupsvc.dll
2015-05-12 19:29 - 2015-03-04 00:10 - 00020992 _____ (Microsoft Corporation) C:\Windows\system32\sdbinst.exe
2015-05-12 19:29 - 2015-02-18 03:06 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-11 01:05 - 2014-03-18 17:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-11 01:01 - 2014-09-10 23:09 - 00121976 _____ C:\Windows\setupact.log
2015-06-11 00:23 - 2015-03-11 08:23 - 00000917 _____ C:\Windows\Tasks\EPSON XP-620 Series Update {A1CFF8BD-4937-4DA3-A69C-447EE14FCD95}.job
2015-06-10 23:17 - 2014-01-28 19:54 - 01852325 _____ C:\Windows\WindowsUpdate.log
2015-06-10 23:14 - 2009-07-14 00:34 - 00026576 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-10 23:14 - 2009-07-14 00:34 - 00026576 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-10 19:22 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-10 19:21 - 2009-07-14 00:53 - 00031640 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-06-10 19:18 - 2014-06-30 16:45 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2015-06-07 23:00 - 2014-05-08 03:15 - 00000000 ___RD C:\Users\OEM\Dropbox
2015-06-07 23:00 - 2014-05-08 03:11 - 00000000 ____D C:\Users\OEM\AppData\Roaming\Dropbox
2015-06-07 22:59 - 2014-01-28 20:46 - 00000437 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-06-07 22:58 - 2014-10-25 23:56 - 00106440 _____ C:\Windows\PFRO.log
2015-06-07 08:45 - 2015-04-26 20:58 - 00000000 ____D C:\ProgramData\iolo
2015-06-06 21:07 - 2013-01-17 10:15 - 00000000 ____D C:\Qoobox
2015-06-06 08:11 - 2014-01-28 21:03 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-06-04 03:52 - 2014-02-27 00:43 - 00000000 ____D C:\Users\OEM\AppData\Roaming\uTorrent
2015-06-04 03:52 - 2014-02-19 16:02 - 00000000 ____D C:\Program Files\FreeFileViewer
2015-06-04 03:52 - 2009-07-13 22:37 - 00000000 __RSD C:\Windows\Media
2015-06-01 05:27 - 2015-04-30 22:38 - 00000000 ____D C:\Windows\system32\config\SM Registry Backup
2015-05-31 20:48 - 2014-12-29 05:18 - 00000000 ____D C:\Users\OEM\Desktop\Computer
2015-05-31 02:04 - 2011-09-14 00:49 - 00000000 ____D C:\AOL Instant Messenger
2015-05-30 00:01 - 2014-02-23 15:00 - 00000000 ____D C:\Program Files\CCleaner
2015-05-29 23:58 - 2014-02-19 18:23 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-05-29 23:28 - 2014-02-19 18:17 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-05-27 22:25 - 2014-06-30 16:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-27 22:10 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Help
2015-05-27 21:41 - 2010-11-20 17:01 - 00781782 _____ C:\Windows\system32\PerfStringBackup.INI
2015-05-27 19:27 - 2015-01-05 23:10 - 00000000 ____D C:\IPCamRecord
2015-05-27 04:49 - 2014-06-30 16:51 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-05-26 21:16 - 2014-08-20 22:32 - 00000000 ____D C:\Users\OEM\AppData\Local\Adobe
2015-05-26 21:16 - 2014-01-29 01:07 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-05-26 21:16 - 2014-01-29 01:07 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-05-26 00:46 - 2014-01-28 23:18 - 00000000 ____D C:\ProgramData\Oracle
2015-05-25 21:00 - 2014-10-26 00:10 - 00096352 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-05-25 21:00 - 2014-01-28 23:17 - 00000000 ____D C:\Program Files\Java
2015-05-22 20:55 - 2010-11-20 20:46 - 00000000 ____D C:\Program Files\Windows Journal
2015-05-21 22:43 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2015-05-21 21:13 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET
2015-05-21 21:05 - 2009-07-14 00:33 - 00287560 _____ C:\Windows\system32\FNTCACHE.DAT
2015-05-21 21:03 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2015-05-20 02:08 - 2014-01-28 21:19 - 00002117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-05-20 02:08 - 2014-01-28 21:19 - 00001945 _____ C:\Windows\epplauncher.mif
2015-05-20 02:08 - 2014-01-28 21:18 - 00000000 ____D C:\Program Files\Microsoft Security Client
2015-05-20 02:05 - 2014-01-29 00:05 - 00000000 ____D C:\Windows\system32\MRT
2015-05-20 01:56 - 2014-01-29 00:05 - 137310008 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-05-20 01:53 - 2015-04-07 19:49 - 00000000 ___SD C:\Windows\system32\GWX
2015-05-20 01:50 - 2014-04-17 09:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-05-20 01:50 - 2014-04-17 09:10 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-05-16 07:13 - 2014-01-29 16:17 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-12 19:15 - 2014-05-08 03:15 - 00001015 _____ C:\Users\OEM\Desktop\Dropbox.lnk
2015-05-12 19:15 - 2014-05-08 03:13 - 00000000 ____D C:\Users\OEM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox

==================== Files in the root of some directories =======

2014-12-28 22:36 - 2014-12-28 22:38 - 0030921 __RSH () C:\Program Files\DLS8Uninstall.log
2014-01-29 11:41 - 2014-01-29 11:41 - 0000000 _____ () C:\Users\OEM\AppData\Local\AtStart.txt
2014-01-29 11:41 - 2014-01-29 11:41 - 0000000 _____ () C:\Users\OEM\AppData\Local\DSwitch.txt
2014-01-29 11:41 - 2014-01-29 11:41 - 0000000 _____ () C:\Users\OEM\AppData\Local\QSwitch.txt
2014-02-01 20:30 - 2014-02-27 22:29 - 0007603 _____ () C:\Users\OEM\AppData\Local\resmon.resmoncfg
2015-03-22 23:46 - 2015-03-22 23:46 - 0000041 ___SH () C:\ProgramData\.zreglib
2015-03-11 12:23 - 2015-03-11 12:23 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-03-06 20:22 - 2015-06-09 21:56 - 0028799 _____ () C:\ProgramData\HPWALog.txt
2014-06-14 03:34 - 2014-06-23 09:24 - 0001663 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
C:\Users\OEM\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmptjhqet.dll
C:\Users\OEM\AppData\Local\Temp\InstHelper.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-03 00:26

==================== End of log ============================

Still have no idea why so many svchost.exe's are running (17).

Addition.txt attached....
Old 06-11-2015, 11:45 AM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, mat68046. Your logs are clean.

------------------------------------------------------

Press the Windows "logo" key and the "R" key, then copy/paste the following single-line command into the Run box and click OK:

sc delete MpKsl460bdd8f

A DOS window will open and close again; this is normal.

------------------------------------------------------

It appears that you have two antivirus programs installed and running, ESET and Security Essentials.

While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs.

Please choose one to keep and uninstall the other via Programs and Features in your Control Panel.

------------------------------------------------------

I have 10 instances of svchost.exe running on my XP machine, multiple internet tabs.

I have 12 instances of svchost.exe running on my Win7(64-bit) machine, no internet.

I have 12 instances of svchost.exe running on my Win7(32-bit) machine, no internet.

What is svchost.exe And Why Is It Running?

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
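The svchost.exe count is a recurring question in this thread, so here is a way to answer it from the machine itself rather than by comparing counts across machines. This is an added example, not a script posted in the thread or a tool from the forum's helpers. It assumes Windows PowerShell (it uses Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Windows 7) started from an elevated prompt, so that every process, its owner and its service bindings are visible. For each svchost.exe it prints the hosting PID, the account it runs as, the image path, the `-k` service group from the command line and the services bound to that PID, and it flags an instance that runs from somewhere other than System32, whose Authenticode signature does not verify (the same check FRST reports under "Bamital & volsnap Check"), or that has no services bound to it at all.

```powershell
# Added example (not from the thread): list every svchost.exe with its hosted services
# and flag anything that does not look like a genuine service host.
# Assumes Windows PowerShell 2.0 or later, run elevated.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Build a PID -> service-name map once, so each host process can be matched to its services.
$servicesByPid = @{}
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }) {
    if (-not $servicesByPid.ContainsKey($svc.ProcessId)) {
        $servicesByPid[$svc.ProcessId] = New-Object System.Collections.ArrayList
    }
    [void]$servicesByPid[$svc.ProcessId].Add($svc.Name)
}

$hosts = @(Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'")
Write-Host ("{0} svchost.exe instance(s) found" -f $hosts.Count)

foreach ($p in $hosts) {
    $path  = $p.ExecutablePath
    $owner = $p.GetOwner()
    $sig   = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    $flags = @()
    # A genuine svchost.exe lives in System32 and carries a valid Microsoft signature.
    if ($path -and ($path -ine $expectedPath)) { $flags += 'UNEXPECTED PATH' }
    if ($sig -and ($sig.Status -ne 'Valid'))   { $flags += "SIGNATURE: $($sig.Status)" }

    # Service hosts exist only to host services; one with nothing bound deserves a closer look.
    $svcs = if ($servicesByPid.ContainsKey($p.ProcessId)) { $servicesByPid[$p.ProcessId] } else { @() }
    if ($svcs.Count -eq 0) { $flags += 'NO SERVICES BOUND' }

    Write-Host ("PID {0,6}  {1,-24} {2}" -f $p.ProcessId, "$($owner.Domain)\$($owner.User)", $path)
    Write-Host ("        command : {0}" -f $p.CommandLine)
    Write-Host ("        services: {0}" -f $(if ($svcs.Count) { $svcs -join ', ' } else { '(none)' }))
    if ($flags.Count) {
        Write-Host ("        FLAGS   : {0}" -f ($flags -join '; ')) -ForegroundColor Yellow
    }
}
```

On a healthy Windows 7 system every instance runs from C:\Windows\System32, is signed, and hosts one or more services grouped by the `-k` name in its command line (netsvcs, LocalServiceNetworkRestricted, and so on), so a dozen or more instances is unremarkable. What is worth attention is an entry that carries a flag, or a service name in the bound list that you cannot account for; those are the lines to take back to a helper thread like this one.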