Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

MyPC Backup Virus? [Solved]

Started by scott IT by default , Oct 01 2013 03:51 PM

This topic is locked

#1
scott IT by default

Posted 01 October 2013 - 03:51 PM

Member

Member
27 posts

Hi,

Working on my friends computer that has constant pop-ups all of the sudden. I'm pretty sure it is the MyPC Backup virus, but can't be certain. I've run OTL and the scan results are as follows. Thanks in advance for any help that you can provide in getting rid of this annoyance.

OTL logfile created on: 10/1/2013 5:40:50 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\robert\Downloads
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16686)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 1.58 Gb Available Physical Memory | 52.93% Memory free
5.98 Gb Paging File | 4.42 Gb Available in Paging File | 74.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 145.96 Gb Total Space | 86.41 Gb Free Space | 59.20% Space Free | Partition Type: NTFS

Computer Name: RTKUNTZ04 | User Name: robert | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/10/01 17:40:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\robert\Downloads\OTL (1).com
PRC - [2013/09/20 09:01:14 | 000,815,496 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\Macromed\Flash\FlashUtil32_11_8_800_175_ActiveX.exe
PRC - [2013/07/30 11:15:06 | 000,308,816 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2013/07/16 15:34:59 | 000,107,520 | ---- | M] () -- C:\Users\robert\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe
PRC - [2013/07/11 19:09:02 | 000,217,992 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
PRC - [2013/07/01 13:55:38 | 001,945,128 | ---- | M] (MyPCBackup.com) -- C:\Program Files\MyPC Backup\MyPC Backup.exe
PRC - [2013/06/08 09:26:53 | 000,202,576 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2013/06/08 09:26:44 | 000,375,120 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2013/05/31 11:50:38 | 001,176,904 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2013/05/31 11:49:38 | 001,182,024 | ---- | M] (Intuit Inc.) -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
PRC - [2013/05/31 11:02:22 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2013/01/27 12:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/01/27 12:11:46 | 000,284,304 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
PRC - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 12:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/12/18 10:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/11/22 22:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/09/23 20:43:48 | 003,477,640 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
PRC - [2011/10/13 12:48:18 | 001,248,256 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
PRC - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2011/09/16 16:10:50 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2011/08/26 14:17:24 | 002,938,736 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/02/14 09:55:16 | 000,043,520 | R--- | M] () -- C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe

========== Modules (No Company Name) ==========

MOD - [2013/08/15 03:18:04 | 000,628,224 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\5970036570c1e44e8ae0f6f94c1039aa\System.EnterpriseServices.ni.dll
MOD - [2013/08/15 03:18:03 | 000,627,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\4ada2213cefea889a5ed6e2fb6839b93\System.Transactions.ni.dll
MOD - [2013/08/15 03:18:02 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\764054efc88f51b54c8d7e44df26b671\System.Data.ni.dll
MOD - [2013/08/15 03:17:19 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\28ea347a952d20959ac6ae02d7457d39\System.Windows.Forms.ni.dll
MOD - [2013/08/15 03:17:07 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5aa44bce7933e4de09d935848f868a4b\System.Drawing.ni.dll
MOD - [2013/08/15 03:16:34 | 005,464,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09db78d6068543df01862a023aca785a\System.Xml.ni.dll
MOD - [2013/08/15 03:16:22 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\8f7d83126a3cf283e5ac97f2d6d99f12\System.Configuration.ni.dll
MOD - [2013/08/15 03:16:20 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\5d22a30e587e2cac106b81fb351e7c08\System.ni.dll
MOD - [2013/08/15 03:11:54 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\900d7d45b5a5498cbb97c36409f0afe1\System.Runtime.Remoting.ni.dll
MOD - [2013/08/15 03:06:32 | 013,199,360 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\1a3b614a84244ea5fa4147b5cf007333\System.Windows.Forms.ni.dll
MOD - [2013/08/15 03:06:30 | 001,014,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\df40dab689e9d8febfb943599ba79f8d\System.Configuration.ni.dll
MOD - [2013/08/15 03:06:28 | 005,628,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\884bcbd22130ebeb1211bc7bcc3910c9\System.Xml.ni.dll
MOD - [2013/08/15 03:06:17 | 001,667,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\3a3fc0216674bdea0be809b305517c98\System.Drawing.ni.dll
MOD - [2013/08/15 03:05:52 | 009,099,776 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\de853615c8224ba5d9aa9b76276c6d98\System.ni.dll
MOD - [2013/07/12 03:19:41 | 011,499,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9a6c1b7af18b4d5a91dc7f8d6617522f\mscorlib.ni.dll
MOD - [2013/07/12 03:12:32 | 014,416,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\cf58670896c5313b9b52f026f4455a5d\mscorlib.ni.dll
MOD - [2013/07/01 13:47:54 | 000,012,288 | ---- | M] () -- C:\Program Files\MyPC Backup\GetText.dll
MOD - [2013/07/01 13:43:36 | 000,904,704 | ---- | M] () -- C:\Program Files\MyPC Backup\x86\System.Data.SQLite.dll
MOD - [2013/05/31 11:50:12 | 000,138,568 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\QBMAPILibrary.dll
MOD - [2013/05/31 11:50:10 | 000,021,320 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\QBCompressor.DLL
MOD - [2013/05/31 11:50:02 | 000,042,824 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\mbpopup.dll
MOD - [2013/05/31 11:49:44 | 000,269,128 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\boost_regex-vc90-mt-p-1_33.dll
MOD - [2013/05/31 11:49:44 | 000,176,968 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\boost_serialization-vc90-mt-p-1_33.dll
MOD - [2013/05/31 11:49:42 | 000,380,744 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\BackupLib.dll
MOD - [2012/02/20 21:29:04 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2012/02/20 21:28:42 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/10/13 12:47:02 | 000,059,904 | ---- | M] () -- C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\zlib1.dll
MOD - [2011/02/14 09:55:16 | 000,043,520 | R--- | M] () -- C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
MOD - [2010/11/20 17:29:11 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2009/06/10 17:23:19 | 000,261,632 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

