
Thread: Malware on laptop #2

  1. #11
    LiquidTension (Security Expert - Visiting Fellow)
    Join Date: May 2014
    Posts: 121

    Apparently not.
    Why not? Do you receive an error?

    and then slows down dramatically!
    We can address this once I've seen all your logs.

    Please post Fixlist.txt, and the ESET log once the scan is complete.
    And please answer my question concerning the Windows Update.
    Member of UNITE, and graduate from WTT.

  2. #12
    Member
    Join Date: Nov 2014
    Posts: 71

    I could install and run Malwarebytes, but it would not let me click Update Now (or other requested choices) but instead posted a pop-up that said my trial license had expired. The ESET scan is running now, but is running very slowly. I will post it as soon as it finishes.

    Best regards,
    Gary

  3. #13
    Member
    Join Date: Nov 2014
    Posts: 71

    Yes, KB3004394 is installed. All Windows is up to date as of yesterday.

    Fixlog.txt
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-12-2014 01
    Ran by Jan at 2014-12-11 12:15:27 Run:1
    Running from C:\Users\Jan\Desktop
    Loaded Profiles: Jan & Gary (Available profiles: Jan & Gary)
    Boot Mode: Normal

    ==============================================

    Content of fixlist:
    *****************
    start
    HKU\S-1-5-21-307368558-4187912120-227459302-1000\...\MountPoints2: {2dda9459-3161-11df-bdc6-806e6f6e6963} - D:\Setup.exe
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Toolbar: HKLM - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1000 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1000 -> No Name - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1004 -> No Name - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1004 -> No Name - {9302E698-7E00-43AB-B867-C6E759BC2ADA} - No File
    Toolbar: HKU\S-1-5-21-307368558-4187912120-227459302-1004 -> No Name - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
    S3 RapportIaso; \??\c:\programdata\trusteer\rapport\store\exts\rapportms\39624\rapportiaso.sys [X]
    S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    2014-12-11 06:25 - 2014-12-11 06:25 - 00000000 __SHD () C:\Users\Jan\AppData\Local\EmieBrowserModeList
    2014-12-09 12:17 - 2014-12-09 12:18 - 05162080 _____ (Piriform Ltd) C:\Users\Jan\Downloads\ccsetup500.exe
    C:\Users\Jan\gotomypc_533.exe
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Gary\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> "C:\Users\Jan\AppData\Local\Google\Update\GoogleUpdate.exe" No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> "C:\Users\Jan\AppData\Local\Google\Update\1.3.21.123\GoogleUpdateOnDemand.exe" No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> "C:\Users\Jan\AppData\Local\Google\Update\1.3.21.123\GoogleUpdateOnDemand.exe" No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> "C:\Users\Jan\AppData\Local\Google\Update\1.3.21.123\GoogleUpdateOnDemand.exe" No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> "C:\Users\Jan\AppData\Local\Google\Chrome\Application\22.0.1229.79\delegate_execute.exe" No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{8a7d2060-824d-4b17-b00a-759b1b5f30d9}\InprocServer32 -> C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll No File
    C:\Program Files\TotalRecipeSearch_14
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{B6CE1A28-A831-43E4-A81F-E2B429D66231}\InprocServer32 -> C:\Users\Gary\AppData\Local\ASKTOO~1\DOWNLO~1\Nero.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> "C:\Users\Jan\AppData\Local\Google\Update\1.3.21.123\GoogleUpdateOnDemand.exe" No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gary\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gary\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gary\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gary\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll No File
    CustomCLSID: HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\Gary\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
    AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
    *****************

    "HKU\S-1-5-21-307368558-4187912120-227459302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2dda9459-3161-11df-bdc6-806e6f6e6963}" => Key deleted successfully.
    "HKCR\CLSID\{2dda9459-3161-11df-bdc6-806e6f6e6963}" => Key not found.
    C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
    C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
    "HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
    HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{ba00b7b1-0351-477a-b948-23e3ee5a73d4} => value deleted successfully.
    "HKCR\CLSID\{ba00b7b1-0351-477a-b948-23e3ee5a73d4}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
    "HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => value deleted successfully.
    "HKCR\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA00B7B1-0351-477A-B948-23E3EE5A73D4} => value deleted successfully.
    "HKCR\CLSID\{BA00B7B1-0351-477A-B948-23E3EE5A73D4}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA00B7B1-0351-477A-B948-23E3EE5A73D4} => value deleted successfully.
    "HKCR\CLSID\{BA00B7B1-0351-477A-B948-23E3EE5A73D4}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
    "HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9302E698-7E00-43AB-B867-C6E759BC2ADA} => value deleted successfully.
    "HKCR\CLSID\{9302E698-7E00-43AB-B867-C6E759BC2ADA}" => Key not found.
    HKU\S-1-5-21-307368558-4187912120-227459302-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{71576546-354D-41C9-AAE8-31F2EC22BF0D} => value deleted successfully.
    "HKCR\CLSID\{71576546-354D-41C9-AAE8-31F2EC22BF0D}" => Key not found.
    RapportIaso => Service deleted successfully.
    SBRE => Service deleted successfully.
    Synth3dVsc => Service deleted successfully.
    tsusbhub => Service deleted successfully.
    VGPU => Service deleted successfully.
    C:\Users\Jan\AppData\Local\EmieBrowserModeList => Moved successfully.
    C:\Users\Jan\Downloads\ccsetup500.exe => Moved successfully.
    C:\Users\Jan\gotomypc_533.exe => Moved successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{8a7d2060-824d-4b17-b00a-759b1b5f30d9}" => Key deleted successfully.
    "C:\Program Files\TotalRecipeSearch_14" => File/Directory not found.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{B6CE1A28-A831-43E4-A81F-E2B429D66231}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => Key deleted successfully.
    "HKU\S-1-5-21-307368558-4187912120-227459302-1004_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}" => Key deleted successfully.
    C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========


    ========= netsh winsock reset all =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.


    ========= End of CMD: =========


    ========= netsh int ipv4 reset =========

    Reseting Global, OK!
    Reseting Interface, OK!
    Reseting Route, OK!
    Restart the computer to complete this action.


    ========= End of CMD: =========


    ========= netsh int ipv6 reset =========

    Reseting Interface, OK!
    Restart the computer to complete this action.


    ========= End of CMD: =========

    EmptyTemp: => Removed 336.1 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog ====

    MyEsetLog.txt
    C:\ccsetup311.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
    C:\FRST\Quarantine\C\Users\Jan\Downloads\ccsetup500.exe.xBAD Win32/Bundled.Toolbar.Google.D potentially unsafe application
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\content.js JS/Chromex.Agent.L trojan
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\S.js JS/Kryptik.ATB trojan
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc\222\content.js JS/Chromex.Agent.L trojan
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc\222\GQz1fi6I.js JS/Kryptik.ATB trojan
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo\103\lsdb.js JS/Kryptik.ATB trojan
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo\103\z5M3W.js JS/Kryptik.ATB trojan
    C:\Users\Gary\AppData\Roaming\Blitware\FileHelper\updates\2.5.1.0\filehelper_setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\content.js JS/Chromex.Agent.L trojan
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\S.js JS/Kryptik.ATB trojan
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc\222\content.js JS/Chromex.Agent.L trojan
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc\222\GQz1fi6I.js JS/Kryptik.ATB trojan
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo\103\lsdb.js JS/Kryptik.ATB trojan
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo\103\z5M3W.js JS/Kryptik.ATB trojan
    C:\Users\Jan\Documents\SweetImSetup.exe a variant of Win32/SweetIM.B potentially unwanted application
    C:\Users\Jan\Documents\SplashMoney\To Palm\SecurityScannerFull.msi a variant of Win32/Adware.DisableSpyware application
    C:\Users\Jan\Downloads\AdwCleaner.exe a variant of Win32/InstallCore.TR potentially unwanted application
    C:\Users\Jan\Downloads\filehelper_setup_eps.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
    C:\Users\Jan\Downloads\iTunes_Setup (1).exe Win32/InstallCore.MM potentially unwanted application
    C:\Users\Jan\Downloads\iTunes_Setup.exe Win32/InstallCore.MM potentially unwanted application
    C:\Users\Jan\Downloads\WeatherBugSetup (1).msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
    C:\Users\Jan\Downloads\WeatherBugSetup (2).msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
    C:\Users\Jan\Downloads\WeatherBugSetup.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
    C:\Users\Jan\Pictures\CouponPrinter.exe a variant of Win32/Adware.Softomate.AD application
    C:\Users\Jan\Pictures\CrawlerScreensaver.exe Win32/Toolbar.Crawler.A potentially unwanted application

    RogueKiller did not generate a report for some reason. Should I rerun it?

    Best regards,
    Gary

  4. #14
    Member
    Join Date: Nov 2014
    Posts: 71

    Oops, here is the RogueKiller report:

    RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : Jan [Administrator]
    Mode : Scan -- Date : 12/11/2014 12:55:45

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 12 ¤¤¤
    [PUM.HomePage] HKEY_USERS\S-1-5-21-307368558-4187912120-227459302-1000\Software\Microsoft\Internet Explorer\Main | Start Page : www.google.com -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 71.243.0.12 [UNITED STATES (US)] -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 71.243.0.12 [UNITED STATES (US)] -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 71.243.0.12 [UNITED STATES (US)] -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2EF5681-3DCE-4ADD-82F8-E1DF063A883B} | DhcpNameServer : 192.168.1.1 71.243.0.12 [UNITED STATES (US)] -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B2EF5681-3DCE-4ADD-82F8-E1DF063A883B} | DhcpNameServer : 192.168.1.1 71.243.0.12 [UNITED STATES (US)] -> Found
    [PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{B2EF5681-3DCE-4ADD-82F8-E1DF063A883B} | DhcpNameServer : 192.168.1.1 71.243.0.12 [UNITED STATES (US)] -> Found
    [PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-307368558-4187912120-227459302-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-307368558-4187912120-227459302-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: FUJITSU MHZ2120BH G2 ATA Device +++++
    --- User ---
    [MBR] a995b15356cdb4e86f93edbb9c75f57e
    [BSP] b2a406d82b9d7e1efead4fc3dfdf45ff : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114470 MB
    User = LL1 ... OK
    User = LL2 ... OK

    Best regards,
    Gary

  5. #15
    LiquidTension (Security Expert - Visiting Fellow)
    Join Date: May 2014
    Posts: 121

    Hi Gary,

    I could install and run Malwarebytes, but it would not let me click Update Now (or other requested choices) but instead posted a pop-up that said my trial license had expired.
    You should have the option to revert MBAM back to the free version, which will allow you to use the programme as an on-demand scanner.

    Yes, KB3004394 is installed. All Windows is up to date as of yesterday.
    There's an issue with KB3004394. See below.



    We need to uninstall the update.

    • Follow these instructions on creating a Restore Point.
    • Press the Windows Key + r on your keyboard at the same time. Type wuapp.exe and click OK.
    • Click Installed Updates.
    • Scroll down to KB3004394, right-click the item and click Uninstall. Accept any prompts.


    Please do the following afterwards.
    Let me know how the PC is performing once complete. Are you still experiencing slowness?

    STEP 1
    Farbar Recovery Scan Tool (FRST) Script
    • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
    • Copy the entire contents of the codebox below and paste into the Notepad document.
      start
      C:\ccsetup311.exe
      C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo
      C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc
      C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo
      C:\Users\Gary\AppData\Roaming\Blitware
      C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo
      C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc
      C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo
      C:\Users\Jan\Documents\SweetImSetup.exe
      C:\Users\Jan\Documents\SplashMoney\To Palm\SecurityScannerFull.msi
      C:\Users\Jan\Downloads\AdwCleaner.exe
      C:\Users\Jan\Downloads\filehelper_setup_eps.exe
      C:\Users\Jan\Downloads\iTunes_Setup (1).exe
      C:\Users\Jan\Downloads\iTunes_Setup.exe
      C:\Users\Jan\Downloads\WeatherBugSetup (1).msi
      C:\Users\Jan\Downloads\WeatherBugSetup (2).msi
      C:\Users\Jan\Downloads\WeatherBugSetup.msi
      C:\Users\Jan\Pictures\CouponPrinter.exe
      C:\Users\Jan\Pictures\CrawlerScreensaver.exe
      CMD: ipconfig /flushdns
      EmptyTemp:
      end
    • Click File, Save As and type fixlist.txt as the File Name.
    • Important: The file must be saved in the same location as FRST.exe.

    NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
    • Right-Click FRST.exe and select Run as administrator to run the programme.
    • Click Fix.
    • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.


    STEP 2
    Browser Reset

    Instructions on how to backup your Favourites/Bookmarks and other data can be found below.



    Proceed with the reset once done.

    Member of UNITE, and graduate from WTT.
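As an added example (not code from the thread, FRST or ESET), the Python below automates the two reductions the helper applied by hand between the ESET log in #13 and the fixlist in STEP 1: collapsing each detection to a fixlist target (the whole Chrome extension folder, skipping files already in FRST's quarantine) and reading a Fixlog back to flag entries that did not resolve, such as "Key not found". The helper also chose to remove the whole Blitware folder rather than the single installer under it; that judgement call is deliberately not automated, and the sample log lines are copied from the logs posted above.

```python
"""Derive an FRST fixlist from pasted ESET detections and check a Fixlog for
entries that did not resolve.  Added example, not code from the thread, FRST
or ESET; the sample lines below are copied from the logs posted above."""
import re
from typing import List, Tuple

# ESET Online Scanner line: <path> <signature> <classification>.  Paths may
# contain spaces, so the signature (first token containing a '/', optionally
# prefixed "a variant of") is used as the delimiter instead of whitespace.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<sig>(?:a variant of )?[A-Za-z0-9]+/[\w.]+)\s+"
    r"(?P<kind>.+)$"
)
# Chrome extension IDs are 32 letters from a-p; everything under the ID
# folder belongs to that extension, so the whole folder is the fix target.
CHROME_EXT_DIR = re.compile(r"^(?P<dir>.*\\Extensions\\[a-p]{32})\\")
FRST_QUARANTINE = "c:\\frst\\quarantine\\"

# Constructed sample: a subset of MyEsetLog.txt from post #13.
ESET_SAMPLE = r"""
C:\ccsetup311.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\FRST\Quarantine\C\Users\Jan\Downloads\ccsetup500.exe.xBAD Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\content.js JS/Chromex.Agent.L trojan
C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\S.js JS/Kryptik.ATB trojan
C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc\222\content.js JS/Chromex.Agent.L trojan
C:\Users\Gary\AppData\Roaming\Blitware\FileHelper\updates\2.5.1.0\filehelper_setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo\124\content.js JS/Chromex.Agent.L trojan
C:\Users\Jan\Downloads\iTunes_Setup (1).exe Win32/InstallCore.MM potentially unwanted application
C:\Users\Jan\Pictures\CrawlerScreensaver.exe Win32/Toolbar.Crawler.A potentially unwanted application
"""

# Constructed sample: lines from the Run:1 Fixlog.txt in post #13.
FIXLOG_SAMPLE = r"""
"HKU\S-1-5-21-307368558-4187912120-227459302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2dda9459-3161-11df-bdc6-806e6f6e6963}" => Key deleted successfully.
"HKCR\CLSID\{2dda9459-3161-11df-bdc6-806e6f6e6963}" => Key not found.
C:\Users\Jan\gotomypc_533.exe => Moved successfully.
"C:\Program Files\TotalRecipeSearch_14" => File/Directory not found.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
EmptyTemp: => Removed 336.1 MB temporary data.
"""


def parse_eset(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, signature, classification) for each detection line."""
    found = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            found.append((m["path"], m["sig"], m["kind"]))
    return found


def fixlist_targets(detections) -> List[str]:
    """Reduce detections to fixlist targets, deduplicated in first-seen order."""
    targets: List[str] = []
    for path, _sig, _kind in detections:
        if path.lower().startswith(FRST_QUARANTINE):
            continue  # already quarantined by an earlier FRST fix
        m = CHROME_EXT_DIR.match(path)
        target = m["dir"] if m else path
        if target not in targets:
            targets.append(target)
    return targets


def build_fixlist(targets: List[str]) -> str:
    """FRST fixlist text in the form used in the thread: start ... end."""
    return "\n".join(["start", *targets, "CMD: ipconfig /flushdns", "EmptyTemp:", "end"])


# Fixlog result line: <target> => <result>.  Targets may be double-quoted.
FIXLOG_RESULT = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<result>.+?)\.?$')


def unresolved_fixlog_entries(fixlog: str) -> List[Tuple[str, str]]:
    """Entries whose result is not a success ('Key not found',
    'File/Directory not found'): what to look at again in the next scan."""
    issues = []
    for line in fixlog.splitlines():
        m = FIXLOG_RESULT.match(line.strip())
        if m and not re.search(r"successfully|removed", m["result"], re.I):
            issues.append((m["target"], m["result"]))
    return issues


if __name__ == "__main__":
    print(build_fixlist(fixlist_targets(parse_eset(ESET_SAMPLE))))
    for target, result in unresolved_fixlog_entries(FIXLOG_SAMPLE):
        print("UNRESOLVED:", target, "->", result)
```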

  6. #16
    Member
    Join Date: Nov 2014
    Posts: 71

    The informational links associated with KB3004394 appear to be broken. Therefore I couldn't read them.
    Nevertheless, I did remove KB3004394.

    See fixlog.txt below:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-12-2014 01
    Ran by Jan at 2014-12-11 22:18:13 Run:2
    Running from C:\Users\Jan\Desktop
    Loaded Profile: Jan (Available profiles: Jan & Gary)
    Boot Mode: Normal

    ==============================================

    Content of fixlist:
    *****************
    start
    C:\ccsetup311.exe
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo
    C:\Users\Gary\AppData\Roaming\Blitware
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo
    C:\Users\Jan\Documents\SweetImSetup.exe
    C:\Users\Jan\Documents\SplashMoney\To Palm\SecurityScannerFull.msi
    C:\Users\Jan\Downloads\AdwCleaner.exe
    C:\Users\Jan\Downloads\filehelper_setup_eps.exe
    C:\Users\Jan\Downloads\iTunes_Setup (1).exe
    C:\Users\Jan\Downloads\iTunes_Setup.exe
    C:\Users\Jan\Downloads\WeatherBugSetup (1).msi
    C:\Users\Jan\Downloads\WeatherBugSetup (2).msi
    C:\Users\Jan\Downloads\WeatherBugSetup.msi
    C:\Users\Jan\Pictures\CouponPrinter.exe
    C:\Users\Jan\Pictures\CrawlerScreensaver.exe
    CMD: ipconfig /flushdns
    EmptyTemp:
    end
    *****************

    C:\ccsetup311.exe => Moved successfully.
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo => Moved successfully.
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc => Moved successfully.
    C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo => Moved successfully.
    C:\Users\Gary\AppData\Roaming\Blitware => Moved successfully.
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\akgpcdalpfphjmfifkmfbpdmgdmeeaeo => Moved successfully.
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\inmmlmagkbjnbhonjmeihmahmeabaafc => Moved successfully.
    C:\Users\Jan\AppData\Local\Google\Chrome\User Data\Backup Default\Extensions\kfkpnakihjiclpakoaggnpaphjjjjelo => Moved successfully.
    C:\Users\Jan\Documents\SweetImSetup.exe => Moved successfully.
    C:\Users\Jan\Documents\SplashMoney\To Palm\SecurityScannerFull.msi => Moved successfully.
    C:\Users\Jan\Downloads\AdwCleaner.exe => Moved successfully.
    C:\Users\Jan\Downloads\filehelper_setup_eps.exe => Moved successfully.
    C:\Users\Jan\Downloads\iTunes_Setup (1).exe => Moved successfully.
    C:\Users\Jan\Downloads\iTunes_Setup.exe => Moved successfully.
    C:\Users\Jan\Downloads\WeatherBugSetup (1).msi => Moved successfully.
    C:\Users\Jan\Downloads\WeatherBugSetup (2).msi => Moved successfully.
    C:\Users\Jan\Downloads\WeatherBugSetup.msi => Moved successfully.
    C:\Users\Jan\Pictures\CouponPrinter.exe => Moved successfully.
    C:\Users\Jan\Pictures\CrawlerScreensaver.exe => Moved successfully.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    EmptyTemp: => Removed 159.2 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog ====

    I will try to revert Malwarebytes back to a free version and will report back.

    I am not sure if the laptop is performing better or not, yet. Sometimes it appears to be slow and at other times it seems fine. I'm also not sure that the problem is malware related or something else in the OS setup.

    I will report back shortly.

    Best regards,
    Gary

  7. #17
    Member
    Join Date: Nov 2014
    Posts: 71

    Hi Adam,
    I was unable to figure out how to revert Malwarebytes back to a free version. Any suggestions would be appreciated.

    This computer still goes through frequent spells where it is very slow (virtually locked up). I have no idea what is causing it.

    Best regards,
    Gary

  8. #18
    LiquidTension (Security Expert - Visiting Fellow)
    Join Date: May 2014
    Posts: 121

    Hi Gary,

    The informational links associated with KB3004394 appear to be broken.
    Sorry about that. Here they are:



    I was unable to figure out how to revert Malwarebytes back to a free version. Any suggestions would be appreciated.
    See if this helps:
    https://helpdesk.malwarebytes.org/hc...-free-version-

    If not, we'll completely remove the programme, and install the Free version.

    This computer still goes through frequent spells where it is very slow (virtually locked up). I have no idea what is causing it.
    Okay.
    Let's do a few more checks for malware, and we can move on to non-malware troubleshooting if necessary.


    Follow these instructions on creating a Restore Point.

    STEP 1
    ComboFix
    • Note: Please read through these instructions before running ComboFix.
    • Please download ComboFix and save the file to your Desktop. << Important!
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click ComboFix.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Allow ComboFix to complete its removal routine (please refer to Important Notes:).
    • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
    • Re-enable your anti-virus software.

    Important Notes:
    • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
    • Do NOT use your computer whilst ComboFix is running.
    • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.

    • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
    • ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If you are unable to access the Internet after running ComboFix, please reboot your computer.


    STEP 2
    TDSSKiller Scan
    • Please download TDSSKiller and save the file to your Desktop.
    • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
• Click Change parameters. Place a checkmark next to Loaded Modules, Verify file digital signatures and Detect TDLFS file system.
    • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
    • Click Start Scan. Do not use the computer during the scan.
    • If objects are found, change the action to skip.
    • Click Continue and close the window.
    • A log will be created and saved to the root directory (usually C:\). Upload the file to my channel.


    STEP 3
    Emsisoft Emergency Kit (Portable)
• Please download Emsisoft Emergency Kit and save the file to your Desktop.
    • Double-click EmsisoftEmergencyKit.exe.
    • Click Extract.
    • Upon completion, double-click the Emsisoft Emergency Kit shortcut on your Desktop to start the programme.
    • Click Yes to update the programme definitions.
    • Click Yes to detect Potentially Unwanted Programs (PUP's).
    • Click Scan now.
    • Select Full Scan and click Scan.
    • Close any High Risk notification screen that may appear.
    • When the scan is finished click Quarantine selected objects if malicious objects were found.
    • Click View Report, and open the most recent log.
    • Copy the contents of the log and paste in your next reply.


    ======================================================

    STEP 4
    Logs
    In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
    • Could you revert MBAM to the free version?
    • ComboFix.txt
    • TDSSKiller log (uploaded!)
    • Emsisoft log
    Member of UNITE, and graduate from WTT.

  9. #19
    Member
    Join Date
    Nov 2014
    Posts
    71

    Default

    Hi Adam,
I was able to get Malwarebytes running but it found no threats.

    Combofix.log
    ComboFix 14-12-10.03 - Jan 12/12/2014 11:04:36.1.2 - x86
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.1918.721 [GMT -5:00]
    Running from: c:\users\Jan\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system64
    c:\windows\system64\msvcp100.dll
    c:\windows\system64\msvcr100.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-11-12 to 2014-12-12 )))))))))))))))))))))))))))))))
    .
    .
    2014-12-12 15:09 . 2014-12-12 15:12 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-12-12 15:09 . 2014-11-21 11:14 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-12-12 15:09 . 2014-11-21 11:14 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-12-12 15:09 . 2014-11-21 11:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-12-12 15:09 . 2014-12-12 15:09 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-12-12 03:12 . 2014-12-12 03:12 -------- d-----w- c:\users\Jan\AppData\Local\CrashDumps
    2014-12-11 20:58 . 2014-11-02 04:17 8941456 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CDF0A757-F3E6-4E50-88BD-D13EDCEA3055}\mpengine.dll
    2014-12-11 17:38 . 2014-12-11 17:38 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2014-12-11 17:38 . 2014-12-11 17:38 -------- d-----w- c:\programdata\RogueKiller
    2014-12-11 17:33 . 2014-12-11 17:33 -------- d-----w- c:\users\Default\AppData\Local\Google
    2014-12-11 17:20 . 2014-12-11 17:20 -------- d-sh--w- c:\users\Jan\AppData\Local\EmieBrowserModeList
    2014-12-11 13:51 . 2014-12-11 13:51 -------- d-----w- c:\programdata\Unchecky
    2014-12-11 13:51 . 2014-12-11 13:51 -------- d-----w- c:\program files\Unchecky
    2014-12-10 18:21 . 2014-12-10 18:21 -------- d-----w- c:\windows\ERUNT
    2014-12-10 17:06 . 2014-12-10 17:06 -------- d-----w- c:\windows\system32\appraiser
    2014-12-10 17:04 . 2014-07-07 01:37 2048 ----a-w- c:\windows\system32\mferror.dll
    2014-12-10 17:04 . 2014-07-07 01:40 103424 ----a-w- c:\windows\system32\mfps.dll
    2014-12-10 17:04 . 2014-07-07 01:39 23040 ----a-w- c:\windows\system32\mfpmp.exe
    2014-12-10 17:04 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\system32\mf.dll
    2014-12-10 17:04 . 2014-07-07 01:39 50176 ----a-w- c:\windows\system32\rrinstaller.exe
    2014-12-10 16:32 . 2014-11-11 01:32 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
    2014-12-10 16:32 . 2014-11-11 02:44 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2014-12-10 16:30 . 2014-10-30 01:45 155136 ----a-w- c:\windows\system32\charmap.exe
    2014-12-10 16:30 . 2014-10-03 01:45 248832 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
    2014-12-10 16:30 . 2014-10-03 01:45 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
    2014-12-10 16:30 . 2014-10-03 01:45 1177088 ----a-w- c:\windows\system32\WsmSvc.dll
    2014-12-10 16:30 . 2014-10-03 01:44 198656 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
    2014-12-10 16:30 . 2014-10-03 01:45 145920 ----a-w- c:\windows\system32\WsmAuto.dll
    2014-12-09 21:06 . 2014-12-09 21:06 -------- d-----w- c:\program files\Common Files\Java
    2014-12-09 21:06 . 2014-12-09 21:06 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2014-12-09 20:55 . 2014-12-09 20:55 -------- d-----w- c:\programdata\Oracle
    2014-12-09 17:11 . 2014-12-09 17:11 -------- d-----w- c:\programdata\Licenses
    2014-12-09 17:11 . 2014-12-09 17:11 -------- d-----w- c:\program files\SpywareBlaster
    2014-12-08 12:27 . 2014-12-12 03:18 -------- d-----w- C:\FRST
    2014-12-03 06:31 . 2014-12-03 06:31 227048 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2014-11-19 18:35 . 2014-11-19 18:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
    2014-11-19 18:35 . 2014-11-19 18:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
    2014-11-19 18:35 . 2014-11-19 18:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
    2014-11-19 18:35 . 2014-11-19 18:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
    2014-11-19 18:35 . 2014-11-19 18:35 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
    2014-11-19 18:34 . 2014-11-19 18:35 -------- d-----w- c:\program files\QuickTime
    2014-11-19 18:30 . 2014-11-19 18:31 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
    2014-11-19 15:02 . 2014-11-11 02:44 186880 ----a-w- c:\windows\system32\pku2u.dll
    2014-11-19 15:02 . 2014-11-11 02:44 550912 ----a-w- c:\windows\system32\kerberos.dll
    2014-11-18 19:56 . 2014-11-18 19:56 1202848 ----a-w- c:\windows\system32\FM20.DLL
    2014-11-18 01:51 . 2014-12-12 11:12 -------- d-----r- c:\users\Jan\Google Drive
    2014-11-13 15:38 . 2014-10-18 01:33 571904 ----a-w- c:\windows\system32\oleaut32.dll
    2014-11-13 15:38 . 2014-08-12 01:36 701440 ----a-w- c:\windows\system32\IMJP10K.DLL
    2014-11-13 15:38 . 2014-10-14 01:50 2363904 ----a-w- c:\windows\system32\msi.dll
    2014-11-13 15:36 . 2014-10-25 01:32 67584 ----a-w- c:\windows\system32\packager.dll
    2014-11-13 15:36 . 2014-10-14 01:46 681984 ----a-w- c:\windows\system32\adtschema.dll
    2014-11-13 15:36 . 2014-10-14 01:50 523776 ----a-w- c:\windows\system32\termsrv.dll
    2014-11-13 15:36 . 2014-10-14 01:56 136632 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2014-11-13 15:36 . 2014-10-14 01:50 1059840 ----a-w- c:\windows\system32\lsasrv.dll
    2014-11-13 15:36 . 2014-10-14 01:47 146432 ----a-w- c:\windows\system32\msaudite.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-11-02 04:17 . 2011-10-09 22:20 8941456 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2014-10-30 11:24 . 2010-03-16 22:28 229000 ------w- c:\windows\system32\MpSigStub.exe
    2014-10-02 19:23 . 2014-10-02 19:23 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2014-10-02 19:23 . 2014-10-02 19:23 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2014-09-27 12:42 . 2014-09-27 12:42 675988 ----a-w- c:\windows\system32\Minecraft-Installer.exe
    2014-09-25 01:40 . 2014-09-30 21:34 519680 ----a-w- c:\windows\system32\qdvd.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
    2014-10-21 22:52 577864 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
    2014-10-21 22:52 577864 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
    2014-10-21 22:52 577864 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
    2014-10-21 22:52 577864 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
    2014-10-21 22:52 577864 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2014-11-21 43816]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2014-10-17 43816]
    "AppleIEDAV"="c:\program files\Common Files\Apple\Internet Services\AppleIEDAV.exe" [2014-08-05 1080104]
    "GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2014-10-21 22869088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-10-15 157480]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-03 1021128]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk
    backup=c:\windows\pss\Event Planner Reminder.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2014-12-03 06:31 1021128 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-10-06 06:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2014-10-11 18:05 60712 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScannerSelectorEX]
    2011-07-25 15:10 468112 ----a-w- c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2014-10-15 10:42 157480 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
    2011-06-15 19:16 997920 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2007-06-08 22:40 128560 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2014-10-02 19:23 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wondershare Helper Compact]
    2013-05-04 14:27 1694208 ----a-w- c:\program files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
    .
    R1 MpKslf1af6dfc;MpKslf1af6dfc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8137E546-70DE-40C4-A048-F9A9783463F9}\MpKslf1af6dfc.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-22 102912]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-11-20 12800]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-06 1343400]
    R4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Unchecky;Unchecky;c:\program files\Unchecky\bin\unchecky_svc.exe [2014-12-11 111208]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-12-11 11:30 1087816 ----a-w- c:\program files\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-12-12 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-13 21:02]
    .
    2014-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-08-24 17:07]
    .
    2014-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-08-24 17:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = www.google.com
    uInternet Settings,ProxyOverride = <-loopback>
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
    TCP: DhcpNameServer = 192.168.1.1 71.243.0.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-12-12 11:17:58
    ComboFix-quarantined-files.txt 2014-12-12 16:17
    .
    Pre-Run: 40,743,718,912 bytes free
    Post-Run: 40,703,213,568 bytes free
    .
    - - End Of File - - D8A7A71601DC929CE002485C4B25C02C
    A36C5E4F47E84449FF07ED3517B43A31


I will upload TDSSKillerLog and run Emsisoft next.

    Best regards,
    Gary
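An added example, not part of the thread and not code from ComboFix or any of the tools named in it: a small Python triage script that parses a log in the shape of the ComboFix log posted above and pulls out the two things a reviewer would flag in it. First, the "Other Deletions" section shows files removed from `c:\windows\system64`; no version of Windows has a System64 directory (the 64-bit system directory is still System32, and 32-bit libraries on x64 live in SysWOW64), so a folder with that name under %windir% is a look-alike, and the script flags any such `sys*` directory that is not legitimate for the architecture the log header reports. Second, the `policies\system` key dump shows `EnableLUA=0`, `ConsentPromptBehaviorAdmin=0` and `PromptOnSecureDesktop=0`, which together mean UAC is off and nothing would have prompted before an elevation; the meanings attached to those values are Microsoft's documented semantics for the keys. The embedded `SAMPLE_LOG` is a constructed excerpt of the posted log, not the full log, and the section names and value formats it relies on are those visible in the post.

```python
"""Triage a ComboFix-style log: flag System32 look-alike paths and weak UAC policy.

SAMPLE_LOG is a constructed excerpt reproducing the shape of the log in the
thread; it is not a complete ComboFix log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
ComboFix 14-12-10.03 - Jan 12/12/2014 11:04:36.1.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.1918.721 [GMT -5:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system64
c:\windows\system64\msvcp100.dll
c:\windows\system64\msvcr100.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?P<sub>[^\\]+)(?:\\|$)", re.IGNORECASE)

# Registry value -> (weakest setting, what that setting means). Documented UAC semantics.
UAC_WEAK = {
    "EnableLUA": (0, "UAC is switched off; processes in an administrator session run fully elevated with no prompt"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate silently, without consent or credentials"),
    "PromptOnSecureDesktop": (0, "any elevation prompt is drawn on the normal desktop, where other programs can spoof it"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def split_sections(text):
    """Group the log's non-filler lines by ComboFix section banner; header lines go under ''."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def detect_arch(header_lines):
    """ComboFix ends its first line with ' - x86' or ' - x64'."""
    for line in header_lines:
        if line.startswith("ComboFix "):
            return "x64" if line.rstrip().endswith("x64") else "x86"
    return "x86"  # assumption: treat an unrecognised header as 32-bit, the stricter case


def lookalike_system_dirs(deleted_paths, arch):
    """Flag paths under %windir% whose top folder is named like a system dir but does not exist on this arch."""
    legit = {"system32"} | ({"syswow64"} if arch == "x64" else set())
    findings = []
    for path in deleted_paths:
        m = WINDIR_RE.match(path)
        if not m:
            continue
        sub = m.group("sub").lower()
        if sub.startswith("sys") and sub not in legit:
            findings.append(Finding("lookalike-system-dir", f"{path}: '{sub}' is not a real system directory on {arch} Windows"))
    return findings


def weak_uac_policy(reg_lines):
    """Scan the Reg Loading Points dump for UAC policy values set to their weakest setting."""
    findings = []
    in_policy_key = False
    for line in reg_lines:
        k = REG_KEY_RE.match(line)
        if k:
            in_policy_key = k.group("key").lower().endswith(r"\currentversion\policies\system")
            continue
        if not in_policy_key:
            continue
        v = REG_VALUE_RE.match(line)
        if v and v.group("name") in UAC_WEAK:
            weakest, meaning = UAC_WEAK[v.group("name")]
            if int(v.group("value")) == weakest:
                findings.append(Finding("weak-uac-policy", f"{v.group('name')}={weakest}: {meaning}"))
    return findings


def triage(text):
    """Return every finding for one ComboFix-style log."""
    sections = split_sections(text)
    arch = detect_arch(sections[""])
    findings = lookalike_system_dirs(sections.get("Other Deletions", []), arch)
    findings += weak_uac_policy(sections.get("Reg Loading Points", []))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the excerpt it reports three look-alike paths (the `system64` folder and the two DLLs under it) and three weak UAC values; `ConsentPromptBehaviorUser=3` is the default and is not flagged. Point `triage()` at the text of a real ComboFix.txt to get the same two checks over the whole file.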

  10. #20
    Member
    Join Date
    Nov 2014
    Posts
    71

    Default

    TDSSKillerLog Uploaded.
    Gary
