TechSpot

Yet another svchost.exe virus

Solved
By E-Will 1.0
Jan 4, 2013
  1. Hi, and thanks. Google brought me here and after reading a few threads I can see I'm in the right place.

    I have at least 1 PC infected with a virus that is hidden as SVCHOST.exe. The process will initiate multiple IP connections and uses obscene amounts of bandwidth (2.5 GB one day). Seems also to be allowing pop-ups and is possibly interfering with my install of McAfee Enterprise - admittedly a free (and legal) "perk" from work. The on-demand scan will not initiate due to an unfound DLL.

    I said at least 1. I haven't played much with my other but it exhibits similar behaviour. They are both part of the same home network. Both running Win7.

    Due to the issues associated with actually allowing network traffic on my PCs I may prefer to d/l some of the recommended tools to a memory stick and then transfer them. This post is from my iPad, which seems fine (not surprisingly).

    In addition to support for cleanup I'd appreciate any recommended alternatives to McAfee.

    Thanks in advance to whomever replies, you guys are friggen heroes in my books.

    Eric
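An added triage script for the situation described in the post above (my own example, not something posted in this thread and not part of any vendor's tool): it enumerates every process named svchost.exe and applies the checks a defender uses to separate the genuine Windows service host from an impostor. The image must live in System32 or SysWOW64, the parent must be services.exe, the command line must carry a `-k` service group, and the process should not hold an unusual number of established TCP connections. The connection threshold of 20 is an arbitrary assumption; the Authenticode check is only a hint on Windows 7, where catalog-signed system files are reported as NotSigned by older PowerShell versions.

```powershell
# Triage every svchost.exe instance on this host (added example, not from the thread).
# Run from an elevated PowerShell prompt. Works with the Windows 7 era cmdlets
# (Get-WmiObject, Get-AuthenticodeSignature); no third-party modules needed.

$connThreshold = 20   # assumption: an arbitrary starting point, tune for the host

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    ForEach-Object { $_.ToLowerInvariant() }

# Count ESTABLISHED TCP connections per owning PID; the PID is netstat's last column.
$connByPid = @{}
netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
    $fields = $_.Line.Trim() -split '\s+'
    $owner  = [int]$fields[-1]
    if ($connByPid.ContainsKey($owner)) { $connByPid[$owner] += 1 } else { $connByPid[$owner] = 1 }
}

$report = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $p = $_
    $reasons = @()

    # 1. The real service host lives in System32 (or SysWOW64 for 32-bit hosts).
    $dir = if ($p.ExecutablePath) { (Split-Path $p.ExecutablePath).ToLowerInvariant() } else { '' }
    if ($systemDirs -notcontains $dir) {
        $reasons += "image outside System32/SysWOW64 ($($p.ExecutablePath))"
    }

    # 2. Genuine instances are always started by services.exe.
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $reasons += "parent is $parentName (pid $($p.ParentProcessId)), not services.exe"
    }

    # 3. Genuine instances carry a '-k <servicegroup>' argument (e.g. -k netsvcs).
    if ($p.CommandLine -notmatch '\s-k\s+\S+') {
        $reasons += 'no -k service group on the command line'
    }

    # 4. The binary should carry a valid Microsoft signature. Caveat: on Windows 7
    #    catalog-signed system files report NotSigned, so treat this as a hint only.
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signature status $($sig.Status) (hint only on Windows 7)"
        }
    }

    # 5. A service host with a pile of outbound sessions is worth a closer look.
    $pid32 = [int]$p.ProcessId
    $n = if ($connByPid.ContainsKey($pid32)) { $connByPid[$pid32] } else { 0 }
    if ($n -gt $connThreshold) { $reasons += "$n established TCP connections" }

    New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Connections = $n
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table PID, Connections, Suspicious, Reasons -AutoSize
```

A flagged PID is a lead, not a verdict: cross-check the path and parent in Process Explorer or with `tasklist /svc` before acting. A process that comes straight back after being killed, as described in this thread, points at a persistence mechanism (a service, a scheduled task, or another process that restarts it), so terminating it is not a cleanup; suspending it to regain bandwidth and then running a full anti-malware scan, as the poster did, is the sensible order of operations.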
  2. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Am running MBAM now... And the results are in. Lots of Trojans. Will post shortly. I was able to mostly restore my connectivity by suspending the offensive process. Killing it only caused it to re-spawn.
  3. E-Will 1.0

    After running MBAM quick scan:
    A) the svchost.exe process is gone.
    B) if I get to McAfee On-Demand scan as the computer is starting up, before MBAM starts screaming about more quarantined files, I can initialize it. Once the quarantining starts, it won't run. I assume this is an ongoing virus issue.

    MBAM Log follows, DDS coming soon...

    Malwarebytes Anti-Malware (Trial) 1.70.0.1100
    www.malwarebytes.org
    Database
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    EMW :: EMW-OFFICE [administrator]
    Protection: Enabled
    04/01/2013 9:20:04 PM
    mbam-log-2013-01-04 (21-20-04).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 247642
    Time elapsed: 6 minute(s), 1 second(s)
    Memory Processes Detected: 2
    C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> 4156 -> Delete on reboot.
    C:\Windows\System32\taskmgr.exe (Trojan.FakeMS) -> 5952 -> Delete on reboot.
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 12
    HKLM\SYSTEM\CurrentControlSet\Services\WSearch (Trojan.FakeMS) -> Quarantined and deleted successfully.
    HKCR\CLSID\>{26923b43-4d38-484f-9b9e-de460746276c} (Trojan.FakeMS) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923B43-4D38-484F-9B9E-DE460746276C} (Trojan.FakeMS) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923B43-4D38-484F-9B9E-DE460746276C} (Trojan.FakeMS) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{7CDB4C42-D09D-4532-AF9D-B941DF2F3E24} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\Interface\{5A6046F6-7B79-435B-908E-0C252F8FFACD} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\TypeLib\{8E80422B-CAC4-472B-B272-9635F1DFEF3B} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\Interface\{0178FAD1-B361-4B27-96AD-67C57EBF2E1D} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\TypeLib\{00A40DB9-D8B4-40B3-8E0C-A8E8C6B3B720} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\Interface\{802C03CF-0243-4DAF-BDE5-A1A9071B79D8} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\TypeLib\{B0A20F08-4B8A-4BDE-9735-8CFC250A6B4B} (Trojan.FakeMS) -> Delete on reboot.
    HKCR\Interface\{4634D64C-B361-4AF9-94BC-FB86A7B18EFF} (Trojan.FakeMS) -> Delete on reboot.
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 1
    HKLM\SYSTEM\CurrentControlSet\SERVICES\COMSYSAPP|Type (Hijack.Comsysapp) -> Bad: (272) Good: (16) -> Quarantined and repaired successfully.
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 105
    C:\Windows\System32\SEARCHINDEXER.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\taskmgr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\SysWOW64\ie4uinit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Windows Media Player\wmlaunch.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\at.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\bootcfg.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\certreq.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\certutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\chkdsk.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\choice.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\cmdl32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\comp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\ComputerDefaults.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\convert.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\credwiz.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\cttunesvr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\dccw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\ddodiag.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\diskpart.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\diskraid.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\DisplaySwitch.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\dnscacheugc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\dpnsvr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\dvdplay.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\dvdupgrd.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\dxdiag.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\efsui.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\eventvwr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\findstr.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\fltMC.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\fontview.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\fsutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\grpconv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\hh.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\ie4uinit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\iexpress.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\instnm.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\logman.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\mfpmp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\mmc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\MRINFO.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\msfeedssync.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\msra.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\MuiUnattend.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\Mystify.scr (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\netiougc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\notepad.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\ocsetup.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\odbcconf.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\print.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\proquota.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\rasautou.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\ReAgentc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\regedit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\regini.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\replace.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\Ribbons.scr (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\RMActivate_ssp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\RMActivate_ssp_isv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\sdchange.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\setup16.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\shrpubw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\shutdown.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\ssText3d.scr (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\subst.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\systeminfo.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\SystemPropertiesAdvanced.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\SystemPropertiesComputerName.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\SystemPropertiesDataExecutionPrevention.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\SystemPropertiesHardware.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\SystemPropertiesProtection.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\SystemPropertiesRemote.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\TCPSVCS.EXE (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\TSTheme.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\tzutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\UserAccountControlSettings.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\vssadmin.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wecutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\WerFault.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wevtutil.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wextract.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\where.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\whoami.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wimserv.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\winrs.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\winver.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wlanext.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\write.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\WSManHTTPConfig.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\xcopy.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\com\comrepl.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\com\MigRegDB.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wbem\mofcomp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wbem\WMIC.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\System32\wbem\WmiPrvSE.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\regedit.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\winhlp32.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\n (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    (end)
  4. E-Will 1.0

    Dds.txt

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16421
    Run by EMW at 22:06:47 on 2013-01-04
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.4095.2392 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Program Files (x86)\Garmin\Training Center\gStart.exe
    C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Users\EMW\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe
    C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
    C:\Windows\SysWOW64\LVCOMSX.EXE
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
    C:\Windows\system32\mfevtps.exe
    C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\ProgramData\TVersity\Media Server\MediaServer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mfeann.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\jusched.exe
    C:\Windows\system32\UI0Detect.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\perfmon.exe
    C:\Windows\system32\prevhost.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\System32\jucheck.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcconsol.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    mWinlogon: Userinit = userinit.exe,
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\scriptsn.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    uRun: [gStart] C:\Program Files (x86)\Garmin\Training Center\gStart.exe
    uRun: [WeatherEye] C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [LVCOMSX] C:\Windows\System32\LVCOMSX.EXE
    mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
    mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
    StartupFolder: C:\Users\EMW\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\EMW\AppData\Roaming\Dropbox\bin\Dropbox.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CINEFO~1.LNK - C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableLUA = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ras.opgonline.com/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 192.168.2.1
    TCP: Interfaces\{2B13F128-3241-4FDD-813D-A1DC7671828D} : DHCPNameServer = 204.101.237.136 206.47.201.246
    TCP: Interfaces\{730C4F2F-384B-4891-8272-EE6923784ED8} : DHCPNameServer = 192.168.2.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
    x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    x64-DPF: {AA570693-00E2-4907-B6F1-60A1199B030C} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
    x64-DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    P2 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe [2010-10-22 181480]
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2012-10-3 470808]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-3-27 55280]
    R1 NEOFLTR_720_21697;Juniper Networks TDI Filter Driver (NEOFLTR_720_21697);C:\Windows\System32\drivers\NEOFLTR_720_21697.SYS [2012-12-15 100728]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-27 239616]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
    R2 JobManagerService110;Ansys JobManager Service V11;C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe [2007-1-16 20480]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-1-4 398184]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-1-4 682344]
    R2 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [2010-10-22 20792]
    R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-8-25 262144]
    R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [2010-10-22 225280]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2012-10-3 77968]
    R2 ScriptHostService110;Ansys ScriptHost Service V11;C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe [2007-1-16 20480]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-3-27 1692480]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-1-4 24176]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2012-10-3 120224]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-3-12 36720]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-3-21 452200]
    S2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2010-12-3 1458176]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 288256]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 androidusb;ADB Interface Driver;C:\Windows\System32\drivers\androidusb.sys [2010-4-29 32768]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2010-3-27 138752]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2012-10-3 78768]
    S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\drivers\netaapl64.sys [2011-5-10 22528]
    S3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\System32\drivers\netr7364.sys [2009-6-10 707072]
    S3 rt61x64;RT61 Extensible Wireless Driver;C:\Windows\System32\drivers\netr6164.sys [2010-10-24 438784]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-5-21 59392]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-4 1255736]
    .
    =============== Created Last 30 ================
    .
    2013-01-05 02:14:01 -------- d-----w- C:\Users\EMW\AppData\Roaming\Malwarebytes
    2013-01-05 02:13:41 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2013-01-05 02:13:41 -------- d-----w- C:\ProgramData\Malwarebytes
    2013-01-05 02:13:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-01-05 02:13:21 -------- d-----w- C:\Users\EMW\AppData\Local\Programs
    2013-01-03 00:11:59 -------- d-----w- C:\Windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
    2012-12-16 03:24:32 100728 ----a-w- C:\Windows\System32\drivers\NEOFLTR_720_21697.SYS
    .
    ==================== Find3M ====================
    .
    2012-12-12 12:19:17 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 12:19:17 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-11-03 13:58:31 49664 ----a-w- C:\ProgramData\p25_406265978.dll
    2012-10-25 08:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 08:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-10-23 20:04:38 460288 ----a-w- C:\Windows\WLXPGSS.SCR
    2012-10-13 05:34:06 1424896 ----a-w- C:\Windows\System32\CFHD.dll
    2012-10-13 05:31:20 1458176 ----a-w- C:\Windows\SysWow64\CFHD.dll
    .
    ============= FINISH: 22:08:34.26 ===============
  5. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Attach.txt ...

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 05/04/2010 5:31:45 PM
    System Uptime: 04/01/2013 9:54:02 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0K83V0
    Processor: Pentium(R) Dual-Core CPU E5400 @ 2.70GHz | CPU 1 | 2700/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 451 GiB total, 219.893 GiB free.
    D: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is FIXED (FAT32) - 931 GiB total, 562.904 GiB free.
    J: is Removable
    X: is FIXED (NTFS) - 15 GiB total, 10.156 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: 802.11g PCI Wireless Adapter
    Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\4&2AE74A33&0&08F0
    Manufacturer: Ralink Technology Corp.
    Name: 802.11g PCI Wireless Adapter
    PNP Device ID: PCI\VEN_1814&DEV_0201&SUBSYS_00321737&REV_01\4&2AE74A33&0&08F0
    Service: rt61x64
    .
    ==== System Restore Points ===================
    .
    RP177: 29/10/2012 5:21:45 PM - Installed Java(TM) 6 Update 37
    RP178: 12/11/2012 6:58:33 PM - Scheduled Checkpoint
    RP179: 20/11/2012 6:43:13 PM - Scheduled Checkpoint
    RP180: 27/11/2012 9:36:31 PM - Scheduled Checkpoint
    RP181: 15/12/2012 12:02:38 PM - Scheduled Checkpoint
    RP182: 31/12/2012 6:26:32 PM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.5.2
    AMD Accelerated Video Transcoding
    AMD APP SDK Runtime
    AMD AVIVO64 Codecs
    AMD Catalyst Install Manager
    AMD Drag and Drop Transcoding
    AMD Media Foundation Decoders
    ANSYS CFX 11.0
    ANSYS ICEM CFD 11.0
    ANSYS Products 11.0
    ANSYS Remote Solve Manager (RSM) 11.0
    Any Video Converter 3.1.7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    µTorrent
    Bing Bar
    Bing Bar Platform
    Bonjour
    Brother HL-2170W
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-utility64
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Citrix XenApp Web Plugin
    Compatibility Pack for the 2007 Office system
    D3DX10
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell Dock
    Dell Edoc Viewer
    Dell Getting Started Guide
    Dropbox
    Garmin Training Center
    Garmin USB Drivers
    Google Earth
    Google Update Helper
    GoPro CineForm Studio 1.3.1
    GoToAssist 8.0.0.514
    HydraVision
    iCloud
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    ISODisk 1.1
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 17 (64-bit)
    Java(TM) 6 Update 35
    Juniper Networks Secure Application Manager
    Juniper Networks, Inc. Setup Client
    Juniper Networks, Inc. Setup Client 64-bit Activex Control
    Junk Mail filter update
    Logitech® Camera Driver
    Malwarebytes Anti-Malware version 1.70.0.1100
    McAfee Agent
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Corporation
    Microsoft IntelliPoint 8.1
    Microsoft LifeCam
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Project 2007 Service Pack 2 (SP2)
    Microsoft Office Project MUI (English) 2007
    Microsoft Office Project Standard 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable (x64)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    MSVCRT
    MSVCRT_amd64
    PowerDVD DX
    QuickTime
    Ralink RT6x Wireless LAN Card
    Realtek High Definition Audio Driver
    Roxio Burn
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office Groove 2007 (KB2494047)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype™ 4.2
    TVersity Codec Pack 1.7
    TVersity Media Server 1.9.7
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Project 2007 Help (KB963668)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2586924)
    Virtual DJ Pro Full - Atomix Productions
    WeatherEye
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices (03/07/2012 )
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR 4.11 (32-bit)
    Xiph.Org Open Codecs 0.85.17777
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    04/01/2013 9:56:45 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    04/01/2013 9:56:45 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    04/01/2013 9:56:30 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    04/01/2013 9:56:00 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
    04/01/2013 9:55:57 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ISODisk
    04/01/2013 9:55:14 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    04/01/2013 9:54:29 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    04/01/2013 9:54:26 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    04/01/2013 9:54:22 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the ANSYS FLEXlm license manager service to connect.
    04/01/2013 9:54:22 PM, Error: Service Control Manager [7000] - The ANSYS FLEXlm license manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    04/01/2013 9:54:13 PM, Error: rt61x64 [5003] - 802.11g PCI Wireless Adapter : Could not find a network adapter.
    04/01/2013 9:54:07 PM, Error: Application Popup [1060] - \SystemRoot\SysWow64\Drivers\ISODisk.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    04/01/2013 10:04:08 PM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "2" Happened while starting this command: C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    02/01/2013 7:14:10 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 38 time(s).
    02/01/2013 7:14:04 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 37 time(s).
    02/01/2013 7:13:59 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 36 time(s).
    02/01/2013 7:13:53 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 35 time(s).
    02/01/2013 7:13:48 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 34 time(s).
    02/01/2013 7:13:42 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 33 time(s).
    02/01/2013 7:13:37 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 32 time(s).
    02/01/2013 7:13:33 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 31 time(s).
    02/01/2013 7:13:27 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 30 time(s).
    02/01/2013 7:13:22 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 29 time(s).
    02/01/2013 7:13:16 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 28 time(s).
    02/01/2013 7:13:11 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 27 time(s).
    02/01/2013 7:13:05 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 26 time(s).
    02/01/2013 7:13:00 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 25 time(s).
    02/01/2013 7:12:55 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 24 time(s).
    02/01/2013 7:12:50 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 23 time(s).
    02/01/2013 7:12:44 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 22 time(s).
    02/01/2013 7:12:39 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 21 time(s).
    02/01/2013 7:12:33 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 20 time(s).
    02/01/2013 7:12:28 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 19 time(s).
    02/01/2013 7:12:22 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 18 time(s).
    02/01/2013 7:11:07 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 17 time(s).
    02/01/2013 7:09:45 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 16 time(s).
    02/01/2013 7:09:40 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 15 time(s).
    02/01/2013 7:09:34 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 14 time(s).
    02/01/2013 7:09:28 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 13 time(s).
    02/01/2013 7:09:23 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 12 time(s).
    02/01/2013 7:09:17 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 11 time(s).
    02/01/2013 7:09:12 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 10 time(s).
    02/01/2013 7:09:08 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 9 time(s).
    02/01/2013 7:09:02 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 8 time(s).
    02/01/2013 7:08:56 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 7 time(s).
    02/01/2013 7:08:51 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 6 time(s).
    02/01/2013 7:08:45 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 5 time(s).
    02/01/2013 7:08:40 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 4 time(s).
    02/01/2013 7:08:34 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 3 time(s).
    02/01/2013 7:06:28 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 2 time(s).
    02/01/2013 7:01:54 PM, Error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    02/01/2013 6:34:40 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk5\DR5.
    02/01/2013 6:34:28 PM, Error: Service Control Manager [7023] - The iPod Service service terminated with the following error: %%-2147417831
    .
    ==== End Of File ===========================
  6. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ********************************************

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
  7. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    System-log.txt

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_35
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED, X:\ DRIVE_FIXED
    CPU speed: 2.693000 GHz
    Memory total: 4293902336, free: 2233475072
    ------------ Kernel report ------------
    01/04/2013 22:54:17
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\PxHlpa64.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\mfetdik.sys
    \SystemRoot\system32\drivers\TDI.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \??\C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\atikmpag.sys
    \SystemRoot\system32\DRIVERS\atikmdag.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\drivers\RTKVHD64.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\point64.sys
    \SystemRoot\system32\drivers\luafv.sys
    \??\C:\Windows\system32\drivers\mbam.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\drivers\mrxdav.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\nx6000.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\drivers\usbaudio.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\SysWOW64\WinFLdrv.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\spsys.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\gdi32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\lpk.dll
    \Windows\System32\nsi.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\ole32.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\imm32.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\shell32.dll
    \Windows\System32\user32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\sechost.dll
    \Windows\System32\psapi.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\msctf.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\wininet.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk5\DR5
    Upper Device Object: 0xfffffa8005e43790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000078\
    Lower Device Object: 0xfffffa8005e2a060
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk4\DR4
    Upper Device Object: 0xfffffa8005e26060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000076\
    Lower Device Object: 0xfffffa8005e23570
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk3\DR3
    Upper Device Object: 0xfffffa8005e25060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000075\
    Lower Device Object: 0xfffffa8005e087b0
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk2\DR2
    Upper Device Object: 0xfffffa8005e07060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000074\
    Lower Device Object: 0xfffffa8005dc7060
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa8005e24060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000073\
    Lower Device Object: 0xfffffa8005e02150
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80048ba060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa8004441050
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Downloaded database version: v2013.01.05.01
    Downloaded database version: v2013.01.04.01
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 3
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80048ba060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80048bab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80048ba060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8004441050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a002f24a80, 0xfffffa80048ba060, 0xfffffa8003d2c090
    Lower DeviceData: 0xfffff8a0028dc820, 0xfffffa8004441050, 0xfffffa80070f4e40
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 78033E78
    Partition information:
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920 Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30801920 Numsec = 945969200
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107862016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa8005e24060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8005e24b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8005e24060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8005e02150, DeviceName: \Device\00000073\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 2, DevicePointer: 0xfffffa8005e07060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8005e07b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8005e07060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8005dc7060, DeviceName: \Device\00000074\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 3, DevicePointer: 0xfffffa8005e25060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8005e25b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8005e25060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8005e087b0, DeviceName: \Device\00000075\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 4, DevicePointer: 0xfffffa8005e26060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8005e26b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8005e26060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8005e23570, DeviceName: \Device\00000076\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 512
    Drive: 5, DevicePointer: 0xfffffa8005e43790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8005e44790, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8005e43790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8005e2a060, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a0032511a0, 0xfffffa8005e43790, 0xfffffa8004411790
    Lower DeviceData: 0xfffff8a00b322260, 0xfffffa8005e2a060, 0xfffffa8006ef82d0
    Drive 5
    Scanning MBR on drive 5...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: E8900690
    Partition information:
    Partition 0 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 1953520002
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 1000204886016 bytes
    Sector size: 512 bytes
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
    Infected: C:\Windows\System32\services.exe --> [Rootkit.0Access.S]
    Backup file found for a file C:\Windows\System32\services.exe
    Infected: C:\Windows\SysWOW64\chkntfs.exe --> [Trojan.FakeMS]
    Backup file found for a file C:\Windows\SysWOW64\chkntfs.exe
    Infected: C:\Windows\SysWOW64\mshta.exe --> [Trojan.FakeMS]
    Backup file found for a file C:\Windows\SysWOW64\mshta.exe
    Infected: C:\Windows\SysWOW64\SecEdit.exe --> [Trojan.FakeMS]
    Backup file found for a file C:\Windows\SysWOW64\SecEdit.exe
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ --> [Backdoor.0Access]
    Infected: C:\Windows\assembly\GAC_32\Desktop.ini --> [Trojan.0access]
    Infected: C:\Windows\assembly\GAC_64\Desktop.ini --> [Rootkit.0access]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ --> [Trojan.Dropper.BCMiner]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ --> [Backdoor.0Access]
    Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
    Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 --> [Trojan.Zaccess]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\1afb2d56 --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\201d3dde --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\4cce1f70 --> [Backdoor.0Access]
    Infected: C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L --> [Backdoor.0Access]
    Infected: C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ --> [Backdoor.0Access]
    Infected: HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| --> [Trojan.Zaccess]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    <<<2>>>
    Device number: 0, partition: 3
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_35
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED
    CPU speed: 2.693000 GHz
    Memory total: 4293902336, free: 3199561728
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.1.7601 Windows 7 Service Pack 1 x64
    Account is Administrative
    Internet Explorer version: 9.0.8112.16421
    Java version: 1.6.0_35
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, I:\ DRIVE_FIXED
    CPU speed: 2.693000 GHz
    Memory total: 4293902336, free: 2625609728
    ------------ Kernel report ------------
    01/04/2013 23:21:33
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\PxHlpa64.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\system32\drivers\mfehidk.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\drivers\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\mfetdik.sys
    \SystemRoot\system32\drivers\TDI.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \??\C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\atikmpag.sys
    \SystemRoot\system32\DRIVERS\atikmdag.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\drivers\RTKVHD64.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \??\C:\Windows\system32\drivers\mbam.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\system32\drivers\mrxdav.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\System32\Drivers\nx6000.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\drivers\usbaudio.sys
    \SystemRoot\system32\DRIVERS\point64.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\SysWOW64\WinFLdrv.sys
    \SystemRoot\system32\drivers\mfeapfk.sys
    \SystemRoot\system32\drivers\mfeavfk.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\system32\drivers\spsys.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\iertutil.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\sechost.dll
    \Windows\System32\imm32.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\shell32.dll
    \Windows\System32\usp10.dll
    \Windows\System32\lpk.dll
    \Windows\System32\wininet.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\user32.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\msasn1.dll
    \Windows\SysWOW64\normaliz.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk5\DR5
    Upper Device Object: 0xfffffa80068a9790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000078\
    Lower Device Object: 0xfffffa8006894b60
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk4\DR4
    Upper Device Object: 0xfffffa800687f060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000076\
    Lower Device Object: 0xfffffa800686b060
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk3\DR3
    Upper Device Object: 0xfffffa8006887060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000075\
    Lower Device Object: 0xfffffa800687c6f0
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk2\DR2
    Upper Device Object: 0xfffffa8006880060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000074\
    Lower Device Object: 0xfffffa800687d660
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa8006888790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000073\
    Lower Device Object: 0xfffffa800687e060
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80047ff790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa80043af050
    Lower Device Driver Name: \Driver\iaStor\
    Driver name found: iaStor
    DriverEntry returned 0x0
    Function returned 0x0
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 3
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80047ff790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80047ff2c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80047ff790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80043af050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00b465260, 0xfffffa80047ff790, 0xfffffa8004218090
    Lower DeviceData: 0xfffff8a00b86c230, 0xfffffa80043af050, 0xfffffa80044b08a0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 78033E78
    Partition information:
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920 Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30801920 Numsec = 945969200
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 500107862016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa8006888790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80068882c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8006888790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800687e060, DeviceName: \Device\00000073\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 2, DevicePointer: 0xfffffa8006880060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8006880b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8006880060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800687d660, DeviceName: \Device\00000074\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 3, DevicePointer: 0xfffffa8006887060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8006887b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8006887060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800687c6f0, DeviceName: \Device\00000075\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 4, DevicePointer: 0xfffffa800687f060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa800687fb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa800687f060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa800686b060, DeviceName: \Device\00000076\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 512
    Drive: 5, DevicePointer: 0xfffffa80068a9790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80068aa040, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80068a9790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8006894b60, DeviceName: \Device\00000078\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Upper DeviceData: 0xfffff8a00d300370, 0xfffffa80068a9790, 0xfffffa800448b5e0
    Lower DeviceData: 0xfffff8a00b30b230, 0xfffffa8006894b60, 0xfffffa800427b980
    Drive 5
    Scanning MBR on drive 5...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: E8900690
    Partition information:
    Partition 0 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 1953520002
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 1000204886016 bytes
    Sector size: 512 bytes
    Done!
    Performing system, memory and registry scan...
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\delldock.dat" is compressed (flags = 1)
    Read File: File "C:\ProgramData\{D19C2D22-6043-47E7-B400-83A351841204}\instance.dat" is compressed (flags = 1)
    Done!
    Scan finished
    =======================================
  8. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    'clean' mbar log

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org
    Database
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    EMW :: EMW-OFFICE [administrator]
    04/01/2013 11:37:53 PM
    mbar-log-2013-01-04 (23-37-53).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 29108
    Time elapsed: 16 minute(s), 5 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  9. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    'dirty' mbar log

    Seems better - no MBAM alerts anymore, McAfee runs 100%

    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org
    Database
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    EMW :: EMW-OFFICE [administrator]
    04/01/2013 11:14:25 PM
    mbar-log-2013-01-04 (23-14-25).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 29532
    Time elapsed: 18 minute(s), 52 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Delete on reboot.
    Registry Values Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| (Trojan.Zaccess) -> Data: C:\Users\EMW\AppData\Local\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\n. -> Delete on reboot.
    Registry Data Items Detected: 1
    HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32| (Trojan.Zaccess) -> Bad: (C:\Users\EMW\AppData\Local\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Delete on reboot.
    Folders Detected: 4
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L (Backdoor.0Access) -> Delete on reboot.
    Files Detected: 30
    C:\Windows\System32\services.exe (Rootkit.0Access.S) -> Delete on reboot.
    C:\Windows\SysWOW64\chkntfs.exe (Trojan.FakeMS) -> Delete on reboot.
    C:\Windows\SysWOW64\mshta.exe (Trojan.FakeMS) -> Delete on reboot.
    C:\Windows\SysWOW64\SecEdit.exe (Trojan.FakeMS) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\assembly\GAC_32\Desktop.ini (Trojan.0access) -> Delete on reboot.
    C:\Windows\assembly\GAC_64\Desktop.ini (Rootkit.0access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000004.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\000000cb.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000000.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000032.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\U\80000064.@ (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\1afb2d56 (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\201d3dde (Backdoor.0Access) -> Delete on reboot.
    C:\Windows\Installer\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\4cce1f70 (Backdoor.0Access) -> Delete on reboot.
    C:\Users\EMW\Local Settings\Application Data\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}\L\00000004.@ (Backdoor.0Access) -> Delete on reboot.
    (end)
  10. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Very well...

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    ============================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  11. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Rogue Killer Log 1/2

    RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] WeatherEye.exe -- C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 11 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-3198253161-613055380-4240325347-1001[...]\Run : WeatherEye (C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\EMW\Desktop\Cleanup\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST3500418AS +++++
    --- User ---
    [MBR] c93c21bac940425f83f48c33a40e3d2c
    [BSP] b689a285b9fb589571be9d69c096bbe2 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[1]_S_01052013_02d1110.txt >>
    RKreport[1]_S_01052013_02d1110.txt
     
  12. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Rogue Killer log 2/2

    RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] WeatherEye.exe -- C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 8 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : WeatherEye (C:\Users\EMW\AppData\Local\TheWeatherNetwork\WeatherEye\WeatherEye.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : Z1 (C:\Users\EMW\Desktop\Cleanup\mbar-1.01.0.1011\mbar\mbar.exe /cleanup /s) -> DELETED
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST3500418AS +++++
    --- User ---
    [MBR] c93c21bac940425f83f48c33a40e3d2c
    [BSP] b689a285b9fb589571be9d69c096bbe2 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 461899 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2]_D_01052013_02d1111.txt >>
    RKreport[1]_S_01052013_02d1110.txt ; RKreport[2]_D_01052013_02d1111.txt
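The registry part of the two RogueKiller reports above is the security-relevant bit for this cleanup. EnableLUA and ConsentPromptBehaviorAdmin live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (RogueKiller abbreviates the path to HKLM\[...]\System); both were 0, which switches UAC off and lets any process of an administrator elevate without a prompt, and the second (delete) run put them back to 1 and 2. The script below is an added example, not part of the thread and not RogueKiller's code: it parses the [HJ] lines of such a report and reports the UAC posture before and after the fix. The two report strings embedded in it are the [HJ] lines of the scan and delete logs above, used as constructed input; the [HJ DESK] desktop-icon entries are ignored, as is the Wow6432Node view, which carries the same values here.

```python
import re
from typing import Dict, List

# [HJ] lines as RogueKiller prints them, e.g.
#   [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
#   [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
HJ_RE = re.compile(
    r"^\[HJ\] (?P<key>\S+) : (?P<name>\w+) \((?P<value>-?\d+)\) -> "
    r"(?P<action>FOUND|REPLACED \((?P<new>-?\d+)\))$"
)

# Meaning of the ConsentPromptBehaviorAdmin values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
CONSENT_ADMIN = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries (Windows 7 default)",
}

# Constructed input: the [HJ] lines of the scan (S) and delete (D) reports posted above.
SCAN_REPORT = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
"""
DELETE_REPORT = r"""
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
"""


def parse_hj(report: str) -> List[dict]:
    """Extract the [HJ] registry lines; every other report line is skipped."""
    hits = []
    for raw in report.splitlines():
        m = HJ_RE.match(raw.strip())
        if m is None:
            continue  # RUN entries, [HJ DESK], headers, MBR section, ...
        hits.append({
            "key": m["key"],
            "name": m["name"],
            "value": int(m["value"]),
            # REPLACED (n) carries the value RogueKiller wrote; FOUND carries none
            "new": int(m["new"]) if m["new"] is not None else None,
        })
    return hits


def uac_values(hits: List[dict], after: bool = False) -> Dict[str, int]:
    """One value per UAC setting from the 64-bit view of the key.

    after=False is the state RogueKiller found, after=True the state it left
    behind (the REPLACED value where there is one). Wow6432Node lines are the
    32-bit view of the same key; in these reports they repeat the same values.
    """
    values: Dict[str, int] = {}
    for h in hits:
        if "Wow6432Node" in h["key"]:
            continue
        values[h["name"]] = h["new"] if (after and h["new"] is not None) else h["value"]
    return values


def uac_findings(values: Dict[str, int]) -> List[str]:
    """Return the settings that leave elevation unprotected (empty = nothing to flag)."""
    findings = []
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is disabled (effective at next boot); "
                        "administrators run everything with a full token")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: " + CONSENT_ADMIN[0] +
                        ", so even with UAC on no elevation prompt is ever shown")
    return findings


if __name__ == "__main__":
    for label, report, after in (("before", SCAN_REPORT, False), ("after", DELETE_REPORT, True)):
        vals = uac_values(parse_hj(report), after=after)
        print(label, vals)
        for f in uac_findings(vals):
            print("  !", f)
        cpba = vals.get("ConsentPromptBehaviorAdmin")
        if cpba is not None:
            print("  admin elevation:", CONSENT_ADMIN.get(cpba, "unknown value"))
```

Run against the two reports it prints two findings for the scan state and none for the post-delete state, with admin elevation back at "prompt for consent on the secure desktop". The EnableLUA change only takes effect at the next boot, which is why a UAC prompt reappearing on the machine a reboot or two after RogueKiller ran is the expected outcome of this fix rather than a new symptom.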
  13. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Am getting most of the way through the aswMBR scan (past \system32\drivers) and then find an infected file. Not long after, I get good 'ole "The instruction at XXX referenced memory at YYY. The memory could not be read - click Close to terminate the program".

    This has happened twice and seems to be stalling out at the same point in the process though the file being scanned at the time has been different - image file below
  14. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    ...see attached

  15. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ==============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  16. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Okay. I've buggered this up fairly well at this point. With apologies.

    I created a restore point and downloaded combofix. I disabled mcafee and MBAM. Ran Combofix and it got partway through but twice halted on a compatibility mode error.
    I restarted McAfee and MBAM. Wasn't sure so I ticked Filesystem protection and Malicious website blocking on Protection tab
    Re-downloaded Combofix with alt name. Same result. Then realized I should not have run it right away so rebooted.

    Downloaded both versions of rkill.
    Muddled by my own confusion but thinking I was doing the right thing I successfully ran rkill.exe and immediately realized I should have done so in SafeMode.
    Reboot
    F8 did not provide a safe mode option (nor has it on subsequent reboots)

    Decided it was time to admit my sins

    Current behaviour:
    MBAM blocking access to "potentially malicious website 208.73.210.29, Port 53610 process mbamscheduler.exe". jusched.exe also being blocked.
    I get a UAC message when I invoke the MBAM GUI. Didn't realize that still existed in Win7
    On one reboot shortly after running rkill.exe chkdsk ran during startup. I did not initiate it.
    I think that's all.

    Feel free to fire me as a client. My biggest goal here outside of cleaning my machine was avoiding the Homer Simpson "Listen Carefully" sign. I can feel it coming now.... Sorry
  17. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  18. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Okay. Thanks Broni. Could be until Monday evening before I get to a clean PC I can download to a flash drive.

    I appreciate your support and patience. If I have an excuse at all it's the three year old at my ankles yelling "Play with me dad". I guess I should take a break from this and go play anyway. Thx.
  19. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    No worries :)
  20. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Home PC network traffic is too slow to post right now (times out). Took some extra time. Thanks

    Farbar Recovery Scan Tool (x64) Version: 31-12-2012
    Ran by SYSTEM at 2013-01-07 17:20:36
    Running from E:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
    C:\Windows\System32\services.exe
    [2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
    ====== End Of Search ======
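Why the helper asked for that particular search: MBAM labelled this infection Backdoor.0Access / Rootkit.0access (ZeroAccess), and ZeroAccess variants of the period patched services.exe, so the standard check was to have FRST, running from the recovery environment where the rootkit is not loaded, list every copy of the file with its size, version-resource company and MD5. The live C:\Windows\System32\services.exe can then be compared with the untouched copy Windows keeps under winsxs. In the log above both copies are 328704 bytes with MD5 24ACB7E5BE595468E3B9AA488B9B4FCB, which is why this output is good news. The script below is an added example, neither FRST's code nor part of the thread: it parses FRST Search output and applies that comparison. The first embedded sample is the posted log verbatim; the second is a constructed copy of it with a hypothetical, made-up MD5 on the System32 entry to show what a tampered file would look like.

```python
import re
from dataclasses import dataclass
from typing import List

# Attribute line FRST prints under each path it finds, e.g.
#   [2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5...
#   created              modified              size    attrs  company (empty "()" if none)  MD5
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed input 1: the Search.txt posted above, copied verbatim.
SAMPLE_CLEAN = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
====== End Of Search ======
"""

# Constructed input 2: same log, but the System32 copy carries a made-up MD5 and a
# later modification time (hypothetical values, not from any real sample).
SAMPLE_TAMPERED = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 17:19] - [2009-07-13 19:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 17:19] - [2012-11-30 03:12] - 0328704 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF
====== End Of Search ======
"""


@dataclass
class Hit:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


def parse_search(text: str) -> List[Hit]:
    """Pair each path line with the attribute line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    hits: List[Hit] = []
    i = 0
    while i + 1 < len(lines):
        m = ENTRY_RE.match(lines[i + 1])
        if lines[i] and not lines[i].startswith("=") and m:
            hits.append(Hit(lines[i], m["created"], m["modified"], int(m["size"]),
                            m["attrs"], m["company"], m["md5"].upper()))
            i += 2
        else:
            i += 1  # header, footer, blank or unpaired line
    return hits


def check_live_copy(hits: List[Hit],
                    live_path: str = r"C:\Windows\System32\services.exe",
                    expected_company: str = "Microsoft Corporation") -> List[str]:
    """Compare the in-use binary with the winsxs copies; an empty list means consistent."""
    live = [h for h in hits if h.path.lower() == live_path.lower()]
    refs = [h for h in hits if "\\winsxs\\" in h.path.lower()]
    if not live:
        return [f"{live_path} is not in the search output"]
    cur = live[0]
    findings: List[str] = []
    if cur.company != expected_company:
        findings.append(f"company string is {cur.company!r}, expected {expected_company!r}")
    if not refs:
        findings.append("no winsxs copy to compare against")
        return findings
    if cur.md5 not in {r.md5 for r in refs}:
        findings.append(f"MD5 {cur.md5} matches none of the {len(refs)} winsxs copies")
    if cur.size not in {r.size for r in refs}:
        findings.append(f"size {cur.size} matches none of the winsxs copies")
    return findings


if __name__ == "__main__":
    for label, sample in (("posted log", SAMPLE_CLEAN), ("constructed tampered log", SAMPLE_TAMPERED)):
        findings = check_live_copy(parse_search(sample))
        print(f"{label}: " + ("consistent" if not findings else "; ".join(findings)))
```

Two caveats a practitioner would add. Agreement with a winsxs copy is a consistency check, not proof of integrity: a fully compromised system could carry a patched copy in winsxs too, so the stronger check is the Authenticode signature and a comparison against a known-good hash from a clean install. And a hash taken from inside the infected OS can be lied to by a filesystem-hooking rootkit, which is exactly why the FRST run above was done from System Recovery Options rather than from the running Windows.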
  21. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-12-2012 (ATTENTION: FRST version is 7 days old)
    Ran by SYSTEM at 07-01-2013 17:18:30
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8306208 2009-10-20] (Realtek Semiconductor)
    HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
    HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-13] (Microsoft Corporation)
    HKLM-x32\...\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [140520 2009-12-29] (CyberLink Corp.)
    HKLM-x32\...\Run: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [187904 2012-08-09] (Microsoft Corporation)
    HKLM-x32\...\Run: [LVCOMSX] C:\Windows\system32\LVCOMSX.EXE [x]
    HKLM-x32\...\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun [3695928 2009-08-19] (brother)
    HKLM-x32\...\Run: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe" [276992 2012-08-09] (Microsoft Corporation)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [217088 2012-12-12] (Apple Inc.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [412672 2012-10-31] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [294912 2012-12-04] (McAfee, Inc.)
    HKLM-x32\...\Run: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [124224 2010-10-22] (McAfee, Inc.)
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [799744 2012-10-30] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [585728 2012-11-21] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
    HKU\EMW\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [26102056 2010-04-06] (Skype Technologies S.A.)
    HKU\EMW\...\Run: [gStart] C:\Program Files (x86)\Garmin\Training Center\gStart.exe [1891416 2008-08-13] (GARMIN Corp.)
    HKU\EMW\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [x]
    HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [585728 2012-11-21] (Apple Inc.)
    HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-08] (Dell)
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\CineForm Status.lnk
    ShortcutTarget: CineForm Status.lnk -> C:\Program Files (x86)\CineForm\Tools\GoProCineFormStatusViewer.exe (GoPro)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\EMW\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\Guest\Start Menu\Programs\Startup\Dell Dock.lnk
    ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    ==================== Services (Whitelisted) ===================
    2 ANSYS FLEXlm license manager; C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [1458176 2012-08-08] (Macrovision Corporation)
    2 JobManagerService110; "C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe" [20480 2007-01-16] (Ansys, Inc)
    2 MBAMScheduler; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe" [557056 2013-01-04] (Malwarebytes Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [841216 2013-01-05] (Malwarebytes Corporation)
    2 McAfeeEngineService; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe" [20792 2010-10-22] (McAfee, Inc.)
    2 McAfeeFramework; "C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [262144 2012-10-29] (McAfee, Inc.)
    2 McShield; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe" [181480 2010-10-22] (McAfee, Inc.)
    2 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe" [225280 2012-10-29] (McAfee, Inc.)
    2 mfevtp; C:\Windows\system32\mfevtps.exe [77968 2010-10-22] (McAfee, Inc.)
    2 ScriptHostService110; "C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe" [20480 2007-01-16] (Ansys, Inc.)
    2 TVersityMediaServer; "C:\ProgramData\TVersity\Media Server\MediaServer.exe" [1249064 2011-07-29] ()
    ==================== Drivers (Whitelisted) =====================
    3 androidusb; C:\Windows\System32\Drivers\androidusb.sys [32768 2010-04-29] (Google Inc)
    1 ISODisk; C:\Windows\SysWow64\Drivers\ISODisk.sys [9600 2006-04-26] ()
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
    3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [98088 2010-10-22] (McAfee, Inc.)
    3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [120224 2010-10-22] (McAfee, Inc.)
    0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [470808 2010-10-22] (McAfee, Inc.)
    3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [78768 2010-10-22] (McAfee, Inc.)
    1 mfetdik; C:\Windows\System32\Drivers\mfetdik.sys [84424 2010-10-22] (McAfee, Inc.)
    1 NEOFLTR_720_21697; C:\Windows\System32\Drivers\NEOFLTR_720_21697.sys [100728 2012-08-23] (Juniper Networks)
    2 WinFLdrv; C:\Windows\SysWow64\WinFLdrv.sys [21888 2010-09-06] ()
    ==================== NetSvcs (Whitelisted) ====================

    ==================== One Month Created Files and Folders ========
    2013-01-07 17:18 - 2013-01-07 17:18 - 00000000 ____D C:\FRST
    2013-01-07 17:15 - 2013-01-07 17:15 - 00008212 ____A C:\Windows\mfebcdata
    2013-01-05 13:09 - 2013-01-05 13:09 - 00000000 ____D C:\Users\EMW\Desktop\rkill
    2013-01-05 13:08 - 2013-01-05 13:09 - 00003866 ____A C:\Users\EMW\Desktop\Rkill.txt
    2013-01-05 13:08 - 2013-01-05 13:08 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\iExplore.exe
    2013-01-05 13:07 - 2013-01-05 13:07 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\rkill.exe
    2013-01-05 13:05 - 2013-01-05 13:05 - 05019547 ____R (Swearware) C:\Users\EMW\Desktop\MyFile.exe
    2013-01-05 12:59 - 2013-01-05 13:06 - 00000000 ___SD C:\32788R22FWJFW
    2013-01-05 12:59 - 2013-01-05 12:59 - 00000000 ____D C:\Windows\erdnt
    2013-01-05 10:15 - 2013-01-05 10:16 - 04732416 ____A (AVAST Software) C:\Users\EMW\Desktop\aswMBR.exe
    2013-01-05 10:11 - 2013-01-05 10:11 - 00002174 ____A C:\Users\EMW\Desktop\RKreport[2]_D_01052013_02d1111.txt
    2013-01-05 10:10 - 2013-01-05 10:10 - 00002402 ____A C:\Users\EMW\Desktop\RKreport[1]_S_01052013_02d1110.txt
    2013-01-05 10:09 - 2013-01-05 10:11 - 00000000 ____D C:\Users\EMW\Desktop\RK_Quarantine
    2013-01-05 10:09 - 2013-01-05 10:09 - 00761856 ____A C:\Users\EMW\Desktop\RogueKiller.exe
    2013-01-04 21:04 - 2013-01-04 21:04 - 00688992 ____R (Swearware) C:\Users\EMW\Desktop\dds.com
    2013-01-04 20:29 - 2013-01-05 11:11 - 00000000 ____D C:\Users\EMW\Desktop\Cleanup
    2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\Application Data\Malwarebytes
    2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Malwarebytes
    2013-01-04 20:13 - 2013-01-05 13:17 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2013-01-04 20:13 - 2012-12-14 15:49 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2013-01-04 20:11 - 2013-01-04 20:13 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\EMW\Downloads\mbam-setup-1.70.0.1100.exe
    2013-01-02 18:11 - 2013-01-02 18:32 - 00000000 ____D C:\Windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
    2012-12-15 21:24 - 2012-08-23 20:39 - 00100728 ____A (Juniper Networks) C:\Windows\System32\Drivers\NEOFLTR_720_21697.SYS
    ==================== One Month Modified Files and Folders =======
    2013-01-07 17:15 - 2013-01-07 17:15 - 00008212 ____A C:\Windows\mfebcdata
    2013-01-07 17:15 - 2010-04-12 18:55 - 00000000 ____D C:\Users\EMW\Application Data\Skype
    2013-01-07 17:15 - 2010-04-12 18:55 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Skype
    2013-01-07 17:15 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-01-07 17:15 - 2009-07-13 22:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-01-07 17:14 - 2009-07-13 23:13 - 00730210 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-01-07 16:57 - 2010-04-12 19:03 - 00000000 ____D C:\Users\EMW\Application Data\skypePM
    2013-01-07 16:57 - 2010-04-12 19:03 - 00000000 ____D C:\Users\EMW\AppData\Roaming\skypePM
    2013-01-07 16:53 - 2012-04-05 19:15 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-01-07 16:53 - 2010-05-02 06:39 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-01-07 16:09 - 2011-11-20 15:02 - 00000000 ___RD C:\Users\EMW\Dropbox
    2013-01-07 16:09 - 2011-11-20 15:00 - 00000000 ____D C:\Users\EMW\Application Data\Dropbox
    2013-01-07 16:09 - 2011-11-20 15:00 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Dropbox
    2013-01-07 16:09 - 2010-03-27 10:44 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
    2013-01-07 16:09 - 2009-07-13 22:51 - 00062747 ____A C:\Windows\setupact.log
    2013-01-07 16:08 - 2010-04-15 20:48 - 00000105 ____A C:\Windows\Brownie.ini
    2013-01-07 16:07 - 2010-05-02 06:39 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-01-07 16:07 - 2010-04-05 15:31 - 00000000 ____D C:\Users\EMW\AppData\Local\SoftThinks
    2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default\Local Settings\SoftThinks
    2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default\Local Settings\Application Data\SoftThinks
    2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
    2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default User\Local Settings\SoftThinks
    2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default User\Local Settings\Application Data\SoftThinks
    2013-01-07 16:07 - 2010-03-27 11:00 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
    2013-01-07 16:07 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-01-07 16:07 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\registration
    2013-01-05 13:17 - 2013-01-04 20:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-01-05 13:09 - 2013-01-05 13:09 - 00000000 ____D C:\Users\EMW\Desktop\rkill
    2013-01-05 13:09 - 2013-01-05 13:08 - 00003866 ____A C:\Users\EMW\Desktop\Rkill.txt
    2013-01-05 13:08 - 2013-01-05 13:08 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\iExplore.exe
    2013-01-05 13:07 - 2013-01-05 13:07 - 01754528 ____A (Bleeping Computer, LLC) C:\Users\EMW\Desktop\rkill.exe
    2013-01-05 13:06 - 2013-01-05 12:59 - 00000000 ___SD C:\32788R22FWJFW
    2013-01-05 13:05 - 2013-01-05 13:05 - 05019547 ____R (Swearware) C:\Users\EMW\Desktop\MyFile.exe
    2013-01-05 12:59 - 2013-01-05 12:59 - 00000000 ____D C:\Windows\erdnt
    2013-01-05 11:11 - 2013-01-04 20:29 - 00000000 ____D C:\Users\EMW\Desktop\Cleanup
    2013-01-05 10:16 - 2013-01-05 10:15 - 04732416 ____A (AVAST Software) C:\Users\EMW\Desktop\aswMBR.exe
    2013-01-05 10:11 - 2013-01-05 10:11 - 00002174 ____A C:\Users\EMW\Desktop\RKreport[2]_D_01052013_02d1111.txt
    2013-01-05 10:11 - 2013-01-05 10:09 - 00000000 ____D C:\Users\EMW\Desktop\RK_Quarantine
    2013-01-05 10:10 - 2013-01-05 10:10 - 00002402 ____A C:\Users\EMW\Desktop\RKreport[1]_S_01052013_02d1110.txt
    2013-01-05 10:09 - 2013-01-05 10:09 - 00761856 ____A C:\Users\EMW\Desktop\RogueKiller.exe
    2013-01-04 22:17 - 2010-03-27 12:34 - 00586590 ____A C:\Windows\PFRO.log
    2013-01-04 22:15 - 2011-05-21 06:47 - 00000000 __SHD C:\Users\EMW\AppData\Local\{31936dfe-883f-bd04-fdcb-cd3e2e92c4f2}
    2013-01-04 21:50 - 2009-07-13 23:10 - 01901240 ____A C:\Windows\WindowsUpdate.log
    2013-01-04 21:04 - 2013-01-04 21:04 - 00688992 ____R (Swearware) C:\Users\EMW\Desktop\dds.com
    2013-01-04 20:29 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\com
    2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\Application Data\Malwarebytes
    2013-01-04 20:14 - 2013-01-04 20:14 - 00000000 ____D C:\Users\EMW\AppData\Roaming\Malwarebytes
    2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-01-04 20:13 - 2013-01-04 20:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2013-01-04 20:13 - 2013-01-04 20:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2013-01-04 20:13 - 2013-01-04 20:11 - 10156344 ____A (Malwarebytes Corporation ) C:\Users\EMW\Downloads\mbam-setup-1.70.0.1100.exe
    2013-01-04 20:06 - 2011-11-20 15:02 - 00001017 ____A C:\Users\EMW\Desktop\Dropbox.lnk
    2013-01-02 18:32 - 2013-01-02 18:11 - 00000000 ____D C:\Windows\147BCE03C0F14C9F81576A89B6D2D973.TMP
    2013-01-02 18:32 - 2012-10-03 16:10 - 00000000 ____D C:\Users\EMW\Desktop\VSE870LMLRP4
    2013-01-02 18:32 - 2010-11-21 09:37 - 00000000 ____D C:\users\Guest
    2013-01-02 18:32 - 2010-04-18 14:08 - 00000000 ____D C:\Program Files\Microsoft LifeCam
    2013-01-02 18:01 - 2012-02-19 14:42 - 00201128 ____A C:\Windows\SysWOW64\TVersityMediaServer.log
    2013-01-02 17:33 - 2010-04-05 15:31 - 00000000 ____D C:\users\EMW
    2012-12-19 18:53 - 2012-12-04 20:50 - 00000000 ____D C:\Users\All Users\Application Data\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-12-19 18:53 - 2012-12-04 20:50 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-12-15 21:24 - 2011-07-17 12:59 - 00000018 ____A C:\pending.un
    2012-12-14 15:49 - 2013-01-04 20:13 - 00024176 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-12-12 06:19 - 2012-04-05 19:15 - 00697272 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-12-12 06:19 - 2011-05-22 10:04 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-12-11 06:12 - 2012-08-08 17:03 - 00000003 ____A C:\Users\All Users\fcdddcja25.nls
    2012-12-11 06:12 - 2012-08-08 17:03 - 00000003 ____A C:\Users\All Users\Application Data\fcdddcja25.nls
    2012-12-10 18:47 - 2010-06-06 12:08 - 00007608 ____A C:\Users\EMW\AppData\Local\Resmon.ResmonCfg
    2012-12-10 17:44 - 2010-04-08 19:46 - 00000000 ____D C:\Users\EMW\My Documents\Excel
    2012-12-10 17:44 - 2010-04-08 19:46 - 00000000 ____D C:\Users\EMW\Documents\Excel

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe
    [2009-07-13 17:36] - [2012-08-16 23:48] - 0260096 ____A (Microsoft Corporation) 4D203427A115EEA6841A535564F556FB
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe
    [2011-05-16 17:08] - [2012-08-16 22:27] - 2780160 ____A (Microsoft Corporation) 67C8D40D91E86F0C43E2FE694EA6B956
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe
    [2009-07-13 17:19] - [2012-08-13 18:24] - 0184832 ____A (Microsoft Corporation) 77D090BE39D1C604E2990622E0A7E835
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe
    [2011-05-21 06:46] - [2012-08-16 23:40] - 0190464 ____A (Microsoft Corporation) 4F136CAD332D0757202CF23D36F685FE
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================
    Restore point made on: 2012-11-12 17:58:49
    Restore point made on: 2012-11-20 17:43:26
    Restore point made on: 2012-11-27 20:36:52
    Restore point made on: 2012-12-15 11:03:08
    Restore point made on: 2012-12-31 17:26:57
    Restore point made on: 2013-01-04 21:52:06
    Restore point made on: 2013-01-04 22:15:41
    Restore point made on: 2013-01-05 13:01:02
    ==================== Memory info ===========================
    Percentage of memory in use: 14%
    Total physical RAM: 4094.98 MB
    Available physical RAM: 3504.77 MB
    Total Pagefile: 4093.13 MB
    Available Pagefile: 3494.72 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB
    ==================== Partitions =============================
    1 Drive c: (OS) (Fixed) (Total:451.07 GB) (Free:220.42 GB) NTFS
    2 Drive d: (WIN_7_HOMEPREMIUM) (CDROM) (Total:5.75 GB) (Free:0 GB) UDF
    3 Drive e: (KINGSTON) (Removable) (Total:0.46 GB) (Free:0.46 GB) FAT32
    7 Drive I: (My Book) (Fixed) (Total:931.28 GB) (Free:562.9 GB) FAT32
    9 Drive k: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 Online 931 GB 0 B
    Disk 2 Online 478 MB 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B
    Disk 6 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 39 MB 31 KB
    Partition 2 Primary 14 GB 40 MB
    Partition 3 Primary 451 GB 14 GB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 9 FAT Partition 39 MB Healthy Hidden
    =========================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 K RECOVERY NTFS Partition 14 GB Healthy
    =========================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy
    =========================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 931 GB 31 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 I My Book FAT32 Partition 931 GB Healthy
    =========================================================
    Partitions of Disk 2:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 477 MB 16 KB
    ==================================================================================
    Disk: 2
    Partition 1
    Type : 0B
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 E KINGSTON FAT32 Removable 477 MB Healthy
    =========================================================
    Last Boot: 2013-01-04 19:02
    ==================== End Of Log =============================
  22. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    That looks good.

    How is computer doing?

    =====================

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    ============================

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    ==============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  23. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Computer is mixed. Programs seem fine, but IE9 is hit and miss. Until today I couldn't get it running well enough to post the last log. Now it seems better, but I haven't really done anything.
    MalwareBytes is updating, and occasionally blocks access to "potentially malicious ip addresses" or something like that.

    Curiously, the time is out by an hour. But the time zone is correct and it recognizes that we are not in DST. Stuff like that is easy to fix, but I find it a little disturbing.

    Onwards...

    (and IE9 just crashed but recovered when I tried to paste the AdwCleaner log below.)

    Question: I take it I can allow mbamscheduler.exe access to the site it's searching for?
  24. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    # AdwCleaner v2.105 - Logfile created 01/09/2013 at 21:00:11
    # Updated 08/01/2013 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : EMW - EMW-OFFICE
    # Boot Mode : Normal
    # Running from : C:\Users\EMW\Desktop\adwcleaner.exe
    # Option [Delete]

    ***** [Services] *****

    ***** [Files / Folders] *****

    ***** [Registry] *****

    ***** [Internet Browsers] *****
    -\\ Internet Explorer v9.0.8112.16421
    [OK] Registry is clean.
    *************************
    AdwCleaner[S1].txt - [513 octets] - [09/01/2013 21:00:11]
    ########## EOF - C:\AdwCleaner[S1].txt - [572 octets] ##########
  25. E-Will 1.0

    E-Will 1.0 Newcomer, in training Topic Starter Posts: 57

    Have twice tried JRT.exe. The first time I got a 'this software may not have installed correctly' error. I clicked 'yes it did' instead of 'reinstall using correct settings' and nothing happened. The second attempt (both Run as Admin) produced no error, but all I got was a flash of a DOS window and then nothing.

    Thoughts?

    Thanks

    McAfee all disabled, MBAM exited.
