Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 31

Thread: AdCash, YourAdExchange, etc. on my Computer

  1. #11
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Apply the fix I mentioned in PM.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #12
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
    Emergency Backup Procedure - Tech Support Forum

    Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    How to use ComboFix

    Download ComboFix from here:
    Link 1
    Link 2
    Link 3

    Place ComboFix.exe on your Desktop <--Important
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
      * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



      You can get help on disabling your protection programs here
    • Double click on ComboFix.exe & follow the prompts.
    • You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
    • Your desktop may go blank. This is normal. It will return when ComboFix is done. Combofix may need to reboot your computer more than once to do its job this is normal.
    • When finished, it shall produce a log for you. Post that log in your next reply

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


      Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

      ---------------------------------------------------------------------------------------------
    • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

      Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
      Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
      ---------------------------------------------------------------------------------------------
    • If there are Internet issues after running ComboFix:

      Internet Explorer:
      Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
      Firefox:
      Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
      Chrome:
      Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
      Safari
      Launch Safari
      Go to general settings menu
      Then in Preferences/ Advanced
      Then on line click Proxies change settings ...
      Click Internet Options, then click the Connections tab, click Network Settings.
      Disable option (uncheck) for the use of proxy server ...
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #13
    Junior Member
    Join Date
    Dec 2014
    Posts
    18