========== Services (SafeList) ==========

SRV - [2013/09/20 09:01:16 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/09/16 10:03:46 | 000,573,952 | ---- | M] () [Auto | Stopped] -- C:\Program Files\DefaultTab\DefaultTabSearch.exe -- (DefaultTabSearch)
SRV - [2013/07/16 15:34:59 | 000,107,520 | ---- | M] () [Auto | Running] -- C:\Users\robert\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe -- (DefaultTabUpdate)
SRV - [2013/07/01 13:55:40 | 000,032,808 | ---- | M] (Just Develop It) [Auto | Stopped] -- C:\Program Files\MyPC Backup\BackupStack.exe -- (BackupStack)
SRV - [2013/06/08 09:26:53 | 000,202,576 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2013/06/08 09:26:44 | 000,375,120 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2013/05/31 11:02:22 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2013/05/27 00:57:27 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/01/27 12:11:46 | 000,295,232 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/12/18 10:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/12/04 08:09:25 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2011/10/13 12:48:18 | 001,248,256 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe -- (QBVSS)
SRV - [2011/10/13 12:47:26 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2011/09/16 16:10:50 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2009/07/13 21:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\cpdcvnuh.sys -- (cpdcvnuh)
DRV - [2013/06/08 09:26:45 | 000,086,888 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2013/05/28 09:26:53 | 000,013,624 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2013/01/20 16:59:04 | 000,100,328 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/09/16 16:10:50 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2010/11/20 17:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 17:29:03 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 17:29:03 | 000,062,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dmvsc.sys -- (dmvsc)
DRV - [2010/11/20 17:29:03 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 17:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 17:29:03 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 17:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2010/11/20 17:29:03 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 17:29:03 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 18:02:50 | 000,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files\InternetHelper3.1\prxtbInte.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files\InternetHelper3.1\prxtbInte.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE10SR
IE - HKCU\..\SearchScopes\{0BCDB5C6-5176-4C18-868B-063FCDD023D0}: "URL" = http://search.condui...q={searchTerms}
IE - HKCU\..\SearchScopes\{5BDB9F3D-1990-4CC7-A89F-3E29B8E1F63A}: "URL" = http://search.condui...2491030262&UM=2
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7MXGB_enUS547
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2013/09/18 15:49:03 | 000,000,000 | ---D | M]

