Solved: Please Help, Services.exe infected with trojan

andrewbfraser (Andrew), thread starter
Member with 17 posts. Join Date: Sep 2012. Location: Michigan. Experience: Intermediate
01-Oct-2012, 02:36 PM, #1
Please Help, Services.exe infected with trojan
Hello,
While performing my weekly virus scans, Symantec Endpoint Protection notified me that C:/Windows/System32/services.exe has been infected with a Trojan. Being that it's a system file, Symantec will not clean or remove it. I also ran a scan with Malwarebytes and it did not find any risks. I am generally pretty good with computers and have never gotten any viruses before. At first my computer showed no signs of being infected, but it has been almost 2 weeks and now it is running very slow. All of my files are still where they should be, and it starts up fine, but I would like to get rid of it as soon as possible.
Here is the log file requested; hopefully someone can help me.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:11:08 PM, on 9/24/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Bradford Networks\Persistent Agent\bncsaui.exe
C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe
C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\TwoFingerScroll.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\Downloads\HijackThis.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - HKLM\..\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Andrew Fraser\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
O4 - HKCU\..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
O4 - HKCU\..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
O4 - HKCU\..\Run: [MaxTo] "C:\Program Files (x86)\MaxTo\MaxTo.exe" --start-hidden
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files (x86)\Bradford Networks\Persistent Agent\bndaemon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service 64 - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: FF Install Filter Service (InstallFilterService) - Unknown owner - C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: Autodesk Moldflow Inventor Tool Suite Integration 2012 Job Manager (mitsijm2012) - Autodesk, Inc. - C:\Program Files\Autodesk\Inventor 2012\Moldflow\bin\mitsijm.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TurboBoost - Intel(R) Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 17444 bytes


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Andrew Fraser at 21:14:31 on 2012-09-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.1529 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files (x86)\Bradford Networks\Persistent Agent\bndaemon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Bradford Networks\Persistent Agent\bncsaui.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Autodesk\Inventor 2012\Moldflow\bin\mitsijm.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\conhost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files (x86)\Stardock\ObjectDockFree\Dock64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Andrew Fraser\TwoFingerScroll.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew Fraser\Downloads\HijackThis.exe
C:\Users\Andrew Fraser\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [Akamai NetSession Interface] "C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe"
uRun: [Google Update] "C:\Users\Andrew Fraser\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [MaxTo] "C:\Program Files (x86)\MaxTo\MaxTo.exe" --start-hidden
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
StartupFolder: C:\Users\ANDREW~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\STARDO~1.LNK - C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 141.218.1.100 141.218.20.114
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F} : DhcpNameServer = 141.218.1.100 141.218.20.114
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F}\14C6C60295F65727022416375602142756022456C6F6E6760245F6025537 : DhcpNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F}\1647E64627E616C6E6 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F}\2375942554639323 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F}\75966696E45647934383 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F}\84F6C6964616970294E6E60254870727563737023536861657D626572776 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{44CDFEE5-E95C-48A3-BB17-93C909A80C2F}\C696E6B6379737 : DhcpNameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{5DD213EE-F4CF-48BA-831F-17EBF3143D68}\4413233343536373D25343736303 : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 stdflt;Disk Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdflt.sys --> C:\Windows\system32\DRIVERS\stdflt.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-5-11 98208]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 BNPagent;Bradford Persistent Agent Service;C:\Program Files (x86)\Bradford Networks\Persistent Agent\bndaemon.exe [2011-3-7 3079960]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 InstallFilterService;FF Install Filter Service;C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [2010-9-10 60928]
R2 mitsijm2012;Autodesk Moldflow Inventor Tool Suite Integration 2012 Job Manager;C:\Program Files\Autodesk\Inventor 2012\Moldflow\bin\mitsijm.exe [2010-12-7 848184]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-9-10 705856]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-9-17 2477304]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-9-10 2320920]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Acceler.sys --> C:\Windows\system32\DRIVERS\Acceler.sys [?]
R3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-10 138912]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
R3 wdkmd;Intel WiDi KMD;C:\Windows\system32\DRIVERS\WDKMD.sys --> C:\Windows\system32\DRIVERS\WDKMD.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 athrusb;Atheros Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrxusb.sys --> C:\Windows\system32\DRIVERS\athrxusb.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-1-5 1431888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-1-19 315664]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 tapoas;TAP-Win32 Adapter OAS;C:\Windows\system32\DRIVERS\tapoas.sys --> C:\Windows\system32\DRIVERS\tapoas.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-3-31 47128]
S4 SQLAgent$MSSMLBIZ;SQL Server Agent (MSSMLBIZ);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2012-09-21 18:10:52 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-09-20 22:25:41 -------- d-----w- C:\Users\Andrew Fraser\Object Dock Logos
2012-09-19 16:48:38 -------- d-----w- C:\Users\Andrew Fraser\DCIM
2012-09-18 23:52:37 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 20:11:54 -------- d-----w- C:\Users\Andrew Fraser\AppData\Roaming\Synaptics
2012-09-18 20:05:38 -------- d-----w- C:\ProgramData\Synaptics
2012-09-18 20:05:38 -------- d-----w- C:\Program Files (x86)\Synaptics
2012-09-12 21:05:28 -------- d-----w- C:\Users\Andrew Fraser\AppData\Roaming\WindSolutions
2012-09-12 20:56:33 -------- d-----w- C:\ProgramData\WindSolutions
2012-09-12 16:36:22 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-12 16:36:22 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-09-12 16:36:19 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-09-12 16:36:19 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-09-12 16:36:17 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-09-12 16:36:17 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-09-12 16:36:17 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-09-11 19:33:23 -------- d-----w- C:\Users\Andrew Fraser\AppData\Roaming\Malwarebytes
2012-09-11 19:33:17 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-11 19:33:16 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-11 19:33:15 -------- d-----w- C:\Program Files (x86)\aaa
2012-09-10 18:48:33 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-10 18:48:33 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-10 18:32:14 -------- d-----w- C:\Users\Andrew Fraser\AppData\Roaming\Guitar Pro 6
2012-09-10 18:32:14 -------- d-----w- C:\ProgramData\Guitar Pro 6
2012-09-06 20:33:41 -------- d-----w- C:\Users\Andrew Fraser\AppData\Local\Digital_Creations_AS
2012-09-06 20:33:28 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
2012-08-31 22:33:12 -------- d-----w- C:\Users\Andrew Fraser\AppData\Local\assembly
2012-08-31 22:32:20 -------- d-----w- C:\Users\Andrew Fraser\AppData\Local\TechSmith
.
==================== Find3M ====================
.
2012-09-06 13:20:28 225328 ----a-w- C:\Windows\System32\drivers\wpshelper.sys
2012-08-10 20:44:38 43361640 ----a-w- C:\Users\Andrew Fraser\iCloudSetup.exe
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-06 20:07:42 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys
2012-07-06 02:06:30 772544 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-07-06 02:06:20 687544 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 21:16:09.51 ===============
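As an added example, not part of the thread and not code from DDS or any tool named here, a small Python triage script that parses the "Created Last 30" section of the DDS log above and lists the entries a malware-removal helper would look at first. The sample lines are copied from the log; the three heuristics (hidden+system directory inside the Windows tree, a literal environment-variable token such as %APPDATA% used as a real folder name, a very short name under a program tree) are my own assumptions and produce review items, not verdicts.

```python
"""Triage the "Created Last 30" section of a DDS log.

Each entry line has the shape
    <date> <time> <size or -------- for directories> <attribute string> <path>
e.g. 2012-09-21 18:10:52 -------- d-sh--w- C:\\Windows\\SysWow64\\%APPDATA%
In the attribute string: d=directory, s=system, h=hidden, a=archive, w=writable.
Findings are items for a human to review, not malware verdicts (AI_RecycleBin,
for instance, is flagged by the same rule as %APPDATA% and is usually an
installer artifact).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entry lines copied from the DDS log in this thread,
# plus the "." separator DDS prints between sections.
SAMPLE_DDS = r"""
.
2012-09-21 18:10:52 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-09-20 22:25:41 -------- d-----w- C:\Users\Andrew Fraser\Object Dock Logos
2012-09-12 16:36:22 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-11 19:33:16 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-11 19:33:15 -------- d-----w- C:\Program Files (x86)\aaa
2012-09-06 20:33:28 -------- d-sh--w- C:\Windows\SysWow64\AI_RecycleBin
.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories (DDS prints --------)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds_created(text: str) -> List[Entry]:
    """Parse entry lines; headers, '.' separators and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


WINDOWS_TREE = ("c:\\windows\\",)
PROGRAM_TREES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\programdata\\")


def triage(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every entry that trips at least one heuristic."""
    findings = []
    for e in entries:
        low = e.path.lower()
        name = e.path.rstrip("\\").rsplit("\\", 1)[-1]
        reasons = []
        if e.is_dir and e.hidden and e.system and low.startswith(WINDOWS_TREE):
            reasons.append("hidden+system directory created inside the Windows tree")
        if "%" in name:
            reasons.append("literal environment-variable token used as a real path name")
        if e.is_dir and low.startswith(PROGRAM_TREES) and len(name) <= 3 and name.isalpha():
            reasons.append("very short, non-descriptive directory name under a program tree")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_dds_created(SAMPLE_DDS)):
        print(path)
        for r in reasons:
            print("   -", r)
```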
kevinf80 (Kevin), Malware Removal Specialist with 9,708 posts, authorized to help remove malware
Join Date: Mar 2006
Location: Sunderland UK
Experience: Intermediate
02-Oct-2012, 03:01 AM #2
Run the following scans please:

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next,

Boot to System Recovery Options and run FRST as you did to get the log.

Type the following in the edit box after "Search:".

services.exe

It then should look like:



Click Search button and post the log (Search.txt) it makes to your reply.

Post both logs in next reply,

Kevin
andrewbfraser (Andrew), Member with 17 posts, THREAD STARTER
Join Date: Sep 2012
Location: Michigan
Experience: Intermediate
02-Oct-2012, 10:53 AM #3
Kevin,
I ran both of the scans that you requested; here are the two logs.
Andrew


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 30-09-2012 01
Ran by SYSTEM at 02-10-2012 11:37:51
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9642528 2009-12-03] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe [3203440 2010-04-06] (Dell Inc.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1926928 2010-01-19] (Intel(R) Corporation)
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe [2384896 2009-07-22] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1862952 2009-10-13] (Synaptics Incorporated)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe" [115560 2009-07-08] (Symantec Corporation)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-08-27] (Apple Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1259376 2011-07-28] ()
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)
HKU\Andrew Fraser\...\Run: [Akamai NetSession Interface] "C:\Users\Andrew Fraser\AppData\Local\Akamai\netsession_win.exe" [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\Andrew Fraser\...\Run: [Google Update] "C:\Users\Andrew Fraser\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-12-25] (Google Inc.)
HKU\Andrew Fraser\...\Run: [AdobeBridge] [x]
HKU\Andrew Fraser\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Andrew Fraser\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59240 2012-02-23] (Apple Inc.)
HKU\Andrew Fraser\...\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59240 2012-02-24] (Apple Inc.)
HKU\Andrew Fraser\...\Run: [MaxTo] "C:\Program Files (x86)\MaxTo\MaxTo.exe" --start-hidden [x]
HKU\Andrew Fraser\...\Policies\system: [LogonHoursAction] 2
HKU\Andrew Fraser\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-05] (Dell)
HKLM-x32\...\RunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [165184 2011-01-13] (Softthinks)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 141.218.1.100 141.218.20.114
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Andrew Fraser\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
ShortcutTarget: Stardock ObjectDock.lnk -> C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe (Stardock)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Services (Whitelisted) ===================

2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll [4537664 2012-09-10] (Akamai Technologies, Inc.)
2 BNPagent; "C:\Program Files (x86)\Bradford Networks\Persistent Agent\bndaemon.exe" [3079960 2011-03-07] (Bradford Networks)
2 ccEvtMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-07-08] (Symantec Corporation)
2 ccSetMgr; "C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [108392 2009-07-08] (Symantec Corporation)
2 InstallFilterService; C:\Program Files (x86)\STMicroelectronics\Accelerometer\InstallFilterService.exe [60928 2009-06-23] ()
3 LiveUpdate; "C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE" [3093880 2009-07-13] (Symantec Corporation)
2 mitsijm2012; "C:\Program Files\Autodesk\Inventor 2012\Moldflow\bin\mitsijm.exe" [848184 2010-12-07] (Autodesk, Inc.)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [315664 2010-01-19] ()
2 SmcService; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" [3197256 2009-09-17] (Symantec Corporation)
4 SNAC; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE" [411976 2009-09-17] (Symantec Corporation)
4 SQLAgent$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE" -i MSSMLBIZ [366936 2009-03-30] (Microsoft Corporation)
2 Symantec AntiVirus; "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe" [2477304 2009-09-17] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

3 athrusb; C:\Windows\System32\DRIVERS\athrxusb.sys [1075712 2008-07-29] (Atheros Communications, Inc.)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-09-17] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-10] (Symantec Corporation)
3 NAVENG; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20121001.004\ENG64.SYS [126112 2012-09-17] (Symantec Corporation)
3 NAVEX15; \??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20121001.004\EX64.SYS [2084000 2012-09-17] (Symantec Corporation)
1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [443952 2009-08-25] (Symantec Corporation)
3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [481840 2009-08-25] (Symantec Corporation)
1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2009-08-25] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2010-12-26] (Symantec Corporation)
3 tapoas; C:\Windows\System32\Drivers\tapoas.sys [30720 2011-08-19] (The OpenVPN Project)
3 Teefer2; C:\Windows\System32\Drivers\Teefer2.sys [62512 2009-05-27] (Symantec Corporation)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13784 2009-11-02] ()
1 WPS; \??\C:\Windows\system32\drivers\wpsdrvnt.sys [52784 2009-09-17] (Symantec Corporation)
3 WpsHelper; C:\Windows\System32\Drivers\WpsHelper.sys [225328 2012-09-06] (Symantec Corporation)
2 PnkBstrA; [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-02 10:25 - 2012-10-02 10:25 - 01456149 ____A (Farbar) C:\Users\Andrew Fraser\Downloads\FRST64.exe
2012-09-25 20:27 - 2012-08-21 12:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-09-25 20:25 - 2012-09-25 20:27 - 00000000 ____D C:\Program Files\iTunes
2012-09-25 20:25 - 2012-09-25 20:27 - 00000000 ____D C:\Program Files (x86)\iTunes
2012-09-25 20:25 - 2012-09-25 20:25 - 00000000 ____D C:\Program Files\iPod
2012-09-25 20:16 - 2012-09-25 20:17 - 80521624 ____A (Apple Inc.) C:\Users\Andrew Fraser\Downloads\iTunes64Setup.exe
2012-09-24 20:18 - 2012-09-24 20:18 - 00018445 ____A C:\Users\Andrew Fraser\Desktop\Attach.txt
2012-09-24 20:17 - 2012-09-24 20:17 - 00028561 ____A C:\Users\Andrew Fraser\Desktop\DDS.txt
2012-09-24 20:17 - 2012-09-24 20:17 - 00017446 ____A C:\Users\Andrew Fraser\Desktop\hijackthis.log
2012-09-24 20:14 - 2012-09-24 20:14 - 00607260 ___RA (Swearware) C:\Users\Andrew Fraser\Desktop\dds.com
2012-09-24 20:11 - 2012-09-24 20:11 - 00017446 ____A C:\Users\Andrew Fraser\Downloads\hijackthis.log
2012-09-24 19:59 - 2012-09-24 19:59 - 00388608 ____A (Trend Micro Inc.) C:\Users\Andrew Fraser\Desktop\HijackThis.exe
2012-09-24 19:52 - 2012-09-24 19:52 - 00509440 ____A (Tech Support Guy System) C:\Users\Andrew Fraser\Desktop\SysInfo.exe
2012-09-24 19:50 - 2012-09-24 19:50 - 01454541 ____A (Farbar) C:\Users\Andrew Fraser\Desktop\FRST64.exe
2012-09-23 09:48 - 2012-09-23 09:49 - 00262144 ____A C:\Windows\Minidump\092312-23072-01.dmp
2012-09-21 13:10 - 2012-09-23 10:41 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-09-21 13:05 - 2012-09-21 13:05 - 00262144 ____A C:\Windows\Minidump\092112-34117-01.dmp
2012-09-21 12:57 - 2012-09-21 12:57 - 00262144 ____A C:\Windows\Minidump\092112-18174-01.dmp
2012-09-21 12:54 - 2012-09-21 12:55 - 00262144 ____A C:\Windows\Minidump\092112-21496-01.dmp
2012-09-21 12:41 - 2012-09-21 12:42 - 00262144 ____A C:\Windows\Minidump\092112-22666-01.dmp
2012-09-21 12:35 - 2012-09-21 12:35 - 00262144 ____A C:\Windows\Minidump\092112-18408-01.dmp
2012-09-21 12:27 - 2012-09-21 12:28 - 00262144 ____A C:\Windows\Minidump\092112-81744-01.dmp
2012-09-20 21:43 - 2012-09-20 21:44 - 00262144 ____A C:\Windows\Minidump\092012-21434-01.dmp
2012-09-20 21:40 - 2012-09-20 21:41 - 00262144 ____A C:\Windows\Minidump\092012-19968-01.dmp
2012-09-20 21:38 - 2012-09-20 21:38 - 00262144 ____A C:\Windows\Minidump\092012-25818-01.dmp
2012-09-20 21:36 - 2012-09-20 21:36 - 00262144 ____A C:\Windows\Minidump\092012-25350-01.dmp
2012-09-20 21:34 - 2012-09-20 21:34 - 00262144 ____A C:\Windows\Minidump\092012-25724-01.dmp
2012-09-20 17:25 - 2012-09-20 18:01 - 00000000 ____D C:\Users\Andrew Fraser\Object Dock Logos
2012-09-19 19:24 - 2012-09-19 19:48 - 00000000 ____D C:\Users\Andrew Fraser\My Documents\Digital Logic (2)
2012-09-19 19:24 - 2012-09-19 19:48 - 00000000 ____D C:\Users\Andrew Fraser\Documents\Digital Logic (2)
2012-09-19 11:48 - 2012-09-19 11:48 - 00000000 ____D C:\Users\Andrew Fraser\DCIM
2012-09-18 18:52 - 2012-09-25 20:27 - 00000000 ____D C:\Users\All Users\Application Data\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 18:52 - 2012-09-25 20:27 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 15:11 - 2012-09-18 15:11 - 00000000 ____D C:\Users\Andrew Fraser\Application Data\Synaptics
2012-09-18 15:11 - 2012-09-18 15:11 - 00000000 ____D C:\Users\Andrew Fraser\AppData\Roaming\Synaptics
2012-09-18 15:05 - 2012-09-18 15:13 - 00000000 ____D C:\Users\All Users\Synaptics
2012-09-18 15:05 - 2012-09-18 15:13 - 00000000 ____D C:\Users\All Users\Application Data\Synaptics
2012-09-18 15:05 - 2012-09-18 15:05 - 00000000 ____D C:\Program Files (x86)\Synaptics
2012-09-12 16:10 - 2012-09-12 16:10 - 00012036 ____A C:\Users\Andrew Fraser\My Documents\iPhone 4S Outlook.csv
2012-09-12 16:10 - 2012-09-12 16:10 - 00012036 ____A C:\Users\Andrew Fraser\Documents\iPhone 4S Outlook.csv
2012-09-12 16:05 - 2012-09-23 10:40 - 00000000 ____D C:\Users\Andrew Fraser\Application Data\WindSolutions
2012-09-12 16:05 - 2012-09-23 10:40 - 00000000 ____D C:\Users\Andrew Fraser\AppData\Roaming\WindSolutions
2012-09-12 15:56 - 2012-09-12 15:56 - 00000000 ____D C:\Users\All Users\WindSolutions
2012-09-12 15:56 - 2012-09-12 15:56 - 00000000 ____D C:\Users\All Users\Application Data\WindSolutions
2012-09-12 15:55 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\Downloads\CopyTransContactsv0.913_DLC
2012-09-12 15:53 - 2012-09-12 15:53 - 07993747 ____A C:\Users\Andrew Fraser\Downloads\CopyTransContactsv0.913_DLC.zip
2012-09-12 11:36 - 2012-08-22 13:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-12 11:36 - 2012-08-22 13:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-12 11:36 - 2012-08-22 13:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-12 11:36 - 2012-08-22 13:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-12 11:36 - 2012-08-02 12:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-12 11:36 - 2012-08-02 11:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-09-12 11:36 - 2012-07-04 15:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys
2012-09-11 14:33 - 2012-09-23 10:46 - 00000000 ____D C:\Program Files (x86)\aaa
2012-09-11 14:33 - 2012-09-23 10:40 - 00000000 ____D C:\Users\Andrew Fraser\Application Data\Malwarebytes
2012-09-11 14:33 - 2012-09-23 10:40 - 00000000 ____D C:\Users\Andrew Fraser\AppData\Roaming\Malwarebytes
2012-09-11 14:33 - 2012-09-23 10:39 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-11 14:33 - 2012-09-23 10:39 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-09-11 14:33 - 2012-09-07 16:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-11 10:17 - 2012-09-11 10:17 - 00001258 ____A C:\Users\Andrew Fraser\Downloads\chap2.txt
2012-09-10 13:48 - 2012-09-23 10:46 - 00000000 ____D C:\Windows\System32\Macromed
2012-09-10 13:48 - 2012-09-10 13:48 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-10 13:48 - 2012-09-10 13:48 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-10 13:32 - 2012-09-11 13:02 - 00000000 ____D C:\Users\Andrew Fraser\Application Data\Guitar Pro 6
2012-09-10 13:32 - 2012-09-11 13:02 - 00000000 ____D C:\Users\Andrew Fraser\AppData\Roaming\Guitar Pro 6
2012-09-10 13:32 - 2012-09-10 13:32 - 00000000 ____D C:\Users\All Users\Guitar Pro 6
2012-09-10 13:32 - 2012-09-10 13:32 - 00000000 ____D C:\Users\All Users\Application Data\Guitar Pro 6
2012-09-08 12:56 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\Downloads\Men in Black 3 (2012) DVDRip XviD-MAXSPEED
2012-09-08 12:54 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\Downloads\Snow White and the Huntsman (2012) DVDRip XviD-MAXSPEED
2012-09-08 12:54 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\Downloads\Men.In.Black.3.2012.DVDRip.XviD-DEPRiVED
2012-09-08 12:42 - 2012-09-08 13:26 - 00000000 ____D C:\Users\Andrew Fraser\Downloads\Starting.Out.with.Java.From.Control.Structures.through.Data.Structures.2nd.Edition
2012-09-07 10:17 - 2012-09-08 12:41 - 00085263 ____A C:\Users\Andrew Fraser\My Documents\WMU.dwg
2012-09-07 10:17 - 2012-09-08 12:41 - 00085263 ____A C:\Users\Andrew Fraser\Documents\WMU.dwg
2012-09-06 15:33 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\Local Settings\Digital_Creations_AS
2012-09-06 15:33 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\Local Settings\Application Data\Digital_Creations_AS
2012-09-06 15:33 - 2012-09-23 10:46 - 00000000 ____D C:\Users\Andrew Fraser\AppData\Local\Digital_Creations_AS
2012-09-06 15:33 - 2012-09-06 15:47 - 00000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin
2012-09-05 16:57 - 2012-09-26 14:29 - 00000000 ____D C:\Users\Andrew Fraser\My Documents\ANTH 1200
2012-09-05 16:57 - 2012-09-26 14:29 - 00000000 ____D C:\Users\Andrew Fraser\Documents\ANTH 1200
2012-09-05 11:36 - 2012-10-01 12:01 - 00000000 ____D C:\Users\Andrew Fraser\My Documents\CS 1110 (2)
2012-09-05 11:36 - 2012-10-01 12:01 - 00000000 ____D C:\Users\Andrew Fraser\Documents\CS 1110 (2)


==================== 3 Months Modified Files ==================

2012-10-02 10:30 - 2010-12-25 14:12 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-993845009-3110868454-4033552744-1001Core.job
2012-10-02 10:25 - 2012-10-02 10:25 - 01456149 ____A (Farbar) C:\Users\Andrew Fraser\Downloads\FRST64.exe
2012-10-02 10:23 - 2009-07-14 00:13 - 00870760 ____A C:\Windows\System32\PerfStringBackup.INI
2012-10-02 10:21 - 2010-12-25 14:12 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-993845009-3110868454-4033552744-1001UA.job
2012-10-02 10:20 - 2009-07-13 23:51 - 00094222 ____A C:\Windows\setupact.log
2012-10-01 11:30 - 2011-11-21 16:10 - 00000360 ____A C:\Windows\Tasks\RegistryBooster.job
2012-09-27 17:21 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-27 17:21 - 2009-07-13 23:45 - 00014240 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-27 17:14 - 2009-07-14 00:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-26 19:40 - 2009-07-14 00:10 - 01307363 ____A C:\Windows\WindowsUpdate.log
2012-09-25 20:17 - 2012-09-25 20:16 - 80521624 ____A (Apple Inc.) C:\Users\Andrew Fraser\Downloads\iTunes64Setup.exe
2012-09-24 20:18 - 2012-09-24 20:18 - 00018445 ____A C:\Users\Andrew Fraser\Desktop\Attach.txt
2012-09-24 20:17 - 2012-09-24 20:17 - 00028561 ____A C:\Users\Andrew Fraser\Desktop\DDS.txt
2012-09-24 20:17 - 2012-09-24 20:17 - 00017446 ____A C:\Users\Andrew Fraser\Desktop\hijackthis.log
2012-09-24 20:14 - 2012-09-24 20:14 - 00607260 ___RA (Swearware) C:\Users\Andrew Fraser\Desktop\dds.com
2012-09-24 20:11 - 2012-09-24 20:11 - 00017446 ____A C:\Users\Andrew Fraser\Downloads\hijackthis.log
2012-09-24 19:59 - 2012-09-24 19:59 - 00388608 ____A (Trend Micro Inc.) C:\Users\Andrew Fraser\Desktop\HijackThis.exe
2012-09-24 19:52 - 2012-09-24 19:52 - 00509440 ____A (Tech Support Guy System) C:\Users\Andrew Fraser\Desktop\SysInfo.exe
2012-09-24 19:50 - 2012-09-24 19:50 - 01454541 ____A (Farbar) C:\Users\Andrew Fraser\Desktop\FRST64.exe
2012-09-23 11:54 - 2010-09-10 19:31 - 00245378 ____A C:\Windows\PFRO.log
2012-09-23 09:49 - 2012-09-23 09:48 - 00262144 ____A C:\Windows\Minidump\092312-23072-01.dmp
2012-09-23 09:48 - 2011-07-07 18:16 - 528158240 ____A C:\Windows\MEMORY.DMP
2012-09-21 13:05 - 2012-09-21 13:05 - 00262144 ____A C:\Windows\Minidump\092112-34117-01.dmp
2012-09-21 12:57 - 2012-09-21 12:57 - 00262144 ____A C:\Windows\Minidump\092112-18174-01.dmp
2012-09-21 12:55 - 2012-09-21 12:54 - 00262144 ____A C:\Windows\Minidump\092112-21496-01.dmp
2012-09-21 12:42 - 2012-09-21 12:41 - 00262144 ____A C:\Windows\Minidump\092112-22666-01.dmp
2012-09-21 12:35 - 2012-09-21 12:35 - 00262144 ____A C:\Windows\Minidump\092112-18408-01.dmp
2012-09-21 12:28 - 2012-09-21 12:27 - 00262144 ____A C:\Windows\Minidump\092112-81744-01.dmp
2012-09-20 21:44 - 2012-09-20 21:43 - 00262144 ____A C:\Windows\Minidump\092012-21434-01.dmp
2012-09-20 21:41 - 2012-09-20 21:40 - 00262144 ____A C:\Windows\Minidump\092012-19968-01.dmp
2012-09-20 21:38 - 2012-09-20 21:38 - 00262144 ____A C:\Windows\Minidump\092012-25818-01.dmp
2012-09-20 21:36 - 2012-09-20 21:36 - 00262144 ____A C:\Windows\Minidump\092012-25350-01.dmp
2012-09-20 21:34 - 2012-09-20 21:34 - 00262144 ____A C:\Windows\Minidump\092012-25724-01.dmp
2012-09-13 02:01 - 2010-12-31 01:05 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-09-12 16:10 - 2012-09-12 16:10 - 00012036 ____A C:\Users\Andrew Fraser\My Documents\iPhone 4S Outlook.csv
2012-09-12 16:10 - 2012-09-12 16:10 - 00012036 ____A C:\Users\Andrew Fraser\Documents\iPhone 4S Outlook.csv
2012-09-12 15:53 - 2012-09-12 15:53 - 07993747 ____A C:\Users\Andrew Fraser\Downloads\CopyTransContactsv0.913_DLC.zip
2012-09-11 10:17 - 2012-09-11 10:17 - 00001258 ____A C:\Users\Andrew Fraser\Downloads\chap2.txt
2012-09-10 13:48 - 2012-09-10 13:48 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-09-10 13:48 - 2012-09-10 13:48 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-09-08 12:41 - 2012-09-07 10:17 - 00085263 ____A C:\Users\Andrew Fraser\My Documents\WMU.dwg
2012-09-08 12:41 - 2012-09-07 10:17 - 00085263 ____A C:\Users\Andrew Fraser\Documents\WMU.dwg
2012-09-07 16:04 - 2012-09-11 14:33 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-06 08:20 - 2010-12-26 00:18 - 00225328 ____A (Symantec Corporation) C:\Windows\System32\Drivers\wpshelper.sys
2012-08-22 13:12 - 2012-09-12 11:36 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-08-22 13:12 - 2012-09-12 11:36 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-08-22 13:12 - 2012-09-12 11:36 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-22 13:12 - 2012-09-12 11:36 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-08-21 12:01 - 2012-09-25 20:27 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-08-21 12:01 - 2010-12-25 09:21 - 00125872 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi64.dll
2012-08-21 12:01 - 2010-12-25 09:21 - 00106928 ____A (GEAR Software Inc.) C:\Windows\SysWOW64\GEARAspi.dll
2012-08-16 02:24 - 2009-07-13 23:45 - 05077592 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-11 10:10 - 2011-11-21 16:05 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2012-08-11 10:10 - 2011-11-21 16:05 - 00174064 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2012-08-10 16:06 - 2012-08-10 16:06 - 00012945 ____A C:\Users\Andrew Fraser\iCloud - Shortcut.lnk
2012-08-10 15:44 - 2012-08-10 15:32 - 43361640 ____A (Apple Inc.) C:\Users\Andrew Fraser\iCloudSetup.exe
2012-08-02 12:58 - 2012-09-12 11:36 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-08-02 11:57 - 2012-09-12 11:36 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2012-07-18 13:15 - 2012-08-15 16:41 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-09 12:42 - 2012-07-09 12:42 - 04547984 ____A (Apple, Inc.) C:\Windows\System32\usbaaplrc.dll
2012-07-09 12:42 - 2012-07-09 12:42 - 00052736 ____A (Apple, Inc.) C:\Windows\System32\Drivers\usbaapl64.sys
2012-07-08 11:36 - 2012-07-08 11:36 - 00000925 ____A C:\Users\Andrew Fraser\BitTorrent.lnk
2012-07-06 15:07 - 2012-08-16 02:04 - 00552960 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\bthport.sys
2012-07-05 21:06 - 2012-08-11 10:11 - 00227760 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2012-07-05 21:06 - 2012-04-15 16:25 - 00772544 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2012-07-05 21:06 - 2010-09-10 17:39 - 00687544 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll


ZeroAccess:
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L\00000004.@
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L\201d3dde
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-14 16:54:08
Restore point made on: 2012-09-21 13:35:59
Restore point made on: 2012-09-23 22:09:18
Restore point made on: 2012-09-25 20:23:23

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 3892.54 MB
Available physical RAM: 3270.44 MB
Total Pagefile: 3890.69 MB
Available Pagefile: 3264.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:227.05 GB) NTFS
3 Drive e: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:6.8 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (FRASER) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 7648 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 100 MB 1024 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 451 GB 14 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 100 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 E RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 40 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FRASER FAT32 Removable 7647 MB Healthy

=========================================================

Last Boot: 2012-09-07 20:53

==================== End Of Log =============================

Farbar Recovery Scan Tool (x64) Version: 30-09-2012 01
Ran by SYSTEM at 2012-10-02 11:39:51
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======
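What the two FRST sections above actually establish, read together: the copy of services.exe in System32 (MD5 50BEA589...) no longer matches the copy in the WinSxS component store (MD5 24ACB7E5...) and is exactly 512 bytes larger, while both still report "(Microsoft Corporation)". That vendor string comes from the file's version resource, which a patched binary keeps, so it is not evidence of integrity; the hash mismatch against the component store is. The following Python is an added example, not part of the original post and not FRST code. It parses those two log fragments (embedded below as they appear above) and reports the mismatch; splitting entries into "live" and "component store" copies by the \winsxs\ path segment is this example's own convention.

```python
import re

# Constructed sample: the FRST "Bamital & volsnap Check" lines and the
# "Search: services.exe" result from the log above, copied as-is.
BAMITAL_CHECK = r"""
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

SEARCH_RESULT = r"""
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 18:19] - [2009-07-13 20:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC
"""

# "<path> <MD5> <label> <==== ATTENTION" lines from the integrity check.
FLAGGED_RE = re.compile(
    r"^(?P<path>.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<label>\S+) <==== ATTENTION", re.M)

# The attribute line FRST prints under each search hit.
ATTR_RE = re.compile(
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
    r"\((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def flagged_binaries(check_text):
    """Return (path, md5, label) for every line the integrity check flagged."""
    return [(m["path"], m["md5"].upper(), m["label"])
            for m in FLAGGED_RE.finditer(check_text)]


def parse_search(search_text):
    """Pair each path line of a FRST search with the attribute line below it."""
    lines = [ln.strip() for ln in search_text.splitlines() if ln.strip()]
    entries = []
    for path, attrs in zip(lines[::2], lines[1::2]):
        m = ATTR_RE.match(attrs)
        if m is None:
            raise ValueError(f"unexpected attribute line: {attrs!r}")
        entries.append({"path": path, "size": int(m["size"]),
                        "vendor": m["vendor"], "md5": m["md5"].upper()})
    return entries


def compare_with_component_store(entries):
    """Compare each live (System32/SysWOW64) copy with the WinSxS copies.

    On Windows 7 the live file is normally a hard link to the WinSxS payload,
    so a differing hash means the file was replaced, not merely updated.
    """
    store = [e for e in entries if "\\winsxs\\" in e["path"].lower()]
    live = [e for e in entries if "\\winsxs\\" not in e["path"].lower()]
    findings = []
    for lv in live:
        if any(s["md5"] == lv["md5"] for s in store):
            continue  # identical to a component-store copy: as expected
        for s in store:
            findings.append({
                "live": lv["path"], "live_md5": lv["md5"],
                "store": s["path"], "store_md5": s["md5"],
                "size_delta": lv["size"] - s["size"],
                # the version-resource vendor string survives patching
                "vendor_string_preserved": lv["vendor"] == s["vendor"],
            })
    return findings


def triage(check_text, search_text):
    return {"flagged": flagged_binaries(check_text),
            "mismatches": compare_with_component_store(parse_search(search_text))}


if __name__ == "__main__":
    result = triage(BAMITAL_CHECK, SEARCH_RESULT)
    for path, md5, label in result["flagged"]:
        print(f"flagged: {path} md5={md5} ({label})")
    for f in result["mismatches"]:
        print(f"{f['live']} differs from {f['store']}: {f['size_delta']:+d} bytes, "
              f"vendor string kept={f['vendor_string_preserved']}")
```

The 512-byte growth is what the search result shows (329216 versus 328704); the example only makes the arithmetic explicit. Comparing MD5 here is fine because the reference copy is local, not because MD5 is collision resistant.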
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
02-Oct-2012, 11:45 AM #4
Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

Code:
start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
C:\Windows\SysWOW64\%APPDATA%
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end
Now please enter System Recovery Options as you did to get the log.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot to Normal Windows and run this:

  • Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror
  • Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post both logs in your reply, and give an update on any issues/concerns.

Kevin...
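The fixlist above does two things: it swaps the System32 services.exe for the copy in the WinSxS component store, and it removes the ZeroAccess artifact paths FRST listed (the {678e0b4f-...} folder under Windows\Installer with its @, L and U entries, the Desktop.ini files in assembly\GAC_32 and GAC_64, and the folder literally named %APPDATA% under SysWOW64). The following Python is an added example, not Kevin's fixlist and not FRST code: it restates those steps as checks you could run against an offline copy of a Windows directory (a mounted image, or the recovery environment this thread uses). It builds a small constructed directory tree mirroring the log above and runs the checks over that tree, so it runs anywhere. Two assumptions: the hard-link test relies on Windows 7 keeping System32 binaries as hard links into WinSxS, and MD5 is used only because FRST reports MD5. The example does not verify Authenticode signatures, which is the authoritative check on a live system (sigcheck or Get-AuthenticodeSignature).

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_system_binary(windows_root, name):
    """Compare the System32 copy of <name> with every copy in the WinSxS store.

    A healthy Windows 7 install keeps the System32 file as a hard link to a
    WinSxS payload file, so a clean binary is both byte-identical to and the
    same file as one store copy; a replaced one is neither.
    """
    windows_root = Path(windows_root)
    live = windows_root / "System32" / name
    store = sorted((windows_root / "winsxs").rglob(name))
    live_md5 = md5_of(live)
    same_hash = [p for p in store if md5_of(p) == live_md5]
    same_file = [p for p in store if os.path.samefile(live, p)]
    return {"live": live, "live_md5": live_md5,
            "clean_candidates": same_hash, "hard_linked_to": same_file,
            "replaced": not same_hash}


def find_zeroaccess_artifacts(windows_root):
    """Paths matching the artifacts the fixlist above removes."""
    windows_root = Path(windows_root)
    hits = []
    installer = windows_root / "Installer"
    if installer.is_dir():
        for d in installer.iterdir():
            # Windows\Installer legitimately holds many {GUID} folders (MSI
            # cache); the indicator is the "@" file with L and/or U subfolders.
            if d.is_dir() and GUID_DIR.match(d.name):
                names = {c.name for c in d.iterdir()}
                if "@" in names and names & {"L", "U"}:
                    hits.append(d)
    for gac in ("GAC_32", "GAC_64"):
        ini = windows_root / "assembly" / gac / "Desktop.ini"
        if ini.is_file():
            hits.append(ini)
    literal_appdata = windows_root / "SysWOW64" / "%APPDATA%"
    if literal_appdata.is_dir():
        hits.append(literal_appdata)
    return hits


def build_sample_tree(root):
    """Constructed stand-in for C:\\Windows mirroring the log above (not real files)."""
    root = Path(root)
    clean = b"MZ" + b"\x00" * 4094  # pretend payload for the store copy
    store_dir = (root / "winsxs" /
                 "amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1")
    store_dir.mkdir(parents=True)
    (store_dir / "services.exe").write_bytes(clean)
    (root / "System32").mkdir()
    # The patched copy: a separate file, 512 bytes larger, as in the search result.
    (root / "System32" / "services.exe").write_bytes(clean + b"\x90" * 512)
    za = root / "Installer" / "{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}"
    for sub in ("L", "U"):
        (za / sub).mkdir(parents=True)
    (za / "@").write_bytes(b"")
    (za / "L" / "00000004.@").write_bytes(b"")
    (za / "U" / "80000064.@").write_bytes(b"")
    (root / "Installer" / "{11111111-2222-3333-4444-555555555555}").mkdir()  # benign MSI cache folder
    for gac in ("GAC_32", "GAC_64"):
        (root / "assembly" / gac).mkdir(parents=True)
        (root / "assembly" / gac / "Desktop.ini").write_bytes(b"")
    (root / "SysWOW64" / "%APPDATA%").mkdir(parents=True)
    return root


def run_demo():
    """Build the sample tree, run both checks, and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        win = build_sample_tree(tmp)
        report = check_system_binary(win, "services.exe")
        artifacts = [str(p.relative_to(win)) for p in find_zeroaccess_artifacts(win)]
    return report, artifacts


if __name__ == "__main__":
    report, artifacts = run_demo()
    print("replaced:", report["replaced"], "clean candidates:", report["clean_candidates"])
    for a in artifacts:
        print("artifact:", a)
```

Against a real offline tree you would call check_system_binary and find_zeroaccess_artifacts with the mounted Windows directory instead of the sample; a clean system gives replaced=False and exactly one entry in hard_linked_to.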
andrewbfraser (Andrew), thread starter, Michigan
02-Oct-2012, 02:45 PM #5
Thank you so much! You're a life saver, man. I did what you told me to and there is no sign of infected files. Malwarebytes did not find anything, but even when it was infected it wasn't finding anything. I use Symantec Endpoint Protection and it was what alerted me that there was a problem, and it is not finding anything anymore either. Thank you so much for replying and helping me out.

The only issue I had was that ever since services.exe got infected, Symantec was finding a new backdoor trojan almost every minute when my computer was running, almost always from a C:\Windows\Installer location. It is not finding them anymore, so that leads me to believe it was caused by the infected services.exe. If you think it might have been from anything else, please let me know what I should do to be sure it is gone. But otherwise I can't thank you enough; my computer runs fine again.

Below are the logs from the fix and scan.

Thanks again,
Andrew



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-09-2012 01
Ran by SYSTEM at 2012-10-02 15:18:01 Run:1
Running from F:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\SysWOW64\%APPDATA% moved successfully.
C:\Windows\Installer\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====





Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.02.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Andrew Fraser :: ANDREWFRASER-PC [administrator]

10/2/2012 3:25:44 PM
mbam-log-2012-10-02 (15-25-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209613
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
02-Oct-2012, 05:04 PM #6
Thanks for the reply. I'd like to confirm no remnants of the infection remain with an online AV scan; run the following:

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Kevin
andrewbfraser (Andrew), thread starter, Michigan
02-Oct-2012, 09:41 PM #7
Kevin, here is the log from the eset scan:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=2e527f58a77b2b4f967084f4068a0ec1
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-10-03 02:17:37
# local_time=2012-10-02 10:17:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776638 66 94 39749063 100760900 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=299587
# found=10
# cleaned=0
# scan_time=13206
C:\FRST\Quarantine\services.exe Win64/Patched.A.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/RegistryBooster application 00000000000000000000000000000000 I


Thanks, Andrew
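Reading the ESET log above the way a responder would: the only trojan hit is C:\FRST\Quarantine\services.exe, which is the patched file FRST had already moved out of System32 in the fix, not a live infection. Every other hit is classed by ESET as an "application" (potentially unwanted software), and the two Yontoo lines are one file seen through two paths, because C:\Users\All Users is a junction to C:\ProgramData on Windows 7 (which is why the later OTM log reports the second path as not found). The "(unable to clean)" notes follow from remove_checked=false, i.e. the instruction to leave "remove found threats" unticked. The following Python is an added example, not part of the post and not ESET code: it parses the log (embedded below as it appears above), separates quarantine hits from live ones, and de-duplicates by canonical path. The quarantine prefix list and the alias table are this example's own assumptions.

```python
import re

# Constructed sample: header and result lines of the ESET log above, copied as-is.
ESET_LOG = r"""
# version=7
# end=finished
# remove_checked=false
# scanned=299587
# found=10
# cleaned=0
C:\FRST\Quarantine\services.exe Win64/Patched.A.Gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/RegistryBooster application 00000000000000000000000000000000 I
"""

# "<path> <threat> <kind> [(note)] <hash> <flag>"; the path may contain spaces,
# so it is matched non-greedily up to the first "Family/Name" token.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>(?:a variant of )?[A-Za-z0-9]+/\S+)\s+(?P<kind>\S+)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$")
HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")

# Assumed for this example: where the tools used in this thread keep quarantined files.
QUARANTINE_PREFIXES = ("c:\\frst\\quarantine\\",)
# Assumed alias table: "All Users" is a junction to ProgramData on Vista and later.
PATH_ALIASES = {"c:\\users\\all users\\": "c:\\programdata\\"}


def parse_eset_log(text):
    """Return (header dict, list of finding dicts); non-matching lines are ignored."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        m = FINDING_RE.match(line)
        if m is not None:
            findings.append(m.groupdict())
    return header, findings


def canonical(path):
    """Lower-case the path and fold known junction aliases onto their targets."""
    low = path.lower()
    for alias, real in PATH_ALIASES.items():
        if low.startswith(alias):
            return real + low[len(alias):]
    return low


def classify(findings):
    """Bucket findings: already quarantined, live malware, live PUA, or memory-only."""
    out = {"quarantined": [], "live_malware": [], "live_pua": [], "memory": []}
    seen = set()
    for f in findings:
        key = canonical(f["path"])
        if key in seen:
            continue  # same file reached through an alias path
        seen.add(key)
        if f["path"].startswith("${"):
            out["memory"].append(f)
        elif key.startswith(QUARANTINE_PREFIXES):
            out["quarantined"].append(f)
        elif f["kind"] == "application":
            out["live_pua"].append(f)
        else:
            out["live_malware"].append(f)
    return out


if __name__ == "__main__":
    header, findings = parse_eset_log(ESET_LOG)
    print(f"found={header.get('found')} parsed={len(findings)} remove_checked={header.get('remove_checked')}")
    for bucket, items in classify(findings).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f['threat']}  {f['path']}")
```

The useful output here is that live_malware is empty: the remaining work is uninstalling unwanted software and deleting the quarantine folder, which is exactly what the next post asks for.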
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
03-Oct-2012, 02:35 AM #8
Thanks for the reply Andrew,

Continue as follows:

Uninstall Uniblue via Start > Control Panel > Uninstall a Program.

Next,

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Files
    ipconfig /flushdns /c
    C:\FRST
    C:\ProgramData\Tarma Installer
    C:\Users\All Users\Tarma Installer
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Post that log please, and tell me how your system is running, also if any issues or concerns remain; if none, we can clean up..

Kevin
andrewbfraser (Andrew), thread starter, Michigan
03-Oct-2012, 12:24 PM #9
Hey Kevin, thanks for the reply. I uninstalled that program and ran the OTM program, and my system runs great.

Just curious, was that Uniblue program harmful to my computer at all?

Here is the OTM log,
Andrew



All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Andrew Fraser\Desktop\cmd.bat deleted successfully.
C:\Users\Andrew Fraser\Desktop\cmd.txt deleted successfully.
C:\FRST\Quarantine\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\U folder moved successfully.
C:\FRST\Quarantine\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1}\L folder moved successfully.
C:\FRST\Quarantine\{678e0b4f-17c9-f768-10f6-97e8ee0ffbb1} folder moved successfully.
C:\FRST\Quarantine\%APPDATA%\Microsoft\Windows\IETldCache folder moved successfully.
C:\FRST\Quarantine\%APPDATA%\Microsoft\Windows folder moved successfully.
C:\FRST\Quarantine\%APPDATA%\Microsoft folder moved successfully.
C:\FRST\Quarantine\%APPDATA% folder moved successfully.
Folder move failed. C:\FRST\Quarantine scheduled to be moved on reboot.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Cache folder moved successfully.
C:\ProgramData\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9} folder moved successfully.
C:\ProgramData\Tarma Installer folder moved successfully.
File/Folder C:\Users\All Users\Tarma Installer not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Andrew Fraser
->Temp folder emptied: 172447376 bytes
->Temporary Internet Files folder emptied: 4187995 bytes
->Java cache emptied: 2489187 bytes
->Google Chrome cache emptied: 380976897 bytes
->Flash cache emptied: 71596 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 566941750 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 697922126 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,741.00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 10032012_131400

Files moved on Reboot...
File C:\FRST\Quarantine not found!
C:\Users\Andrew Fraser\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
03-Oct-2012, 02:18 PM #10
Hiya Andrew,

Thanks for the reply and good to hear your system is running well. Regarding Uniblue, I do not use or promote any application of that type which may alter the OS registry in any way. It's your choice to uninstall, keep or re-install....

OK do the following:

Step 1

Remove ESET online scanner:
  • Click Start, type Uninstall a Program into the Search programs and files box, and then press ENTER.
  • Click to select ESET Online Scanner from the listing of installed products, and then click Uninstall/Change from the bar that displays the available tasks. Uninstall ESET Online Scanner; only re-boot if prompted.

Step 2
  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then Click the big button.
  • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

Any tools/logs remaining on the Desktop can be deleted, such as Farbar Recovery Scan Tool...

Step 3

Go here http://www.filehippo.com/updatechecker/ (Use the Stand Alone Version, not the installer) Run the FileHippo Update Checker, update all applications as suggested by the Update Checker. Ignore any Beta updates.
If Java or Adobe are updated please check under Start > Control Panel > Programs and Features, and ensure any old versions are removed. <--- Very Important

Step 4

Download TFC to your desktop, from either of the following links
Link 1
Link 2
  • Save any open work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program. Vista or Windows 7 users accept the UAC alert.
  • If prompted, click "Yes" to reboot.
TFC will automatically close any open programs, including your Desktop. Let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. TFC may re-boot your system; if not, re-boot it yourself to complete the cleaning process <---- Very Important

Keep TFC it is an excellent, run weekly utility to keep your system optimized, it empties all user temp folders, Java cache etc etc. Always remember to re-boot after a run, even if not prompted

Step 5

Create a new restore point:

1. Right-click on Computer and go to Properties.
2. Next click on the System Protection link.
3. The System Properties dialog screen opens up and you will want to click on Create.
4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.
5. You should see the message "The restore point was created successfully".

To remove all but the most recent restore point do the following:

1. Open Disk Cleanup by clicking the Start button . In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
2. If prompted, select the drive that you want to clean up, and then click OK.
3. In the Disk Cleanup for (usually C:\) dialog box, click Clean up system files. Administrator permission required. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
4. If prompted, select the drive that you want to clean up, and then click OK.
5. Click the More Options tab, under System Restore and Shadow Copies, click Clean up.
6. In the Disk Cleanup dialog box, click Delete.
7. Click Delete Files, and then click OK. Re-Boot your PC.

Let me know if those steps complete OK, if no more issues you can hit the "Mark Solved" tab at the top of the thread...

Thanks,

Kevin
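The restore-point part of Step 5 typed into an elevated PowerShell session instead of the GUI, added here as an example that is not part of Kevin's instructions. It assumes Windows 7 or later with System Protection enabled for C: and uses vssadmin's list/delete commands to mimic the Disk Cleanup "Clean up" button (restore points are stored as shadow copies, so deleting the oldest shadow copies removes the oldest restore points). Note that the delete step is destructive: run it only after step 1 has succeeded.

```powershell
# Added example (not from the thread): PowerShell equivalent of Step 5.
# Assumes an elevated session on Windows 7 or later with System Protection on for C:.

# 1. Create a restore point with a description you will recognise later.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

# 2. Confirm it exists; the newest entry has the highest SequenceNumber.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize

# 3. Delete all but the most recent shadow copy on the volume, which is what the
#    "System Restore and Shadow Copies" Clean up button in Disk Cleanup does.
#    Each vssadmin call removes only the oldest copy, so loop until one remains.
function Remove-OldShadowCopies {
    param([string]$Volume = 'C:')
    while ($true) {
        # vssadmin prints one "Shadow Copy ID: {guid}" line per shadow copy
        $ids = vssadmin list shadows /for=$Volume | Select-String 'Shadow Copy ID:'
        if (@($ids).Count -le 1) { break }
        vssadmin delete shadows /for=$Volume /oldest /quiet | Out-Null
    }
}
Remove-OldShadowCopies -Volume 'C:'
```

On Windows 8 and later Checkpoint-Computer silently refuses to create a second restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency registry value is lowered; on Windows 7 (the system in this thread) no such limit applies.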
andrewbfraser (Andrew), 03-Oct-2012, 03:16 PM #11
Hi Kevin, I finished the first couple steps and I have updated everything.
I checked to see if the old versions of adobe and java were removed and it appears the adobe was but the java was not. Before I do anything, I wanted to check with you and see if I should remove these or not. I attached a screenshot, should I uninstall all of the Java programs listed under Java 7 Update 7 (64-bit)?
Please let me know, thanks,
Andrew
kevinf80 (Kevin), Malware Removal Specialist, 03-Oct-2012, 04:10 PM #12
Yep, remove them all except for your latest update....
andrewbfraser (Andrew), 03-Oct-2012, 04:27 PM #13
Okay, thank you so much. My only other question is that I just tried to run Windows Update, and it will check for updates but it fails immediately when trying to download and install them. The last time updates were installed was right around the time I got the virus. Please let me know if you know of any way to fix this too.
Thanks,
Andrew
kevinf80 (Kevin), Malware Removal Specialist, 03-Oct-2012, 04:51 PM #14
Run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
andrewbfraser (Andrew), 03-Oct-2012, 04:54 PM #15
Here is the log:

Farbar Service Scanner Version: 19-09-2012
Ran by Andrew Fraser (administrator) on 03-10-2012 at 17:53:24
Running from "C:\Users\Andrew Fraser\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.
IE proxy is enabled.



Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
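What the FSS log above is reporting can be reproduced with built-in PowerShell, as an added example that is not part of the thread and not Farbar's code. It assumes an elevated session on the affected machine, takes the service names from the log (plus wuauserv, the Windows Update service itself) and checks the same things FSS prints: whether the service's registry key still exists, its Start value, ImagePath, ServiceDll, whether the referenced binary is on disk, and the DisableAntiSpyware policy value. The registry is read first because Get-Service alone cannot tell you anything about a service whose key has been deleted, which is exactly the state the log shows for MpsSvc, bfe, wscsvc, BITS and WinDefend.

```powershell
# Added example: reproduces the service-configuration checks the FSS log reports,
# using only built-in PowerShell cmdlets (PowerShell 2.0 or later). Not Farbar's code.
# Assumes an elevated session on the machine being inspected.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Service names taken from the FSS log above, plus the Windows Update service.
$servicesToCheck = 'mpsdrv', 'MpsSvc', 'bfe', 'wscsvc', 'BITS', 'WinDefend', 'SharedAccess', 'wuauserv'

# Turn a raw ImagePath / ServiceDll value into a path Test-Path understands.
function Resolve-ServiceBinary {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $path = $Raw  -replace '^"?([^"]*?\.(exe|sys|dll)).*$', '$1'   # strip quotes and arguments
    $path = $path -replace '^\\\?\?\\', ''                          # \??\ prefix used by some drivers
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^System32', "$env:SystemRoot\System32"  # relative driver paths
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-ServiceHealth {
    param([string]$Name)
    $key = Join-Path $servicesRoot $Name
    $row = New-Object PSObject -Property @{
        Service = $Name; KeyExists = (Test-Path $key); Start = $null
        State = 'not installed'; BinaryOnDisk = $null; ImagePath = $null; ServiceDll = $null
    }
    if ($row.KeyExists) {
        $props         = Get-ItemProperty -Path $key
        $row.Start     = $props.Start
        $row.ImagePath = $props.ImagePath
        # svchost-hosted services keep the real code in Parameters\ServiceDll
        $paramsKey = Join-Path $key 'Parameters'
        if (Test-Path $paramsKey) { $row.ServiceDll = (Get-ItemProperty -Path $paramsKey).ServiceDll }
        $binary = Resolve-ServiceBinary $(if ($row.ServiceDll) { $row.ServiceDll } else { $row.ImagePath })
        if ($binary) { $row.BinaryOnDisk = Test-Path $binary }
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc) { $row.State = [string]$svc.Status }
    }
    $row | Select-Object Service, KeyExists, Start, State, BinaryOnDisk, ImagePath, ServiceDll
}

# The log shows the first of these keys carrying DisableAntiSpyware=1; the second is
# the Group Policy location, which is worth checking at the same time.
$defenderKeys = 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
                'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
function Get-DefenderDisablePolicy {
    foreach ($k in $defenderKeys) {
        $v = Get-ItemProperty -Path $k -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($v -and $v.DisableAntiSpyware -eq 1) { "$k\DisableAntiSpyware = 1 (Defender disabled by policy)" }
    }
}

$report = $servicesToCheck | ForEach-Object { Get-ServiceHealth -Name $_ }
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.KeyExists -or $_.BinaryOnDisk -eq $false } |
    ForEach-Object { Write-Warning ("{0}: service key missing or binary not on disk" -f $_.Service) }
Get-DefenderDisablePolicy | ForEach-Object { Write-Warning $_ }
```

Against the state in the log this prints KeyExists False for MpsSvc, bfe, wscsvc, BITS and WinDefend, a present-but-not-running mpsdrv, and a warning for the Defender policy value; a clean Windows 7 machine shows every key present, BinaryOnDisk True and no warnings. Because a deleted service key cannot be recreated by starting the service, a False here is the signal that the key itself has to be restored, which is what the FSS "service key does not exist" lines are telling the helper.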