    Default Combofix Log

    ComboFix 14-12-14.01 - Welch 12/16/2014 17:14:20.1.4 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.7365.5699 [GMT -6:00]
    Running from: c:\users\Welch\Desktop\ComboFix.exe
    AV: Spybot - Search and Destroy *Disabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
    SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-11-16 to 2014-12-16 )))))))))))))))))))))))))))))))
    .
    .
    2014-12-16 23:17 . 2014-12-16 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-12-16 22:53 . 2014-12-16 22:53 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABFAB8E6-8BFE-4103-843B-C0F2DB021A7B}\offreg.dll
    2014-12-16 15:02 . 2014-12-16 15:02 -------- d-----w- c:\windows\ERUNT
    2014-12-16 14:55 . 2014-12-16 21:56 -------- d-----w- C:\AdwCleaner
    2014-12-16 11:10 . 2014-12-02 10:26 11870360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ABFAB8E6-8BFE-4103-843B-C0F2DB021A7B}\mpengine.dll
    2014-12-15 15:03 . 2014-12-15 15:03 -------- d-----w- C:\RegBackup
    2014-12-15 14:55 . 2014-12-16 22:02 -------- d-----w- C:\FRST
    2014-12-15 14:49 . 2014-12-15 14:49 -------- d-----w- c:\program files (x86)\Tweaking.com
    2014-12-11 22:26 . 2013-09-20 16:49 21040 ----a-w- c:\windows\system32\sdnclean64.exe
    2014-12-11 22:26 . 2014-12-11 23:15 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2014-12-11 22:25 . 2014-12-12 15:04 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
    2014-12-09 21:52 . 2014-12-09 21:52 -------- d-----w- c:\windows\system32\appraiser
    2014-12-09 21:46 . 2014-12-09 21:46 -------- d-----w- c:\program files\CCleaner
    2014-12-09 21:35 . 2014-10-18 02:05 4121600 ----a-w- c:\windows\system32\mf.dll
    2014-12-09 21:35 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\SysWow64\mf.dll
    2014-12-09 20:21 . 2014-12-04 02:50 413184 ----a-w- c:\windows\system32\generaltel.dll
    2014-12-09 20:21 . 2014-12-04 02:50 741376 ----a-w- c:\windows\system32\invagent.dll
    2014-12-09 20:21 . 2014-12-04 02:50 396800 ----a-w- c:\windows\system32\devinv.dll
    2014-12-09 20:21 . 2014-12-04 02:50 227328 ----a-w- c:\windows\system32\aepdu.dll
    2014-12-09 20:21 . 2014-12-04 02:50 192000 ----a-w- c:\windows\system32\aepic.dll
    2014-12-09 20:21 . 2014-12-04 02:44 1083392 ----a-w- c:\windows\system32\aeinv.dll
    2014-12-09 20:21 . 2014-12-01 23:28 1232040 ----a-w- c:\windows\system32\aitstatic.exe
    2014-12-09 19:58 . 2014-11-11 03:09 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2014-12-09 19:57 . 2014-11-11 02:44 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
    2014-12-09 19:57 . 2014-11-11 01:46 119296 ----a-w- c:\windows\system32\drivers\tdx.sys
    2014-12-09 19:52 . 2014-10-30 02:03 165888 ----a-w- c:\windows\system32\charmap.exe
    2014-12-09 19:52 . 2014-10-30 01:45 155136 ----a-w- c:\windows\SysWow64\charmap.exe
    2014-12-09 19:52 . 2014-10-03 02:12 310272 ----a-w- c:\windows\system32\WsmWmiPl.dll
    2014-12-09 19:52 . 2014-10-03 02:12 2020352 ----a-w- c:\windows\system32\WsmSvc.dll
    2014-12-09 19:52 . 2014-10-03 02:12 346624 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
    2014-12-09 19:52 . 2014-10-03 02:12 181248 ----a-w- c:\windows\system32\WsmAuto.dll
    2014-12-09 19:52 . 2014-10-03 02:11 266240 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
    2014-12-09 19:52 . 2014-10-03 01:45 248832 ----a-w- c:\windows\SysWow64\WSManMigrationPlugin.dll
    2014-12-09 19:52 . 2014-10-03 01:45 1177088 ----a-w- c:\windows\SysWow64\WsmSvc.dll
    2014-12-09 19:52 . 2014-10-03 01:45 214016 ----a-w- c:\windows\SysWow64\WsmWmiPl.dll
    2014-12-09 19:52 . 2014-10-03 01:45 145920 ----a-w- c:\windows\SysWow64\WsmAuto.dll
    2014-12-09 19:52 . 2014-10-03 01:44 198656 ----a-w- c:\windows\SysWow64\WSManHTTPConfig.exe
    2014-12-09 19:51 . 2014-11-08 03:16 2048 ----a-w- c:\windows\system32\tzres.dll
    2014-12-09 19:51 . 2014-11-08 02:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2014-11-26 15:22 . 2014-12-10 15:05 -------- d-----r- c:\users\Welch\Dropbox
    2014-11-26 14:55 . 2014-12-09 17:45 -------- d-----w- c:\users\Welch\AppData\Roaming\Dropbox
    2014-11-25 16:57 . 2014-12-11 23:06 -------- d-----w- c:\program files (x86)\On-Screen Takeoff 3
    2014-11-25 16:57 . 2014-11-25 16:57 -------- d-----w- c:\program files (x86)\Common Files\Crystal Decisions
    2014-11-25 16:57 . 2014-11-25 16:57 -------- d-----w- C:\OCS Documents
    2014-11-25 16:57 . 2014-11-25 16:57 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
    2014-11-20 19:57 . 2012-06-01 05:39 14848 ----a-w- c:\windows\system32\wamregps.dll
    2014-11-20 19:57 . 2012-06-01 05:36 192000 ----a-w- c:\windows\system32\iisRtl.dll
    2014-11-20 19:57 . 2012-06-01 05:36 11264 ----a-w- c:\windows\system32\iisrstap.dll
    2014-11-20 19:57 . 2012-06-01 05:35 60928 ----a-w- c:\windows\system32\ahadmin.dll
    2014-11-20 19:57 . 2012-06-01 05:34 55296 ----a-w- c:\windows\system32\admwprox.dll
    2014-11-20 19:57 . 2012-06-01 05:33 16896 ----a-w- c:\windows\system32\iisreset.exe
    2014-11-20 19:57 . 2012-06-01 04:40 10752 ----a-w- c:\windows\SysWow64\wamregps.dll
    2014-11-20 19:57 . 2012-06-01 04:37 8192 ----a-w- c:\windows\SysWow64\iisrstap.dll
    2014-11-20 19:57 . 2012-06-01 04:37 154624 ----a-w- c:\windows\SysWow64\iisRtl.dll
    2014-11-20 19:57 . 2012-06-01 04:35 26624 ----a-w- c:\windows\SysWow64\ahadmin.dll
    2014-11-20 19:57 . 2012-06-01 04:35 50688 ----a-w- c:\windows\SysWow64\admwprox.dll