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.95\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.95\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\28.0.1500.95\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - Extension: Google Docs = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: WebCake = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh\1.0.3_0\
CHR - Extension: DefaultTab = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc\1.1.19_0\
CHR - Extension: InternetHelper3.1 = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\nemfjadlboooiffmcelkafilagddogim\10.16.70.501_0\
CHR - Extension: Gmail = C:\Users\robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2009/06/10 17:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (InternetHelper3.1 Toolbar) - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files\InternetHelper3.1\prxtbInte.dll (Conduit Ltd.)
O2 - BHO: (SySaver) - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\robert\AppData\Local\SySaver\temp.dat File not found
O2 - BHO: (DefaultTab Browser Helper) - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\robert\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll (Search Results LLC.)
O2 - BHO: (no name) - {8984B388-A5BB-4DF7-B274-77B879E179DB} - No CLSID value found.
O2 - BHO: (Adobe Acrobat Create PDF Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe Acrobat Create PDF from Selection) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (InternetHelper3.1 Toolbar) - {07cbf788-1359-421b-a4e3-5a8d041b90a3} - C:\Program Files\InternetHelper3.1\prxtbInte.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Adobe Acrobat Create PDF Toolbar) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (InternetHelper3.1 Toolbar) - {07CBF788-1359-421B-A4E3-5A8D041B90A3} - C:\Program Files\InternetHelper3.1\prxtbInte.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe Acrobat Create PDF Toolbar) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe ()
O4 - HKCU..\Run: [Akamai NetSession Interface] "C:\Users\robert\AppData\Local\Akamai\netsession_win.exe" File not found
O4 - Startup: C:\Users\robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk = C:\Program Files\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} https://connect3.uc....ebInstaller.cab (AxWebInstaller Control)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=724 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.11 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtkuntz.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: DhcpNameServer = 192.168.1.11 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: NameServer = 192.168.1.11
O18 - Protocol\Handler\intu-help-qb5 {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2013/10/01 16:08:50 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{7952d326-1dec-11e1-b549-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{7952d326-1dec-11e1-b549-806e6f6e6963}\Shell\AutoRun\command - "" = "D:\Adobe Acrobat XI\Setup.exe"
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/10/01 16:15:57 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Autodesk
[2013/10/01 16:12:26 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_43.dll
[2013/10/01 16:12:26 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_7.dll
[2013/10/01 16:12:26 | 000,239,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_7.dll
[2013/10/01 16:12:26 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_5.dll
[2013/10/01 16:12:25 | 001,998,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_43.dll
[2013/10/01 16:12:25 | 001,868,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dcsx_43.dll
[2013/10/01 16:12:25 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_43.dll
[2013/10/01 16:12:25 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx11_43.dll
[2013/10/01 16:12:23 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine2_1.dll
[2013/10/01 16:12:23 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_1.dll
[2013/10/01 16:12:23 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\x3daudio1_0.dll
[2013/09/18 15:57:12 | 000,000,000 | ---D | C] -- C:\Users\robert\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
[2013/09/18 15:50:45 | 000,000,000 | ---D | C] -- C:\ProgramData\regid.1986-12.com.adobe
[2013/09/18 09:10:07 | 000,000,000 | ---D | C] -- C:\home
[2013/09/18 09:04:10 | 000,000,000 | ---D | C] -- C:\Users\robert\AppData\Roaming\TeamViewer
[2013/09/16 11:03:32 | 000,000,000 | ---D | C] -- C:\Users\robert\Desktop\New folder
[2013/09/16 10:57:44 | 000,000,000 | ---D | C] -- C:\Users\robert\Desktop\Adobe Acrobat XI
[2013/09/16 10:56:25 | 000,000,000 | ---D | C] -- C:\Users\robert\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
[2013/09/16 10:56:22 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe Download Assistant
[2013/09/12 03:04:27 | 002,706,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/09/12 03:04:25 | 002,876,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/09/12 03:04:24 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/09/12 03:04:24 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/09/12 03:04:24 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/09/12 03:04:22 | 000,493,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/09/12 03:04:22 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2013/09/12 03:04:22 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/09/12 03:04:22 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/09/12 03:04:21 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2013/09/12 00:31:12 | 000,133,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ataport.sys
[2013/09/12 00:31:11 | 002,348,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/09/12 00:31:09 | 000,271,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
[2013/09/12 00:31:09 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2013/09/12 00:31:08 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-file-l1-1-0.dll
[2013/09/12 00:31:08 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processthreads-l1-1-0.dll
[2013/09/12 00:31:08 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-sysinfo-l1-1-0.dll
[2013/09/12 00:31:08 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-synch-l1-1-0.dll
[2013/09/12 00:31:08 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll
[2013/09/12 00:31:08 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-processenvironment-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-namedpipe-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-memory-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-interlocked-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-heap-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-string-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-rtlsupport-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-profile-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-handle-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-fibers-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-errorhandling-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-delayload-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-debug-l1-1-0.dll
[2013/09/12 00:31:08 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-datetime-l1-1-0.dll
[2013/09/12 00:31:07 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-security-base-l1-1-0.dll
[2013/09/12 00:31:07 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-threadpool-l1-1-0.dll
[2013/09/12 00:31:07 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-xstate-l1-1-0.dll
[2013/09/12 00:31:07 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-util-l1-1-0.dll
[2013/09/12 00:31:05 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-localization-l1-1-0.dll
[2013/09/12 00:31:05 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\System32\api-ms-win-core-console-l1-1-0.dll
[2013/09/05 10:40:33 | 000,000,000 | ---D | C] -- C:\Users\robert\Desktop\Expense Report

========== Files - Modified Within 30 Days ==========

[2013/10/01 17:41:59 | 000,022,912 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/10/01 17:41:59 | 000,022,912 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/10/01 17:40:02 | 000,660,068 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/10/01 17:40:02 | 000,120,996 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/10/01 17:35:06 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/10/01 17:34:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/10/01 17:34:06 | 2407,989,248 | -HS- | M] () -- C:\hiberfil.sys
[2013/10/01 17:28:31 | 000,372,648 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/10/01 17:01:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/10/01 16:16:56 | 000,002,135 | ---- | M] () -- C:\Users\Public\Desktop\DWG TrueView 2014.lnk
[2013/10/01 16:14:05 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/09/20 09:01:15 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/09/20 09:01:15 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/09/18 15:49:52 | 000,002,110 | ---- | M] () -- C:\Users\Public\Desktop\Adobe FormsCentral.lnk
[2013/09/18 15:49:52 | 000,001,996 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Acrobat XI Pro.lnk
[2013/09/16 08:25:45 | 000,001,103 | ---- | M] () -- C:\Users\robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2013/09/12 09:52:35 | 000,001,540 | RHS- | M] () -- C:\Users\robert\ntuser.pol

