Solved: Need help... embedded 'updateflashplayer.exe' trojan virus

Mark O

We opened the wrong email... Delta tickets attached! Immediately got an embedded virus, the 'updateflashplayer.exe' Trojan. I started the process of following the Techspot forum instructions.
Here are the logs from MBAM and DDS. I have Security Essentials as antivirus protection and only now loaded MBAM Premium... for real-time malware protection going forward. Windows 7 Pro, 32-bit laptop.
Can you help me finish cleaning this machine?

Version: 2.00.2.1012
Malware Database: v2014.09.06.06
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: AnyUser
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 279195
Time Elapsed: 7 min, 50 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, 3848, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.WeDownLoadManager.A, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WEDLMNGR, Quarantined, [d7c205c4d4a76ec8119f738822e01de3],
Registry Values: 1
Trojan.Zbot, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ymsedielamb, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Quarantined, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 5
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e],
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Alpebyc\ibfuu.exe, Quarantined, [12872f9a4635cb6b987dbefa01008d73],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96952c1b.exe, Quarantined, [5c3d6a5fceadc76f44d1962203fef50b],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d3c7bcbb.exe, Quarantined, [ebae5376e19a9d99f61f9226669ba55b],
Trojan.Agent.MP, C:\Users\AnyUser\AppData\Local\butiqvll.exe, Quarantined, [46533297fa81f73f122bedf8ca3a60a0],
Physical Sectors: 0
(No malicious items detected)

(end)


DDS scan
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17239
Run by AnyUser at 12:09:14 on 2014-09-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.2017 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoSync\MemeoAutoSync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uSearch Bar = Preserve
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [HP Officejet Pro 8610 (NET)] "c:\program files\hp\hp officejet pro 8610\bin\ScanToPCActivationApp.exe" -deviceID "CN41BBK12X:NW" -scfn "HP Officejet Pro 8610 (NET)" -AutoStart 1
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [FingerPrintSoftwareSplashScreen] "c:\program files\lenovo fingerprint software\splashscreen.exe" \s
mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe"
mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowCpl = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print\SmartPrintSetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1388550385823
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{F5FB515C-88C4-40A8-A8E0-D729B3C3D357} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.103\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-5-31 1824584]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-5-31 98304]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-9-5 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-9-5 860472]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2014-3-15 2058776]
R3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2011-5-31 659968]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-8-22 225408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-9-5 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-5 110296]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-5-31 106496]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-14 108032]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-9-5 51928]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 104264]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-1-4 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-14 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-10-18 1343400]
.
=============== Created Last 30 ================
.
2014-09-06 16:24:31 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-06 16:24:31 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46:36 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-05 23:46:21 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-05 23:46:21 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-05 23:46:21 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-05 23:46:20 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 23:46:20 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-05 10:17:44 237 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
2014-09-05 10:16:10 -------- d-----w- c:\users\anyuser\appdata\roaming\Alpebyc
2014-09-05 09:57:58 -------- d-----w- c:\users\anyuser\appdata\roaming\Ihexdoe
2014-09-05 04:15:34 280064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzppw71.dll
2014-09-04 11:31:22 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4cabbce6-e73b-4acb-b060-dff64cb7fc07}\mpengine.dll
2014-09-03 11:29:47 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-08-29 11:30:34 893248 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a53b23e6-d90f-41c5-8cd2-bc028b31e215}\gapaengine.dll
2014-08-27 19:27:47 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-27 19:27:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-27 14:55:41 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
2014-08-27 14:16:02 -------- d-----w- c:\windows\system32\appmgmt
2014-08-18 22:29:03 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-18 22:28:27 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-18 22:27:32 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-18 22:27:32 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-15 11:09:55 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-15 11:09:49 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-15 11:09:38 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-15 11:09:29 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
.
==================== Find3M ====================
.
2014-07-25 13:04:40 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-07-25 13:03:54 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-07-25 12:34:49 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-07-25 12:34:03 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-07-25 12:33:08 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-07-25 12:30:32 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-07-25 12:10:15 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-07-25 12:10:12 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-07-25 12:08:47 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-07-25 12:06:47 4204032 ----a-w- c:\windows\system32\jscript9.dll
2014-07-25 11:59:29 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-25 11:43:16 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-07-25 11:07:49 2001920 ----a-w- c:\windows\system32\inetcpl.cpl
2014-07-25 11:07:10 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-25 10:05:23 1792512 ----a-w- c:\windows\system32\wininet.dll
2014-07-16 02:46:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-07-14 01:42:02 654336 ----a-w- c:\windows\system32\rpcrt4.dll
2014-07-09 02:59:14 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:59:14 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-16 01:44:49 730048 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-06-16 01:44:49 219072 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2014-06-16 01:40:20 107520 ----a-w- c:\windows\system32\cdd.dll
.
============= FINISH: 12:09:46.87 ===============

I will post DDS 'attach' report if you need it.

Thank you!
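The MBAM threat-scan log above, read by a small parser. This is an added example, not part of the original thread and not Malwarebytes' own tooling; the section-header and detection-line layout is inferred from the pasted log, and the embedded sample is an excerpt of that log with the Files count adjusted to the lines kept.

```python
"""Summarise a Malwarebytes Anti-Malware 2.x threat-scan log like the one pasted
above: which items are only gone after a reboot, and which autorun (Run-key)
entries relaunched the payload. Added example, not Malwarebytes' own tooling;
the layout of section headers ("Files: 5") and detection lines
("threat, target[, detail], action, [id]") is inferred from the posted log."""
import re
from collections import Counter
from dataclasses import dataclass

# The result sections MBAM 2.x prints, in the order the posted log shows them.
RESULT_SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
                   "Registry Data", "Folders", "Files", "Physical Sectors")
SECTION_RE = re.compile(r"^(%s): (\d+)$" % "|".join(RESULT_SECTIONS))
# threat, one or more ", "-separated fields, action, [hex id], optional trailing comma
DETECTION_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<middle>.+), (?P<action>[A-Za-z-]+), \[(?P<digest>[0-9a-f]+)\],?$")


@dataclass
class Detection:
    section: str  # one of RESULT_SECTIONS
    threat: str   # e.g. Trojan.Zbot
    target: str   # file path, or registry KEY|VALUE for Registry Values
    detail: str   # PID for Processes, value data for Registry Values, else ""
    action: str   # Quarantined, Delete-on-Reboot, ...
    digest: str   # the bracketed identifier MBAM prints per item


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log once, remembering which section header each line falls under."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            fields = m.group("middle").split(", ")
            found.append(Detection(section, m.group("threat"), fields[0],
                                   ", ".join(fields[1:]), m.group("action"),
                                   m.group("digest")))
    return found


def count_mismatches(text: str) -> dict[str, tuple[int, int]]:
    """Sections whose header count differs from the lines parsed (declared, parsed):
    the paste was truncated, or a line uses a layout this parser does not know."""
    parsed = Counter(d.section for d in parse_mbam_log(text))
    declared = {m.group(1): int(m.group(2)) for m in
                (SECTION_RE.match(l.strip()) for l in text.splitlines()) if m}
    return {s: (n, parsed[s]) for s, n in declared.items() if n != parsed[s]}


def pending_reboot(dets: list[Detection]) -> list[Detection]:
    """Items MBAM could not remove while running (live process, in-use file);
    they are only gone after the restart, so re-scan after rebooting."""
    return [d for d in dets if d.action == "Delete-on-Reboot"]


def autorun_persistence(dets: list[Detection]) -> list[Detection]:
    """Registry values under ...\\CurrentVersion\\Run: what relaunched the payload."""
    return [d for d in dets
            if d.section == "Registry Values" and "\\RUN|" in d.target.upper()]


def unresolved_persistence(dets: list[Detection]) -> list[Detection]:
    """Run entries whose target binary never appeared in the Files/Processes
    results: the launcher was removed but the file it points at was not."""
    handled = {d.target.lower() for d in dets if d.section in ("Files", "Processes")}
    return [d for d in autorun_persistence(dets) if d.detail.lower() not in handled]


# Excerpt of the log posted above (Files count adjusted to the lines kept).
SAMPLE_LOG = r"""Processes: 1
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, 3848, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.WeDownLoadManager.A, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WEDLMNGR, Quarantined, [d7c205c4d4a76ec8119f738822e01de3],
Registry Values: 1
Trojan.Zbot, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ymsedielamb, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Quarantined, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Files: 4
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e],
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Alpebyc\ibfuu.exe, Quarantined, [12872f9a4635cb6b987dbefa01008d73],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96952c1b.exe, Quarantined, [5c3d6a5fceadc76f44d1962203fef50b],
Trojan.Agent.MP, C:\Users\AnyUser\AppData\Local\butiqvll.exe, Quarantined, [46533297fa81f73f122bedf8ca3a60a0],
"""

if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("threats:", dict(Counter(d.threat for d in dets)))
    for d in pending_reboot(dets):
        print("gone only after reboot:", d.section, d.target)
    for d in autorun_persistence(dets):
        print("autorun entry:", d.target.rsplit("\\", 1)[-1], "->", d.detail)
    print("persistence left over:", unresolved_persistence(dets) or "none")
    print("count mismatches:", count_mismatches(SAMPLE_LOG) or "none")
```

Run it against a full pasted log to see at a glance whether the Run-key launcher and the binary it points at were both handled, and whether anything is still waiting on the reboot.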
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================

I still need Attach.txt log from DDS.

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

  • Close all the running programs
  • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced, post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Create a new restore point before proceeding with the next step.
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download Malwarebytes Anti-Rootkit (https://www.techspot.com/downloads/5603-malwarebytes-anti-rootkit.html) to your desktop.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
 
Hi Broni, while many may follow steps of similar virus infections, I'm grateful to have your eyes on the logs as we clean my machine. MANY THANKS!
Logs to follow: DDS attach text.

Separate post: RogueKiller log, MBAR scan log, MBAR system log.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/6/2013 8:35:01 PM
System Uptime: 9/6/2014 11:58:01 AM (1 hours ago)
.
Motherboard: LENOVO | | 7417TPU
Processor: Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz | None | 793/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 177.815 GiB free.
D: is CDROM ()
G: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP95: 8/4/2014 5:50:02 PM - Windows Update
RP96: 8/8/2014 5:50:03 PM - Windows Update
RP97: 8/12/2014 10:29:51 AM - Windows Update
RP98: 8/15/2014 6:00:15 AM - Windows Update
RP99: 8/18/2014 6:48:39 AM - Windows Update
RP100: 8/18/2014 5:27:17 PM - Windows Update
RP101: 8/20/2014 11:09:51 PM - Installed HP Update.
RP102: 8/20/2014 11:17:09 PM - Windows Update
RP103: 8/23/2014 11:37:21 PM - Windows Update
RP104: 8/27/2014 9:11:40 AM - Removed HP Update.
RP105: 8/27/2014 9:13:54 AM - Removed HP Officejet Pro 8600 Help
RP106: 8/27/2014 9:16:14 AM - Removed HP FWUpdateEDO2
RP107: 8/27/2014 9:17:47 AM - Removed HP Officejet Pro 8600 Basic Device Software
RP108: 8/28/2014 6:00:18 AM - Windows Update
RP109: 8/31/2014 6:30:13 AM - Windows Update
RP110: 9/4/2014 6:30:22 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Acrobat 9 Standard - English, Français, Deutsch
Adobe Acrobat 9.5.5 - CPSID_83708
Adobe Flash Player 14 ActiveX
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 6
Belarc Advisor 8.4
Bonjour
Conexant 20561 SmartAudio HD
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Chrome
Google Update Helper
HP Officejet Pro 8610 Basic Device Software
HP Officejet Pro 8610 Help
HP Photosmart Plus B210 series Basic Device Software
HP Update
I.R.I.S. OCR
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
Intel® Active Management Technology
Internet Explorer (Enable DEP)
iTunes
Lenovo Fingerprint Software
Lenovo Power Management Driver
Malwarebytes Anti-Malware version 2.0.2.1012
Memeo AutoSync
Microsoft .NET Framework 4.5.1
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Quicken 2009
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
ThinkPad UltraNav Driver
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687502) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition
VirtualCloneDrive
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (07/02/2010 8.6.0.29)
.
==== Event Viewer Messages From Past Week ========
.
9/6/2014 8:11:58 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/6/2014 12:08:47 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/6/2014 11:57:21 AM, Error: Service Control Manager [7016] - The Data Transfer Service service has reported an invalid current state 0.
9/5/2014 6:52:46 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/5/2014 6:51:06 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
9/5/2014 6:51:06 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
9/5/2014 6:50:45 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_cac9cd10.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Program Files\Malwarebytes Anti-Malware\mbam.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/5/2014 5:14:14 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_4bcf51fe.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/5/2014 5:01:41 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
9/5/2014 4:54:15 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8d8c67e7.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/5/2014 3:12:26 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_df117291.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/5/2014 12:55:39 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_65cae4d6.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/5/2014 12:11:10 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
9/5/2014 1:17:19 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5f489339.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:49:07 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_9167203a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_b5a34405.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_fbf225c6.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:47:27 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_440efd2e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_737fd14a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_b5a34405.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ce3d5bc2.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:46:36 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_737fd14a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ce3d5bc2.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_e9b46306.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:44:57 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_36513fbb.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_c99239f1.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_e9b46306.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f19d4651.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:44:01 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_36513fbb.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_bb5f6b36.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f19d4651.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:41:17 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_7f8b7604.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_a279f738.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_a6c94414.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ad86090f.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:40:20 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_2773afd3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_a279f738.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ad86090f.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:38:31 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1fb97d2f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_3422c7e3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_e07e3e3d.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:36:30 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1eba4797.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_371f6b0d.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ab66311e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_fa76eb19.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:35:36 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96f43081.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ab66311e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_fa76eb19.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:32:41 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_3385f804.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5e03b623.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_766f248a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f9e39eb5.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:31:39 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_05f2c269.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5e03b623.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_658693d3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f9e39eb5.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:30:35 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_05f2c269.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_658693d3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ea75df98.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:28:33 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_0daafe07.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_90be82aa.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_b490557e.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:26:32 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_0aa33d94.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1867fe2e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_256ddab7.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_2ea37fc9.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:25:29 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_256ddab7.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_2ea37fc9.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_307b1001.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:23:28 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_0af56a1c.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_91f53db1.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_924ae955.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:21:24 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1e145d0e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_35819d89.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_bdd7a032.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d18ba42c.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:20:22 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5567c87b.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8cf7a37f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_bdd7a032.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d18ba42c.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:19:18 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5567c87b.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8cf7a37f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_c09b6559.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 9:18:20 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_128dc180.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8cf7a37f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_c09b6559.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 11:17:07 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_7d258362.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 11:16:56 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ebb5be62.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
9/4/2014 11:13:18 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_62502206.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
.
==== End Of File ===========================
 
RogueKiller log:

RogueKiller V9.2.9.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : https://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : AnyUser [Admin rights]
Mode : Remove -- Date : 09/06/2014 14:41:12
¤¤¤ Bad processes : 1 ¤¤¤
[Proc.Hidden] -- [x] -> KILLED [TermThr]
¤¤¤ Registry Entries : 5 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr -> NOT SELECTED
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1311731379-2688022510-2026161381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 0 ¤¤¤
¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\drivers\1394ohci.sys)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-00A0RT0 ATA Device +++++
--- User ---
[MBR] c318f86380f1c48d8d64165e4ec071b1
[BSP] 152eb3cb729760bdcd81c1fa45dd5d79 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
--- User ---
[MBR] 01aa0771c122f52fec7e68de6c222831
[BSP] 4db0cdb66c479bd3e15b2ab904c90d55 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16-LBA (0xe) [VISIBLE] Offset (sectors): 32 | Size: 489 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_09062014_113241.log - RKreport_DEL_09062014_114200.log - RKreport_SCN_09062014_113133.log - RKreport_SCN_09062014_113847.log
RKreport_SCN_09062014_143857.log

MBAR SCAN,

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org
Database version: v2014.09.06.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.17239
AnyUser :: ANYUSER-PC [administrator]
9/6/2014 2:53:12 PM
mbar-log-2014-09-06 (14-53-12).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 279199
Time elapsed: 8 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)



MBAR System,


Disk Size: 250059350016 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
Done!
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: A58EAC95
Partition information:
Partition 0 type is Other (0xe)
Partition is ACTIVE.
Partition starts at LBA: 32 Numsec = 1003488
Partition file system is FAT
Partition is not bootable
Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0
Disk Size: 513802240 bytes
Sector size: 512 bytes
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-I.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-I.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-0-32-I.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    If the connection is still not there, use the restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done, Notepad will open with the rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
 
Combofix log,

ComboFix 14-09-05.01 - AnyUser 09/06/2014 15:44:42.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.1369 [GMT -5:00]
Running from: c:\users\AnyUser\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\AnyUser\Documents\DPE.DUS
.
.
((((((((((((((((((((((((( Files Created from 2014-08-06 to 2014-09-06 )))))))))))))))))))))))))))))))
.
.
2014-09-06 20:50 . 2014-09-06 20:50 -------- d-----w- c:\users\AnyUser\AppData\Local\temp
2014-09-06 20:50 . 2014-09-06 20:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-06 19:53 . 2014-09-06 20:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-06 19:32 . 2014-09-06 19:32 39464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F81B5A5A-B665-4030-9E09-19AB35F4B5F8}\MpKsldc39dd24.sys
2014-09-06 17:10 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F81B5A5A-B665-4030-9E09-19AB35F4B5F8}\mpengine.dll
2014-09-06 16:24 . 2014-09-06 19:32 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46 . 2014-09-06 17:19 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-05 23:46 . 2014-09-06 19:52 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-05 23:46 . 2014-05-12 13:19 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-05 23:46 . 2014-05-12 13:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 10:17 . 2014-09-05 10:17 237 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
2014-09-05 10:16 . 2014-09-06 16:57 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Alpebyc
2014-09-05 09:57 . 2014-09-06 16:58 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Ihexdoe
2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
2014-09-05 04:15 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
2014-09-03 11:29 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-08-29 11:30 . 2014-08-20 11:48 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A53B23E6-D90F-41C5-8CD2-BC028B31E215}\gapaengine.dll
2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-27 19:27 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-27 14:56 . 2014-08-27 14:56 -------- d-----w- c:\program files\Hewlett-Packard
2014-08-27 14:55 . 2014-07-21 20:33 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
2014-08-18 22:29 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
2014-08-18 22:29 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
2014-08-18 22:29 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
2014-08-18 22:29 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-18 22:28 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
2014-08-18 22:28 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
2014-08-18 22:28 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-18 22:27 . 2014-05-14 14:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-18 22:27 . 2014-05-14 14:17 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-15 11:09 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-15 11:09 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-15 11:09 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-15 11:09 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-20 11:48 . 2014-01-04 21:24 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-07-09 02:59 . 2013-10-18 18:27 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:59 . 2013-10-18 18:27 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51 . 2014-07-09 00:22 646144 ----a-w- c:\windows\system32\osk.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 171288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 172824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-10-19 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 hbifodwl;hbifodwl;c:\windows\system32\drivers\hbifodwl.sys [x]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-05-31 106496]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-07-25 108032]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-18 1343400]
S1 MpKsldc39dd24;MpKsldc39dd24;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F81B5A5A-B665-4030-9E09-19AB35F4B5F8}\MpKsldc39dd24.sys [2014-09-06 39464]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-05-31 1824584]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-05-31 98304]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-02-04 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2011-06-01 659968]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-06 110296]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-16 6114816]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MPKSLDC39DD24
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-03 23:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-18 02:59]
.
2014-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
.
2014-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: harrisbank.com\www4
TCP: DhcpNameServer = 192.168.1.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-06 15:52:55
ComboFix-quarantined-files.txt 2014-09-06 20:52
.
Pre-Run: 191,291,088,896 bytes free
Post-Run: 191,870,406,656 bytes free
.
- - End Of File - - C7EFBF688038EB7B6AB5D029386C9730
A36C5E4F47E84449FF07ED3517B43A31
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::

Folder::
c:\users\AnyUser\AppData\Roaming\Ihexdoe
c:\users\AnyUser\AppData\Roaming\Alpebyc

Driver::
hbifodwl

Registry::

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
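A post-cleanup check, added here as an example and not one of the tools Broni prescribes, that reports whether the artefacts named in this thread (the Ihexdoe and Alpebyc folders from the CFScript Folder:: section, the hbifodwl driver from the Driver:: section, the DisallowCpl policy value, and the UpdateFlashPlayer_*.exe copies in the user's Temp folder) are still present. It assumes the current user's profile is the infected one, as in the logs, and uses only cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added verification script (not part of ComboFix or the thread's tools).
# Run from an elevated PowerShell prompt after the ComboFix reboot.
# Assumption: the logged-on user is the same account whose profile held the infection.

function Test-ThreadArtefacts {
    $findings = @()

    # 1. Malware folders that the CFScript "Folder::" section told ComboFix to delete
    foreach ($dir in @("$env:APPDATA\Ihexdoe", "$env:APPDATA\Alpebyc")) {
        if (Test-Path -LiteralPath $dir) {
            $findings += "Folder still present: $dir"
        }
    }

    # 2. Driver service named in the CFScript "Driver::" section, plus its file on disk
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\hbifodwl'
    if (Test-Path -LiteralPath $svcKey) {
        $findings += "Service key still present: $svcKey"
    }
    $svcFile = "$env:SystemRoot\System32\drivers\hbifodwl.sys"
    if (Test-Path -LiteralPath $svcFile) {
        $findings += "Driver file still present: $svcFile"
    }

    # 3. Policy value that hides the Control Panel (flagged as Malware.Trace by MBAM)
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $pol = Get-ItemProperty -Path $polKey -Name DisallowCpl -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisallowCpl -eq 1) {
        $findings += "DisallowCpl is still set to 1 under $polKey"
    }

    # 4. Dropper copies that Security Essentials failed to clean in the user's Temp folder
    $tmp = Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Filter 'UpdateFlashPlayer_*.exe' `
        -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $tmp) {
        $findings += "Dropper copy still present: $($f.FullName)"
    }

    return $findings
}

$result = Test-ThreadArtefacts
if ($result.Count -eq 0) {
    'No leftover artefacts from this thread were found.'
} else {
    $result
}
```

Anything it reports should go back into the thread rather than be deleted by hand, since the helper may want it quarantined with a further CFScript.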
 
Hi Broni,
Unless specifically instructed to disconnect this machine from the internet, I assume I am to leave it connected.

Also, between my last post of 3:55pm Sat and your post of 2:17pm today, Sunday, the MBAM blocked a registry event. Now quarantined in MBAM. Here is the log for that.
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 9/7/2014
Scan Time: 2:27:13 AM
Logfile:
Administrator: Yes
Version: 2.00.2.1012
Malware Database: v2014.09.07.01
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: AnyUser
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 288752
Time Elapsed: 6 min, 4 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 1
Malware.Trace, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWCPL|1, @biocpl.dll,-1, Quarantined, [c30a7e6ca6d55dd951309ff8996a57a9]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)

(end)

Here is the current Combofix log,

ComboFix 14-09-05.01 - AnyUser 09/07/2014 17:52:18.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.1981 [GMT -5:00]
Running from: c:\users\AnyUser\Desktop\ComboFix.exe
Command switches used :: H:\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-08-07 to 2014-09-07 )))))))))))))))))))))))))))))))
.
.
2014-09-07 23:00 . 2014-09-07 23:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-07 07:08 . 2014-09-07 07:08 62576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\offreg.dll
2014-09-07 07:08 . 2014-09-07 07:08 39464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\MpKsl686f8e44.sys
2014-09-07 07:06 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\mpengine.dll
2014-09-06 23:02 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-09-06 20:52 . 2014-09-07 23:00 -------- d-----w- c:\users\AnyUser\AppData\Local\temp
2014-09-06 19:53 . 2014-09-06 20:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-06 16:24 . 2014-09-06 19:32 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46 . 2014-09-07 19:30 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-05 23:46 . 2014-09-06 19:52 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-05 23:46 . 2014-05-12 13:19 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-05 23:46 . 2014-05-12 13:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 10:17 . 2014-09-05 10:17 237 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
2014-09-05 10:16 . 2014-09-06 16:57 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Alpebyc
2014-09-05 09:57 . 2014-09-06 16:58 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Ihexdoe
2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
2014-09-05 04:15 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
2014-08-29 11:30 . 2014-08-20 11:48 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A53B23E6-D90F-41C5-8CD2-BC028B31E215}\gapaengine.dll
2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-27 19:27 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-27 14:56 . 2014-08-27 14:56 -------- d-----w- c:\program files\Hewlett-Packard
2014-08-27 14:55 . 2014-07-21 20:33 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
2014-08-18 22:29 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
2014-08-18 22:29 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
2014-08-18 22:29 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
2014-08-18 22:29 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-18 22:28 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
2014-08-18 22:28 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
2014-08-18 22:28 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-18 22:27 . 2014-05-14 14:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-18 22:27 . 2014-05-14 14:17 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-15 11:09 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-15 11:09 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-15 11:09 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-15 11:09 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-20 11:48 . 2014-01-04 21:24 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-07-09 02:59 . 2013-10-18 18:27 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:59 . 2013-10-18 18:27 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51 . 2014-07-09 00:22 646144 ----a-w- c:\windows\system32\osk.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 171288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 172824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-10-19 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 hbifodwl;hbifodwl;c:\windows\system32\drivers\hbifodwl.sys [x]
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-05-31 106496]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-07-25 108032]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-18 1343400]
S1 MpKsl686f8e44;MpKsl686f8e44;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\MpKsl686f8e44.sys [2014-09-07 39464]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-05-31 1824584]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-05-31 98304]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-02-04 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2011-06-01 659968]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-07 110296]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-16 6114816]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MPKSL686F8E44
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-03 23:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-18 02:59]
.
2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
.
2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: harrisbank.com\www4
TCP: DhcpNameServer = 192.168.1.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-07 18:07:09
ComboFix-quarantined-files.txt 2014-09-07 23:07
ComboFix2.txt 2014-09-06 20:52
.
Pre-Run: 192,022,368,256 bytes free
Post-Run: 191,974,494,208 bytes free
.
- - End Of File - - 353BACEEA69A2F24D3C98D62D93BA7B8
A36C5E4F47E84449FF07ED3517B43A31
 
Sorry, first time did not copy the actual header area with the word "code:"

Here is the new log...

ComboFix 14-09-05.01 - AnyUser 09/07/2014 19:47:51.3.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.1856 [GMT -5:00]
Running from: c:\users\AnyUser\Desktop\ComboFix.exe
Command switches used :: H:\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\AnyUser\AppData\Roaming\Alpebyc
c:\users\AnyUser\AppData\Roaming\Ihexdoe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_hbifodwl
.
.
((((((((((((((((((((((((( Files Created from 2014-08-08 to 2014-09-08 )))))))))))))))))))))))))))))))
.
.
2014-09-08 00:55 . 2014-09-08 00:55 62576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B32800A-9A7B-4AD1-A08F-D48EA8251CB5}\offreg.dll
2014-09-08 00:52 . 2014-09-08 00:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-07 23:16 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B32800A-9A7B-4AD1-A08F-D48EA8251CB5}\mpengine.dll
2014-09-06 23:02 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-09-06 20:52 . 2014-09-08 00:56 -------- d-----w- c:\users\AnyUser\AppData\Local\temp
2014-09-06 19:53 . 2014-09-06 20:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-06 16:24 . 2014-09-06 19:32 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46 . 2014-09-08 00:55 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-05 23:46 . 2014-09-06 19:52 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-05 23:46 . 2014-05-12 13:19 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-05 23:46 . 2014-05-12 13:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 10:17 . 2014-09-05 10:17 237 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
2014-09-05 04:15 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
2014-08-29 11:30 . 2014-08-20 11:48 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A53B23E6-D90F-41C5-8CD2-BC028B31E215}\gapaengine.dll
2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-27 19:27 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-27 14:56 . 2014-08-27 14:56 -------- d-----w- c:\program files\Hewlett-Packard
2014-08-27 14:55 . 2014-07-21 20:33 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
2014-08-18 22:29 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
2014-08-18 22:29 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
2014-08-18 22:29 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
2014-08-18 22:29 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-18 22:28 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
2014-08-18 22:28 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
2014-08-18 22:28 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-18 22:27 . 2014-05-14 14:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-18 22:27 . 2014-05-14 14:17 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-15 11:09 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-15 11:09 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-15 11:09 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-15 11:09 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-20 11:48 . 2014-01-04 21:24 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-07-09 02:59 . 2013-10-18 18:27 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 02:59 . 2013-10-18 18:27 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-18 01:51 . 2014-07-09 00:22 646144 ----a-w- c:\windows\system32\osk.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 171288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 172824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
"Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-10-19 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-05-31 106496]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-07-25 108032]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-18 1343400]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-05-31 1824584]
S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-05-31 98304]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-02-04 2058776]
S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2011-06-01 659968]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-08 110296]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-16 6114816]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-03 23:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-18 02:59]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
.
2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: harrisbank.com\www4
TCP: DhcpNameServer = 192.168.1.254
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Malwarebytes Anti-Malware\mbam.exe
c:\windows\system32\taskhost.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
c:\windows\system32\conhost.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2014-09-07 20:00:27 - machine was rebooted
ComboFix-quarantined-files.txt 2014-09-08 01:00
ComboFix2.txt 2014-09-07 23:07
ComboFix3.txt 2014-09-06 20:52
.
Pre-Run: 192,012,500,992 bytes free
Post-Run: 191,631,241,216 bytes free
.
- - End Of File - - 67B98BA2449B0F86CD824096C814591E
A36C5E4F47E84449FF07ED3517B43A31
 
Good :)

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply.
 
# AdwCleaner v3.309 - Report created 08/09/2014 at 08:12:04
# Updated 02/09/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : AnyUser - ANYUSER-PC
# Running from : C:\Users\AnyUser\Desktop\adwcleaner_3.309.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\InstalledThirdPartyPrograms
Key Deleted : HKLM\SOFTWARE\InstalledThirdPartyPrograms

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Google Chrome v37.0.2062.103

[ File : C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1618 octets] - [08/09/2014 08:10:13]
AdwCleaner[S0].txt - [1561 octets] - [08/09/2014 08:12:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1621 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.3 (03.23.2014:1)
OS: Windows 7 Professional x86
Ran by AnyUser on Mon 09/08/2014 at 8:26:38.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\allyrics-16-bg_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\allyrics-16-bg_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Allyrics-16-codedownloader_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Allyrics-16-codedownloader_RASMANCS



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/08/2014 at 8:29:15.54
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-09-2014
Ran by AnyUser (administrator) on ANYUSER-PC on 08-09-2014 08:34:35
Running from C:\Users\AnyUser\Desktop
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: https://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html
Download link for 64-Bit Version: https://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST:

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Windows\System32\DTS.exe
(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(AuthenTec, Inc.) C:\Windows\System32\AtService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Elaborate Bytes AG) C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
(Memeo Inc.) C:\Program Files\Memeo\AutoSync\MemeoAutoSync.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VirtualCloneDrive] => C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [FingerPrintSoftware] => C:\Program Files\Lenovo Fingerprint Software\fpapp.exe [1582920 2011-05-31] (AuthenTec)
HKLM\...\Run: [FingerPrintSoftwareSplashScreen] => C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe [102400 2011-05-31] (AuthenTec, Inc.)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe [111640 2010-02-04] ()
HKLM\...\Run: [Memeo AutoSync] => C:\Program Files\Memeo\AutoSync\MemeoLauncher2.exe [144608 2010-04-16] (Memeo Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKU\.DEFAULT\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-10-19] (Microsoft Corporation)
HKU\S-1-5-21-1311731379-2688022510-2026161381-1000\...\Run: [HP Officejet Pro 8610 (NET)] => C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe [2427400 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-1311731379-2688022510-2026161381-1000\...\Policies\Explorer: [DisallowCpl] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF3291824C340CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1388550385823
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default ->
CHR DefaultSearchKeyword: Default -> 573E5242114621EC3F8AC57831F33F02494A7D227E6F36CC0F4009CD3212231B
CHR DefaultSearchURL: Default -> CC8155B8290070D618262C21AA52F43392699D5EABAEABB29EBAEE1ABB23B325
CHR CustomProfile: C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-11]
CHR Extension: (Google Drive) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-11]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-29]
CHR Extension: (YouTube) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-11]
CHR Extension: (Google Search) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-11]
CHR Extension: (Google Wallet) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-11]
CHR Extension: (Gmail) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-11]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S3 ADMonitor; C:\Windows\system32\ADMonitor.exe [106496 2011-05-31] () [File not signed]
R2 dtsvc; C:\Windows\system32\DTS.exe [98304 2011-05-31] () [File not signed]
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2013-09-06] (Macrovision Europe Ltd.) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2058776 2010-02-04] (Intel Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [30616 2013-03-04] (Elaborate Bytes AG)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-08] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S3 catchme; \??\C:\Users\AnyUser\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-08 08:34 - 2014-09-08 08:34 - 00012787 _____ () C:\Users\AnyUser\Desktop\FRST.txt
2014-09-08 08:34 - 2014-09-08 08:34 - 00000000 ____D () C:\FRST
2014-09-08 08:33 - 2014-09-08 08:32 - 01097728 _____ (Farbar) C:\Users\AnyUser\Desktop\FRST.exe
2014-09-08 08:32 - 2014-09-08 08:32 - 01097728 _____ (Farbar) C:\Users\AnyUser\Downloads\FRST.exe
2014-09-08 08:29 - 2014-09-08 08:29 - 00001116 _____ () C:\Users\AnyUser\Desktop\JRT.txt
2014-09-08 08:23 - 2014-09-08 08:23 - 00000000 ____D () C:\Windows\ERUNT
2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Downloads\JRT.exe
2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Desktop\JRT.exe
2014-09-08 08:10 - 2014-09-08 08:12 - 00000000 ____D () C:\AdwCleaner
2014-09-08 08:08 - 2014-09-08 08:08 - 01370467 _____ () C:\Users\AnyUser\Desktop\adwcleaner_3.309.exe
2014-09-07 20:00 - 2014-09-07 20:00 - 00014330 _____ () C:\ComboFix.txt
2014-09-07 08:39 - 2014-09-07 08:39 - 00001265 _____ () C:\Users\AnyUser\Desktop\WhileWaitingRegistryThreatcameup.txt
2014-09-06 17:47 - 2014-09-06 17:47 - 00000000 ____D () C:\Users\AnyUser\Downloads\LenovaT400Fingerprint
2014-09-06 15:43 - 2014-09-07 20:00 - 00000000 ____D () C:\Qoobox
2014-09-06 15:43 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-09-06 15:43 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-09-06 15:43 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-09-06 15:43 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-09-06 15:43 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-09-06 15:43 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-09-06 15:43 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-09-06 15:43 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-09-06 15:42 - 2014-09-07 19:52 - 00000000 ____D () C:\Windows\erdnt
2014-09-06 15:41 - 2014-09-06 15:39 - 05576440 ____R (Swearware) C:\Users\AnyUser\Desktop\ComboFix.exe
2014-09-06 14:53 - 2014-09-06 15:02 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-06 14:52 - 2014-09-06 15:02 - 00000000 ____D () C:\Users\AnyUser\Desktop\mbar
2014-09-06 14:51 - 2014-09-06 14:50 - 14349744 _____ (Malwarebytes Corp.) C:\Users\AnyUser\Desktop\mbar-1.07.0.1012.exe
2014-09-06 14:42 - 2014-09-06 14:42 - 00002549 _____ () C:\Users\AnyUser\Desktop\RKreport_DEL_09062014_144112.log
2014-09-06 12:09 - 2014-09-06 12:09 - 00044168 _____ () C:\Users\AnyUser\Desktop\attach.txt
2014-09-06 12:09 - 2014-09-06 12:09 - 00015421 _____ () C:\Users\AnyUser\Desktop\dds.txt
2014-09-06 11:24 - 2014-09-06 14:32 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-09-06 11:24 - 2014-09-06 11:24 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-09-06 11:24 - 2014-09-06 11:23 - 04857944 _____ () C:\Users\AnyUser\Desktop\RogueKiller.exe
2014-09-05 18:46 - 2014-09-08 08:26 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-05 18:46 - 2014-09-06 14:52 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-05 18:46 - 2014-09-05 18:46 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-05 18:46 - 2014-05-12 08:19 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-05 18:46 - 2014-05-12 08:19 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-05 18:45 - 2014-09-05 18:42 - 17291904 _____ (Malwarebytes Corporation ) C:\Users\AnyUser\Desktop\mbam_premium.exe
2014-09-04 23:15 - 2014-09-04 23:15 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-09-04 19:01 - 2014-09-04 19:01 - 00068415 _____ () C:\Users\AnyUser\AppData\Local\guptemlm
2014-08-27 14:27 - 2014-08-22 20:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-27 14:27 - 2014-08-22 19:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-27 09:56 - 2014-08-27 09:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2014-08-27 09:55 - 2014-07-21 15:33 - 00597512 ____N (Hewlett-Packard Development Company, LP) C:\Windows\system32\HPDiscoPM7112.dll
2014-08-27 09:16 - 2014-08-27 09:16 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-27 09:04 - 2014-08-27 09:04 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan (1).exe
2014-08-20 23:17 - 2014-06-24 20:41 - 12874240 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-08-18 17:29 - 2014-05-14 11:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-08-18 17:29 - 2014-05-14 11:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-08-18 17:29 - 2014-05-14 11:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-08-18 17:29 - 2014-05-14 11:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-08-18 17:28 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-08-18 17:28 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-08-18 17:28 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-08-18 17:27 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-08-18 17:27 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-08-15 06:09 - 2014-06-30 17:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-08-15 06:09 - 2014-06-06 01:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-08-15 06:09 - 2014-03-09 16:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-08-15 06:09 - 2014-03-09 16:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-08-14 16:51 - 2014-07-31 18:16 - 00307384 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-08-14 16:51 - 2014-07-25 08:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-08-14 16:51 - 2014-07-25 08:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-08-14 16:51 - 2014-07-25 07:34 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-08-14 16:51 - 2014-07-25 07:34 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-08-14 16:51 - 2014-07-25 07:33 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-08-14 16:51 - 2014-07-25 07:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-08-14 16:51 - 2014-07-25 07:17 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-08-14 16:51 - 2014-07-25 07:10 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-08-14 16:51 - 2014-07-25 07:10 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-08-14 16:51 - 2014-07-25 06:59 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-08-14 16:51 - 2014-07-25 06:52 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-08-14 16:51 - 2014-07-25 06:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-08-14 16:51 - 2014-07-25 06:36 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-08-14 16:51 - 2014-07-25 06:29 - 00239616 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-08-14 16:51 - 2014-07-25 06:13 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-08-14 16:51 - 2014-07-25 06:09 - 00663040 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-08-14 16:51 - 2014-07-25 06:07 - 02001920 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-08-14 16:51 - 2014-07-25 05:09 - 00704512 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-08-14 16:51 - 2014-07-25 05:05 - 01792512 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-08-14 16:51 - 2014-07-25 05:00 - 01169920 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-08-14 16:51 - 2014-07-13 20:42 - 00654336 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2014-08-14 16:51 - 2014-06-15 20:44 - 00730048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-08-14 16:51 - 2014-06-15 20:44 - 00219072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2014-08-14 16:51 - 2014-06-15 20:40 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2014-08-14 16:50 - 2014-07-25 08:51 - 17524224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-08-14 16:50 - 2014-07-25 07:30 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-08-14 16:50 - 2014-07-25 07:21 - 02184704 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-08-14 16:50 - 2014-07-25 07:12 - 00438784 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-08-14 16:50 - 2014-07-25 07:08 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-08-14 16:50 - 2014-07-25 07:06 - 04204032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-08-14 16:50 - 2014-07-25 06:34 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-08-14 16:50 - 2014-07-25 06:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-08-14 16:50 - 2014-07-25 06:03 - 11772928 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-08-14 16:50 - 2014-07-15 21:46 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-08-14 16:50 - 2014-06-03 04:30 - 00101824 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-08-14 16:50 - 2014-06-03 04:29 - 02363392 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-08-14 16:50 - 2014-06-03 04:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-08-14 16:50 - 2014-06-03 04:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-08-11 10:22 - 2014-08-11 10:22 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-08 08:34 - 2014-09-08 08:34 - 00012787 _____ () C:\Users\AnyUser\Desktop\FRST.txt
2014-09-08 08:34 - 2014-09-08 08:34 - 00000000 ____D () C:\FRST
2014-09-08 08:32 - 2014-09-08 08:33 - 01097728 _____ (Farbar) C:\Users\AnyUser\Desktop\FRST.exe
2014-09-08 08:32 - 2014-09-08 08:32 - 01097728 _____ (Farbar) C:\Users\AnyUser\Downloads\FRST.exe
2014-09-08 08:32 - 2009-07-13 23:34 - 00029904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-08 08:32 - 2009-07-13 23:34 - 00029904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-08 08:29 - 2014-09-08 08:29 - 00001116 _____ () C:\Users\AnyUser\Desktop\JRT.txt
2014-09-08 08:28 - 2013-09-06 21:28 - 02077458 _____ () C:\Windows\WindowsUpdate.log
2014-09-08 08:26 - 2014-09-05 18:46 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-08 08:25 - 2014-03-11 17:58 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-08 08:25 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-08 08:25 - 2009-07-13 23:39 - 00036152 _____ () C:\Windows\setupact.log
2014-09-08 08:23 - 2014-09-08 08:23 - 00000000 ____D () C:\Windows\ERUNT
2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Downloads\JRT.exe
2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Desktop\JRT.exe
2014-09-08 08:21 - 2014-03-11 17:58 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-08 08:13 - 2013-10-18 10:30 - 00025618 _____ () C:\Windows\PFRO.log
2014-09-08 08:12 - 2014-09-08 08:10 - 00000000 ____D () C:\AdwCleaner
2014-09-08 08:08 - 2014-09-08 08:08 - 01370467 _____ () C:\Users\AnyUser\Desktop\adwcleaner_3.309.exe
2014-09-08 07:59 - 2014-03-11 17:41 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-07 20:00 - 2014-09-07 20:00 - 00014330 _____ () C:\ComboFix.txt
2014-09-07 20:00 - 2014-09-06 15:43 - 00000000 ____D () C:\Qoobox
2014-09-07 19:56 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2014-09-07 19:53 - 2009-07-13 21:03 - 52953088 _____ () C:\Windows\system32\config\SOFTWARE.bak
2014-09-07 19:53 - 2009-07-13 21:03 - 14680064 _____ () C:\Windows\system32\config\SYSTEM.bak
2014-09-07 19:53 - 2009-07-13 21:03 - 00524288 _____ () C:\Windows\system32\config\DEFAULT.bak
2014-09-07 19:53 - 2009-07-13 21:03 - 00262144 _____ () C:\Windows\system32\config\SECURITY.bak
2014-09-07 19:53 - 2009-07-13 21:03 - 00262144 _____ () C:\Windows\system32\config\SAM.bak
2014-09-07 19:52 - 2014-09-06 15:42 - 00000000 ____D () C:\Windows\erdnt
2014-09-07 08:39 - 2014-09-07 08:39 - 00001265 _____ () C:\Users\AnyUser\Desktop\WhileWaitingRegistryThreatcameup.txt
2014-09-06 17:49 - 2014-03-15 23:16 - 00013960 _____ () C:\Windows\DPINST.LOG
2014-09-06 17:49 - 2014-03-15 23:15 - 00000000 ____D () C:\Program Files\Lenovo Fingerprint Software
2014-09-06 17:47 - 2014-09-06 17:47 - 00000000 ____D () C:\Users\AnyUser\Downloads\LenovaT400Fingerprint
2014-09-06 15:52 - 2009-07-13 21:37 - 00000000 __RHD () C:\Users\Default
2014-09-06 15:52 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
2014-09-06 15:39 - 2014-09-06 15:41 - 05576440 ____R (Swearware) C:\Users\AnyUser\Desktop\ComboFix.exe
2014-09-06 15:02 - 2014-09-06 14:53 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-06 15:02 - 2014-09-06 14:52 - 00000000 ____D () C:\Users\AnyUser\Desktop\mbar
2014-09-06 14:52 - 2014-09-05 18:46 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-06 14:50 - 2014-09-06 14:51 - 14349744 _____ (Malwarebytes Corp.) C:\Users\AnyUser\Desktop\mbar-1.07.0.1012.exe
2014-09-06 14:42 - 2014-09-06 14:42 - 00002549 _____ () C:\Users\AnyUser\Desktop\RKreport_DEL_09062014_144112.log
2014-09-06 14:32 - 2014-09-06 11:24 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-09-06 12:09 - 2014-09-06 12:09 - 00044168 _____ () C:\Users\AnyUser\Desktop\attach.txt
2014-09-06 12:09 - 2014-09-06 12:09 - 00015421 _____ () C:\Users\AnyUser\Desktop\dds.txt
2014-09-06 11:58 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Web
2014-09-06 11:24 - 2014-09-06 11:24 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-09-06 11:23 - 2014-09-06 11:24 - 04857944 _____ () C:\Users\AnyUser\Desktop\RogueKiller.exe
2014-09-06 11:12 - 2013-09-06 20:36 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-06 08:01 - 2013-09-06 22:24 - 00000000 ____D () C:\Windows\Panther
2014-09-05 18:46 - 2014-09-05 18:46 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-05 18:42 - 2014-09-05 18:45 - 17291904 _____ (Malwarebytes Corporation ) C:\Users\AnyUser\Desktop\mbam_premium.exe
2014-09-04 23:15 - 2014-09-04 23:15 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-09-04 19:23 - 2014-03-14 09:09 - 00000000 ____D () C:\Users\AnyUser\Documents\Outlook Files
2014-09-04 19:01 - 2014-09-04 19:01 - 00068415 _____ () C:\Users\AnyUser\AppData\Local\guptemlm
2014-08-29 02:25 - 2014-03-13 19:42 - 00000000 ____D () C:\Users\AnyUser\AppData\Roaming\HpUpdate
2014-08-28 06:19 - 2009-07-13 23:33 - 00409416 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-27 09:56 - 2014-08-27 09:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2014-08-27 09:56 - 2014-03-03 14:44 - 00000000 ____D () C:\Users\AnyUser\AppData\Local\HP
2014-08-27 09:55 - 2014-03-03 14:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2014-08-27 09:55 - 2014-03-03 14:44 - 00000000 ____D () C:\Program Files\HP
2014-08-27 09:54 - 2014-03-03 14:45 - 00000000 ____D () C:\ProgramData\HP
2014-08-27 09:54 - 2009-07-13 23:52 - 00000000 ____D () C:\Windows\twain_32
2014-08-27 09:16 - 2014-08-27 09:16 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-27 09:04 - 2014-08-27 09:04 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan (1).exe
2014-08-22 20:46 - 2014-08-27 14:27 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-22 19:42 - 2014-08-27 14:27 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-21 00:13 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-08-15 06:58 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-08-15 06:18 - 2013-10-18 11:57 - 00000000 ____D () C:\Windows\system32\MRT
2014-08-15 06:18 - 2013-09-06 21:06 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-08-15 06:14 - 2013-10-18 11:57 - 96303304 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-08-11 10:22 - 2014-08-11 10:22 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan.exe
2014-08-11 10:18 - 2014-03-13 21:23 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

Some content of TEMP:
====================
C:\Users\AnyUser\AppData\Local\temp\Quarantine.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-09-06 00:25

==================== End Of Log ============================
 
FARBAR Additional scan log

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 07-09-2014
Ran by AnyUser at 2014-09-08 08:35:16
Running from C:\Users\AnyUser\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Disabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Disabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 9 Standard - English, Français, Deutsch (HKLM\...\{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}) (Version: 9.5.5 - Adobe Systems)
Adobe Acrobat 9 Standard - English, Français, Deutsch (Version: 9.5.5 - Adobe Systems) Hidden
Adobe Acrobat 9.5.5 - CPSID_83708 (HKLM\...\{AC76BA86-1033-F400-BA7E-000000000004}_955) (Version: - Adobe Systems Incorporated)
Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
AnswerWorks 5.0 English Runtime (HKLM\...\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}) (Version: 5.0.7 - Vantage Software Technologies)
Apple Application Support (HKLM\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft PhotoStudio 6 (HKLM\...\{9A4D3FF6-FFDD-4E4E-B887-4BF378174F04}) (Version: 6.0.0.138 - ArcSoft)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Conexant 20561 SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.92.10.0 - Conexant)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{132D27B8-C656-44BD-8C16-73C54EA8A85F}) (Version: - Microsoft)
Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.103 - Google Inc.)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
HP Officejet Pro 8610 Basic Device Software (HKLM\...\{B199C367-0F3F-4873-8D8D-7B60D50ED105}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP Officejet Pro 8610 Help (HKLM\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard)
HP Photosmart Plus B210 series Basic Device Software (HKLM\...\{B4BEEEA3-05E9-4966-AE47-B0F3490564BE}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
I.R.I.S. OCR (HKLM\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel(R) Management Engine Interface (HKLM\...\HECI) (Version: - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: - )
Intel® Active Management Technology (HKLM\...\MESOL) (Version: - Intel Corporation)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version: - )
iTunes (HKLM\...\{2F21564D-DE05-4C6D-B21E-08B9D313FAB3}) (Version: 11.1.5.5 - Apple Inc.)
Lenovo Fingerprint Software (HKLM\...\{2D440AF4-7330-43F0-A085-35DE1A90E703}) (Version: 3.3.2.50 - AuthenTec, Inc.)
Lenovo Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.67.04.05 - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Memeo AutoSync (HKLM\...\{75B7F766-7998-44d8-A202-F1EC76A121BA}) (Version: - Memeo Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Quicken 2009 (HKLM\...\{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}) (Version: 18.1.3.11 - Intuit)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (Version: - Microsoft) Hidden
ThinkPad UltraNav Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.19.7 - )
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4ACD847E-547D-493F-9A86-F73EAE1B5174}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2687502) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7DE7DF97-82FE-4B3A-AB8D-1621F9CC464A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F1A20C69-9FE5-40FD-9CD5-84EABC2EF64A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{334FB202-28D7-4BA4-8BC9-4FE4AB233EA0}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B0D672F7-883E-4279-8E75-D97A5445AB46}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B0DB9F71-E0F7-4FE6-8925-35B860CAC0C4}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{089DBFD7-8211-43B2-AAAE-5BDD8C23E3A8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{794A0574-4E2F-4D58-B2A0-D7460ACDC85C}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version: - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{7B29D8B8-6A87-496C-A65E-B935E740448A}) (Version: - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{38CF30E4-3348-4BD1-A859-B630C355A56F}) (Version: - Microsoft)
Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B9B89E01-5B6B-4F73-BC34-B2C0D8ACB4CD}) (Version: - Microsoft)
VirtualCloneDrive (HKLM\...\VirtualCloneDrive) (Version: - Elaborate Bytes)
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (07/02/2010 8.6.0.29) (HKLM\...\05FBE63CF9C9B3424152207E7278CD6DA193C56C) (Version: 07/02/2010 8.6.0.29 - AuthenTec Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

08-08-2014 22:50:03 Windows Update
12-08-2014 15:29:51 Windows Update
15-08-2014 11:00:15 Windows Update
18-08-2014 11:48:39 Windows Update
18-08-2014 22:27:17 Windows Update
21-08-2014 04:09:51 Installed HP Update.
21-08-2014 04:17:09 Windows Update
24-08-2014 04:37:21 Windows Update
27-08-2014 14:11:40 Removed HP Update.
27-08-2014 14:13:54 Removed HP Officejet Pro 8600 Help
27-08-2014 14:16:14 Removed HP FWUpdateEDO2
27-08-2014 14:17:47 Removed HP Officejet Pro 8600 Basic Device Software
28-08-2014 11:00:18 Windows Update
31-08-2014 11:30:13 Windows Update
04-09-2014 11:30:22 Windows Update
06-09-2014 19:44:26 AfterRogueKillerBeforeRootKit

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2014-09-07 19:55 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2D051F2C-6385-45B4-A98E-53F73276B964} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-08] (Adobe Systems Incorporated)
Task: {A7DBAE7B-8F1E-4A1E-A230-8BA1AF77647F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-03-11] (Google Inc.)
Task: {C605189B-CA6B-4510-BB78-D000C428ABCD} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-04-24] (Synaptics Incorporated)
Task: {F8AF599A-3024-4875-AB51-F9CCD5B0E222} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-03-11] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2011-05-31 06:26 - 2011-05-31 06:26 - 00098304 _____ () C:\Windows\system32\DTS.exe
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2010-04-16 16:49 - 2010-04-16 16:49 - 00024288 _____ () C:\Program Files\Memeo\AutoSync\Memeo.Client.DriveDetection.dll
2010-04-16 16:48 - 2010-04-16 16:48 - 00038112 _____ () C:\Program Files\Memeo\AutoSync\NamedPipes.dll
2010-02-09 20:20 - 2010-02-09 20:20 - 00491202 _____ () C:\Program Files\Memeo\AutoSync\sqlite3.DLL
2010-04-16 16:49 - 2010-04-16 16:49 - 00165088 _____ () C:\Program Files\Memeo\AutoSync\providers\Memeo.Server.Providers.FileCopySyncProvider.dll
2014-09-03 18:24 - 2014-08-29 21:49 - 01098056 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\libglesv2.dll
2014-09-03 18:24 - 2014-08-29 21:49 - 00174408 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\libegl.dll
2014-09-03 18:24 - 2014-08-29 21:49 - 08577864 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\pdf.dll
2014-09-03 18:24 - 2014-08-29 21:49 - 00331592 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\ppGoogleNaClPluginChrome.dll
2014-09-03 18:24 - 2014-08-29 21:49 - 01660232 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\ffmpegsumo.dll
2014-09-03 18:24 - 2014-08-29 21:49 - 14669128 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2014-09-05 22:37:07.819
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webservices_31bf3856ad364e35_6.2.9200.16384_none_0b27641a00190493\webservices.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.768
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webservices_31bf3856ad364e35_6.2.9200.16384_none_0b27641a00190493\webservices.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.721
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webservices_31bf3856ad364e35_6.2.9200.16384_none_0b27641a00190493\webservices.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.461
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.20569_none_6a381c25963dbf70\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.456
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.20569_none_6a381c25963dbf70\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.451
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.20569_none_6a381c25963dbf70\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.323
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16465_none_69aa7e327d23ba4a\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.318
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16465_none_69aa7e327d23ba4a\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.313
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16465_none_69aa7e327d23ba4a\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

Date: 2014-09-05 22:37:07.239
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16384_none_6993dc2a7d34dbae\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz
Percentage of memory in use: 43%
Total physical RAM: 3032.03 MB
Available physical RAM: 1710.89 MB
Total Pagefile: 6062.34 MB
Available Pagefile: 4271.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1899.98 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:178.36 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 1503D8EA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
 
How is computer doing?

Last scans...

Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive an UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Internet Explorer users - Click on this link to open ESET OnlineScan.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Enable detection of potentially unwanted applications".
  • Click Advanced settings and make sure all 4 boxes are checkmarked (two of them are already checkmarked by default).
    Do NOT checkmark "Use custom proxy settings".
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
 
Hey Broni,
The computer has been working well...and faster. I'm working on the next steps. Meanwhile, I have a couple other questions. If I click on donate, will you get the donation? Also, I had a USB 1TB drive connected as a syncing backup to some folders. I disconnected it right away and it has been disconnected throughout the cleaning process. When we are done cleaning this machine, can I reconnect the USB drive and just have Security Essentials and MBAM scan it...and feel safe with that? Or do I have to do more for the USB drive?
 
Thanks for your Input!!

Results of screen317's Security Check version 0.99.87
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Google Chrome 36.0.1985.143
Google Chrome 37.0.2062.103
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

Farbar Service Scanner Version: 21-07-2014
Ran by AnyUser (administrator) on 08-09-2014 at 20:44:58
Running from "C:\Users\AnyUser\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****

Temp File Cleaner ran well.

ESET did not find any threats.
Then it did not allow me to follow the instructions re: List Threats... Export... Back; only FINISH.

END
 
Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. DelFix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:
  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings
Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

12. Please let me know how your computer is doing.
 
Hi Broni, before performing the last set of instructions I need to ask about a new occurrence today. We use Outlook with POP forwarding from Ameritech.net (att.net older domain). So the web interface captured all these "mailer-Daemon" emails (260 or so; they came every few minutes all day today) in the Trash folder (versus the Spam folder). Our Outlook allowed these into the Inbox (I think I can change the POP settings to not forward Spam). Is this an unrelated event to our infection? We have not seen this before. Other than this, the machine is running quite smoothly now. Here is a text copy of one of them (changed our email name to "myname"):

From MAILER-DAEMON@yahoo.com Tue Sep 9 13:02:18 2014
X-Apparently-To: (myname)@ameritech.net via 98.136.215.72; Tue, 09 Sep 2014 20:02:19 +0000
Return-Path: <>
Received-SPF: none (domain of nlpi167.prodigy.net does not designate permitted sender hosts)
b24gWW91IGhhdmUgYSBtaXNzZWQgY2FsbCBhdCBTZXAtMDggMjAxNCAxMDow
NkFNISAyMDE0IFZpYmVyIE1lZGlhIFMuYS5yLmEgATABAQEBA3RleHQvcGxh
aW4DAzACA3RleHQvaHRtbAMDMw--
X-YMailISG: pn9VBJEWLDtH.T8U9tIPMmKe3_8BsrZIU_JzonP74XXKFCAU
DmNwNyH386ZD5VX2bc467IY0yyMaDHOeGn.gstmFB1a2YjLwPC1gyIN4O_Xc
NYklRiHfEImANIl5jdzh3sHiXgNX5PgWT3sT7iURrZ.FhU0KuuBFPM9CxmFW
YuNWycl.fiyEWb.VmRfGe4qWz2Vvzh3eA87LYdQm68fMBNqc16S.O5TPt.7F
6hFeXiD486Jm_ITiJpMRgafK04qyI8wwt0QTuRxzIQyxAQzwjooQkPuoZNw_
c5_uHHlosdlegECWdUUC8vqbXcANqrdpZM20rSjo8KgQIKbeTIoIC3mwTV_u
gykT_BqqSHHgG0PMpHcf1he1PDcAvUGhEgv8nTD4RrrdLWzh9_nX97drNi4Z
hQtuwy01XJKDXhCM6G6fmFLhO4pbRwZEc8goV91.9uEsFFlO8D.kYY6CXDhs
_WV50FLH3g7s6ObGPBh8Ub8F2KtTJc9d0K7BVt0eXJxmI8zfurUxDaMrGCVl
YRrgoE.0_STz94oI0VoDOhLm6igO101jMcgbwKJ.l6eq5QUWJJ9iN4tQQlYi
dMFRRphQKpsy3KpP7J7X8DqOiiSFaAq_lTfzWNEYBhs8KZRMfvUK6Rk0QQAc
wY.4ZKcPFkWbH7rfQq8pf3MQVp80D8jCmlOWr4NqwAye4DRMI2veEtBRVaqV
0lhdVNC06wfVdhnldEJ395dQfpbHReL05IlNzCRH9Z06ffs8IRi1DWIHB1Ol
zYH7yEdNBrZJs20JnW025V_m0vFZjzwDe5I3P05Y22GTxzIQ14fpKzNpqgTw
PEE4V02T0jnxvjxJGx.F_5xq9qnFkag1IXpRihi6DmjKh02GJJxslY2JSUnv
o8aMvXPT8Jox23z.xrQB9bQyfWYxn_LyRwcTsvEW0pnXAA2ekXq40Ve_Rw5H
VXL.9BiawJ65R6xVKo_2qNdD3HKrkIa2luhPYoEU9WPl9krSr0TZ7nJpl5de
EdejQ6PTJmjoTUw61uDvfiWFNoaiclyrItWTXinxpRJXgcOJUANVn8YOKa7a
6B6EYEJrQ51MrNJ5peUPyQZUfHTW4GyzTeayLR9LemXh7H9fYH8B3DU2QubK
eHCqC_MeUA61Gog5QT4.uL5xI3kYqk2PRDgxYg0tSwFPCcmtS9xs0XrlLaFH
zHunmTPotvbReVBaPnfpvuTk4phHBxo3CpmOdgjvlGdpYt.Gfpc6a60MjDc1
MOPf_2sdKu7FJkEDXcoxQduxjzNE1Ld6s11vVyyUPQjiXRmGUl28NM39EWzh
GKMl_hWj6JceKJAK1DVYfuNkLEyGPsQfQBWDUFJPxIVDRoVUfoBKuaCXPo_G
Sj0VI1XZ9q_Fa23arPu1Jnp658Xcn8nS5gL7ZvSE86av_WucQuIGmgFaslKU
JqNucVR250F3fevPKz_UcNAO3dVm8ceY_QS1yd6ZzQI37RFgD23p2QjnLiqF
nt5XOehlQZgxJWegFw9JUDkIRtuhtxIf4xc42NEC_sjQVAw8S0Itzlh981fI
Vv703v9x.Q--
X-Originating-IP: [216.109.114.232]
Authentication-Results: mta1035.sbc.mail.bf1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received: from 207.115.36.39 (EHLO nlpi167.prodigy.net) (207.115.36.39)
by mta1035.sbc.mail.bf1.yahoo.com with SMTP; Tue, 09 Sep 2014 20:02:19 +0000
X-Originating-IP: [216.109.114.232]
Received: from nm11-vm9.access.bullet.mail.bf1.yahoo.com (nm11-vm9.access.bullet.mail.bf1.yahoo.com [216.109.114.232])
by nlpi167.prodigy.net (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id s89K2Ith022418
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <(myname)@ameritech.net>; Tue, 9 Sep 2014 15:02:19 -0500
Message-Id: <201409092002.s89K2Ith022418@nlpi167.prodigy.net>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=bounce; t=1410292938; bh=kh8NCPOgjmSMinW98Dw3D2/J57mBVkGTV468Opg01mI=; h=From:To:Date:Subject:X-Yahoo-Newman-Property; b=lh0GRoV2Mxn8lN7ovsbKMw3y2VJv7793T4vb357nzzpsKmqY+qvVgPTgATRFeF6L9CyUjf96BKwqbMzI/5zAphehbZ683iuDOtKzbY7ntAUnfWCKeiMLD96aopyZtXuIhDUE0Ni8b51b1DWPHHBP8wn25e1vaO+0hY6ZJaNpeLQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=bounce; d=yahoo.com;
b=UIC6GGhtWBsGirmS8aUQhbuAQKFAYTKzrH9W05M4DrP1Dd2PH7ufEhHZ/4X/nqNX78RyM1yVioieWd1rCk5Wi7NiM88G0Ko4qRihObJALWKsLqFmFMrlUwWe7Vy9yK10Hlf+whoNozOfwLhFQ+rNsNDIyj+irQOQGV1OLdnrEEo=;
From: MAILER-DAEMON@yahoo.com
To: (myname)@ameritech.net
Date: Tue, 09 Sep 2014 20:02:18 -0000
Subject: Failure Notice
X-Yahoo-Newman-Property: bmbounce
Content-Length: 4750
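The headers posted above can be read mechanically rather than by eye. As an added example (not code from the thread, from TechSpot, or from any of the tools mentioned in it), the Python below parses a pasted header block, tolerating the fold indentation that copy-and-paste strips, and reports the three things that matter when triaging a flood of failure notices: the empty Return-Path and MAILER-DAEMON sender that mark a delivery-status notification, the Received chain in delivery order (here the bounce entered the ameritech.net mail exchanger from a Yahoo bounce host), and the SPF/DKIM/DomainKeys verdicts, which in this message apply to d=yahoo.com, that is to the bounce itself, and say nothing about whoever sent the message that bounced. The sample is constructed from the posted headers, abridged, with the "myname" placeholder kept; the function names and the `X-Unix-From` pseudo-header are this example's own.

```python
"""Bounce-message header triage (added example, not code from the thread).

parse_headers() is deliberately tolerant: headers pasted into a forum post
lose the leading whitespace that marks folded continuation lines, so any
line that is not a well-formed 'Name: value' is appended to the previous
field instead of being treated as the start of the body.
"""
import re

# Constructed sample: the headers posted above, abridged (the long
# X-YMailISG value is cut to two lines), with the "myname" placeholder kept.
SAMPLE_BOUNCE = """\
From MAILER-DAEMON@yahoo.com Tue Sep 9 13:02:18 2014
Return-Path: <>
Received-SPF: none (domain of nlpi167.prodigy.net does not designate permitted sender hosts)
X-YMailISG: pn9VBJEWLDtH.T8U9tIPMmKe3_8BsrZIU_JzonP74XXKFCAU
DmNwNyH386ZD5VX2bc467IY0yyMaDHOeGn.gstmFB1a2YjLwPC1gyIN4O_Xc
Authentication-Results: mta1035.sbc.mail.bf1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received: from 207.115.36.39 (EHLO nlpi167.prodigy.net) (207.115.36.39)
by mta1035.sbc.mail.bf1.yahoo.com with SMTP; Tue, 09 Sep 2014 20:02:19 +0000
Received: from nm11-vm9.access.bullet.mail.bf1.yahoo.com (nm11-vm9.access.bullet.mail.bf1.yahoo.com [216.109.114.232])
by nlpi167.prodigy.net (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id s89K2Ith022418
for <myname@ameritech.net>; Tue, 9 Sep 2014 15:02:19 -0500
From: MAILER-DAEMON@yahoo.com
To: myname@ameritech.net
Date: Tue, 09 Sep 2014 20:02:18 -0000
Subject: Failure Notice

(body omitted)
"""

# RFC 5322: a field name is printable ASCII with no colon and no whitespace.
_FIELD_NAME = re.compile(r"[!-9;-~]+")
_AUTH_RESULT = re.compile(
    r"\b(spf|dkim|domainkeys|dmarc)=(pass|fail|none|neutral|softfail|temperror|permerror)\b", re.I)


def parse_headers(raw):
    """Return the header block as an ordered list of (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # first blank line ends the headers
        if not fields and line.startswith("From "):
            fields.append(("X-Unix-From", line[5:].strip()))   # mbox envelope line
            continue
        name, sep, value = line.partition(":")
        if sep and not line[0].isspace() and _FIELD_NAME.fullmatch(name):
            fields.append((name, value.strip()))
        elif fields:                                # continuation (folded or garbled line)
            prev_name, prev_value = fields[-1]
            fields[-1] = (prev_name, f"{prev_value} {line.strip()}".strip())
    return fields


def get_all(fields, name):
    """All values of a header, case-insensitive, in header order."""
    return [v for n, v in fields if n.lower() == name.lower()]


def received_hops(fields):
    """Received chain in delivery order (oldest hop first); MTAs prepend, so reverse."""
    hops = []
    for value in reversed(get_all(fields, "Received")):
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def auth_results(fields):
    """SPF/DKIM/DomainKeys verdicts from Authentication-Results and Received-SPF."""
    results = {}
    for value in get_all(fields, "Authentication-Results"):
        for method, verdict in _AUTH_RESULT.findall(value):
            results.setdefault(method.lower(), verdict.lower())
    for value in get_all(fields, "Received-SPF"):
        if value:
            results.setdefault("spf", value.split(None, 1)[0].lower())
    return results


def triage(raw):
    """Summarise whether a message is a delivery-status notification and where it came from."""
    fields = parse_headers(raw)
    null_return_path = any(v.strip() == "<>" for v in get_all(fields, "Return-Path"))
    sender = (get_all(fields, "From") or [""])[0]
    daemon_sender = re.match(r"(mailer-daemon|postmaster)@", sender, re.I) is not None
    hops = received_hops(fields)
    return {
        "null_return_path": null_return_path,   # RFC 5321: bounces use an empty envelope sender
        "daemon_sender": daemon_sender,
        "is_bounce": null_return_path or daemon_sender,
        "auth": auth_results(fields),           # verdicts cover the bounce, not the bounced mail
        "hops": hops,
        "origin": hops[0]["from"] if hops else None,
        "subject": (get_all(fields, "Subject") or [""])[0],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BOUNCE)
    print(f"bounce: {report['is_bounce']}  subject: {report['subject']!r}  auth: {report['auth']}")
    for hop in report["hops"]:
        print(f"hop: {hop['from']} -> {hop['by']}")
```

Run over a folder of saved bounces, the `origin` and `auth` fields show which bounce generators are involved; a batch of failure notices for mail the mailbox never sent means the address is being used as a forged envelope sender somewhere else, which the mailbox owner cannot switch off at their end and which does not, on its own, show that the mail originated from this machine.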
 
OK Broni!! Good to go! We really appreciate all the time and concern you offer us all! I'll follow some of the other topics...now that I'm a fan! Donation coming...
 