    2014-11-20 19:57 . 2012-06-01 04:34 15360 ----a-w- c:\windows\SysWow64\iisreset.exe
    2014-11-20 15:15 . 2014-12-03 15:33 -------- d-----w- c:\users\DefaultAppPool
    2014-11-20 15:00 . 2014-11-20 15:00 -------- d-----w- c:\windows\SysWow64\BestPractices
    2014-11-20 14:59 . 2014-11-20 14:59 -------- d-----w- c:\windows\system32\BestPractices
    2014-11-20 14:59 . 2014-11-20 14:59 -------- d-----w- C:\inetpub
    2014-11-19 09:15 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
    2014-11-19 09:15 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
    2014-11-19 09:15 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
    2014-11-19 09:15 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-12-10 02:32 . 2014-05-08 14:24 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-12-10 02:32 . 2014-05-08 14:24 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-12-09 21:35 . 2014-05-07 20:54 112710672 ----a-w- c:\windows\system32\MRT.exe
    2014-12-05 11:04 . 2014-10-07 15:01 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2014-11-24 20:04 . 2010-11-21 03:27 275080 ------w- c:\windows\system32\MpSigStub.exe
    2014-10-25 01:57 . 2014-11-11 21:28 77824 ----a-w- c:\windows\system32\packager.dll
    2014-10-25 01:32 . 2014-11-11 21:28 67584 ----a-w- c:\windows\SysWow64\packager.dll
    2014-10-18 02:05 . 2014-11-11 21:28 861696 ----a-w- c:\windows\system32\oleaut32.dll
    2014-10-18 01:33 . 2014-11-11 21:28 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2014-10-17 15:56 . 2014-10-17 15:55 32371688 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
    2014-10-15 16:12 . 2014-10-15 16:12 379392 ----a-w- c:\windows\system32\subinacl.msi
    2014-10-14 02:16 . 2014-11-11 21:41 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2014-10-14 02:13 . 2014-11-11 21:41 683520 ----a-w- c:\windows\system32\termsrv.dll
    2014-10-14 02:13 . 2014-11-11 21:28 3241984 ----a-w- c:\windows\system32\msi.dll
    2014-10-14 02:12 . 2014-11-11 21:41 1460736 ----a-w- c:\windows\system32\lsasrv.dll
    2014-10-14 02:09 . 2014-11-11 21:41 146432 ----a-w- c:\windows\system32\msaudite.dll
    2014-10-14 02:07 . 2014-11-11 21:41 681984 ----a-w- c:\windows\system32\adtschema.dll
    2014-10-14 01:50 . 2014-11-11 21:41 22016 ----a-w- c:\windows\SysWow64\secur32.dll
    2014-10-14 01:50 . 2014-11-11 21:28 2363904 ----a-w- c:\windows\SysWow64\msi.dll
    2014-10-14 01:49 . 2014-11-11 21:41 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
    2014-10-14 01:47 . 2014-11-11 21:41 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
    2014-10-14 01:46 . 2014-11-11 21:41 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
    2014-10-10 00:57 . 2014-11-11 21:28 3198976 ----a-w- c:\windows\system32\win32k.sys
    2014-10-07 09:06 . 2014-05-08 16:41 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
    2014-10-03 02:12 . 2014-11-11 21:36 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
    2014-10-03 02:11 . 2014-11-11 21:36 284672 ----a-w- c:\windows\system32\EncDump.dll
    2014-10-03 02:11 . 2014-11-11 21:36 680960 ----a-w- c:\windows\system32\audiosrv.dll
    2014-10-03 02:11 . 2014-11-11 21:36 440832 ----a-w- c:\windows\system32\AudioEng.dll
    2014-10-03 02:11 . 2014-11-11 21:36 296448 ----a-w- c:\windows\system32\AudioSes.dll
    2014-10-03 01:44 . 2014-11-11 21:36 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
    2014-10-03 01:44 . 2014-11-11 21:36 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
    2014-10-03 01:44 . 2014-11-11 21:36 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
    2014-09-25 02:08 . 2014-10-01 07:10 371712 ----a-w- c:\windows\system32\qdvd.dll
    2014-09-25 01:40 . 2014-10-01 07:10 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
    2014-09-19 09:42 . 2014-11-11 21:30 210944 ----a-w- c:\windows\system32\wdigest.dll
    2014-09-19 09:42 . 2014-11-11 21:30 86528 ----a-w- c:\windows\system32\TSpkg.dll
    2014-09-19 09:42 . 2014-11-11 21:30 342016 ----a-w- c:\windows\system32\schannel.dll
    2014-09-19 09:42 . 2014-11-11 21:30 309760 ----a-w- c:\windows\system32\ncrypt.dll
    2014-09-19 09:42 . 2014-11-11 21:30 314880 ----a-w- c:\windows\system32\msv1_0.dll
    2014-09-19 09:42 . 2014-11-11 21:30 22016 ----a-w- c:\windows\system32\credssp.dll
    2014-09-19 09:23 . 2014-11-11 21:30 172032 ----a-w- c:\windows\SysWow64\wdigest.dll
    2014-09-19 09:23 . 2014-11-11 21:30 65536 ----a-w- c:\windows\SysWow64\TSpkg.dll
    2014-09-19 09:23 . 2014-11-11 21:30 248832 ----a-w- c:\windows\SysWow64\schannel.dll
    2014-09-19 09:23 . 2014-11-11 21:30 221184 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2014-09-19 09:23 . 2014-11-11 21:30 259584 ----a-w- c:\windows\SysWow64\msv1_0.dll
    2014-09-19 09:23 . 2014-11-11 21:30 17408 ----a-w- c:\windows\SysWow64\credssp.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
    @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
    [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
    2014-05-08 16:46 222920 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
    @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
    [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
    2014-05-08 16:46 222920 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
    @="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
    [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
    2014-05-08 16:46 222920 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2013-11-01 389120]
