I've been infected by CryptoWall and no matter what I try I can't get rid of it. I've done many full scans with Malwarebytes in safe mode, and in normal boot mode after running RKill, and nothing is working. The dllhost.exe file seems to be the infected file, as Malwarebytes is constantly blocking outgoing transmissions from that file location and the dllhost.exe process takes up a lot of working memory in normal boot mode. On a possibly related note, I have upwards of 10 svchost.exe processes running at all times and I think this may be hindering the ability of RKill and/or Malwarebytes to detect malicious files. Please help.


Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin...


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2014 02

Ran by Chris (administrator) on CHRIS-PC on 12-06-2014 17:32:09

Running from C:\Users\Chris\Desktop

Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

 

The only official download link for FRST:

Download link from any site other than Bleeping Computer is unpermitted or outdated.

==================== Processes (Whitelisted) =================

 

(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe

(IObit) C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe

(Microsoft ® Corporation) C:\Users\Chris\Forefront UAG Remote Access Agent\mydocsocdsbca\portal1\uagqecsvc.exe

(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler64.exe

(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe

() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe

(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

() C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe

() C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE

(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe

(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Stardock Corporation) C:\Program Files\Dell\DellDock\DellDock.exe

(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

 

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8306208 2009-10-20] (Realtek Semiconductor)

HKLM\...\Run: [dleamon.exe] => C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe [770728 2010-08-09] ()

HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe [139944 2010-08-09] ()

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472992 2013-03-21] (Adobe Systems Incorporated)

HKLM\...\Run: [inreusuqhiwei] => "C:\Users\Chris\AppData\Roaming\Miimic\booseg.exe"

HKLM-x32\...\Run: [iAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [switchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)

HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [560128 2011-09-26] (Dell)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [719672 2012-01-20] (Microsoft Corporation)

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Run: [AdobeBridge] => [X]

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Run: [skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20472992 2013-10-02] (Skype Technologies S.A.)

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Run: [iLivid] => "C:\Users\Chris\AppData\Local\iLivid\iLivid.exe" -autorun

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Run: [inreusuqhiwei] => C:\Users\Chris\AppData\Roaming\Miimic\booseg.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Run: [syncMalwarebytes] => C:\Users\Chris\AppData\Roaming\Malwarebytes\syncMalwarebytes.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\Policies\Explorer: [HideSCAHealth] 1

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\MountPoints2: J - J:\PcOptions.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\MountPoints2: {4b1a762f-b562-11df-b40a-806e6f6e6963} - D:\eBook.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\MountPoints2: {644ea708-3017-11e0-a72b-002564874846} - J:\PcOptions.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\MountPoints2: {644ea841-3017-11e0-a72b-002564874846} - J:\PcOptions.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...\MountPoints2: {f0f04d25-a940-11e3-9479-002564874846} - E:\USBAutoRun.exe

HKU\S-1-5-21-1366849451-1050349464-438197190-1001\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-1366849451-1050349464-438197190-1001\$2333507468a4acc43a14ab15a99a5599\n. ATTENTION! ====> ZeroAccess?

Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML ()

Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT ()

InternetURL: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL -> https://kpai7ycr7jxqkilp.tor2www.com/7mah

Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk

ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk

ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

HKLM\...\AppCertDlls: [x86] -> C:\Program Files (x86)\Movies Toolbar\Datamngr\apcrtldr.dll <===== ATTENTION

HKLM\...\AppCertDlls: [x64] -> C:\Program Files (x86)\Movies Toolbar\Datamngr\x64\apcrtldr.dll <===== ATTENTION

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

URLSearchHook: HKCU - (No Name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No File

StartMenuInternet: IEXPLORE.EXE - iexplore.exe

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}

SearchScopes: HKLM-x32 - DefaultScope {D71B7DF8-B3A8-4083-BC55-D29A3EC6C345} URL = 

SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 

SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}

SearchScopes: HKLM-x32 - {BAFB89A9-9DCE-476B-893E-AFA8B14050E1} URL = ${SEARCH_URL}{searchTerms}

SearchScopes: HKCU - DefaultScope {D71B7DF8-B3A8-4083-BC55-D29A3EC6C345} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3286042&CUI=UN31295965011771205&UM=2

SearchScopes: HKCU - DB5183D506EE4C3A8E51C8A8DB15801D URL = http://ca.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo

SearchScopes: HKCU - {6FBCED1F-DBB6-4A82-B40E-3E11C7BA171D} URL = 

SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={FA573AD2-C8C8-482A-9E88-C2575CA36F29}&mid=45d79893d12c47d1b51ed16c2263a1b5-385b88986c0b5c1e5021c227e80c281c2ba5a181&lang=en&ds=AVG&pr=fr&d=2012-09-18 17:23:19&v=10.0.0.7&sap=dsp&q={searchTerms}

SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=164&systemid=406&sr=0&q={searchTerms}

SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = 

SearchScopes: HKCU - {BAFB89A9-9DCE-476B-893E-AFA8B14050E1} URL = http://www.dogpile.com/search/web?fcoid=417&fcop=topnav&fpid=27&ql=&q={searchTerms}

SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80399&lng=en

BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll (AVG Technologies CZ, s.r.o.)

BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)

BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO-x32: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)

BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File

Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File

Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File

Toolbar: HKCU - No Name - {B2ED7FAF-72A0-46D1-9D9D-602226F5CB9F} -  No File

DPF: HKLM-x32 {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab

DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: HKLM-x32 {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/PCMagnum/controls/PCPitstop2.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)

Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)

Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)

Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)

Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Tcpip\..\Interfaces\{5FDCD26F-CAC0-42C6-8187-04C5B8D78E62}: [NameServer]8.8.8.8,8.8.8.8

 

FireFox:

========

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)

FF Plugin: adobe.com/AdobeExManDetect - C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll (Adobe Systems)

FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll ()

FF Plugin-x32: @java.com/DTPlugin,version=10.11.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.11.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE - disabled No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin-x32: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll No File

FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File

FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: adobe.com/AdobeAAMDetect - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)

FF Plugin-x32: adobe.com/AdobeExManDetect - C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)

FF Plugin HKCU: @doubletwist.com/NPPodcast - C:\Program Files (x86)\Common Files\doubleTwist\NPPodcast.dll No File

FF HKLM-x32\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files (x86)\AVG\AVG2012\Firefox4\

FF Extension: AVG Safe Search - C:\Program Files (x86)\AVG\AVG2012\Firefox4\ []

FF HKLM-x32\...\Firefox\Extensions: [seeSimilar@SeeSimilar.com] - C:\Users\Chris\AppData\Roaming\Mozilla\Extensions\SeeSimilar@SeeSimilar.com

FF Extension: SeeSimilar - C:\Users\Chris\AppData\Roaming\Mozilla\Extensions\SeeSimilar@SeeSimilar.com [2013-08-22]

FF HKCU\...\Firefox\Extensions: [seeSimilar@SeeSimilar.com] - C:\Users\Chris\AppData\Roaming\Mozilla\Extensions\SeeSimilar@SeeSimilar.com

FF Extension: SeeSimilar - C:\Users\Chris\AppData\Roaming\Mozilla\Extensions\SeeSimilar@SeeSimilar.com [2013-08-22]

FF StartMenuInternet: FIREFOX.EXE - firefox.exe

 

Chrome: 

=======

CHR Extension: (Google Docs) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-02-19]

CHR Extension: (Google Drive) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-19]

CHR Extension: (YouTube) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-02-19]

CHR Extension: (Google Search) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-02-19]

CHR Extension: (AdBlock) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-02-23]

CHR Extension: (Hola Better Internet) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2014-03-29]

CHR Extension: (Reddit Enhancement Suite) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2014-03-12]

CHR Extension: (Google Wallet) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-30]

CHR Extension: (Gmail) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-08-30]

CHR HKCU\...\Chrome\Extension: [apjkpjchfbckhjhokinlgdbmibpbbjak] - C:\Users\Chris\AppData\Local\CRE\apjkpjchfbckhjhokinlgdbmibpbbjak.crx [2013-08-30]

CHR HKCU\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Chris\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx [2013-08-30]

CHR HKLM-x32\...\Chrome\Extension: [cdjbnddbclciabnckgeahmneohjlahdm] - C:\Users\Chris\AppData\Local\d7a09920-b80e-4324-a969-cf75616342d9.crx [2013-08-30]

CHR HKLM-x32\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files (x86)\AVG\AVG2012\Chrome\safesearch.crx [2011-12-21]

CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]

CHR HKLM-x32\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Chris\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx [2013-05-14]

 

==================== Services (Whitelisted) =================

 

S4 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [4433248 2011-10-12] (AVG Technologies CZ, s.r.o.)

S4 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [192776 2011-08-02] (AVG Technologies CZ, s.r.o.)

S4 dlea_device; C:\Windows\system32\dleacoms.exe [1052328 2010-05-21] ( )

S4 dlea_device; C:\Windows\SysWOW64\dleacoms.exe [598696 2010-05-21] ( )

R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)

R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)

S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]

R2 uagqecsvc; C:\Users\Chris\Forefront UAG Remote Access Agent\mydocsocdsbca\portal1\uagqecsvc.exe [146312 2013-01-21] (Microsoft ® Corporation)

 

==================== Drivers (Whitelisted) ====================

 

R1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [22600 2013-03-06] (AVAST Software)

S3 hwmobilehsn; C:\Windows\System32\DRIVERS\hwmob01.sys [120960 2009-07-08] (QUALCOMM Incorporated)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-06-12] (Malwarebytes Corporation)

R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)

S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)

S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)

R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()

S3 cpuz134; \??\C:\Users\Chris\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]

S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]

S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]

S2 iPodDrv; \??\C:\Windows\system32\drivers\iPodDrv.sys [X]

S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2014-06-12 17:32 - 2014-06-12 17:33 - 00025170 _____ () C:\Users\Chris\Desktop\FRST.txt

2014-06-12 16:52 - 2014-06-12 16:53 - 00037068 _____ () C:\Users\Chris\Desktop\Addition.txt

2014-06-12 16:48 - 2014-06-12 17:32 - 00000000 ____D () C:\FRST

2014-06-12 16:48 - 2014-06-12 16:48 - 02081792 _____ (Farbar) C:\Users\Chris\Desktop\FRST64.exe

2014-06-12 16:47 - 2014-06-12 16:54 - 00002926 _____ () C:\Users\Chris\Desktop\Rkill.txt

2014-06-12 16:47 - 2014-06-12 16:47 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Chris\Desktop\rkill64.com

2014-06-11 17:19 - 2014-06-11 17:19 - 01940216 _____ (Bleeping Computer, LLC) C:\Users\Chris\Desktop\rkill.com

2014-06-11 16:32 - 2014-06-12 17:29 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-06-11 16:32 - 2014-06-11 20:57 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-06-11 16:32 - 2014-06-11 16:32 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-06-11 16:32 - 2014-06-11 16:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-06-11 16:32 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-06-11 16:32 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-06-11 16:32 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-06-11 16:29 - 2014-06-11 16:29 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Chris\Downloads\mbam-setup-2.0.2.1012.exe

2014-06-10 16:34 - 2014-06-10 17:37 - 00025088 _____ () C:\Users\Chris\Downloads\ClimateChangeSummative

2014-06-09 19:05 - 2014-06-09 19:05 - 00000086 _____ () C:\dleaPpx.log

2014-06-09 16:56 - 2014-06-09 16:56 - 01679570 _____ () C:\ProgramData\SPL7B29.tmp

2014-06-09 15:55 - 2014-06-09 19:02 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP

2014-06-09 11:13 - 2014-06-09 11:13 - 00003094 _____ () C:\Windows\System32\Tasks\{0C9ED80C-98C6-4ACA-9A4E-74FF27816ED6}

2014-06-08 20:27 - 2014-06-12 16:52 - 00023585 _____ () C:\ProgramData\dlea.log

2014-06-08 20:13 - 2014-06-08 20:13 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Chris\Documents\sh-remover.exe

2014-06-08 14:58 - 2014-06-08 14:58 - 00000000 ____D () C:\Windows\pss

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\Chris\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\Chris\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\Chris\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\DECRYPT_INSTRUCTION.URL

2014-06-06 18:29 - 2014-06-06 18:29 - 00008116 _____ () C:\Users\Chris\Downloads\DECRYPT_INSTRUCTION.HTML

2014-06-06 18:29 - 2014-06-06 18:29 - 00004062 _____ () C:\Users\Chris\Downloads\DECRYPT_INSTRUCTION.TXT

2014-06-06 18:29 - 2014-06-06 18:29 - 00000264 _____ () C:\Users\Chris\Downloads\DECRYPT_INSTRUCTION.URL

2014-06-06 18:27 - 2014-06-06 18:27 - 00008116 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.HTML

2014-06-06 18:27 - 2014-06-06 18:27 - 00004062 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT

2014-06-06 18:27 - 2014-06-06 18:27 - 00000264 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.URL

2014-06-06 17:07 - 2014-06-06 17:07 - 00008116 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:07 - 2014-06-06 17:07 - 00008116 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:07 - 2014-06-06 17:07 - 00004062 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:07 - 2014-06-06 17:07 - 00004062 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:07 - 2014-06-06 17:07 - 00000264 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.URL

2014-06-06 17:07 - 2014-06-06 17:07 - 00000264 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL

2014-06-06 17:00 - 2014-06-06 17:00 - 00008116 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:00 - 2014-06-06 17:00 - 00008116 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:00 - 2014-06-06 17:00 - 00004062 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:00 - 2014-06-06 17:00 - 00004062 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:00 - 2014-06-06 17:00 - 00000264 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.URL

2014-06-06 17:00 - 2014-06-06 17:00 - 00000264 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL

2014-06-06 16:51 - 2014-06-08 17:30 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Miimic

2014-06-06 16:51 - 2014-06-06 16:51 - 00003810 _____ () C:\Windows\System32\Tasks\Security Center Update - 2845511889

2014-05-28 18:19 - 2014-06-07 16:04 - 00000000 ____D () C:\Users\Public\Documents\Adobe

2014-05-28 18:19 - 2014-06-06 17:01 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2014-05-24 18:19 - 2014-05-24 18:19 - 00003094 _____ () C:\Windows\System32\Tasks\{F63CEE15-18AC-40AB-B191-6815257360AA}

 

==================== One Month Modified Files and Folders =======

 

2014-06-12 17:33 - 2014-06-12 17:32 - 00025170 _____ () C:\Users\Chris\Desktop\FRST.txt

2014-06-12 17:33 - 2010-09-11 15:28 - 00000000 ____D () C:\Users\Chris\AppData\Local\Temp

2014-06-12 17:32 - 2014-06-12 16:48 - 00000000 ____D () C:\FRST

2014-06-12 17:30 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-06-12 17:30 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-06-12 17:29 - 2014-06-11 16:32 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-06-12 17:29 - 2011-01-18 08:55 - 00349163 _____ () C:\ProgramData\dleascan.log

2014-06-12 17:28 - 2010-08-31 19:20 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks

2014-06-12 17:28 - 2010-08-31 19:20 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks

2014-06-12 17:28 - 2010-08-31 19:00 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup

2014-06-12 17:27 - 2012-08-19 20:35 - 00259725 _____ () C:\Windows\setupact.log

2014-06-12 17:27 - 2012-02-24 18:06 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-06-12 17:27 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-06-12 17:11 - 2009-07-14 01:10 - 01903724 _____ () C:\Windows\WindowsUpdate.log

2014-06-12 17:02 - 2010-12-19 21:57 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Skype

2014-06-12 16:58 - 2010-09-11 15:40 - 00000000 ____D () C:\ProgramData\Microsoft Help

2014-06-12 16:54 - 2014-06-12 16:47 - 00002926 _____ () C:\Users\Chris\Desktop\Rkill.txt

2014-06-12 16:53 - 2014-06-12 16:52 - 00037068 _____ () C:\Users\Chris\Desktop\Addition.txt

2014-06-12 16:52 - 2014-06-08 20:27 - 00023585 _____ () C:\ProgramData\dlea.log

2014-06-12 16:48 - 2014-06-12 16:48 - 02081792 _____ (Farbar) C:\Users\Chris\Desktop\FRST64.exe

2014-06-12 16:47 - 2014-06-12 16:47 - 01061112 _____ (Bleeping Computer, LLC) C:\Users\Chris\Desktop\rkill64.com

2014-06-12 16:18 - 2012-02-24 18:06 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-06-11 21:33 - 2012-08-19 20:35 - 00123718 _____ () C:\Windows\PFRO.log

2014-06-11 21:13 - 2013-10-26 17:13 - 00000290 _____ () C:\Windows\Tasks\Dealply.job

2014-06-11 20:58 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\PolicyDefinitions

2014-06-11 20:57 - 2014-06-11 16:32 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-06-11 20:44 - 2012-05-05 18:36 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-06-11 17:19 - 2014-06-11 17:19 - 01940216 _____ (Bleeping Computer, LLC) C:\Users\Chris\Desktop\rkill.com

2014-06-11 16:32 - 2014-06-11 16:32 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-06-11 16:32 - 2014-06-11 16:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-06-11 16:32 - 2012-09-18 16:44 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-06-11 16:29 - 2014-06-11 16:29 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Chris\Downloads\mbam-setup-2.0.2.1012.exe

2014-06-11 16:26 - 2012-09-18 16:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-06-11 11:22 - 2010-10-07 14:15 - 00000000 ____D () C:\Users\Chris\AppData\Local\Adobe

2014-06-10 17:46 - 2013-12-16 19:27 - 00000000 ____D () C:\Users\Chris\Documents\Adam School

2014-06-10 17:45 - 2011-01-18 09:00 - 00000000 ____D () C:\ProgramData\dl_Cats

2014-06-10 17:37 - 2014-06-10 16:34 - 00025088 _____ () C:\Users\Chris\Downloads\ClimateChangeSummative

2014-06-09 19:05 - 2014-06-09 19:05 - 00000086 _____ () C:\dleaPpx.log

2014-06-09 19:02 - 2014-06-09 15:55 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP

2014-06-09 16:56 - 2014-06-09 16:56 - 01679570 _____ () C:\ProgramData\SPL7B29.tmp

2014-06-09 11:13 - 2014-06-09 11:13 - 00003094 _____ () C:\Windows\System32\Tasks\{0C9ED80C-98C6-4ACA-9A4E-74FF27816ED6}

2014-06-08 20:13 - 2014-06-08 20:13 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Chris\Documents\sh-remover.exe

2014-06-08 17:30 - 2014-06-06 16:51 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Miimic

2014-06-08 14:58 - 2014-06-08 14:58 - 00000000 ____D () C:\Windows\pss

2014-06-08 14:37 - 2011-01-26 20:03 - 00065060 _____ () C:\ProgramData\dleaJSW.log

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\Users\Chris\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00008118 _____ () C:\DECRYPT_INSTRUCTION.HTML

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\Users\Chris\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00004064 _____ () C:\DECRYPT_INSTRUCTION.TXT

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\Public\Documents\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\Users\Chris\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-06-07 16:04 - 00000266 _____ () C:\DECRYPT_INSTRUCTION.URL

2014-06-07 16:04 - 2014-05-28 18:19 - 00000000 ____D () C:\Users\Public\Documents\Adobe

2014-06-07 16:04 - 2010-09-11 15:28 - 00000000 ___RD () C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

2014-06-07 16:04 - 2010-09-11 15:28 - 00000000 ____D () C:\Users\Chris

2014-06-06 19:25 - 2010-10-10 15:22 - 00000000 ____D () C:\Users\Chris\Shared

2014-06-06 18:38 - 2013-02-27 17:44 - 00000000 ___RD () C:\Users\Chris\Dropbox

2014-06-06 18:38 - 2013-01-21 21:05 - 00000000 ____D () C:\Users\Chris\Forefront UAG Remote Access Agent

2014-06-06 18:38 - 2010-10-10 15:22 - 00000000 ____D () C:\Users\Chris\Incomplete

2014-06-06 18:29 - 2014-06-06 18:29 - 00008116 _____ () C:\Users\Chris\Downloads\DECRYPT_INSTRUCTION.HTML

2014-06-06 18:29 - 2014-06-06 18:29 - 00004062 _____ () C:\Users\Chris\Downloads\DECRYPT_INSTRUCTION.TXT

2014-06-06 18:29 - 2014-06-06 18:29 - 00000264 _____ () C:\Users\Chris\Downloads\DECRYPT_INSTRUCTION.URL

2014-06-06 18:29 - 2014-04-26 13:48 - 00008472 _____ () C:\Users\Chris\Downloads\MovieReview-ResearchNotes.odt

2014-06-06 18:29 - 2014-04-21 08:45 - 06624792 _____ () C:\Users\Chris\Downloads\Happy_Republic_Day_to_Banana_Republic.pps

2014-06-06 18:29 - 2014-01-19 18:24 - 00020504 _____ () C:\Users\Chris\Downloads\Summative-PartB.odt

2014-06-06 18:29 - 2013-11-20 20:01 - 00763672 _____ () C:\Users\Chris\Downloads\WritingKillerThesisStatements.ppt

2014-06-06 18:29 - 2013-09-18 19:55 - 00016664 _____ () C:\Users\Chris\Downloads\WW1 Journal Project.odt

2014-06-06 18:28 - 2014-05-07 20:42 - 03585560 _____ () C:\Users\Chris\Downloads\Ancient Greece - The Persian and Peloponnesian Wars.ppt

2014-06-06 18:28 - 2014-04-09 16:14 - 00015896 _____ () C:\Users\Chris\Downloads\Disease Project.odt

2014-06-06 18:28 - 2014-01-08 19:48 - 00000280 _____ () C:\Users\Chris\Downloads\Creative Project.txt

2014-06-06 18:28 - 2013-10-08 14:19 - 00000000 ____D () C:\Users\Chris\Downloads\ADayToRemember-CommonCourtesy

2014-06-06 18:27 - 2014-06-06 18:27 - 00008116 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.HTML

2014-06-06 18:27 - 2014-06-06 18:27 - 00004062 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.TXT

2014-06-06 18:27 - 2014-06-06 18:27 - 00000264 _____ () C:\Users\Chris\Documents\DECRYPT_INSTRUCTION.URL

2014-06-06 18:27 - 2011-12-30 02:28 - 00000000 ____D () C:\Users\Chris\Documents\Word Files

2014-06-06 18:23 - 2012-03-12 21:43 - 00000000 ____D () C:\Users\Chris\Documents\VideoCopilot

2014-06-06 18:17 - 2012-11-24 21:39 - 00000000 ____D () C:\Users\Chris\Documents\Random

2014-06-06 17:45 - 2013-09-11 16:53 - 00000000 ____D () C:\Users\Chris\Documents\Josh Resume

2014-06-06 17:45 - 2013-03-20 20:59 - 00000000 ____D () C:\Users\Chris\Documents\Anti-Malware

2014-06-06 17:45 - 2012-12-13 17:24 - 00000000 ____D () C:\Users\Chris\Documents\Adobe

2014-06-06 17:45 - 2012-01-11 23:16 - 00002840 _____ () C:\Users\Chris\Documents\Atticus Sketch.txt

2014-06-06 17:45 - 2012-01-11 23:15 - 00003608 _____ () C:\Users\Chris\Documents\Jem Sketch.txt

2014-06-06 17:44 - 2014-02-16 04:34 - 00000000 ____D () C:\Users\Chris\Desktop\New folder

2014-06-06 17:44 - 2013-03-20 19:08 - 00000000 ____D () C:\Users\Chris\Desktop\Sparticus Workout

2014-06-06 17:44 - 2012-09-18 18:04 - 00000000 ____D () C:\Users\Chris\Desktop\Editing

2014-06-06 17:07 - 2014-06-06 17:07 - 00008116 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:07 - 2014-06-06 17:07 - 00008116 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:07 - 2014-06-06 17:07 - 00004062 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:07 - 2014-06-06 17:07 - 00004062 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:07 - 2014-06-06 17:07 - 00000264 _____ () C:\Users\Chris\AppData\Roaming\DECRYPT_INSTRUCTION.URL

2014-06-06 17:07 - 2014-06-06 17:07 - 00000264 _____ () C:\Users\Chris\AppData\DECRYPT_INSTRUCTION.URL

2014-06-06 17:07 - 2013-11-13 19:16 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\TeamViewer

2014-06-06 17:07 - 2012-02-09 21:20 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Sony

2014-06-06 17:03 - 2012-09-18 16:44 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Malwarebytes

2014-06-06 17:03 - 2012-05-05 18:54 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Real

2014-06-06 17:03 - 2011-12-30 02:24 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\MAXON

2014-06-06 17:03 - 2011-09-21 20:18 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\IObit

2014-06-06 17:03 - 2011-09-08 21:36 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\saves

2014-06-06 17:03 - 2010-10-10 15:21 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\MP3Rocket

2014-06-06 17:01 - 2014-05-28 18:19 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2014-06-06 17:01 - 2012-11-04 19:17 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Gyazo

2014-06-06 17:01 - 2012-03-05 15:27 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant

2014-06-06 17:01 - 2011-11-23 19:55 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\.minecraft

2014-06-06 17:01 - 2010-10-10 15:17 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Apple Computer

2014-06-06 17:01 - 2010-09-11 16:50 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Adobe

2014-06-06 17:00 - 2014-06-06 17:00 - 00008116 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:00 - 2014-06-06 17:00 - 00008116 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML

2014-06-06 17:00 - 2014-06-06 17:00 - 00004062 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:00 - 2014-06-06 17:00 - 00004062 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT

2014-06-06 17:00 - 2014-06-06 17:00 - 00000264 _____ () C:\Users\Chris\AppData\Local\DECRYPT_INSTRUCTION.URL

2014-06-06 17:00 - 2014-06-06 17:00 - 00000264 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL

2014-06-06 17:00 - 2013-09-10 11:39 - 00000000 __HDC () C:\ProgramData\{0F0BAF8F-D9EA-46BA-9C33-0B28FF5413CC}

2014-06-06 17:00 - 2012-08-19 21:56 - 00000000 ____D () C:\Twixtor5AEManual

2014-06-06 17:00 - 2012-02-09 21:21 - 00000000 ____D () C:\Users\Chris\AppData\Local\Sony

2014-06-06 17:00 - 2011-08-18 14:50 - 00000000 ____D () C:\Users\Chris\AppData\Local\Babylon

2014-06-06 17:00 - 2011-02-04 01:40 - 00000000 ____D () C:\Users\Chris\AppData\Local\doubleTwist Corporation

2014-06-06 17:00 - 2010-10-10 15:17 - 00000000 ____D () C:\Users\Chris\AppData\Local\Apple Computer

2014-06-06 17:00 - 2010-10-10 15:17 - 00000000 ____D () C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}

2014-06-06 17:00 - 2010-09-18 22:40 - 00000000 ____D () C:\Users\Chris\AppData\Local\Microsoft Games

2014-06-06 17:00 - 2010-09-11 16:50 - 00000000 ____D () C:\Users\Chris\AppData\Local\Google

2014-06-06 16:57 - 2011-05-15 14:20 - 00000000 ____D () C:\ProgramData\Skype Extras

2014-06-06 16:57 - 2010-08-31 19:07 - 00000000 ____D () C:\ProgramData\Sonic

2014-06-06 16:57 - 2010-08-31 19:07 - 00000000 ____D () C:\ProgramData\Skype

2014-06-06 16:56 - 2013-10-08 14:01 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69

2014-06-06 16:56 - 2011-09-21 20:20 - 00000000 ____D () C:\ProgramData\IObit

2014-06-06 16:56 - 2010-08-31 19:10 - 00000000 ____D () C:\ProgramData\Dell

2014-06-06 16:51 - 2014-06-06 16:51 - 00003810 _____ () C:\Windows\System32\Tasks\Security Center Update - 2845511889

2014-06-06 16:50 - 2012-12-02 18:15 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt

2014-05-24 18:19 - 2014-05-24 18:19 - 00003094 _____ () C:\Windows\System32\Tasks\{F63CEE15-18AC-40AB-B191-6815257360AA}

2014-05-23 20:19 - 2014-02-19 21:24 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

2014-05-15 07:58 - 2009-07-14 01:13 - 00726270 _____ () C:\Windows\system32\PerfStringBackup.INI

 

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$2333507468a4acc43a14ab15a99a5599

 

Some content of TEMP:

====================

C:\Users\Chris\AppData\Local\Temp\a8wn5hiv.dll

C:\Users\Chris\AppData\Local\Temp\ASCSetup.exe

C:\Users\Chris\AppData\Local\Temp\avguidx.dll

C:\Users\Chris\AppData\Local\Temp\BundleSweetIMSetup.exe

C:\Users\Chris\AppData\Local\Temp\CommonInstaller.exe

C:\Users\Chris\AppData\Local\Temp\conduitinstaller.exe

C:\Users\Chris\AppData\Local\Temp\Delta.exe

C:\Users\Chris\AppData\Local\Temp\DeltaTB.exe

C:\Users\Chris\AppData\Local\Temp\iGearedHelper.dll

C:\Users\Chris\AppData\Local\Temp\MachineIdCreator.exe

C:\Users\Chris\AppData\Local\Temp\MybabylonTB.exe

C:\Users\Chris\AppData\Local\Temp\NGM.exe

C:\Users\Chris\AppData\Local\Temp\NGMDll.dll

C:\Users\Chris\AppData\Local\Temp\NGMResource.dll

C:\Users\Chris\AppData\Local\Temp\o47qqyrt.dll

C:\Users\Chris\AppData\Local\Temp\propsys.dll

C:\Users\Chris\AppData\Local\Temp\ro7ikuep.dll

C:\Users\Chris\AppData\Local\Temp\SHSetup.exe

C:\Users\Chris\AppData\Local\Temp\SkypeSetup.exe

C:\Users\Chris\AppData\Local\Temp\ToolbarInstaller.exe

C:\Users\Chris\AppData\Local\Temp\UNINSTALL.EXE

C:\Users\Chris\AppData\Local\Temp\WSSetup.exe

 

 

==================== Bamital & volsnap Check =================

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-06-08 00:49

 

==================== End Of Log ============================

Addition.txt


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Open Malwarebytes 2.0, run a Threat Scan

 


On the Dashboard, click the 'Update Now >>' link
After the update completes, click the 'Scan Now >>' button.
Or, on the Dashboard, click the Scan Now >> button.
If an update is available, click the Update Now button.
A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In most cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.

 


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply.

 

Let me see those logs, let me know if there are any remaining issues or concerns.

 

Kevin

 

 

 

 

fixlist.txt


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


I started one scan on MBAM and then had to stop and do another but here are the logs of both starting with the first and attached you'll find the fixlog.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 29/06/2014
Scan Time: 3:23:26 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.06.29.08
Rootkit Database: v2014.06.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Chris
 
Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 50442
Time Elapsed: 3 min, 31 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 2
PUP.Optional.Babylon.A, HKU\S-1-5-21-1366849451-1050349464-438197190-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}, Quarantined, [73c94935e5963cfa16d9c87f3ec4c13f], 
PUP.Optional.InboxToolBar.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}, Quarantined, [9ca081fd4d2e04327f10ff49f0120df3], 
 
Registry Values: 2
PUP.Optional.InboxToolBar.A, HKU\S-1-5-21-1366849451-1050349464-438197190-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS|{D3D233D5-9F6D-436C-B6C7-E63F77503B30}, Quarantined, [9ca081fd4d2e04327f10ff49f0120df3], 
PUP.Optional.InboxToolBar.A, HKU\S-1-5-21-1366849451-1050349464-438197190-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}, Quarantined, [e05c2856ee8da591b2ddbb8ddb2734cc], 
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 29/06/2014
Scan Time: 3:30:44 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.06.29.08
Rootkit Database: v2014.06.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Chris
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 437165
Time Elapsed: 1 hr, 12 min, 48 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

Fixlog.txt


What is the current status of your system, any remaining issues or concerns?

 

Run the following:

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8: right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats" is UNticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs)

Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, reboot your PC then try again...

 

Let me see both logs....


Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Post back the report which should be located on your desktop.

 

Kevin...


RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software





 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : Chris [Admin rights]

Mode : Scan -- Date : 07/02/2014  18:39:22

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 13 ¤¤¤

[PUM.SysRestore] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> FOUND

[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> FOUND

[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

 

¤¤¤ Scheduled tasks : 4 ¤¤¤

[suspicious.Path] Dealply.job -- C:\Users\Chris\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND

[suspicious.Path] \\{6529A849-E8D5-4E0C-B7BF-D72EC0AC4321} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E75N730M\FDMSetup[1].exe" -d C:\Users\Chris\Desktop) -> FOUND

[suspicious.Path] \\{91C62E32-B4CE-44DA-AEA4-4698EDC782A9} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Chris\Downloads\Win7Vista_151718.exe -d C:\Users\Chris\Downloads) -> FOUND

[Rogue.AntiSpy-ST] \\{93C8CFA1-DDD6-4ACD-AFCC-BA4E258D5AE0} -- C:\Windows\system32\pcalua.exe (-a C:\ProgramData\0C1CFB130048318915B3DB29F875F002\0C1CFB130048318915B3DB29F875F002.exe -c -u) -> FOUND

 

¤¤¤ Files : 0 ¤¤¤

 

¤¤¤ HOSTS File : 0 ¤¤¤

 

¤¤¤ Antirootkit : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKS-75V0A0 ATA Device +++++

--- User ---

[MBR] 4151d6eec81fdd72f78c5ff1ffcbd14b

[bSP] 4556c1c5d7172108693fe5d86725391e : HP MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 11718 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 24080384 | Size: 465181 MB

User = LL1 ... OK

User = LL2 ... OK

 

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

 

+++++ PhysicalDrive5: Dell USB Mass Storage USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

Read the following link before we continue and run Combofix:

 

ComboFix usage, Questions, Help? - Look here

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

http://www.infospyware.net/antimalware/combofix/

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the combofix.gif icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post the log in next reply please...

 

Kevin


ComboFix 14-07-03.01 - Chris 03/07/2014  11:06:50.1.2 - x64

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3037.2023 [GMT -4:00]

Running from: c:\users\Chris\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 * Created a new restore point

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\END

C:\prefs.js

c:\program files (x86)\DealPly

c:\program files (x86)\DealPly\uninst.exe

c:\program files (x86)\Java\jre7\bin\jp2ssv.dll

c:\programdata\SPL35D.tmp

c:\programdata\SPL6853.tmp

c:\programdata\SPL6A65.tmp

c:\programdata\SPL7B29.tmp

c:\programdata\SPL8565.tmp

c:\users\Chris\AppData\Local\ewr.exe

c:\users\Chris\AppData\Local\fmn.exe

c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{0487AB94-B62F-449F-B3D2-F7E9C9A58D40}.xps

c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{15159326-FECD-44E4-A97B-F22948A42AE6}.xps

c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B2EEF312-1CFF-40C6-BA02-0F8B1700FD37}.xps

c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DFBFBCE3-636F-48AE-8695-B3703B736E44}.xps

c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{EEC9DCAF-0056-4BEC-BCDB-C0A89D33DFC9}.xps

c:\users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F6F5814A-50C8-4D1C-9459-B8BA4A1B00CC}.xps

c:\users\Chris\AppData\Roaming\SearchProtect

.

.

(((((((((((((((((((((((((   Files Created from 2014-06-03 to 2014-07-03  )))))))))))))))))))))))))))))))

.

.

2014-07-03 15:27 . 2014-07-03 15:27 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-07-02 22:32 . 2014-07-02 22:32 -------- d-----w- c:\programdata\RogueKiller

2014-06-29 19:21 . 2014-06-30 17:13 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-06-29 19:21 . 2014-06-29 19:21 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware

2014-06-29 19:21 . 2014-05-12 11:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-06-29 19:21 . 2014-05-12 11:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-06-29 19:21 . 2014-05-12 11:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-06-16 14:33 . 2014-06-16 14:33 -------- d-sh--w- c:\users\Chris\AppData\Local\EmieUserList

2014-06-16 14:33 . 2014-06-16 14:33 -------- d-sh--w- c:\users\Chris\AppData\Local\EmieSiteList

2014-06-15 12:15 . 2013-11-23 18:26 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll

2014-06-15 12:15 . 2013-11-23 17:47 465920 ----a-w- c:\windows\system32\WMPhoto.dll

2014-06-15 12:15 . 2014-05-30 09:11 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2014-06-15 12:15 . 2013-12-24 23:09 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2014-06-15 12:15 . 2013-12-24 22:48 2565120 ----a-w- c:\windows\system32\d3d10warp.dll

2014-06-15 12:15 . 2013-11-26 08:16 3419136 ----a-w- c:\windows\SysWow64\d2d1.dll

2014-06-15 12:15 . 2013-11-22 22:48 3928064 ----a-w- c:\windows\system32\d2d1.dll

2014-06-15 12:15 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll

2014-06-15 12:15 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll

2014-06-15 09:12 . 2014-06-15 09:12 -------- d-s---w- c:\windows\system32\CompatTel

2014-06-15 08:46 . 2014-06-15 08:48 -------- d-----w- c:\windows\system32\MRT

2014-06-15 08:44 . 2013-05-10 05:56 12625920 ----a-w- c:\windows\system32\wmploc.DLL

2014-06-15 08:44 . 2013-05-10 04:30 167424 ----a-w- c:\program files\Windows Media Player\wmplayer.exe

2014-06-15 08:44 . 2013-05-10 03:48 164864 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe

2014-06-15 08:44 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL

2014-06-15 08:44 . 2013-05-10 05:56 14631424 ----a-w- c:\windows\system32\wmp.dll

2014-06-15 08:34 . 2014-06-15 08:34 -------- d-----w- c:\windows\Migration

2014-06-15 08:23 . 2013-10-14 22:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE

2014-06-15 08:16 . 2014-06-15 08:16 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2014-06-15 08:00 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui

2014-06-15 07:13 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll

2014-06-15 07:13 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll

2014-06-15 07:13 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2014-06-15 07:13 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2014-06-15 07:13 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe

2014-06-15 07:13 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll

2014-06-15 07:13 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2014-06-14 15:43 . 2013-02-12 04:12 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys

2014-06-14 15:43 . 2014-01-28 02:32 228864 ----a-w- c:\windows\system32\wwansvc.dll

2014-06-14 15:43 . 2013-03-19 05:53 48640 ----a-w- c:\windows\system32\wwanprotdim.dll

2014-06-14 15:43 . 2013-07-04 12:50 633856 ----a-w- c:\windows\system32\comctl32.dll

2014-06-14 15:43 . 2013-07-04 11:50 530432 ----a-w- c:\windows\SysWow64\comctl32.dll

2014-06-14 15:36 . 2014-04-05 02:47 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys

2014-06-14 15:36 . 2014-04-05 02:47 288192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2014-06-14 15:36 . 2013-11-26 11:40 376768 ----a-w- c:\windows\system32\drivers\netio.sys

2014-06-14 15:36 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe

2014-06-14 15:36 . 2013-02-27 05:47 70144 ----a-w- c:\windows\system32\appinfo.dll

2014-06-14 15:33 . 2013-06-06 05:50 41472 ----a-w- c:\windows\system32\lpk.dll

2014-06-14 15:32 . 2012-10-03 17:44 303104 ----a-w- c:\windows\system32\nlasvc.dll

2014-06-14 15:30 . 2013-04-26 05:51 751104 ----a-w- c:\windows\system32\win32spl.dll

2014-06-14 15:29 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll

2014-06-14 15:29 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys

2014-06-14 15:24 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll

2014-06-14 15:24 . 2012-10-09 18:17 226816 ----a-w- c:\windows\system32\dhcpcore6.dll

2014-06-14 15:24 . 2012-10-09 17:40 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll

2014-06-14 15:24 . 2012-10-09 17:40 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll

2014-06-14 15:23 . 2013-02-15 06:06 3717632 ----a-w- c:\windows\system32\mstscax.dll

2014-06-14 15:23 . 2013-02-15 04:37 3217408 ----a-w- c:\windows\SysWow64\mstscax.dll

2014-06-14 15:23 . 2013-02-15 06:02 158720 ----a-w- c:\windows\system32\aaclient.dll

2014-06-14 15:23 . 2013-02-15 04:34 131584 ----a-w- c:\windows\SysWow64\aaclient.dll

2014-06-14 15:23 . 2013-02-15 06:08 44032 ----a-w- c:\windows\system32\tsgqec.dll

2014-06-14 15:23 . 2013-02-15 03:25 36864 ----a-w- c:\windows\SysWow64\tsgqec.dll

2014-06-14 15:21 . 2014-04-25 02:34 801280 ----a-w- c:\windows\system32\usp10.dll

2014-06-14 15:21 . 2014-04-25 02:06 626688 ----a-w- c:\windows\SysWow64\usp10.dll

2014-06-14 15:16 . 2013-10-19 02:18 81408 ----a-w- c:\windows\system32\imagehlp.dll

2014-06-14 15:16 . 2013-10-19 01:36 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll

2014-06-12 22:10 . 2014-01-29 02:32 484864 ----a-w- c:\windows\system32\wer.dll

2014-06-12 22:10 . 2014-01-29 02:06 381440 ----a-w- c:\windows\SysWow64\wer.dll

2014-06-12 22:10 . 2013-11-12 02:23 2048 ----a-w- c:\windows\system32\tzres.dll

2014-06-12 22:10 . 2013-11-12 02:07 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2014-06-12 22:01 . 2013-07-25 09:25 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL

2014-06-12 21:57 . 2013-07-04 12:57 259584 ----a-w- c:\windows\system32\WebClnt.dll

2014-06-12 21:57 . 2013-07-04 11:57 205824 ----a-w- c:\windows\SysWow64\WebClnt.dll

2014-06-12 21:57 . 2013-07-04 12:50 102400 ----a-w- c:\windows\system32\davclnt.dll

2014-06-12 21:57 . 2013-07-04 11:51 81920 ----a-w- c:\windows\SysWow64\davclnt.dll

2014-06-12 21:57 . 2013-07-04 10:11 140800 ----a-w- c:\windows\system32\drivers\mrxdav.sys

2014-06-12 21:55 . 2013-10-03 02:23 404480 ----a-w- c:\windows\system32\gdi32.dll

2014-06-12 21:54 . 2014-02-04 02:32 624128 ----a-w- c:\windows\system32\qedit.dll

2014-06-12 21:52 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2014-06-12 21:40 . 2013-09-08 02:27 327168 ----a-w- c:\windows\system32\mswsock.dll

2014-06-12 21:40 . 2013-09-08 02:03 231424 ----a-w- c:\windows\SysWow64\mswsock.dll

2014-06-12 20:48 . 2014-06-29 19:29 -------- d-----w- C:\FRST

2014-06-09 19:55 . 2014-06-09 23:02 -------- d-----w- c:\windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-06-01 21:17 . 2010-09-11 19:58 95414520 ----a-w- c:\windows\system32\MRT.exe

2014-04-15 06:34 . 2014-04-15 06:34 1070232 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 720064]

"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-11-14 20584608]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-09-26 560128]

.

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 228552]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-12-15 1324384]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys;c:\windows\SYSNATIVE\drivers\iPodDrv.sys [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;c:\users\Chris\Forefront UAG Remote Access Agent\mydocsocdsbca\portal1\uagqecsvc.exe;c:\users\Chris\Forefront UAG Remote Access Agent\mydocsocdsbca\portal1\uagqecsvc.exe [x]

R3 cpuz134;cpuz134;c:\users\Chris\AppData\Local\Temp\cpuz134\cpuz134_x64.sys;c:\users\Chris\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

R3 hwmobilehsn;High Speed USB Modem and USB Serial For Normal;c:\windows\system32\DRIVERS\hwmob01.sys;c:\windows\SYSNATIVE\DRIVERS\hwmob01.sys [x]

R3 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [x]

R4 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [x]

R4 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe;c:\windows\SYSNATIVE\dleacoms.exe [x]

R4 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]

S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys;c:\windows\SYSNATIVE\Drivers\SmartDefragDriver.sys [x]

S1 aswKbd;aswKbd; [x]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe;c:\program files\Dell\DellDock\DockLogin.exe [x]

S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-06-15 07:19 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-07-03 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 22:44]

.

2014-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-24 22:06]

.

2014-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-24 22:06]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2014-06-05 21:46 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2014-06-05 21:46 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2014-06-05 21:46 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2014-06-05 21:46 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2014-06-05 21:46 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2014-06-05 21:46 777032 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]

"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-08-09 770728]

"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-08-09 139944]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-03-21 472992]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.ca

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{5FDCD26F-CAC0-42C6-8187-04C5B8D78E62}: NameServer = 8.8.8.8,8.8.8.8

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-10 - (no file)

Wow6432Node-HKCU-Run-AdobeBridge - (no file)

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

Toolbar-10 - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]

@Allowed: (B 1 4 5 6) (S-1-5-5-0-103577)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-07-03  11:31:56

ComboFix-quarantined-files.txt  2014-07-03 15:31

.

Pre-Run: 323,128,864,768 bytes free

Post-Run: 372,271,177,728 bytes free

.

- - End Of File - - D50144A57715D243D79CA972F3375A98

CDB4DE4BBD714F152979DA2DCBEF57EB
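As an added example (not from the original thread, and not ComboFix's own code), here is a small Python triage helper for the "Reg Loading Points" section of a ComboFix log like the one above. It pulls out the Run-key values and the R*/S* service and driver lines, then flags entries whose image lives in a user-writable location such as AppData\Local, a Temp directory or ProgramData (the location of the `ewr.exe` and `fmn.exe` files and the `cpuz134` driver in this log), or that have no image path recorded at all. The sample lines, the `alice` profile and the `Updater` value are constructed for the example, and the path heuristics are an assumption of this example rather than a ComboFix rule.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the shape of ComboFix's "Reg Loading Points"
# section: Run-key values, then R*/S* service and driver entries. The profile
# name "alice" and the "Updater" value are invented for this example.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-11-14 20584608]
"Updater"="c:\users\alice\AppData\Local\ewr.exe" [2014-06-20 143360]
.
R3 cpuz134;cpuz134;c:\users\alice\AppData\Local\Temp\cpuz134\cpuz134_x64.sys;c:\users\alice\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
S1 aswKbd;aswKbd; [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
'''

# "Name"="image path" [yyyy-mm-dd size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?')
# R<n>/S<n> <service name>;<display name>;<image path>;<resolved path> [x]
SVC_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')

# Locations from which legitimate autostart entries rarely run, most specific
# first. Each needle is compared against the lowercased image path. This list
# is an assumption of the example, not something ComboFix itself checks.
WRITABLE_DIRS = [
    ('\\appdata\\local\\temp\\', 'runs from the user Temp directory'),
    ('\\appdata\\local\\', 'runs from AppData\\Local'),
    ('\\appdata\\roaming\\', 'runs from AppData\\Roaming'),
    ('\\programdata\\', 'runs from ProgramData'),
    ('\\windows\\temp\\', 'runs from Windows\\Temp'),
]


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Extract kind/name/path records from Run values and service lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({'kind': 'run', 'name': m['name'], 'path': m['path']})
            continue
        m = SVC_RE.match(line)
        if m:
            # The remainder is "<image path>;<resolved path> [x]", or just
            # " [x]" when ComboFix recorded no file for the service at all.
            fields = [f.strip() for f in m['rest'].split(';')]
            path = next((f for f in fields if f and f != '[x]'), '')
            if path.endswith(' [x]'):
                path = path[:-4]
            entries.append({'kind': 'service:' + m['state'], 'name': m['name'], 'path': path})
    return entries


def classify(path: str) -> List[str]:
    """Reasons an autostart entry deserves a closer look; empty means nothing notable."""
    if not path:
        return ['no image path recorded for this entry']
    p = path.lower()
    for needle, why in WRITABLE_DIRS:
        if needle in p:
            return [why]
    return []


def triage(text: str) -> List[Dict[str, object]]:
    """Parse the log text and attach triage reasons to every autostart entry."""
    return [{**e, 'reasons': classify(e['path'])} for e in parse_entries(text)]


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        flag = 'CHECK' if e['reasons'] else 'ok   '
        print(f"{flag} {e['kind']:<10} {e['name']:<12} {e['path']}  {'; '.join(e['reasons'])}")
```

A flag is a prompt to look closer, not a verdict: legitimate software (Skype's updater, Google Update) is also fond of AppData, so compare a flagged entry against its vendor, the file's signature and the creation date shown in the "Files Created" section before deciding anything about it.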

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::

 

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

Run ESET Online Scan


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

You can refer to this animation by neomage if needed.

Frequently asked questions are available Here. Please read them before running the scan.

 

Also be aware this scan can take several hours to complete depending on the size of your system.

 

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

 

Let me see those logs..

 

Kevin


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

RegNull::
[HKEY_USERS\S-1-5-21-1366849451-1050349464-438197190-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

CF3.jpg

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

  • The file will be randomly named
  • Reboot to safe mode
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning

    drwebselect.JPG
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats

    drwebfolders.JPG
  • Press start scan
  • The scan will now commence

    drwebscan.JPG
  • Once the scan has finished click open report

    drwebscancomplete.JPG
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive. Attach it to your next reply…

 

Next,

 

Run FRST one more time, post the produced log....

 

Let me see those logs.

 

Kevin


1. Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats. Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


  • Internet access
  • Windows Update
  • Windows Firewall

 

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...


Run a Threat scan + Rootkit scan

 

Run Malwarebytes,

 


  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box: 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

 

Post the produced log, as follows:

 


  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

Kevin...


No threats were found, here's the log:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 04/07/2014
Scan Time: 11:56:18 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.05.02
Rootkit Database: v2014.07.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Chris
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296472
Time Elapsed: 11 min, 27 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
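The Malwarebytes Anti-Malware 2.x log pasted above is plain "Key: Value" text, so the checks Kevin asked for (rootkit scanning ticked, scan completed, run as administrator, nothing detected in any category) can be verified mechanically before a machine is called clean. The script below is an added example written for this thread, not Malwarebytes code. CLEAN_LOG is a condensed copy of the log posted above; DIRTY_LOG is a constructed variant with the rootkit option off and two files reported, and the layout of its detection detail lines ("name, path, action, [id],") is an assumption about MBAM 2.x output that the parser does not rely on.

```python
import re
from dataclasses import dataclass, field

# Detection categories MBAM 2.x prints as "Category: <count>" followed by
# either "(No malicious items detected)" or one detail line per item.
CATEGORIES = ("Processes", "Modules", "Registry Keys", "Registry Values",
              "Registry Data", "Folders", "Files", "Physical Sectors")
CATEGORY_RE = re.compile(r"^(%s):\s*(\d+)$" % "|".join(CATEGORIES))
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")
REQUIRED_OPTIONS = ("Memory", "Startup", "Filesystem", "Rootkits")
REALTIME_MODULES = ("Malware Protection", "Malicious Website Protection")

# Condensed copy of the log posted above (same format, some lines dropped).
CLEAN_LOG = """Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 04/07/2014
Scan Time: 11:56:18 PM
Logfile: 
Administrator: Yes
Malware Database: v2014.07.05.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296472
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Rootkits: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
"""

# Constructed variant: rootkit scanning left off and two files reported.
# The detail-line layout below is an assumption; the parser only needs the
# "Category: N" headers and treats every other line in a category as an item.
DIRTY_LOG = CLEAN_LOG.replace("Rootkits: Enabled", "Rootkits: Disabled").replace(
    "Files: 0\n(No malicious items detected)",
    "Files: 2\n"
    "Trojan.Agent.EXAMPLE, C:\\EXAMPLE\\dllhost.exe, Quarantined, [placeholder], \n"
    "Trojan.Agent.EXAMPLE, C:\\EXAMPLE\\sample.dll, Quarantined, [placeholder], ")


@dataclass
class ScanReport:
    fields: dict = field(default_factory=dict)      # header "Key: Value" lines
    counts: dict = field(default_factory=dict)      # category -> declared count
    detections: dict = field(default_factory=dict)  # category -> detail lines


def parse_mbam_log(text):
    """Parse an MBAM 2.x scan log into header fields and per-category items."""
    report = ScanReport()
    current = None  # category whose detail lines are being read
    for raw in text.splitlines():
        line = raw.strip()  # also drops the non-breaking spaces seen in pasted logs
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        m = CATEGORY_RE.match(line)
        if m:
            current = m.group(1)
            report.counts[current] = int(m.group(2))
            report.detections[current] = []
        elif current is not None:
            report.detections[current].append(line)
        else:
            m = FIELD_RE.match(line)
            if m:
                report.fields[m.group(1)] = m.group(2)
    return report


def assess(report):
    """Return a verdict: clean only if complete, fully configured and empty."""
    problems, warnings = [], []
    if report.fields.get("Result") != "Completed":
        problems.append("scan did not complete (Result: %s)" % report.fields.get("Result"))
    if report.fields.get("Administrator") != "Yes":
        problems.append("scan was not run with administrator rights")
    for opt in REQUIRED_OPTIONS:
        if report.fields.get(opt) != "Enabled":
            problems.append("scan option '%s' was not enabled" % opt)
    for cat in CATEGORIES:
        if cat not in report.counts:
            problems.append("category '%s' missing from log" % cat)
        elif report.counts[cat] != len(report.detections[cat]):
            problems.append("'%s' declares %d items but lists %d"
                            % (cat, report.counts[cat], len(report.detections[cat])))
    for mod in REALTIME_MODULES:  # a clean scan says nothing about what runs next
        if report.fields.get(mod) == "Disabled":
            warnings.append("%s is disabled: no real-time protection after this scan" % mod)
    total = sum(report.counts.values())
    return {"clean": total == 0 and not problems, "detections": total,
            "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    for name, log in (("posted log", CLEAN_LOG), ("constructed log", DIRTY_LOG)):
        verdict = assess(parse_mbam_log(log))
        print(name, "->", "clean" if verdict["clean"] else "NOT clean", verdict)
```

The posted log comes back clean with two warnings, because the free licence leaves both real-time modules disabled: a clean on-demand scan is a point-in-time statement, not ongoing protection. The constructed log fails on the missing rootkit option and the two reported files, which is the case where a helper would ask for a rescan rather than accept the result.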

Root Admin, 2 weeks later:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