========== Files Created - No Company Name ==========

[2013/10/01 16:16:56 | 000,002,135 | ---- | C] () -- C:\Users\Public\Desktop\DWG TrueView 2014.lnk
[2013/09/18 15:49:52 | 000,002,453 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Pro.lnk
[2013/09/18 15:49:52 | 000,002,180 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe FormsCentral.lnk
[2013/09/18 15:49:52 | 000,002,110 | ---- | C] () -- C:\Users\Public\Desktop\Adobe FormsCentral.lnk
[2013/09/18 15:49:52 | 000,002,019 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
[2013/09/18 15:49:52 | 000,001,996 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Acrobat XI Pro.lnk
[2013/09/16 10:56:22 | 000,001,013 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Download Assistant.lnk
[2013/03/07 08:49:54 | 000,001,540 | RHS- | C] () -- C:\Users\robert\ntuser.pol
[2012/07/20 11:47:33 | 000,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2012/07/12 08:51:28 | 000,602,112 | ---- | C] () -- C:\Windows\System32\xvid.dll
[2011/12/03 21:41:44 | 000,000,111 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2011/12/03 21:38:46 | 000,002,412 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/12/03 10:51:19 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/10/13 12:34:08 | 000,667,280 | ---- | C] () -- C:\Windows\System32\tx12.dll
[2011/10/13 12:34:08 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini
[2011/10/13 12:34:08 | 000,000,186 | ---- | C] () -- C:\Windows\System32\Gsw32.exe.config

========== ZeroAccess Check ==========

[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/25 21:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 17:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

#2
gringo_pr

Posted 01 October 2013 - 07:26 PM

Trusted Helper

Malware Removal
7,268 posts

Hello scott IT by default

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo

#3
scott IT by default

Posted 02 October 2013 - 07:45 AM

Member

Topic Starter
Member
27 posts

Gringo,

Thanks for the help. I've run Adwcleaner and JRT as you instructed. I've attached the log file from JRT below, but for some reason I can't access the logfile for the adwcleaner. It must have saved the log in a network file that I can't find at the moment. Please bear with me, I'm not the greatest IT person in the world.

FYI - Most of the popups have stopped at this point.

REgards,

Scott

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.3 (09.27.2013:1)
OS: Windows 7 Professional x86
Ran by robert on Wed 10/02/2013 at 8:32:03.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\protector_dll.protectorbho.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{38495740-0035-4471-851E-F5BBB86AB085}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3365019221-73808524-846590435-15618\Software\Wajam
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\mypc backup
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0BCDB5C6-5176-4C18-868B-063FCDD023D0}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5BDB9F3D-1990-4CC7-A89F-3E29B8E1F63A}

~~~ Files

Successfully deleted: [File] C:\Windows\System32\Tasks\digitalsite
Successfully deleted: [File] C:\Windows\Tasks\digitalsite.job

~~~ Folders

Successfully deleted: [Folder] "C:\Users\robert\appdata\local\cre"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\open it!"

~~~ Chrome

Successfully deleted: [Folder] C:\Users\robert\appdata\local\Google\Chrome\User Data\Default\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Successfully deleted: [Folder] C:\Users\robert\appdata\local\Google\Chrome\User Data\Default\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
Successfully deleted: [Folder] C:\Users\robert\appdata\local\Google\Chrome\User Data\Default\Extensions\licjnkifamhpbaefhdpacpmihicfbomb

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 10/02/2013 at 8:34:56.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#4
gringo_pr

Posted 02 October 2013 - 08:03 AM

Trusted Helper

Malware Removal
7,268 posts

Hello scott IT by default

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

#5
scott IT by default

Posted 02 October 2013 - 09:13 AM

Member

Topic Starter
Member
27 posts

Gringo,

Ran combofix. Log below. Computer still running well at this point. No problems with combofix.

ComboFix 13-10-01.03 - robert 10/02/2013 10:59:09.1.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3062.1863 [GMT -4:00]
Running from: c:\users\robert\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\robert\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-09-02 to 2013-10-02 )))))))))))))))))))))))))))))))
.
.
2013-10-02 15:08 . 2013-10-02 15:12 -------- d-----w- c:\users\robert\AppData\Local\temp
2013-10-02 15:08 . 2013-10-02 15:08 -------- d-----w- c:\users\vladimir\AppData\Local\temp
2013-10-02 15:08 . 2013-10-02 15:08 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2013-10-02 15:08 . 2013-10-02 15:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-02 12:32 . 2013-10-02 12:32 -------- d-----w- c:\windows\ERUNT
2013-10-02 12:14 . 2013-10-02 12:14 -------- d-----w- c:\users\robert\AppData\Local\AVG SafeGuard toolbar
2013-10-02 12:14 . 2013-10-02 12:14 -------- d-----w- c:\users\robert\AppData\Roaming\0D0S1L2Z1P1B
2013-10-02 12:13 . 2013-10-02 12:13 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-10-02 12:13 . 2013-10-02 12:14 -------- d-----w- c:\programdata\AVG SafeGuard toolbar
2013-10-02 12:13 . 2013-10-02 12:13 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-10-02 12:12 . 2013-10-02 12:12 -------- d-----w- c:\users\robert\AppData\Local\GreatArcadeHits
2013-10-02 12:12 . 2013-10-02 12:12 -------- d-----w- c:\users\robert\AppData\Local\Programs
2013-10-01 21:45 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{54030124-AD7C-4EBF-A0C7-697603D502FF}\mpengine.dll
2013-10-01 20:12 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2013-10-01 20:12 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2013-10-01 20:12 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2013-10-01 20:12 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2013-09-30 12:25 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-18 19:57 . 2013-09-18 19:57 -------- d-----w- c:\users\robert\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
2013-09-18 19:50 . 2013-09-18 20:16 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2013-09-18 13:10 . 2013-09-18 13:10 -------- d-----w- C:\home
2013-09-18 13:04 . 2013-09-18 13:04 -------- d-----w- c:\users\robert\AppData\Roaming\TeamViewer
2013-09-16 14:56 . 2013-09-16 14:56 -------- d-----w- c:\users\robert\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2013-09-16 14:56 . 2013-09-16 14:56 -------- d-----w- c:\program files\Adobe Download Assistant
2013-09-06 12:53 . 2013-09-06 12:52 718712 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{439DC9A2-CCAA-4E00-9A93-96792976DD07}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 13:01 . 2012-06-08 11:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-20 13:01 . 2012-06-08 11:58 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-22 18:44 . 2012-02-10 08:09 697992 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-08-09 19:45 . 2013-08-09 19:45 58672 ----a-r- c:\users\robert\AppData\Roaming\Microsoft\Installer\{F93FBF42-F9D6-4397-BF20-8A4429F1893F}\ARPPRODUCTICON.exe
2013-07-25 08:57 . 2013-08-14 10:05 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41 . 2013-08-14 10:05 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03 . 2013-08-14 10:06 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03 . 2013-08-14 10:06 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53 . 2013-08-14 10:06 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52 . 2013-08-14 10:06 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50 . 2013-08-14 10:06 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46 . 2013-08-14 10:06 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46 . 2013-08-14 10:06 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46 . 2013-08-14 10:06 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-06 05:05 . 2013-08-14 10:05 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{D0C21091-FF8E-432C-9006-0540E81BA9D7}]
2013-08-14 07:17 321488 ----a-w- c:\users\robert\AppData\Local\GreatArcadeHits\GreatArcadeHitsIE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-07-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2013-05-31 2786104]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-09-05 3478392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2013-5-31 6258488]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-5-31 1176904]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe -keephidden [2011-8-26 2938736]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE -silent [2013-5-31 1182024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 cpdcvnuh;cpdcvnuh;c:\windows\system32\drivers\cpdcvnuh.sys [x]
R2 vToolbarUpdater17.0.12;vToolbarUpdater17.0.12;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-04 1343400]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-10-02 37664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2013-06-08 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-28 13624]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-10-13 1248256]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-21 19:14 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 13:01]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-26 13:54]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-26 13:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.11 8.8.8.8
TCP: Interfaces\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: NameServer = 192.168.1.11
DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} - hxxps://connect3.uc.att.com/EventEntry/Websites/res/Windows/AxWebInstaller.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Akamai NetSession Interface - c:\users\robert\AppData\Local\Akamai\netsession_win.exe
c:\users\robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk - c:\program files\MyPC Backup\MyPC Backup.exe
AddRemove-DigitalSite - c:\users\robert\AppData\Roaming\DigitalSite\UpdateProc\UpdateTask.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\taskhost.exe
c:\program files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
c:\program files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\sppsvc.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-10-02 11:18:17 - machine was rebooted
ComboFix-quarantined-files.txt 2013-10-02 15:18
ComboFix2.txt 2010-03-22 15:44
ComboFix3.txt 2010-03-22 14:34
ComboFix4.txt 2009-01-15 14:55
.
Pre-Run: 90,666,831,872 bytes free
Post-Run: 91,486,183,424 bytes free
.
- - End Of File - - BBCC5F9CBEBF8871D16D15B918E0FA94
A36C5E4F47E84449FF07ED3517B43A31

#6
gringo_pr

Posted 02 October 2013 - 09:37 AM

Trusted Helper

Malware Removal
7,268 posts

Hello scott IT by default

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\users\robert\AppData\Local\GreatArcadeHits

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

#7
scott IT by default

Posted 02 October 2013 - 10:22 AM

Member

Topic Starter
Member
27 posts

Gringo,

Log below. Computer running well. No problems.

ComboFix 13-10-01.03 - robert 10/02/2013 11:58:00.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3062.1941 [GMT -4:00]
Running from: c:\users\robert\Desktop\ComboFix.exe
Command switches used :: c:\users\robert\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\robert\AppData\Local\GreatArcadeHits
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome.manifest
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\application.js
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\overlay.xul
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\page.js
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\chrome\content\static.js
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\icon.png
c:\users\robert\AppData\Local\GreatArcadeHits\{B21F5E31-B8E8-41CD-B74C-168A71A10E49}\install.rdf
c:\users\robert\AppData\Local\GreatArcadeHits\application.ico
c:\users\robert\AppData\Local\GreatArcadeHits\cookies.js
c:\users\robert\AppData\Local\GreatArcadeHits\gahff.xpi
c:\users\robert\AppData\Local\GreatArcadeHits\GAHUninstaller.exe
c:\users\robert\AppData\Local\GreatArcadeHits\GAHUpdate.exe
c:\users\robert\AppData\Local\GreatArcadeHits\GreatArcadeHitsIE.dll
c:\users\robert\AppData\Local\GreatArcadeHits\Play Games online on GreatArcadeHits.com.url
c:\users\robert\AppData\Local\GreatArcadeHits\premium.pem
c:\users\robert\AppData\Local\GreatArcadeHits\static.js
c:\users\robert\AppData\Local\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-09-02 to 2013-10-02 )))))))))))))))))))))))))))))))
.
.
2013-10-02 16:06 . 2013-10-02 16:06 -------- d-----w- c:\users\vladimir\AppData\Local\temp
2013-10-02 16:06 . 2013-10-02 16:06 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2013-10-02 16:06 . 2013-10-02 16:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-10-02 16:06 . 2013-10-02 16:06 -------- d-----w- c:\users\administrator\AppData\Local\temp
2013-10-02 16:06 . 2013-10-02 16:06 -------- d-----w- c:\users\admin\AppData\Local\temp
2013-10-02 15:08 . 2013-10-02 16:08 -------- d-----w- c:\users\robert\AppData\Local\temp
2013-10-02 12:32 . 2013-10-02 12:32 -------- d-----w- c:\windows\ERUNT
2013-10-02 12:14 . 2013-10-02 12:14 -------- d-----w- c:\users\robert\AppData\Local\AVG SafeGuard toolbar
2013-10-02 12:14 . 2013-10-02 12:14 -------- d-----w- c:\users\robert\AppData\Roaming\0D0S1L2Z1P1B
2013-10-02 12:13 . 2013-10-02 12:13 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-10-02 12:13 . 2013-10-02 12:14 -------- d-----w- c:\programdata\AVG SafeGuard toolbar
2013-10-02 12:13 . 2013-10-02 12:13 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-10-02 12:12 . 2013-10-02 12:12 -------- d-----w- c:\users\robert\AppData\Local\Programs
2013-10-01 21:45 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{54030124-AD7C-4EBF-A0C7-697603D502FF}\mpengine.dll
2013-10-01 20:12 . 2010-06-02 08:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2013-10-01 20:12 . 2010-06-02 08:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2013-10-01 20:12 . 2010-06-02 08:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2013-10-01 20:12 . 2010-05-26 15:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2013-10-01 20:12 . 2010-05-26 15:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2013-09-30 12:25 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-18 19:57 . 2013-09-18 19:57 -------- d-----w- c:\users\robert\AppData\Roaming\com.adobe.formscentral.FormsCentralForAcrobat
2013-09-18 19:50 . 2013-09-18 20:16 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2013-09-18 13:10 . 2013-09-18 13:10 -------- d-----w- C:\home
2013-09-18 13:04 . 2013-09-18 13:04 -------- d-----w- c:\users\robert\AppData\Roaming\TeamViewer
2013-09-16 14:56 . 2013-09-16 14:56 -------- d-----w- c:\users\robert\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2013-09-16 14:56 . 2013-09-16 14:56 -------- d-----w- c:\program files\Adobe Download Assistant
2013-09-06 12:53 . 2013-09-06 12:52 718712 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{439DC9A2-CCAA-4E00-9A93-96792976DD07}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 13:01 . 2012-06-08 11:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-20 13:01 . 2012-06-08 11:58 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-22 18:44 . 2012-02-10 08:09 697992 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-08-09 19:45 . 2013-08-09 19:45 58672 ----a-r- c:\users\robert\AppData\Roaming\Microsoft\Installer\{F93FBF42-F9D6-4397-BF20-8A4429F1893F}\ARPPRODUCTICON.exe
2013-07-25 08:57 . 2013-08-14 10:05 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41 . 2013-08-14 10:05 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03 . 2013-08-14 10:06 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03 . 2013-08-14 10:06 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53 . 2013-08-14 10:06 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52 . 2013-08-14 10:06 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50 . 2013-08-14 10:06 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46 . 2013-08-14 10:06 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46 . 2013-08-14 10:06 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46 . 2013-08-14 10:06 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-06 05:05 . 2013-08-14 10:05 1293760 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-07-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2013-05-31 2786104]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-09-05 3478392]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2013-5-31 6258488]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-5-31 1176904]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe -keephidden [2011-8-26 2938736]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE -silent [2013-5-31 1182024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 cpdcvnuh;cpdcvnuh;c:\windows\system32\drivers\cpdcvnuh.sys [x]
R2 vToolbarUpdater17.0.12;vToolbarUpdater17.0.12;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-12-04 1343400]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-10-02 37664]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2013-06-08 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-28 13624]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-10-13 1248256]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-21 19:14 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 13:01]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-26 13:54]
.
2013-10-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-03-26 13:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.11 8.8.8.8
TCP: Interfaces\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: NameServer = 192.168.1.11
DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} - hxxps://connect3.uc.att.com/EventEntry/Websites/res/Windows/AxWebInstaller.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D0C21091-FF8E-432C-9006-0540E81BA9D7} - c:\users\robert\AppData\Local\GreatArcadeHits\GreatArcadeHitsIE.dll
c:\users\robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk - c:\program files\MyPC Backup\MyPC Backup.exe
AddRemove-{856AD396-519D-4C7A-BED6-6785F64924BC} - c:\users\robert\AppData\Local\GreatArcadeHits\GAHUninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\taskhost.exe
c:\program files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
c:\program files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2013-10-02 12:13:42 - machine was rebooted
ComboFix-quarantined-files.txt 2013-10-02 16:13
ComboFix2.txt 2013-10-02 15:18
ComboFix3.txt 2010-03-22 15:44
ComboFix4.txt 2010-03-22 14:34
ComboFix5.txt 2013-10-02 15:56
.
Pre-Run: 91,527,995,392 bytes free
Post-Run: 91,252,948,992 bytes free
.
- - End Of File - - 42EF5BA146D958C63B6057A2DD6B7F6B
A36C5E4F47E84449FF07ED3517B43A31

#8
gringo_pr

Posted 02 October 2013 - 11:04 AM

Trusted Helper

Malware Removal
7,268 posts

Hello scott IT by default

I would like to see a report that combofix makes.

extra combofix report

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

click ok

copy and paste the report into this topic for me to review

Gringo

#9
scott IT by default

Posted 02 October 2013 - 11:21 AM

Member

Topic Starter
Member
27 posts

Adobe Acrobat XI Pro
Adobe AIR
Adobe Download Assistant
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Autodesk DWG TrueView 2014
AVG SafeGuard toolbar
Backup Assistant Plus
Bonjour
Compatibility Pack for the 2007 Office system
DWG TrueView 2014
ffdshow [rev 2527] [2008-12-19]
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
GreatArcadeHits
iCloud
Intel® Graphics Media Accelerator Driver
iTunes
join.me
LogMeIn
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
QuickBooks
QuickBooks Enterprise Solutions 12.0
QuickTime
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VirtualCloneDrive
WModem Driver Installer
Zip Extractor Packages

#10
gringo_pr

Posted 02 October 2013 - 12:07 PM

Trusted Helper

Malware Removal
7,268 posts

Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

Adobe Reader X (10.1.6)
GreatArcadeHits

[/list]

Please download and install Revo Uninstaller Free

Double click Revo Uninstaller to run it.
From the list of programs double click on The Program to remove
When prompted if you want to uninstall click Yes.
Be sure the Moderate option is selected then click Next.
The program will run, If prompted again click Yes
when the built-in uninstaller is finished click on Next.
Once the program has searched for leftovers click Next.
Check/tick the bolded items only on the list then click Delete
when prompted click on Yes and then on next.
put a check on any folders that are found and select delete
when prompted select yes then on next
Once done click Finish.

.

Update Adobe reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com.../readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]

Clean Out Temp Files

This small application you may want to keep and use once a week to keep the computer clean.

Download CCleaner from here CCleaner
Run the installer to install the application.
When it gives you the option to install Yahoo toolbar uncheck the box next to it.
Run CCleaner. default settings are fine
Click Run Cleaner.
Close CCleaner.

Run Malwarebytes

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis program
Save HijackThis to your desktop.
Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
copy and paste hijackthis report into the topic

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

#11
scott IT by default

Posted 02 October 2013 - 01:29 PM

Member

Topic Starter
Member
27 posts

Gringo,

could not find or remove GreatArcadeHits. Removed Adobe Reader 10 as directed. Hijackthis and Mbam log below.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:33:36 PM, on 10/2/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16686)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
C:\Program Files\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_8_800_175_ActiveX.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\robert\Desktop\HijackThis.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe
C:\Windows\system32\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../?LinkId=255141
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: [email protected] - {8984B388-A5BB-4DF7-B274-77B879E179DB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe Acrobat Create PDF Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\QBW32.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - https://connect3.uc....ebInstaller.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=724
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtkuntz.local
O17 - HKLM\Software\..\Telephony: DomainName = rtkuntz.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: NameServer = 192.168.1.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtkuntz.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: NameServer = 192.168.1.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rtkuntz.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{5541E1AE-EAB1-46A2-AE60-10C91B64D4EE}: NameServer = 192.168.1.11
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 12.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
O23 - Service: vToolbarUpdater17.0.12 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.0.12\ToolbarUpdater.exe (file missing)

--
End of file - 8752 bytes

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.02.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16686
robert :: RTKUNTZ04 [administrator]

10/2/2013 3:21:13 PM
mbam-log-2013-10-02 (15-21-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294509
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} (PUP.Optional.DefaultTab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\robert\Downloads\Setup.exe (PUP.Optional.Solimba) -> Quarantined and deleted successfully.
C:\Users\robert\Downloads\Flash Player 12 (1).exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\robert\Downloads\Flash Player 12.exe (PUP.Optional.AirInstaller) -> Quarantined and deleted successfully.
C:\Users\robert\Downloads\FlashPlayer_V.63517543c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\robert\Downloads\FlashPlayer_V.63517958c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\robert\Downloads\FlashPlayer_V.63518986c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\robert\Downloads\Player_Setup.exe (PUP.OptionalBundleInstaller.A) -> Quarantined and deleted successfully.

(end)

#12
gringo_pr

Posted 02 October 2013 - 05:04 PM

Trusted Helper

Malware Removal
7,268 posts

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

Run HijackThis (rightclick and run as admin)
Click on the Scan button
Put a check beside all of the items listed below (if present):
- O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
  O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
  O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
  O4 - HKLM\..\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
  O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
  O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
  O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
  O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

NOTE**You can research each of those lines >here< and see if you want to keep them or not
just copy the name between the brackets and paste into the search space
O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
- Click Start
When asked, allow the add/on to be installed
- Click Start
Make sure that the option Remove found threats is unticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

When the scan is complete

If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

If threats were found
click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish
close program
copy and paste the report here

Gringo

#13
scott IT by default

Posted 03 October 2013 - 10:09 AM

Member

Topic Starter
Member
27 posts

Gringo,

ESET Scan results listed below.

C:\Users\robert\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe a variant of Win32/InstallCore.AZ application
C:\Users\robert\Downloads\ZipExtractorSetup.exe a variant of Win32/InstallCore.CW application
C:\Windows.old\Documents and Settings\brian\Local Settings\Temporary Internet Files\Content.IE5\M4YH4NJ3\erle[4].htm HTML/Iframe.B.Gen virus
C:\Windows.old\Windows\system32\otaxyzd.sys a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmp0_369500407052.bk.old a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmp0_75947873192.bk.old Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmp0_8167875780.bk.old a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmp6_236808543189.bk.old Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmp6_347883523553.bk.old a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_10382856955.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_107481788330.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_12231834213.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_124443379843.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_12515365005.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_139229344330.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_1402314252.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_143982279282.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_15191214831.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_155969240366.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_15993271336.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_161073859483.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_163264687819.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_170124801799.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_170336582928.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_174722381129.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_19000626109.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_202562105095.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_202655688962.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_208544584059.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_213136207845.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_222216537571.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_223306448099.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_235684661592.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_243634436310.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_26735249766.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_305078783653.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_30581519765.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_309641175213.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_314144215846.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_332694781077.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_334459704431.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_336244586704.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_341381348157.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_344608611595.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_347279312783.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_349778613723.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_370510123940.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_377132459649.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_382864807777.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_389785118792.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_39781585375.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_413031535826.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_42855455901.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_431134550683.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_432592384435.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_435943808559.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_43868577030.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_444322624995.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_447487843494.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_463607149629.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_464620270758.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_493201839196.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_493261482477.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_504557220999.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_506710418842.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_516984808362.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_528233482058.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_53482977262.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_541257671207.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_55434940127.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_554984458459.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_55580670990.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_557655159647.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_570799565243.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_580684665064.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_590189213298.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_590876495527.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_591087276656.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_593240654641.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_604401371277.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_608295640525.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_610757619837.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_615025550158.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_62035168126.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_633354417875.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_640321265755.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_640978139521.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_64251294091.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_653970687401.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_67593883799.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_702554754371.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_722882742582.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_727360655226.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_728758602855.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_730393768941.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_740451655754.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_755211398159.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_757217136935.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_763049808551.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_771518470961.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_775110719874.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_80056560162.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_814067532979.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_815492892976.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_828853497466.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_839782405697.bk Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_839825517563.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_84590816147.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_85958725114.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_869033425064.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_873383581731.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_8782899595.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_891305481687.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_90540730355.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_9470236789.bk a variant of Win32/Adware.Coolezweb application
C:\Windows.old\Windows\system32\tmpxr_9850598929.bk Win32/Adware.Coolezweb application

#14
gringo_pr

Posted 03 October 2013 - 08:12 PM

Trusted Helper

Malware Removal
7,268 posts

Hello scott IT by default

Most of what Eset found are part of an old install and is not active

delete files

Copy all text in the code box (below)...to Notepad.

@echo off
del /f /s /q "C:\Users\robert\AppData\Roaming\0D0S1L2Z1P1B\Zip Extractor Packages\uninstaller.exe"
del /f /s /q "C:\Users\robert\Downloads\ZipExtractorSetup.exe"
del %0

Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
It should look like this: <--XP<--vista
Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.

:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK.

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

turn off all active protection software
push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box ComboFix /Uninstall and click OK.
Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

As Java seems to get exploited on a daily basis I advise to disable java in your web browsers - How to disable java in your web browsers - Disable Java

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleges

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as 'perfect security'. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->