    "ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
    "Grid"="c:\program files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [2013-11-01 401408]
    "CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-11-21 7063832]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2013-11-01 766208]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-11-20 1021128]
    "IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2011-08-02 46952]
    "PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2011-08-02 30568]
    "PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
    "PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
    "ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-11-19 143360]
    "BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-07-31 3084288]
    "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2011-4-29 276328]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
    R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    R3 MSICDSetup;MSICDSetup;d:\cdriver64.sys;d:\CDriver64.sys [x]
    R3 NTIOLib_1_0_C;NTIOLib_1_0_C;d:\ntiolib_x64.sys;d:\NTIOLib_X64.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
    S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
    S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
    S1 SDHookDriver;Hook Test Driver;c:\program files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys;c:\program files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
    S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
    S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
    S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
    S3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\amdhub30.sys;c:\windows\SYSNATIVE\DRIVERS\amdhub30.sys [x]
    S3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\amdxhc.sys;c:\windows\SYSNATIVE\DRIVERS\amdxhc.sys [x]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
    S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
    S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
    S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-12-16 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-08 02:32]
    .
    2014-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-15 20:56]
    .
    2014-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-15 20:56]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
    @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
    [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
    2014-05-08 16:46 261832 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
    @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
    [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
    2014-05-08 16:46 261832 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
    @="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
    [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
    2014-05-08 16:46 261832 ----a-w- c:\users\Welch\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
    @="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
    [HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
    2014-10-14 18:27 2334928 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
    @="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
    [HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
    2014-10-14 18:27 2334928 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
    @="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
    [HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
    2014-10-14 18:27 2334928 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt1"]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt2"]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt3"]
    @="{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt4"]
    @="{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt5"]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt6"]
    @="{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt7"]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\"DropboxExt8"]
    @="{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}]
    2014-08-17 04:10 164760 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NUSB3MON"="c:\program files (x86)\ATI Technologies\AMDUSB3DeviceDetector\nusb3mon.exe" [2012-04-11 97280]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.foxnews.com/
    mStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = localhost:21320
    Trusted Zone: microsoft.com\www
    Trusted Zone: nfl.com\www
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13}: NameServer = 5.135.12.56,199.203.35.78
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Notify-SDWinLogon - SDWinLogon.dll
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_246_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_246_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_246_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_246_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.15"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_246.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker6"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-12-16 17:19:19
    ComboFix-quarantined-files.txt 2014-12-16 23:19
    .
    Pre-Run: 943,832,678,400 bytes free
    Post-Run: 943,642,677,248 bytes free
    .
    - - End Of File - - 82AFC20130EF67BF90173B8DCD7DBC92
    A36C5E4F47E84449FF07ED3517B43A31
    Thank you very much!


    chessdude

  4. #14
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Please download RogueKiller and save it to your desktop.

    You can check here if you're not sure if your computer is 32-bit or 64-bit
    • Download RogueKiller to your desktop.

    • Quit all running programs.
    • For Windows XP, double-click to start.
    • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
    • Read and accept the EULA (End User Licene Agreement)
    • Click Scan to scan the system.
    • When the scan completes Close the program > Don't Fix anything!
    • Don't run any other options, they're not all bad!!
    • Post back the report which should be located on your desktop.


    ~~~~~~~~~~~~~~~~~~


    Malwarebytes Anti-Rootkit
    • Download Malwarebytes Anti-Rootkit
    • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
    • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
    • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
    • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
    • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message if you are sure you wish to allow the program to run. Please allow to start Malwarebytes Anti-Rootkit correctly.
    • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
    • If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.



    • Please click by the introduction screen on the Next button to continue.




    • Next you will see the Update Database screen.
    • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.




    • When the update has finished, click on the Next button.



    • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
    • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.




    • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
    • Make sure everything is selected and that the option to create a restore point is checked.
    • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
    • Click on Yes button to restart your computer.

    • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
    • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
      • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.

    • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    please post the RogueKiller log
    MBAR log

    Give me some details as to what the computer is doing now?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #15
    Junior Member
    Join Date
    Dec 2014
    Posts
    18

    Default New Logs

    RogueKiller V10.1.0.0 [Dec 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Welch [Administrator]
    Mode : Scan -- Date : 12/17/2014 08:19:13

    ¤¤¤ Processes : 46 ¤¤¤
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]
    [Suspicious.Path] agent.exe -- C:\ProgramData\FLEXnet\Connect\11\agent.exe[7] -> Killed [TermProc]

    ¤¤¤ Registry : 23 ¤¤¤
    [PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
    [PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.foxnews.com/ -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.foxnews.com/ -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir...=ie&ar=msnhome -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
    [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3724710116-182459274-2640236870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] dng8mxi4.default : user_pref("browser.startup.homepage", "http://www.foxnews.com/"); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA DT01ACA100 SATA Disk Device +++++
    --- User ---
    [MBR] 7225687d4c512851e6f0aabb72cde996
    [BSP] 23ee35f1e0de87789ba3e0d73699e74e : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
    User = LL1 ... OK
    User = LL2 ... OK
    Thank you very much!


    chessdude

  6. #16
    Junior Member
    Join Date
    Dec 2014
    Posts
    18

    Default MalwareBytes Rootkit

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.08.2.1001

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.17501

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 3.892000 GHz
    Memory total: 7723237376, free: 5033291776

    Downloaded database version: v2014.12.17.02
    Downloaded database version: v2014.12.14.01
    Downloaded database version: v2014.12.06.01
    =======================================
    Initializing...
    ------------ Kernel report ------------
    12/17/2014 08:22:22
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_AuthenticAMD.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\DRIVERS\amd_sata.sys
    \SystemRoot\system32\DRIVERS\storport.sys
    \SystemRoot\system32\DRIVERS\amd_xata.sys
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\serial.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \??\C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\System32\ckldrv.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\atikmpag.sys
    \SystemRoot\system32\DRIVERS\atikmdag.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\rtl8192Ce.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\DRIVERS\amdxhc.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\usbfilter.sys
    \SystemRoot\system32\DRIVERS\usbohci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\serenum.sys
    \SystemRoot\system32\DRIVERS\parport.sys
    \SystemRoot\system32\DRIVERS\amdppm.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\serscan.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\amdhub30.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\AtihdW76.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\drivers\HdAudio.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_diskdump.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\dump_amd_sata.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\system32\DRIVERS\dc3d.sys
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\DRIVERS\vwifimp.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa80077e5060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000067\
    Lower Device Object: 0xfffffa80076cf9c0
    Lower Device Driver Name: \Driver\amd_sata\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa80077e5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8007ba8900, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa80077e5060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80076d29d0, DeviceName: Unknown, DriverName: \Driver\amd_xata\
    DevicePointer: 0xfffffa80076cf9c0, DeviceName: \Device\00000067\, DriverName: \Driver\amd_sata\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    Done!
    Drive 0
    This is a System drive
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 3C43E0D3

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 1953314816

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 1000204886016 bytes
    Sector size: 512 bytes

    Done!
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished
    Thank you very much!


    chessdude

  7. #17
    Junior Member
    Join Date
    Dec 2014
    Posts
    18

    Exclamation Details

    When I reset internet explorer, and have to reset the settings to default, I can go to my home page, and a deal of the day banner shows on the page as well. This is nasty, deeply rooted. It is still doing these things I mentioned before with no change. Have you found anything in the reports that look suspicious to you? Any recurring after cleaning?
    Thank you very much!


    chessdude

  8. #18
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    This is nasty, deeply rooted
    yeah it is and I have not found the entry point yet.

    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{65B50A6D-40BE-4DE7-B269-E291ED5CEE13} | NameServer : 5.135.12.56,199.203.35.78 [(Unknown Country?) (XX)][UNITED STATES (US)] -> Found


    the DNS-settings look suspicious..shows France and Israel IP's, you could check your DNS settings, or allow "roguekiller" to remove the "PUM.DNS" items that it flagged, which i assume would restore windows default settings for DNS..

    if you are using custom settings for DNS and you know that they are what they are suppose to be, then you don't need to worry about that..

    to check the DNS settings (in "windows" ), go to "control panel" / "network connections" and check the "properties" for the "connections" that you use for connecting to the internet..

    ~~~~~~~~

    Let's see if doing this will have any impact.

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

    start
    CloseProcesses:
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~`

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory usually Local Disk C:.
    • Copy and paste the contents of that file in your next reply.


    ~~~~~~~~~~~~~~~~~~~~~~


    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.


    Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
    • Note:
      For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
    • Click the blue Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
    • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
    • Click on Advanced Settings
    • Make sure that the option Remove found threats is unticked.
    • Ensure these options are ticked
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Click Start
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan.


    *************************************

    please post
    Fixlog.txt
    TDSSKiller log
    ESET log
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  9. #19
    Junior Member
    Join Date
    Dec 2014
    Posts
    18

    Default Fixlog

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
    Ran by Welch at 2014-12-17 11:09:10 Run:8
    Running from C:\Users\Welch\Desktop
    Loaded Profile: Welch (Available profiles: Welch & DefaultAppPool)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
    *****************

    Processes closed successfully.

    ========= ipconfig /flushdns =========


    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========


    ========= netsh winsock reset all =========


    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.


    ========= End of CMD: =========


    ========= netsh int ipv4 reset =========

    Reseting Global, OK!
    Reseting Interface, OK!
    Restart the computer to complete this action.


    ========= End of CMD: =========


    ========= netsh int ipv6 reset =========

    Reseting Interface, OK!
    Restart the computer to complete this action.


    ========= End of CMD: =========

    EmptyTemp: => Removed 81.8 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog ====
    Thank you very much!


    chessdude

  10. #20
    Junior Member
    Join Date
    Dec 2014
    Posts
    18

    Angry No reports from other two programs generated.

    Nothing found.
    Thank you very much!


    chessdude

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •