
I'm Infected With Something! Help!

Yesterday, as my computer resumed from hibernation, a JavaScript file called b3.mookie1.com kept popping up on my screen asking to be run. Cancelling the request brought more and more requests, and I sometimes had to hit the cancel option more than 20 times to get rid of them.

I ran my Malwarebytes Anti-Malware several times thinking I was infected with a virus - MBAM found PUPs but nothing that seemed related to this event.

Finally the pop-up Java requests have stopped, but now when I click on anything in Windows, at first it responds, then after a while it takes a long time to respond. When I try to restore my computer to an earlier time, it fails with a catastrophic error.

 

I downloaded and ran DDS with the instructions provided. It says it will place 2 files on my desktop, but it only produces one - attach.txt, even after running it several times using both dds.scr and dds.com.

 

I have copied and pasted the attach.txt file below. Any assistance will be greatly appreciated.

 

Thanks! 


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Ultimate N 
Boot Device: \Device\HarddiskVolume2
Install Date: 5/28/2013 8:37:58 PM
System Uptime: 3/22/2014 10:02:50 AM (0 hours ago)
.
Motherboard: ASRock |  | Z77M
Processor: Intel® Core i7-3770 CPU @ 3.40GHz | CPUSocket | 2788/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 388.67 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 932 GiB total, 809.488 GiB free.
F: is Removable
J: is FIXED (NTFS) - 932 GiB total, 798.443 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Realtek PCIe GBE Family Controller
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_81681849&REV_06\4&2B8260C3&0&00E4
Manufacturer: Realtek
Name: Realtek PCIe GBE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_81681849&REV_06\4&2B8260C3&0&00E4
Service: RTL8167
.
==== System Restore Points ===================
.
RP181: 3/11/2014 4:40:16 AM - Windows Update
RP182: 3/12/2014 3:00:23 AM - Windows Update
RP184: 3/17/2014 11:35:34 PM - Windows Defender Checkpoint
RP185: 3/18/2014 3:00:10 AM - Windows Update
RP186: 3/21/2014 4:04:08 AM - Windows Update
RP188: 3/21/2014 4:08:43 AM - Windows Defender Checkpoint
.
==== Image File Execution Options =============
.
.
==== Installed Programs ======================
.
.
==== End Of File ===========================

Hello,

 

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Let me see those logs in your next reply...

 

Kevin


Thanks for your help, Kevin! Here are the reports:

==============================================================================================

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.03.24.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Richard :: RICHARD-PC [administrator]
 
Protection: Enabled
 
3/23/2014 10:12:25 PM
MBAM-log-2014-03-23 (22-32-52).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 318485
Time elapsed: 15 minute(s), 38 second(s)
 
Memory Processes Detected: 7
C:\Windows\SysWOW64\vointa.exe (Trojan.Zbot.RSE) -> 2092 -> No action taken.
C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe (Trojan.Zbot.RSE) -> 8992 -> No action taken.
C:\Windows\SysWOW64\inwemyiq.exe (Trojan.Agent.SCS) -> 18156 -> No action taken.
C:\Windows\SysWOW64\ifavsyromi.exe (Trojan.Agent.SCS) -> 5112 -> No action taken.
C:\Windows\SysWOW64\olnusidi.exe (Trojan.Agent.SCS) -> 9296 -> No action taken.
C:\Windows\SysWOW64\toarniep.exe (Trojan.Agent.SCS) -> 17388 -> No action taken.
C:\Windows\SysWOW64\zoaxsyakzy.exe (Trojan.Agent.SCS) -> 6684 -> No action taken.
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 6
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer8202235 (Trojan.Zbot.RSE) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer1643077630 (Trojan.Agent.SCS) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer214126202 (Trojan.Agent.SCS) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer2588727021 (Trojan.Agent.SCS) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer2836789679 (Trojan.Agent.SCS) -> No action taken.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer3055749110 (Trojan.Agent.SCS) -> No action taken.
 
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ihefadl (Trojan.Zbot.RSE) -> Data: C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ihefadl (Trojan.Zbot.RSE) -> Data: C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe -> No action taken.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 18
C:\Windows\SysWOW64\vointa.exe (Trojan.Zbot.RSE) -> No action taken.
C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe (Trojan.Zbot.RSE) -> No action taken.
C:\Windows\System32\vointa.exe (Trojan.Zbot.RSE) -> No action taken.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_063c68dc.exe (Trojan.Agent.ED) -> No action taken.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_11b0f7b5.exe (Trojan.Zbot.EC) -> No action taken.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_19da3e72.exe (Trojan.Zbot.RSE) -> No action taken.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_3a2dace3.exe (Trojan.Inject.ED) -> No action taken.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_6a26bb02.exe (Trojan.Inject.ED) -> No action taken.
C:\Windows\Tasks\Security Center Update - 1643077630.job (Trojan.Agent.RvGen) -> No action taken.
C:\Windows\Tasks\Security Center Update - 214126202.job (Trojan.Agent.RvGen) -> No action taken.
C:\Windows\Tasks\Security Center Update - 2588727021.job (Trojan.Agent.RvGen) -> No action taken.
C:\Windows\Tasks\Security Center Update - 2836789679.job (Trojan.Agent.RvGen) -> No action taken.
C:\Windows\Tasks\Security Center Update - 3055749110.job (Trojan.Agent.RvGen) -> No action taken.
C:\Windows\SysWOW64\inwemyiq.exe (Trojan.Agent.SCS) -> No action taken.
C:\Windows\SysWOW64\ifavsyromi.exe (Trojan.Agent.SCS) -> No action taken.
C:\Windows\SysWOW64\olnusidi.exe (Trojan.Agent.SCS) -> No action taken.
C:\Windows\SysWOW64\toarniep.exe (Trojan.Agent.SCS) -> No action taken.
C:\Windows\SysWOW64\zoaxsyakzy.exe (Trojan.Agent.SCS) -> No action taken.
 
(end)
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.03.24.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Richard :: RICHARD-PC [administrator]
 
Protection: Enabled
 
3/23/2014 10:12:25 PM
mbam-log-2014-03-23 (22-12-25).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 318485
Time elapsed: 15 minute(s), 38 second(s)
 
Memory Processes Detected: 7
C:\Windows\SysWOW64\vointa.exe (Trojan.Zbot.RSE) -> 2092 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe (Trojan.Zbot.RSE) -> 8992 -> Delete on reboot.
C:\Windows\SysWOW64\inwemyiq.exe (Trojan.Agent.SCS) -> 18156 -> Delete on reboot.
C:\Windows\SysWOW64\ifavsyromi.exe (Trojan.Agent.SCS) -> 5112 -> Delete on reboot.
C:\Windows\SysWOW64\olnusidi.exe (Trojan.Agent.SCS) -> 9296 -> Delete on reboot.
C:\Windows\SysWOW64\toarniep.exe (Trojan.Agent.SCS) -> 17388 -> Delete on reboot.
C:\Windows\SysWOW64\zoaxsyakzy.exe (Trojan.Agent.SCS) -> 6684 -> Delete on reboot.
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 6
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer8202235 (Trojan.Zbot.RSE) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer1643077630 (Trojan.Agent.SCS) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer214126202 (Trojan.Agent.SCS) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer2588727021 (Trojan.Agent.SCS) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer2836789679 (Trojan.Agent.SCS) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer3055749110 (Trojan.Agent.SCS) -> Quarantined and deleted successfully.
 
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ihefadl (Trojan.Zbot.RSE) -> Data: C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ihefadl (Trojan.Zbot.RSE) -> Data: C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe -> Quarantined and deleted successfully.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 18
C:\Windows\SysWOW64\vointa.exe (Trojan.Zbot.RSE) -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe (Trojan.Zbot.RSE) -> Delete on reboot.
C:\Windows\System32\vointa.exe (Trojan.Zbot.RSE) -> Delete on reboot.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_063c68dc.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_11b0f7b5.exe (Trojan.Zbot.EC) -> Quarantined and deleted successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_19da3e72.exe (Trojan.Zbot.RSE) -> Quarantined and deleted successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_3a2dace3.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_6a26bb02.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 1643077630.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 214126202.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 2588727021.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 2836789679.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 3055749110.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\inwemyiq.exe (Trojan.Agent.SCS) -> Delete on reboot.
C:\Windows\SysWOW64\ifavsyromi.exe (Trojan.Agent.SCS) -> Delete on reboot.
C:\Windows\SysWOW64\olnusidi.exe (Trojan.Agent.SCS) -> Delete on reboot.
C:\Windows\SysWOW64\toarniep.exe (Trojan.Agent.SCS) -> Delete on reboot.
C:\Windows\SysWOW64\zoaxsyakzy.exe (Trojan.Agent.SCS) -> Delete on reboot.
 
(end)
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Richard (administrator) on RICHARD-PC on 23-03-2014 23:09:16
Running from C:\Users\Richard\Desktop
Windows 7 Ultimate N Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
() C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
() C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
HKLM\...\Run: [usgimeyqufybkyy] - C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe [296126 2013-12-23] ()
HKLM\...\Run: [beuqy] - C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe [299209 2013-12-26] ()
HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NBAgent] - C:\Program Files (x86)\Nero\Nero 11\Nero BackItUp\NBAgent.exe [1493288 2011-09-20] (Nero AG)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-09-13] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [iJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [udahmaytuf] - "C:\Users\Richard\AppData\Roaming\Fyucqusy\koigsyi.exe"
HKLM-x32\...\Run: [usgimeyqufybkyy] - C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe [296126 2013-12-23] ()
HKLM-x32\...\Run: [Xenekyvycac] - C:\Users\Richard\AppData\Roaming\Dofawy\zegaerl.exe [296126 2014-02-22] ()
HKLM-x32\...\Run: [Cokoofogcuiveq] - C:\Users\Richard\AppData\Roaming\Fyfecual\cueho.exe [304882 2013-09-14] ()
HKLM-x32\...\Run: [Nixiydpop] - C:\Users\Richard\AppData\Roaming\Syalcero\ukocg.exe [304882 2013-07-29] ()
HKLM-x32\...\Run: [beuqy] - C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe [299209 2013-12-26] ()
HKLM-x32\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-05-28] (Google Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [Google Update] - C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-07-13] (Google Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ApplePhotoStreams] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [iCloudServices] - C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [cnqsvluq] - "C:\Users\Richard\AppData\Local\wwbhthva.exe"
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ocrmmcxa] - C:\Users\Richard\AppData\Local\kpbpivdt.exe [110592 2014-03-19] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [jtcjwpur] - C:\Users\Richard\AppData\Local\aqucfugc.exe [106496 2014-03-20] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [oaeqltse] - C:\Users\Richard\AppData\Local\mgtkkvgh.exe [106496 2014-03-22] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [xdhsaitq] - C:\Users\Richard\AppData\Local\pmtbhdqk.exe [106496 2014-03-22] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [usgimeyqufybkyy] - C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe [296126 2013-12-23] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ckhistei] - C:\Users\Richard\AppData\Local\fioftvoc.exe [114688 2014-03-23] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [beuqy] - C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe [299209 2013-12-26] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ihefadl] - C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xAE49739D165CCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKCU - {369F37B6-421E-40D3-BCF2-E9BD155FEAC4} URL = http://us.yhs4.search.yahoo.com/yhs/search?p={searchTerms}&ei=UTF-8&hspart=w3i&hsimp=yhs-synd1&type=W3i_DS,221,0_0,Search,20130625,0,0,6,7635
SearchScopes: HKCU - {B9194313-1CA3-4C3A-B5D0-CF4ACB4719D3} URL = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Nero Kwik Media Helper) - C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Java Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll No File
CHR Extension: (YouTube) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-12]
CHR Extension: (Google Search) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-12]
CHR Extension: (RealDownloader) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-09-13]
CHR Extension: (Google Wallet) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-12]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
 
==================== Services (Whitelisted) =================
 
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2169016 2014-03-01] (Microsoft Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
 
==================== Drivers (Whitelisted) ====================
 
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-03-23] ()
S3 AsrCDDrv; \??\C:\Windows\SysWOW64\Drivers\AsrCDDrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-23 23:03 - 2014-03-23 23:05 - 00047571 _____ () C:\Users\Richard\Desktop\Addition.txt
2014-03-23 23:01 - 2014-03-23 23:09 - 00017114 _____ () C:\Users\Richard\Desktop\FRST.txt
2014-03-23 22:58 - 2014-03-23 23:09 - 00000000 ____D () C:\FRST
2014-03-23 22:40 - 2014-03-23 22:40 - 02157056 _____ (Farbar) C:\Users\Richard\Desktop\FRST64.exe
2014-03-23 21:57 - 2014-03-23 21:57 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Piatymvy
2014-03-23 16:51 - 2014-03-23 16:51 - 00114688 _____ () C:\Users\Richard\AppData\Local\fioftvoc.exe
2014-03-23 16:39 - 2014-03-23 16:39 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Syalcero
2014-03-23 04:37 - 2014-03-23 04:37 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Fyfecual
2014-03-23 00:43 - 2014-03-23 00:43 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Dofawy
2014-03-22 21:12 - 2014-03-22 21:12 - 00106496 _____ () C:\Users\Richard\AppData\Local\pmtbhdqk.exe
2014-03-22 21:12 - 2014-03-22 21:12 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Miinhy
2014-03-22 10:03 - 2014-03-22 10:03 - 00688992 ____R (Swearware) C:\Users\Richard\Desktop\dds.scr
2014-03-22 07:00 - 2014-03-22 07:00 - 00005911 _____ () C:\Users\Richard\AppData\Local\lcqibmel
2014-03-22 05:29 - 2014-03-22 05:29 - 00106496 _____ () C:\Users\Richard\AppData\Local\mgtkkvgh.exe
2014-03-21 14:39 - 2014-03-21 14:39 - 00005911 _____ () C:\Users\Richard\AppData\Local\gvupnbox
2014-03-21 02:00 - 2014-03-23 22:40 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-21 01:59 - 2014-03-23 22:37 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-03-20 15:27 - 2014-03-20 15:27 - 00106496 _____ () C:\Users\Richard\AppData\Local\aqucfugc.exe
2014-03-20 12:39 - 2014-03-22 01:29 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Fyucqusy
2014-03-20 09:09 - 2014-03-20 09:09 - 00005911 _____ () C:\Users\Richard\AppData\Local\eboboaqd
2014-03-19 20:37 - 2014-03-23 22:37 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Xafoivug
2014-03-19 14:28 - 2014-03-19 14:28 - 00110592 _____ () C:\Users\Richard\AppData\Local\kpbpivdt.exe
2014-03-19 09:11 - 2014-03-19 09:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iTunes
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iPod
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-17 00:00 - 2014-03-17 00:00 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 20:33 - 2014-03-14 20:33 - 00012326 _____ () C:\Users\Richard\AppData\Local\xuhgjnch
2014-03-14 20:32 - 2014-03-14 20:32 - 00068465 _____ () C:\Users\Richard\AppData\Local\eccrerso
2014-03-14 20:31 - 2014-03-14 20:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-11 17:35 - 2014-03-01 01:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-11 17:35 - 2014-03-01 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-11 17:35 - 2014-03-01 00:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-11 17:35 - 2014-02-28 23:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-11 17:35 - 2014-02-28 23:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-11 17:35 - 2014-02-28 23:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-11 17:35 - 2014-02-28 23:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-11 17:35 - 2014-02-28 23:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-11 17:35 - 2014-02-28 23:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-11 17:35 - 2014-02-28 23:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-11 17:35 - 2014-02-28 23:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-11 17:35 - 2014-02-28 23:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-11 17:35 - 2014-02-28 23:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-11 17:35 - 2014-02-28 23:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-11 17:35 - 2014-02-28 23:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-11 17:35 - 2014-02-28 23:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-11 17:35 - 2014-02-28 23:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-11 17:35 - 2014-02-28 22:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-11 17:35 - 2014-02-28 22:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-11 17:35 - 2014-02-28 22:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-11 17:35 - 2014-02-28 22:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-11 17:35 - 2014-02-28 22:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-11 17:35 - 2014-02-28 22:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-11 17:35 - 2014-02-28 22:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-11 17:35 - 2014-02-28 22:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-11 17:35 - 2014-02-28 22:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-11 17:35 - 2014-02-28 22:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-11 17:35 - 2014-02-28 22:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-11 17:35 - 2014-02-28 22:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-11 17:35 - 2014-02-28 22:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-11 17:35 - 2014-02-28 22:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-11 17:35 - 2014-02-28 22:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-11 17:35 - 2014-02-28 22:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-11 17:35 - 2014-02-28 22:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-11 17:35 - 2014-02-28 21:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-11 17:35 - 2014-02-28 21:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-11 17:35 - 2014-02-28 21:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-11 17:35 - 2014-02-28 21:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-11 17:35 - 2014-02-28 21:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-11 17:35 - 2014-02-28 21:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-11 17:35 - 2014-02-06 20:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-11 17:35 - 2014-01-28 21:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-11 17:35 - 2014-01-28 21:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-11 17:35 - 2014-01-27 21:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-11 17:34 - 2014-02-03 21:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-11 17:34 - 2014-02-03 21:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-11 17:34 - 2014-02-03 21:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-11 17:34 - 2014-02-03 21:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-10 20:02 - 2014-03-11 23:35 - 00000000 ____D () C:\Users\Richard\Documents\Tax Docs 2013
 
==================== One Month Modified Files and Folders =======
 
2014-03-23 23:09 - 2014-03-23 23:01 - 00017114 _____ () C:\Users\Richard\Desktop\FRST.txt
2014-03-23 23:09 - 2014-03-23 22:58 - 00000000 ____D () C:\FRST
2014-03-23 23:05 - 2014-03-23 23:03 - 00047571 _____ () C:\Users\Richard\Desktop\Addition.txt
2014-03-23 22:57 - 2009-07-14 00:12 - 00803274 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-23 22:55 - 2013-05-28 21:49 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-23 22:54 - 2013-05-28 12:40 - 01582294 _____ () C:\Windows\WindowsUpdate.log
2014-03-23 22:52 - 2013-05-28 21:49 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-23 22:44 - 2009-07-13 23:50 - 00025408 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-23 22:44 - 2009-07-13 23:50 - 00025408 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-23 22:40 - 2014-03-23 22:40 - 02157056 _____ (Farbar) C:\Users\Richard\Desktop\FRST64.exe
2014-03-23 22:40 - 2014-03-21 02:00 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-23 22:40 - 2013-09-13 10:14 - 00003218 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-23 22:39 - 2013-05-28 21:49 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-23 22:39 - 2013-05-28 20:50 - 00000828 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2014-03-23 22:37 - 2014-03-21 01:59 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-03-23 22:37 - 2014-03-19 20:37 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Xafoivug
2014-03-23 22:37 - 2013-07-01 23:50 - 00010206 _____ () C:\Windows\setupact.log
2014-03-23 22:37 - 2013-07-01 23:49 - 00280966 _____ () C:\Windows\PFRO.log
2014-03-23 22:37 - 2013-05-28 20:56 - 00034752 _____ () C:\Windows\system32\Drivers\WPRO_41_2001.sys
2014-03-23 22:37 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-23 22:10 - 2013-07-19 14:08 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000UA.job
2014-03-23 22:01 - 2013-06-02 15:09 - 00000000 ____D () C:\Users\Richard\Documents\Outlook Files
2014-03-23 21:57 - 2014-03-23 21:57 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Piatymvy
2014-03-23 16:51 - 2014-03-23 16:51 - 00114688 _____ () C:\Users\Richard\AppData\Local\fioftvoc.exe
2014-03-23 16:39 - 2014-03-23 16:39 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Syalcero
2014-03-23 16:38 - 2013-05-30 00:44 - 00000000 ____D () C:\Users\Richard\AppData\Local\CrashDumps
2014-03-23 16:37 - 2013-05-28 20:50 - 00000830 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2014-03-23 04:37 - 2014-03-23 04:37 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Fyfecual
2014-03-23 03:10 - 2013-07-19 14:08 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000Core.job
2014-03-23 00:43 - 2014-03-23 00:43 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Dofawy
2014-03-22 21:12 - 2014-03-22 21:12 - 00106496 _____ () C:\Users\Richard\AppData\Local\pmtbhdqk.exe
2014-03-22 21:12 - 2014-03-22 21:12 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Miinhy
2014-03-22 10:03 - 2014-03-22 10:03 - 00688992 ____R (Swearware) C:\Users\Richard\Desktop\dds.scr
2014-03-22 07:00 - 2014-03-22 07:00 - 00005911 _____ () C:\Users\Richard\AppData\Local\lcqibmel
2014-03-22 05:29 - 2014-03-22 05:29 - 00106496 _____ () C:\Users\Richard\AppData\Local\mgtkkvgh.exe
2014-03-22 01:29 - 2014-03-20 12:39 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Fyucqusy
2014-03-22 01:08 - 2013-05-29 00:46 - 00000000 ____D () C:\Users\Richard\Documents\Flight Simulator X Files
2014-03-21 14:39 - 2014-03-21 14:39 - 00005911 _____ () C:\Users\Richard\AppData\Local\gvupnbox
2014-03-21 13:00 - 2013-05-31 19:40 - 00000000 ____D () C:\ProgramData\cOOntiNuetaosave
2014-03-20 15:27 - 2014-03-20 15:27 - 00106496 _____ () C:\Users\Richard\AppData\Local\aqucfugc.exe
2014-03-20 09:09 - 2014-03-20 09:09 - 00005911 _____ () C:\Users\Richard\AppData\Local\eboboaqd
2014-03-19 14:28 - 2014-03-19 14:28 - 00110592 _____ () C:\Users\Richard\AppData\Local\kpbpivdt.exe
2014-03-19 09:11 - 2014-03-19 09:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla
2014-03-18 23:18 - 2013-06-01 13:13 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-03-18 03:01 - 2013-07-14 03:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-18 03:00 - 2013-05-28 22:59 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-17 23:33 - 2014-02-17 01:50 - 00000000 ____D () C:\ProgramData\MSNDynFiles
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iTunes
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iPod
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-17 00:00 - 2014-03-17 00:00 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 20:33 - 2014-03-14 20:33 - 00012326 _____ () C:\Users\Richard\AppData\Local\xuhgjnch
2014-03-14 20:32 - 2014-03-14 20:32 - 00068465 _____ () C:\Users\Richard\AppData\Local\eccrerso
2014-03-14 20:31 - 2014-03-14 20:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-12 03:19 - 2009-07-13 23:50 - 00451704 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-12 03:18 - 2014-01-01 12:25 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 03:18 - 2014-01-01 12:25 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-11 23:35 - 2014-03-10 20:02 - 00000000 ____D () C:\Users\Richard\Documents\Tax Docs 2013
2014-03-11 20:52 - 2013-05-28 21:49 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-11 20:52 - 2013-05-28 21:49 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-11 20:52 - 2013-05-28 21:49 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-10 00:30 - 2013-11-23 21:42 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-10 00:30 - 2013-11-23 21:42 - 00003240 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-01 01:05 - 2014-03-11 17:35 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 00:17 - 2014-03-11 17:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 00:16 - 2014-03-11 17:35 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-28 23:58 - 2014-03-11 17:35 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-28 23:52 - 2014-03-11 17:35 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-28 23:51 - 2014-03-11 17:35 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-28 23:42 - 2014-03-11 17:35 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-28 23:40 - 2014-03-11 17:35 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-28 23:37 - 2014-03-11 17:35 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-28 23:33 - 2014-03-11 17:35 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-28 23:33 - 2014-03-11 17:35 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-28 23:32 - 2014-03-11 17:35 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-28 23:30 - 2014-03-11 17:35 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-28 23:27 - 2013-05-29 23:47 - 00000000 ____D () C:\ProgramData\Esellerate
2014-02-28 23:23 - 2014-03-11 17:35 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-02-28 23:17 - 2014-03-11 17:35 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-28 23:11 - 2014-03-11 17:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-28 23:02 - 2014-03-11 17:35 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 22:54 - 2014-03-11 17:35 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 22:52 - 2014-03-11 17:35 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 22:51 - 2014-03-11 17:35 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 22:47 - 2014-03-11 17:35 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 22:43 - 2014-03-11 17:35 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 22:43 - 2014-03-11 17:35 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 22:42 - 2014-03-11 17:35 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 22:40 - 2014-03-11 17:35 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 22:38 - 2014-03-11 17:35 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 22:37 - 2014-03-11 17:35 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 22:35 - 2014-03-11 17:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 22:18 - 2014-03-11 17:35 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 22:16 - 2014-03-11 17:35 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 22:14 - 2014-03-11 17:35 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 22:10 - 2014-03-11 17:35 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 22:03 - 2014-03-11 17:35 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 22:00 - 2014-03-11 17:35 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 21:57 - 2014-03-11 17:35 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 21:38 - 2014-03-11 17:35 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 21:32 - 2014-03-11 17:35 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 21:27 - 2014-03-11 17:35 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 21:25 - 2014-03-11 17:35 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 21:25 - 2014-03-11 17:35 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-25 00:01 - 2013-05-28 20:43 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-02-24 20:09 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
 
Files to move or delete:
====================
C:\Users\Richard\FlightBeam_Phoenix Sky Harbor - HD.reg
C:\Users\Richard\FlightBeam_San Francisco X.reg
C:\Users\Richard\FSDreamTeam_Chicago Ohare.reg
C:\Users\Richard\FSDreamTeam_Dallas-Fort Worth.reg
C:\Users\Richard\FSDreamTeam_Geneva.reg
C:\Users\Richard\FSDreamTeam_GSX.reg
C:\Users\Richard\FSDreamTeam_JFK V2.reg
C:\Users\Richard\FSDreamTeam_JFK.reg
C:\Users\Richard\FSDreamTeam_KFLL.reg
C:\Users\Richard\FSDreamTeam_KLAS.reg
C:\Users\Richard\FSDreamTeam_Los Angeles V2.reg
C:\Users\Richard\FSDreamTeam_Vancouver CYVR.reg
C:\Users\Richard\FSDreamTeam_ZurichX.reg
C:\Users\Richard\QualityWings_Ultimate 757 Collection.reg
 
 
Some content of TEMP:
====================
C:\Users\Richard\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Richard\AppData\Local\Temp\lowproc.exe
C:\Users\Richard\AppData\Local\Temp\stubhelper.dll
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_1b831219.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_2949ed18.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_7d466054.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_a5b6c43b.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_d14764c5.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-21 04:05
 
==================== End Of Log ============================
 
 

Addition.txt

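A worked triage of the FRST output above, added here as an example; it is not code from this thread, from FRST, or from any fixlist, and the scoring rules, the two-signal threshold and the small vendor allowlist are my own assumptions rather than anything FRST does. It parses the three kinds of line a helper reads by eye in a log like this (one-month file entries, Run-key entries and Task entries, with the sample input copied verbatim from the posts above) and flags the pattern the cleanup targets: unsigned, randomly named executables and folders under the user profile that are wired into autostart, several of identical size, plus scheduled tasks that launch a script host from Temp. Because it accepts any line of those three shapes, it goes somewhat beyond the specific entries quoted in this thread.

```python
import re
from collections import Counter, namedtuple
# Sample input: lines copied verbatim from the FRST.txt and fixlist posted in this thread.
# dds.scr, mshtml.dll and the Mozilla folder are included as known-good controls.
SAMPLE_LINES = [
    r"2014-03-22 21:12 - 2014-03-22 21:12 - 00106496 _____ () C:\Users\Richard\AppData\Local\pmtbhdqk.exe",
    r"2014-03-22 10:03 - 2014-03-22 10:03 - 00688992 ____R (Swearware) C:\Users\Richard\Desktop\dds.scr",
    r"2014-03-22 05:29 - 2014-03-22 05:29 - 00106496 _____ () C:\Users\Richard\AppData\Local\mgtkkvgh.exe",
    r"2014-03-20 15:27 - 2014-03-20 15:27 - 00106496 _____ () C:\Users\Richard\AppData\Local\aqucfugc.exe",
    r"2014-03-11 17:35 - 2014-03-01 01:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll",
    r"2014-03-19 20:37 - 2014-03-23 22:37 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Xafoivug",
    r"2014-03-19 09:11 - 2014-03-19 09:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla",
    r'HKLM\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"',
    r"HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ocrmmcxa] - C:\Users\Richard\AppData\Local\kpbpivdt.exe [110592 2014-03-19] ()",
    r"Task: {E01BF966-DF19-4C07-895A-39813EC57F4F} - System32\Tasks\4882 => Wscript.exe C:\Users\Richard\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION",
    r"Task: {89CED01B-5A42-48E2-8F52-E8C8EF129833} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION",
]

FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
                     r"(?P<size>\d{8}) \S{5} \((?P<company>[^)]*)\) (?P<path>.+)$")
RUN_RE = re.compile(r"^HK[A-Z0-9\\.-]+?\\Run: \[(?P<name>[^\]]+)\] - (?P<rest>.+)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>\S+) => (?P<action>.+?)(?: <==== ATTENTION)?$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[]+?(?="|\s\[|$)')  # first Windows path inside a Run/Task value
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".cpl", ".vbs", ".js")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
KNOWN_GOOD = {"mozilla", "microsoft", "google", "adobe", "apple"}  # assumed allowlist; extend per site
Finding = namedtuple("Finding", "kind target reasons")  # target: file path, or the original Run/Task line

def suspicious(f):
    return len(f.reasons) >= 2  # two independent signals before an entry is listed

def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]

def looks_generated(name):
    """One alphabetic token of 5-16 letters, no digits or separators: the shape of the
    pmtbhdqk.exe / Xafoivug names in this log. Allowlisted vendor names are excluded."""
    stem = name.split(".")[0]
    return stem.isascii() and stem.isalpha() and 5 <= len(stem) <= 16 and stem.lower() not in KNOWN_GOOD

def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def score_file(line, m, sizes):
    path, reasons = m["path"], []
    unsigned_exec = m["company"] == "" and path.lower().endswith(EXEC_EXT)
    if in_user_writable(path):
        reasons.append("user-writable location")
    if unsigned_exec:
        reasons.append("no publisher")
    if looks_generated(basename(path)):
        reasons.append("random-looking name")
    if unsigned_exec and sizes[m["size"]] > 1:
        reasons.append(f"size {int(m['size'])} shared by {sizes[m['size']]} unsigned files")
    return Finding("file", path, reasons)

def score_run(line, m):
    hit, reasons = PATH_RE.search(m["rest"]), []
    path = hit.group(0) if hit else m["rest"]
    if in_user_writable(path):
        reasons.append("autostart from user-writable location")
    if looks_generated(m["name"]):
        reasons.append("random-looking value name")
    if looks_generated(basename(path)):
        reasons.append("random-looking target name")
    return Finding("run", line, reasons)

def score_task(line, m):
    action, reasons = m["action"], []
    if action.split()[0].lower() in SCRIPT_HOSTS:
        reasons.append("task launches a script host")
    if in_user_writable(action):
        reasons.append("task argument in user-writable location")
    if m["name"].isdigit():
        reasons.append("numeric task name")
    if "<==== ATTENTION" in line:
        reasons.append("flagged ATTENTION by FRST")
    return Finding("task", line, reasons)

def triage(lines):
    """Parse FRST file, Run and Task lines and score each one; other lines are ignored."""
    parsed = []
    for line in lines:
        line = line.strip()
        for kind, rx in (("file", FILE_RE), ("run", RUN_RE), ("task", TASK_RE)):
            if m := rx.match(line):
                parsed.append((kind, line, m))
                break
    # Several unsigned binaries of identical size point to one dropper stamping out copies.
    sizes = Counter(m["size"] for k, _, m in parsed
                    if k == "file" and m["company"] == "" and m["path"].lower().endswith(EXEC_EXT))
    scorers = {"file": lambda ln, m: score_file(ln, m, sizes), "run": score_run, "task": score_task}
    return [scorers[kind](line, m) for kind, line, m in parsed]

def draft_fixlist(findings):
    """Suspicious entries in the Start/End layout of the fixlist in this thread; review before use."""
    return ["Start", *[f.target for f in findings if suspicious(f)], "End"]
```

Two independent signals are required before an entry is listed, which is why mshtml.dll (a six-letter name, but signed and in System32) and the Mozilla folder (user-writable, but allowlisted) stay off the list while every pmtbhdqk.exe-style file, the Xafoivug folder, both Run values and both tasks land on it. The draft fixlist is a starting point for a human review, not something to run unread: the allowlist is tiny, and a legitimate but oddly named program living in AppData would score exactly like the droppers here.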

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it in your reply.

 

Next,

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 


Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Uncheck any elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review.
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted (if necessary):
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log.

 

Next,

 

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe

Important - Save it to your desktop.

Double-click CKScanner.exe (right-click and "Run as administrator" in Vista/Win7).

Give permission if necessary, and click Search For Files.

After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify the file saved. Please run the program once only.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

Let me see those logs, and let me know of any remaining issues or concerns...

 

Kevin

 

fixlist.txt


Here are the results, Kevin. Things appeared to be moving snappy at first, but as I play around, there is latency launching browsers and applications - even closing them is problematic sometimes. There is even latency doing a restart.

 

Thanks!

 

========================================================================================================================================================

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Richard at 2014-03-24 10:06:21 Run:1
Running from C:\Users\Richard\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
C:\Users\Richard\AppData\Roaming\Xafoivug
HKLM\...\Run: [usgimeyqufybkyy] - C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe [296126 2013-12-23] ()
C:\Users\Richard\AppData\Roaming\Miinhy
HKLM\...\Run: [beuqy] - C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe [299209 2013-12-26] ()
C:\Users\Richard\AppData\Roaming\Piatymvy
HKLM-x32\...\Run: [udahmaytuf] - "C:\Users\Richard\AppData\Roaming\Fyucqusy\koigsyi.exe"
C:\Users\Richard\AppData\Roaming\Fyucqusy
HKLM-x32\...\Run: [usgimeyqufybkyy] - C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe [296126 2013-12-23] ()
C:\Users\Richard\AppData\Roaming\Miinhy
HKLM-x32\...\Run: [Xenekyvycac] - C:\Users\Richard\AppData\Roaming\Dofawy\zegaerl.exe [296126 2014-02-22] ()
C:\Users\Richard\AppData\Roaming\Dofawy
HKLM-x32\...\Run: [Cokoofogcuiveq] - C:\Users\Richard\AppData\Roaming\Fyfecual\cueho.exe [304882 2013-09-14] ()
C:\Users\Richard\AppData\Roaming\Fyfecual
HKLM-x32\...\Run: [Nixiydpop] - C:\Users\Richard\AppData\Roaming\Syalcero\ukocg.exe [304882 2013-07-29] ()
HKLM-x32\...\Run: [beuqy] - C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe [299209 2013-12-26] ()
C:\Users\Richard\AppData\Roaming\Piatymvy
HKLM-x32\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
C:\Users\Richard\AppData\Roaming\Xafoivug
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [cnqsvluq] - "C:\Users\Richard\AppData\Local\wwbhthva.exe"
C:\Users\Richard\AppData\Local\wwbhthva.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ocrmmcxa] - C:\Users\Richard\AppData\Local\kpbpivdt.exe [110592 2014-03-19] ()
C:\Users\Richard\AppData\Local\kpbpivdt.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [jtcjwpur] - C:\Users\Richard\AppData\Local\aqucfugc.exe [106496 2014-03-20] ()
C:\Users\Richard\AppData\Local\aqucfugc.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [oaeqltse] - C:\Users\Richard\AppData\Local\mgtkkvgh.exe [106496 2014-03-22] ()
C:\Users\Richard\AppData\Local\mgtkkvgh.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [xdhsaitq] - C:\Users\Richard\AppData\Local\pmtbhdqk.exe [106496 2014-03-22] ()
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [usgimeyqufybkyy] - C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe [296126 2013-12-23] ()
C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ckhistei] - C:\Users\Richard\AppData\Local\fioftvoc.exe [114688 2014-03-23] ()
C:\Users\Richard\AppData\Local\fioftvoc.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [beuqy] - C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe [299209 2013-12-26] ()
C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ihefadl] - C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe
C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe
SearchScopes: HKCU - {B9194313-1CA3-4C3A-B5D0-CF4ACB4719D3} URL = http://search.condui...urce=45&UM=2&q={searchTerms}
S3 AsrCDDrv; \??\C:\Windows\SysWOW64\Drivers\AsrCDDrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Richard\FlightBeam_Phoenix Sky Harbor - HD.reg
C:\Users\Richard\FlightBeam_San Francisco X.reg
C:\Users\Richard\FSDreamTeam_Chicago Ohare.reg
C:\Users\Richard\FSDreamTeam_Dallas-Fort Worth.reg
C:\Users\Richard\FSDreamTeam_Geneva.reg
C:\Users\Richard\FSDreamTeam_GSX.reg
C:\Users\Richard\FSDreamTeam_JFK V2.reg
C:\Users\Richard\FSDreamTeam_JFK.reg
C:\Users\Richard\FSDreamTeam_KFLL.reg
C:\Users\Richard\FSDreamTeam_KLAS.reg
C:\Users\Richard\FSDreamTeam_Los Angeles V2.reg
C:\Users\Richard\FSDreamTeam_Vancouver CYVR.reg
C:\Users\Richard\FSDreamTeam_ZurichX.reg
C:\Users\Richard\QualityWings_Ultimate 757 Collection.reg
C:\Users\Richard\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Richard\AppData\Local\Temp\lowproc.exe
C:\Users\Richard\AppData\Local\Temp\stubhelper.dll
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_1b831219.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_2949ed18.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_7d466054.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_a5b6c43b.exe
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_d14764c5.exe
2009-07-13 21:34 - 2013-06-07 00:08 - 00001943 ____A C:\Windows\system32\Drivers\etc\hosts
Task: {89CED01B-5A42-48E2-8F52-E8C8EF129833} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {E01BF966-DF19-4C07-895A-39813EC57F4F} - System32\Tasks\4882 => Wscript.exe C:\Users\Richard\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:00934A10
AlternateDataStreams: C:\ProgramData\TEMP:74603393
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Ihefadl => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Xafoivug => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Usgimeyqufybkyy => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Miinhy => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Beuqy => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Piatymvy => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Udahmaytuf => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Fyucqusy => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Usgimeyqufybkyy => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Miinhy" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Xenekyvycac => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Dofawy => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Cokoofogcuiveq => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Fyfecual => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Nixiydpop => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Beuqy => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Piatymvy" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Ihefadl => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Xafoivug" => File/Directory not found.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\cnqsvluq => Value deleted successfully.
"C:\Users\Richard\AppData\Local\wwbhthva.exe" => File/Directory not found.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ocrmmcxa => Value deleted successfully.
C:\Users\Richard\AppData\Local\kpbpivdt.exe => Moved successfully.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\jtcjwpur => Value deleted successfully.
C:\Users\Richard\AppData\Local\aqucfugc.exe => Moved successfully.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\oaeqltse => Value deleted successfully.
C:\Users\Richard\AppData\Local\mgtkkvgh.exe => Moved successfully.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\xdhsaitq => Value deleted successfully.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Usgimeyqufybkyy => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe" => File/Directory not found.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ckhistei => Value deleted successfully.
C:\Users\Richard\AppData\Local\fioftvoc.exe => Moved successfully.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Beuqy => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe => Moved successfully.
HKU\S-1-5-21-2902050937-303955776-554964296-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Ihefadl => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe" => File/Directory not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B9194313-1CA3-4C3A-B5D0-CF4ACB4719D3} => Key deleted successfully.
HKCR\CLSID\{B9194313-1CA3-4C3A-B5D0-CF4ACB4719D3} => Key not found.
AsrCDDrv => Service deleted successfully.
VGPU => Service deleted successfully.
C:\Users\Richard\FlightBeam_Phoenix Sky Harbor - HD.reg => Moved successfully.
C:\Users\Richard\FlightBeam_San Francisco X.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_Chicago Ohare.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_Dallas-Fort Worth.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_Geneva.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_GSX.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_JFK V2.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_JFK.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_KFLL.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_KLAS.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_Los Angeles V2.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_Vancouver CYVR.reg => Moved successfully.
C:\Users\Richard\FSDreamTeam_ZurichX.reg => Moved successfully.
C:\Users\Richard\QualityWings_Ultimate 757 Collection.reg => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\lowproc.exe => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\stubhelper.dll => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_1b831219.exe => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_2949ed18.exe => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_7d466054.exe => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_a5b6c43b.exe => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_d14764c5.exe => Moved successfully.
C:\Windows\system32\Drivers\etc\hosts => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{89CED01B-5A42-48E2-8F52-E8C8EF129833} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{89CED01B-5A42-48E2-8F52-E8C8EF129833} => Key deleted successfully.
C:\Windows\System32\Tasks\0 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E01BF966-DF19-4C07-895A-39813EC57F4F} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E01BF966-DF19-4C07-895A-39813EC57F4F} => Key deleted successfully.
C:\Windows\System32\Tasks\4882 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4882 => Key deleted successfully.
C:\ProgramData\TEMP => ":00934A10" ADS removed successfully.
C:\ProgramData\TEMP => ":74603393" ADS removed successfully.
 
==== End of Fixlog ====
 
# AdwCleaner v3.022 - Report created 24/03/2014 at 21:35:44
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Ultimate N Service Pack 1 (64 bits)
# Username : Richard - RICHARD-PC
# Running from : C:\Users\Richard\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\StarApp
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\ProgramData\cOOntiNuetaosave
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\Software\SProtector
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16521
 
 
-\\ Google Chrome v33.0.1750.154
 
[ File : C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2554 octets] - [24/03/2014 10:17:47]
AdwCleaner[s0].txt - [2404 octets] - [24/03/2014 21:35:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2464 octets] ##########
 
 
2014/03/25 00:04:07 -0500 RICHARD-PC Richard IP-BLOCK 72.227.178.35 (Type: outgoing, Port: 49411, Process: explorer.exe)
2014/03/25 00:04:56 -0500 RICHARD-PC Richard IP-BLOCK 72.227.178.35 (Type: outgoing, Port: 49836, Process: explorer.exe)
2014/03/25 00:05:39 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 50094, Process: svchost.exe)
2014/03/25 00:10:49 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 52675, Process: svchost.exe)
2014/03/25 00:16:00 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 57038, Process: svchost.exe)
2014/03/25 00:21:17 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 60201, Process: svchost.exe)
2014/03/25 00:25:55 -0500 RICHARD-PC Richard IP-BLOCK 109.236.82.184 (Type: outgoing, Port: 63958, Process: inpoy.exe)
2014/03/25 00:26:04 -0500 RICHARD-PC Richard IP-BLOCK 109.236.82.184 (Type: outgoing, Port: 64054, Process: inpoy.exe)
2014/03/25 00:37:10 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Local\xvdgxbkk.exe Trojan.Agent.ED QUARANTINE
2014/03/25 00:41:49 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 59465, Process: svchost.exe)
2014/03/25 00:47:23 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 63375, Process: svchost.exe)
2014/03/25 00:52:37 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 51009, Process: svchost.exe)
2014/03/25 00:58:07 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 54779, Process: svchost.exe)
2014/03/25 01:03:27 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 57119, Process: svchost.exe)
2014/03/25 01:08:42 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 60914, Process: svchost.exe)
2014/03/25 01:14:08 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 63633, Process: svchost.exe)
2014/03/25 01:17:38 -0500 RICHARD-PC Richard MESSAGE Executing scheduled update:  Daily
2014/03/25 01:17:50 -0500 RICHARD-PC Richard MESSAGE Scheduled update executed successfully:  database updated from version v2014.03.25.01 to version v2014.03.25.02
2014/03/25 01:17:50 -0500 RICHARD-PC Richard MESSAGE Starting database refresh
2014/03/25 01:17:50 -0500 RICHARD-PC Richard MESSAGE Stopping IP protection
2014/03/25 01:18:00 -0500 RICHARD-PC Richard MESSAGE IP Protection stopped successfully
2014/03/25 01:24:58 -0500 RICHARD-PC Richard MESSAGE Database refreshed successfully
2014/03/25 01:24:58 -0500 RICHARD-PC Richard MESSAGE Starting IP protection
2014/03/25 01:25:04 -0500 RICHARD-PC Richard MESSAGE IP Protection started successfully
2014/03/25 01:25:15 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 51574, Process: svchost.exe)
2014/03/25 02:01:55 -0500 RICHARD-PC Richard IP-BLOCK 96.228.234.199 (Type: outgoing, Port: 62696, Process: explorer.exe)
2014/03/25 02:02:11 -0500 RICHARD-PC Richard IP-BLOCK 46.163.172.235 (Type: outgoing, Port: 62764, Process: explorer.exe)
2014/03/25 02:02:28 -0500 RICHARD-PC Richard IP-BLOCK 109.86.215.143 (Type: outgoing, Port: 62883, Process: explorer.exe)
2014/03/25 02:02:44 -0500 RICHARD-PC Richard IP-BLOCK 72.225.139.217 (Type: outgoing, Port: 62940, Process: explorer.exe)
2014/03/25 02:04:54 -0500 RICHARD-PC Richard IP-BLOCK 109.86.215.143 (Type: outgoing, Port: 63446, Process: explorer.exe)
2014/03/25 02:04:54 -0500 RICHARD-PC Richard IP-BLOCK 72.225.139.217 (Type: outgoing, Port: 63448, Process: explorer.exe)
2014/03/25 02:07:50 -0500 RICHARD-PC Richard IP-BLOCK 109.86.215.143 (Type: outgoing, Port: 63711, Process: explorer.exe)
2014/03/25 02:07:50 -0500 RICHARD-PC Richard IP-BLOCK 72.225.139.217 (Type: outgoing, Port: 63751, Process: explorer.exe)
2014/03/25 02:10:23 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:10:23 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:21:59 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:21:59 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:22:21 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:22:21 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:22:35 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:22:35 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:23:01 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 56861, Process: explorer.exe)
2014/03/25 02:23:18 -0500 RICHARD-PC Richard IP-BLOCK 109.86.215.143 (Type: outgoing, Port: 57364, Process: explorer.exe)
2014/03/25 02:23:18 -0500 RICHARD-PC Richard IP-BLOCK 72.225.139.217 (Type: outgoing, Port: 57379, Process: explorer.exe)
2014/03/25 02:24:06 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 57986, Process: inpoy.exe)
2014/03/25 02:31:13 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 61751, Process: inpoy.exe)
2014/03/25 02:32:10 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 62288, Process: explorer.exe)
2014/03/25 02:33:15 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 64024, Process: explorer.exe)
2014/03/25 02:48:02 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:48:03 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:56:25 -0500 RICHARD-PC Richard IP-BLOCK 109.202.21.156 (Type: outgoing, Port: 55850, Process: explorer.exe)
2014/03/25 02:56:25 -0500 RICHARD-PC Richard IP-BLOCK 95.78.166.17 (Type: outgoing, Port: 55852, Process: explorer.exe)
2014/03/25 02:57:44 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:57:44 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:57:49 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:57:49 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:58:26 -0500 RICHARD-PC Richard IP-BLOCK 72.225.139.217 (Type: outgoing, Port: 57199, Process: explorer.exe)
2014/03/25 02:59:15 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 57930, Process: explorer.exe)
2014/03/25 02:59:15 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 57974, Process: explorer.exe)
2014/03/25 02:59:23 -0500 RICHARD-PC Richard IP-BLOCK 109.202.21.156 (Type: outgoing, Port: 58221, Process: explorer.exe)
2014/03/25 02:59:23 -0500 RICHARD-PC Richard IP-BLOCK 95.78.166.17 (Type: outgoing, Port: 58236, Process: explorer.exe)
2014/03/25 03:01:19 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:01:19 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:01:32 -0500 RICHARD-PC Richard IP-BLOCK 72.225.139.217 (Type: outgoing, Port: 60123, Process: explorer.exe)
2014/03/25 03:01:32 -0500 RICHARD-PC Richard IP-BLOCK 109.202.21.156 (Type: outgoing, Port: 60128, Process: explorer.exe)
2014/03/25 03:01:32 -0500 RICHARD-PC Richard IP-BLOCK 95.78.166.17 (Type: outgoing, Port: 60133, Process: explorer.exe)
2014/03/25 03:04:22 -0500 RICHARD-PC Richard IP-BLOCK 62.122.110.119 (Type: outgoing, Port: 62323, Process: explorer.exe)
2014/03/25 03:06:27 -0500 RICHARD-PC Richard IP-BLOCK 188.231.147.199 (Type: outgoing, Port: 63085, Process: explorer.exe)
2014/03/25 03:06:27 -0500 RICHARD-PC Richard IP-BLOCK 188.239.5.123 (Type: outgoing, Port: 63086, Process: explorer.exe)
2014/03/25 03:06:27 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 63087, Process: explorer.exe)
2014/03/25 03:13:28 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 64539, Process: explorer.exe)
2014/03/25 03:13:28 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 64540, Process: explorer.exe)
2014/03/25 03:13:28 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 64550, Process: explorer.exe)
2014/03/25 03:13:28 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 64554, Process: explorer.exe)
2014/03/25 03:13:28 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 64556, Process: explorer.exe)
2014/03/25 03:14:38 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:14:39 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:14:47 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:14:47 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:15:31 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:15:31 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:16:02 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 49348, Process: inpoy.exe)
2014/03/25 03:16:02 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 49388, Process: inpoy.exe)
2014/03/25 03:16:13 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:16:18 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:16:18 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:17:07 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 49854, Process: inpoy.exe)
2014/03/25 03:17:59 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:17:59 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:19:48 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 51181, Process: explorer.exe)
2014/03/25 03:25:07 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:25:07 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:28:22 -0500 RICHARD-PC Richard IP-BLOCK 78.140.143.46 (Type: outgoing, Port: 56347, Process: inpoy.exe)
2014/03/25 03:37:40 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:37:40 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:37:44 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:37:44 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:42:54 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:42:54 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:46:20 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:46:20 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:49:59 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:49:59 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:50:02 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:50:02 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:50:59 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 03:50:59 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:51:02 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:51:02 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 03:59:46 -0500 RICHARD-PC (null) MESSAGE Starting protection
2014/03/25 03:59:46 -0500 RICHARD-PC (null) MESSAGE Protection started successfully
2014/03/25 03:59:46 -0500 RICHARD-PC (null) MESSAGE Starting IP protection
2014/03/25 03:59:47 -0500 RICHARD-PC (null) MESSAGE IP Protection started successfully
2014/03/25 04:03:00 -0500 RICHARD-PC Richard IP-BLOCK 176.73.253.215 (Type: outgoing, Port: 49238, Process: osiziz.exe)
2014/03/25 04:08:44 -0500 RICHARD-PC Richard IP-BLOCK 176.73.253.215 (Type: outgoing, Port: 51042, Process: explorer.exe)
2014/03/25 04:10:07 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 52135, Process: svchost.exe)
2014/03/25 04:15:30 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 55156, Process: svchost.exe)
2014/03/25 04:20:48 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 55585, Process: svchost.exe)
2014/03/25 04:22:22 -0500 RICHARD-PC (null) MESSAGE Starting protection
2014/03/25 04:22:22 -0500 RICHARD-PC (null) MESSAGE Protection started successfully
2014/03/25 04:22:22 -0500 RICHARD-PC (null) MESSAGE Starting IP protection
2014/03/25 04:22:23 -0500 RICHARD-PC (null) MESSAGE IP Protection started successfully
2014/03/25 04:28:46 -0500 RICHARD-PC Richard IP-BLOCK 83.242.229.18 (Type: outgoing, Port: 49433, Process: explorer.exe)
2014/03/25 04:30:57 -0500 RICHARD-PC Richard IP-BLOCK 80.255.144.237 (Type: outgoing, Port: 50661, Process: inpoy.exe)
2014/03/25 04:31:54 -0500 RICHARD-PC Richard IP-BLOCK 80.255.144.237 (Type: outgoing, Port: 51285, Process: inpoy.exe)
2014/03/25 04:32:43 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 51688, Process: svchost.exe)
2014/03/25 04:37:38 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.77 (Type: outgoing, Port: 53985, Process: explorer.exe)
2014/03/25 04:37:38 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.77 (Type: outgoing, Port: 53986, Process: explorer.exe)
2014/03/25 04:38:10 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 54628, Process: svchost.exe)
2014/03/25 04:40:36 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Local\pogedwtv.exe Trojan.Agent.ED QUARANTINE
2014/03/25 04:43:23 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 58110, Process: svchost.exe)
2014/03/25 04:48:39 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 61256, Process: svchost.exe)
2014/03/25 04:54:09 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 49598, Process: svchost.exe)
2014/03/25 04:59:15 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 53016, Process: svchost.exe)
2014/03/25 05:04:15 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 57219, Process: svchost.exe)
2014/03/25 05:09:41 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 49505, Process: svchost.exe)
2014/03/25 05:15:14 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 56818, Process: svchost.exe)
2014/03/25 05:20:48 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 64826, Process: svchost.exe)
2014/03/25 05:26:03 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 55008, Process: svchost.exe)
2014/03/25 05:28:20 -0500 RICHARD-PC (null) MESSAGE Starting protection
2014/03/25 05:28:21 -0500 RICHARD-PC (null) MESSAGE Protection started successfully
2014/03/25 05:28:21 -0500 RICHARD-PC (null) MESSAGE Starting IP protection
2014/03/25 05:28:22 -0500 RICHARD-PC (null) MESSAGE IP Protection started successfully
2014/03/25 05:35:23 -0500 RICHARD-PC Richard IP-BLOCK 192.133.137.15 (Type: outgoing, Port: 49295, Process: osiziz.exe)
2014/03/25 05:41:24 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 52579, Process: svchost.exe)
 
 
CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.CNAPXZ
 ----- EOF ----- 
 
 
 
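As an added example, not code from the original post or from Malwarebytes: the script below parses the protection-log lines above (the IP-BLOCK, DETECTION and quarantine ERROR formats exactly as logged) and answers the three questions a responder asks of such a log: which processes the outbound blocks are attributed to, which of those process names are not legitimate Windows binaries, and which files the real-time scanner keeps detecting but cannot quarantine. The sample lines are a constructed subset copied from the log above; the baseline process list and the reading of error codes 5 and 2 as the Win32 values ERROR_ACCESS_DENIED and ERROR_FILE_NOT_FOUND are my assumptions.

```python
"""Triage a Malwarebytes Anti-Malware protection log (added example).

Not code from the forum post or from Malwarebytes. It parses the
IP-BLOCK / DETECTION / ERROR line formats as they appear in the thread;
SAMPLE_LOG is a constructed subset of those entries.
"""
import re
from collections import Counter, defaultdict

# Every line starts "YYYY/MM/DD HH:MM:SS -0500 HOST USER ".
_PREFIX = r"^(?P<ts>\S+ \S+ [+-]\d{4}) (?P<host>\S+) (?P<user>\S+) "

IP_BLOCK = re.compile(
    _PREFIX + r"IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)
DETECTION = re.compile(_PREFIX + r"DETECTION (?P<path>.+) (?P<threat>\S+) QUARANTINE$")
QFAIL = re.compile(_PREFIX + r"ERROR Quarantine failed:\s+(?P<why>.+)$")

# Assumption: a minimal baseline of legitimate process names. Zbot injects into
# explorer.exe/svchost.exe, so a block from them is NOT exonerated; a name that
# is absent from this list is simply an immediate lead.
BASELINE_PROCESSES = {"explorer.exe", "svchost.exe", "iexplore.exe", "chrome.exe"}

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_LOG = r"""
2014/03/25 00:04:07 -0500 RICHARD-PC Richard IP-BLOCK 72.227.178.35 (Type: outgoing, Port: 49411, Process: explorer.exe)
2014/03/25 00:05:39 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 50094, Process: svchost.exe)
2014/03/25 00:10:49 -0500 RICHARD-PC Richard IP-BLOCK 146.185.239.20 (Type: outgoing, Port: 52675, Process: svchost.exe)
2014/03/25 00:25:55 -0500 RICHARD-PC Richard IP-BLOCK 109.236.82.184 (Type: outgoing, Port: 63958, Process: inpoy.exe)
2014/03/25 00:37:10 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Local\xvdgxbkk.exe Trojan.Agent.ED QUARANTINE
2014/03/25 01:17:38 -0500 RICHARD-PC Richard MESSAGE Executing scheduled update:  Daily
2014/03/25 02:10:23 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:10:23 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 02:21:59 -0500 RICHARD-PC Richard DETECTION C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe Spyware.Zbot QUARANTINE
2014/03/25 02:21:59 -0500 RICHARD-PC Richard ERROR Quarantine failed:  DeleteFile failed with error code 5
2014/03/25 03:16:18 -0500 RICHARD-PC Richard DETECTION c:\users\richard\appdata\roaming\syalcero\ukocg.exe Spyware.Zbot QUARANTINE
2014/03/25 03:16:18 -0500 RICHARD-PC Richard ERROR Quarantine failed:  SDKQuarantine failed with error code 2
2014/03/25 04:03:00 -0500 RICHARD-PC Richard IP-BLOCK 176.73.253.215 (Type: outgoing, Port: 49238, Process: osiziz.exe)
"""


def parse(text):
    """Turn log text into a list of event dicts; MESSAGE and unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := IP_BLOCK.match(line):
            events.append({"kind": "block", **m.groupdict()})
        elif m := DETECTION.match(line):
            # The same path is logged in mixed case; normalise so counts merge.
            events.append({"kind": "detect", "ts": m["ts"],
                           "path": m["path"].lower(), "threat": m["threat"]})
        elif m := QFAIL.match(line):
            events.append({"kind": "qfail", "ts": m["ts"], "why": m["why"].strip()})
    return events


def blocks_by_process(events):
    """{process: {ip: count}} for outbound connections the IP filter blocked."""
    out = defaultdict(Counter)
    for ev in events:
        if ev["kind"] == "block":
            out[ev["proc"]][ev["ip"]] += 1
    return {proc: dict(c) for proc, c in out.items()}


def unexpected_processes(events):
    """Process names behind blocked connections that are not on the baseline."""
    names = {ev["proc"] for ev in events if ev["kind"] == "block"}
    return sorted(names - BASELINE_PROCESSES)


def quarantine_failures(events):
    """Count DETECTION lines immediately followed by a quarantine ERROR, per path.

    Win32 error 5 is ERROR_ACCESS_DENIED (the file is held open or protected,
    typically because the sample is still running); error 2 is
    ERROR_FILE_NOT_FOUND (the file moved or was replaced between scan and
    quarantine). Either way the real-time scanner is not winning.
    """
    failed = Counter()
    pending = None
    for ev in events:
        if ev["kind"] == "detect":
            pending = ev
        elif ev["kind"] == "qfail" and pending is not None:
            failed[pending["path"]] += 1
            pending = None
        else:
            pending = None
    return failed


def report(text):
    events = parse(text)
    return {
        "blocks": blocks_by_process(events),
        "unexpected": unexpected_processes(events),
        "quarantine_failures": dict(quarantine_failures(events)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the log above this yields exactly the leads that matter: the unknown process names (inpoy.exe, osiziz.exe) and the repeated access-denied failures on novevo.exe, which is why the file keeps being re-detected instead of removed. Blocks charged to explorer.exe and svchost.exe prove nothing either way, because Zbot runs inside those processes.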

Continue as follows please:

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the file to a convenient location. (Recommend the Desktop.)

3. Open the folder where the contents were unzipped to run mbar.exe. (Image1.png)

4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image: (mbarwm.png)

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning you will go from step 4 to step 6.)

6. The following image opens; select Next. (Image2.png)

7. The following image opens; select Update. (Image3.png)

8. When the update completes select Next. (Image4.png)

9. In the following window ensure "Targets" are ticked. Then select "Scan". (Image5.png)

10. If an infection is found select the "Cleanup" button to remove threats; reboot if prompted. Wait while the system shuts down and the cleanup process is performed. (MBAntiRKcleanA.png)

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click the "Cleanup" button once more and repeat the process.

12. If no threats were found you will see the following image; select Exit. (Image6.png)

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Press "Y" on your keyboard, then tap Enter.

16. The fix will be applied; press any key to exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log (the date and time of the scan will also be shown)

Thanks,

Kevin...


Hello Kevin,

 

Well I wish I could report things were better, but they're either the same or decidedly worse. As I tested the system everything at first seemed okay - just slight delays in launching things like browsers and programs. Then the issues began to show their ugly heads again - browsers staying blank for a long time; failing and recovering, and applications taking 5 minutes to launch and then stuttering through their execution. Rebooting the computer is an affair all by itself with the screen blinking rapidly and then going back to the un-rebooted state. The final reboot I've done tonight came back to a screen that's entirely striped like a pajama suit. I'm so surprised that MBAM let whatever is affecting me through. I hope you have other suggestions that could help me otherwise I think I'm hosed!

 

Thanks for the help! The logs follow......

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.03.25.04
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Richard :: RICHARD-PC [administrator]
 
3/25/2014 10:42:41 AM
mbar-log-2014-03-25 (10-42-41).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 261633
Time elapsed: 17 minute(s), 34 second(s)
 
Memory Processes Detected: 8
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 1464 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 16620 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 20560 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 14340 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 18812 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 9744 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 21404 -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> 19032 -> Delete on reboot.
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Fyzierneabmued (Spyware.Zbot) -> Data: "C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe" -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Fyzierneabmued (Spyware.Zbot) -> Data: C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe -> Delete on reboot.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|Fyzierneabmued (Spyware.Zbot) -> Data: C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe -> Delete on reboot.
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|Fyzierneabmued (Spyware.Zbot) -> Data: C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Beuqy (Spyware.Zbot) -> Data: "C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe" -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Beuqy (Spyware.Zbot) -> Data: "C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe" -> Delete on reboot.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|Beuqy (Spyware.Zbot) -> Data: C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe -> Delete on reboot.
HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|Beuqy (Spyware.Zbot) -> Data: C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe -> Delete on reboot.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 3
C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_627dec2b.exe (Spyware.Zbot) -> Delete on reboot.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.03.25.05
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Richard :: RICHARD-PC [administrator]
 
3/25/2014 11:09:34 AM
mbar-log-2014-03-25 (11-09-34).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 260710
Time elapsed: 2 hour(s), 17 minute(s), 13 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\Richard\AppData\Local\Temp\UpdateFlashPlayer_da5f38ae.exe (Trojan.Agent.ED) -> Delete on reboot.
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.03.26.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Richard :: RICHARD-PC [administrator]
 
3/25/2014 10:47:57 PM
mbar-log-2014-03-25 (22-47-57).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 260882
Time elapsed: 17 minute(s), 8 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 

 

system-log.txt

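As an added example, not code from the forum post, from Farbar or from Malwarebytes: the script below applies, to Run-key entries, the heuristic a responder applies by eye when reading the MBAR "Registry Values Detected" lines above and the `HKLM\...\Run:` lines in the FRST log later in the thread. Zbot's persistence here has one shape throughout: a Run value with a meaningless name whose target is a letters-only `<folder>\<name>.exe` pair directly under AppData\Roaming, with no publisher. The two line formats are parsed exactly as they appear in the thread; the sample lines are a constructed mix copied from it, and the scoring (an entry is suspect when at least two of the three signals fire) is my assumption, not a rule from either tool.

```python
"""Flag Zbot-style autorun entries in FRST and MBAR output (added example).

Not code from the forum post, from Farbar or from Malwarebytes. SAMPLE is a
constructed mix of Run entries copied from the thread.
"""
import re
from pathlib import PureWindowsPath

# FRST:  HKLM\...\Run: [Name] - C:\path\file.exe [size date] (Publisher)
FRST_RUN = re.compile(
    r"^(?P<hive>HK\w+(?:-x32)?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - (?P<rest>.+)$"
)
# MBAR:  HKLM\SOFTWARE\...\Run|Name (Spyware.Zbot) -> Data: "C:\path\file.exe" -> Delete on reboot.
MBAR_RUN = re.compile(
    r"^(?P<hive>HK[^|]+\\Run)\|(?P<name>\S+) \([^)]+\) -> Data: (?P<rest>.+?) -> "
)
EXE_EXT = r"\.(?:exe|dll|scr|cmd|bat|vbs|js)"

SAMPLE = r"""
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-16] (Realtek Semiconductor)
HKLM\...\Run: [usgimeyqufybkyy] - "C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe"
HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Fyzierneabmued (Spyware.Zbot) -> Data: "C:\Users\Richard\AppData\Roaming\Qihynak\osiziz.exe" -> Delete on reboot.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run|Beuqy (Spyware.Zbot) -> Data: C:\Users\Richard\AppData\Roaming\Piatymvy\inpoy.exe -> Delete on reboot.
"""


def split_target(rest):
    """Return (path, publisher_or_None) from the text after the value name."""
    rest = rest.strip()
    if rest.startswith('"'):                       # quoted path, possibly with spaces
        end = rest.find('"', 1)
        end = len(rest) if end < 0 else end
        path, tail = rest[1:end], rest[end + 1:]
    else:                                          # unquoted: stop at the first executable extension
        m = re.match(r"(?P<path>.+?" + EXE_EXT + r")(?P<tail>.*)$", rest, re.I)
        path, tail = (m["path"], m["tail"]) if m else (rest, "")
    pub = re.search(r"\(([^()]+)\)\s*$", tail)     # FRST appends "(Publisher)" when it knows one
    return path, (pub.group(1) if pub else None)


def parse_run_entries(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = FRST_RUN.match(line) or MBAR_RUN.match(line)
        if not m:
            continue
        path, pub = split_target(m["rest"])
        entries.append({"hive": m["hive"], "name": m["name"], "path": path, "publisher": pub})
    return entries


def assess(entry):
    """Reasons an entry looks like the Zbot persistence seen in this thread."""
    p = PureWindowsPath(entry["path"])
    parts = [x.lower() for x in p.parts]
    reasons = []
    if "appdata" in parts:
        reasons.append("target runs from the user profile AppData tree")
        below = parts[parts.index("appdata") + 1:]   # e.g. ['roaming', 'qihynak', 'osiziz.exe']
        if (len(below) == 3 and below[0] in ("roaming", "local")
                and below[1].isalpha() and p.stem.isalpha()):
            reasons.append("letters-only <folder>\\<name>.exe pair directly under AppData\\" + below[0].capitalize())
    if entry["publisher"] is None:
        reasons.append("no publisher recorded for the target")
    return reasons


def triage(text):
    """Assumption: two or more signals make an entry worth pulling for analysis."""
    rows = []
    for entry in parse_run_entries(text):
        reasons = assess(entry)
        rows.append({**entry, "reasons": reasons, "suspect": len(reasons) >= 2})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        flag = "SUSPECT" if row["suspect"] else "ok     "
        print(flag, row["hive"], row["name"], "->", row["path"], row["reasons"])
```

The publisher signal relies on FRST's own annotation, so an unsigned but legitimate tool in AppData will score one point and stay below the threshold unless it also uses the random folder layout; conversely, a signed updater under AppData\Local (Google, Dropbox and the like) is not flagged. Note that Zbot writes the same value under HKLM, HKCU and both Wow6432Node views, as the MBAR log above shows, so expect each hit to appear up to four times.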

Yes I can see there maybe bad issues, lots of malware/infection on your system, do you have access to another PC and a Flash drive (USB Memory stick) if so run FRST from outside of windows:

 

Please download Farbar Recovery Scan Tool from here:                                                                  

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

Plug the flash drive into the infected PC.

 

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt Here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter System Recovery Command prompt.

 

If you are using Vista or Windows 7 enter System Recovery Options.

 

Plug the flashdrive into the infected PC.

 

Enter System Recovery Options I give two methods, use whichever is convenient for you.

 

To enter System Recovery Options from the Advanced Boot Options:


Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select Your Country as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

 

To enter System Recovery Options by using the Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select your country as the keyboard language setting, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select "Computer", find your flash drive letter, and close Notepad.
In the command window type e:\frst64 or e:\frst depending on your version. Press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Thanks,

Kevin....


Hello Kevin,

Here is the log file:

Thanks!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by SYSTEM on MININT-DVOPIPO on 27-03-2014 02:21:27
Running from F:\
Windows 7 Ultimate N Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-16] (Realtek Semiconductor)
HKLM\...\Run: [usgimeyqufybkyy] - "C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe"
HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NBAgent] - C:\Program Files (x86)\Nero\Nero 11\Nero BackItUp\NBAgent.exe [1493288 2011-09-20] (Nero AG)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-09-13] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [iJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKU\Richard\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-05-28] (Google Inc.)
HKU\Richard\...\Run: [Google Update] - C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-07-12] (Google Inc.)
HKU\Richard\...\Run: [ApplePhotoStreams] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\Richard\...\Run: [iCloudServices] - C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
HKU\Richard\...\Run: [bqdckkbd] - C:\Users\Richard\AppData\Local\ebrpqrsg.exe [118784 2014-03-25] ()
 
==================== Services (Whitelisted) =================
 
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2169016 2014-03-01] (Microsoft Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
S2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
 
==================== Drivers (Whitelisted) ====================
 
S1 ejgzteza; C:\Windows\system32\drivers\ejgzteza.sys [55104 2014-03-25] (Microsoft Corporation)
S3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
S3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
S3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-03-25] ()
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-25 23:12 - 2014-03-25 23:12 - 00055104 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ejgzteza.sys
2014-03-25 12:21 - 2014-03-25 12:21 - 00118784 _____ () C:\Users\Richard\AppData\Local\ebrpqrsg.exe
2014-03-25 08:07 - 2014-03-25 21:23 - 00094656 _____ (CACE Technologies) C:\Windows\System32\WPRO_41_2001woem.tmp
2014-03-25 07:42 - 2014-03-25 19:47 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-03-25 07:39 - 2014-03-25 20:31 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-03-25 07:39 - 2014-03-25 20:15 - 00000000 ____D () C:\Users\Richard\Desktop\mbar
2014-03-25 03:01 - 2014-03-25 03:01 - 00006338 _____ () C:\Users\Richard\AppData\Local\duxqofwl
2014-03-25 02:31 - 2014-03-25 20:27 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 01:00 - 2014-03-25 01:23 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-24 18:36 - 2014-03-25 08:06 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Qihynak
2014-03-24 07:17 - 2014-03-24 18:35 - 00000000 ____D () C:\AdwCleaner
2014-03-24 07:08 - 2014-03-25 08:04 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Piatymvy
2014-03-24 07:08 - 2014-03-25 00:59 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Miinhy
2014-03-23 20:36 - 2014-03-23 20:36 - 00000000 ____D () C:\Users\Richard\Documents\New folder (2)
2014-03-23 20:31 - 2014-03-23 20:31 - 00000000 ____D () C:\Users\Richard\Documents\New folder
2014-03-23 19:58 - 2014-03-27 02:21 - 00000000 ____D () C:\FRST
2014-03-23 13:39 - 2014-03-25 00:16 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Syalcero
2014-03-22 18:12 - 2014-03-22 18:12 - 00106496 _____ () C:\Users\Richard\AppData\Local\pmtbhdqk.exe
2014-03-22 04:00 - 2014-03-22 04:00 - 00005911 _____ () C:\Users\Richard\AppData\Local\lcqibmel
2014-03-21 11:39 - 2014-03-21 11:39 - 00005911 _____ () C:\Users\Richard\AppData\Local\gvupnbox
2014-03-20 06:09 - 2014-03-20 06:09 - 00005911 _____ () C:\Users\Richard\AppData\Local\eboboaqd
2014-03-19 06:11 - 2014-03-19 06:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\Program Files\iTunes
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\Program Files\iPod
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-16 21:00 - 2014-03-16 21:00 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 17:33 - 2014-03-14 17:33 - 00012326 _____ () C:\Users\Richard\AppData\Local\xuhgjnch
2014-03-14 17:32 - 2014-03-14 17:32 - 00068465 _____ () C:\Users\Richard\AppData\Local\eccrerso
2014-03-14 17:31 - 2014-03-14 17:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-11 14:35 - 2014-02-28 22:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-03-11 14:35 - 2014-02-28 21:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-03-11 14:35 - 2014-02-28 21:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-03-11 14:35 - 2014-02-28 20:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-03-11 14:35 - 2014-02-28 20:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-03-11 14:35 - 2014-02-28 20:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-03-11 14:35 - 2014-02-28 20:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-03-11 14:35 - 2014-02-28 20:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-03-11 14:35 - 2014-02-28 20:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-03-11 14:35 - 2014-02-28 20:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-03-11 14:35 - 2014-02-28 20:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-03-11 14:35 - 2014-02-28 20:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-03-11 14:35 - 2014-02-28 20:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-11 14:35 - 2014-02-28 20:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-11 14:35 - 2014-02-28 20:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-03-11 14:35 - 2014-02-28 20:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-11 14:35 - 2014-02-28 20:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-03-11 14:35 - 2014-02-28 19:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-03-11 14:35 - 2014-02-28 19:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-11 14:35 - 2014-02-28 19:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-11 14:35 - 2014-02-28 19:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-11 14:35 - 2014-02-28 19:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-11 14:35 - 2014-02-28 19:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-11 14:35 - 2014-02-28 19:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-03-11 14:35 - 2014-02-28 19:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-11 14:35 - 2014-02-28 19:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-11 14:35 - 2014-02-28 19:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-11 14:35 - 2014-02-28 19:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-03-11 14:35 - 2014-02-28 19:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-03-11 14:35 - 2014-02-28 19:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-11 14:35 - 2014-02-28 19:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-11 14:35 - 2014-02-28 19:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-03-11 14:35 - 2014-02-28 19:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-11 14:35 - 2014-02-28 19:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-11 14:35 - 2014-02-28 18:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-11 14:35 - 2014-02-28 18:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-03-11 14:35 - 2014-02-28 18:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-11 14:35 - 2014-02-28 18:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-11 14:35 - 2014-02-28 18:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-03-11 14:35 - 2014-02-28 18:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-11 14:35 - 2014-02-06 17:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-03-11 14:35 - 2014-01-28 18:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\System32\wer.dll
2014-03-11 14:35 - 2014-01-28 18:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-11 14:35 - 2014-01-27 18:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\System32\wwansvc.dll
2014-03-11 14:34 - 2014-02-03 18:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2014-03-11 14:34 - 2014-02-03 18:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2014-03-11 14:34 - 2014-02-03 18:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-11 14:34 - 2014-02-03 18:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-10 17:02 - 2014-03-11 20:35 - 00000000 ____D () C:\Users\Richard\Documents\Tax Docs 2013
 
==================== One Month Modified Files and Folders =======
 
2014-03-27 02:21 - 2014-03-23 19:58 - 00000000 ____D () C:\FRST
2014-03-26 00:20 - 2013-07-19 11:08 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000UA.job
2014-03-26 00:19 - 2013-07-19 11:08 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000Core.job
2014-03-26 00:00 - 2013-05-28 09:40 - 01775871 _____ () C:\Windows\WindowsUpdate.log
2014-03-25 23:52 - 2013-05-28 18:49 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-25 23:49 - 2013-05-28 18:49 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-25 23:42 - 2013-06-02 12:09 - 00000000 ____D () C:\Users\Richard\Documents\Outlook Files
2014-03-25 23:12 - 2014-03-25 23:12 - 00055104 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ejgzteza.sys
2014-03-25 22:32 - 2013-05-28 22:56 - 00007605 _____ () C:\Users\Richard\AppData\Local\resmon.resmoncfg
2014-03-25 22:21 - 2013-05-28 21:46 - 00000000 ____D () C:\Users\Richard\Documents\Flight Simulator X Files
2014-03-25 21:37 - 2009-07-13 20:50 - 00025408 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-25 21:37 - 2009-07-13 20:50 - 00025408 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-25 21:23 - 2014-03-25 08:07 - 00094656 _____ (CACE Technologies) C:\Windows\System32\WPRO_41_2001woem.tmp
2014-03-25 21:23 - 2013-07-01 20:50 - 00010878 _____ () C:\Windows\setupact.log
2014-03-25 21:23 - 2013-07-01 20:49 - 00296740 _____ () C:\Windows\PFRO.log
2014-03-25 21:23 - 2013-05-28 18:49 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-25 21:23 - 2013-05-28 17:56 - 00034752 _____ () C:\Windows\System32\Drivers\WPRO_41_2001.sys
2014-03-25 21:23 - 2013-05-28 17:50 - 00000828 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2014-03-25 21:23 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-25 21:00 - 2013-05-29 21:44 - 00000000 ____D () C:\Users\Richard\AppData\Local\CrashDumps
2014-03-25 20:33 - 2013-09-13 09:19 - 00000000 ____D () C:\Users\Richard\AppData\Local\Apple Computer
2014-03-25 20:31 - 2014-03-25 07:39 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-03-25 20:27 - 2014-03-25 02:31 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 20:27 - 2013-09-13 07:14 - 00003218 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 20:15 - 2014-03-25 07:39 - 00000000 ____D () C:\Users\Richard\Desktop\mbar
2014-03-25 19:47 - 2014-03-25 07:42 - 00119000 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-03-25 19:18 - 2009-07-13 21:38 - 00000000 ____D () C:\Windows\addins
2014-03-25 12:21 - 2014-03-25 12:21 - 00118784 _____ () C:\Users\Richard\AppData\Local\ebrpqrsg.exe
2014-03-25 10:13 - 2013-05-28 17:50 - 00000830 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2014-03-25 08:06 - 2014-03-24 18:36 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Qihynak
2014-03-25 08:04 - 2014-03-24 07:08 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Piatymvy
2014-03-25 03:01 - 2014-03-25 03:01 - 00006338 _____ () C:\Users\Richard\AppData\Local\duxqofwl
2014-03-25 02:11 - 2014-02-16 22:50 - 00000000 ____D () C:\ProgramData\MSNDynFiles
2014-03-25 01:23 - 2014-03-25 01:00 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 01:23 - 2013-11-23 18:42 - 00003240 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 00:59 - 2014-03-24 07:08 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Miinhy
2014-03-25 00:16 - 2014-03-23 13:39 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Syalcero
2014-03-25 00:13 - 2013-07-19 11:08 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000UA
2014-03-25 00:13 - 2013-07-19 11:08 - 00003498 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000Core
2014-03-24 18:35 - 2014-03-24 07:17 - 00000000 ____D () C:\AdwCleaner
2014-03-24 07:08 - 2013-05-28 17:37 - 00000000 ____D () C:\users\Richard
2014-03-23 20:36 - 2014-03-23 20:36 - 00000000 ____D () C:\Users\Richard\Documents\New folder (2)
2014-03-23 20:31 - 2014-03-23 20:31 - 00000000 ____D () C:\Users\Richard\Documents\New folder
2014-03-23 19:57 - 2009-07-13 21:12 - 00803274 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-22 18:12 - 2014-03-22 18:12 - 00106496 _____ () C:\Users\Richard\AppData\Local\pmtbhdqk.exe
2014-03-22 04:00 - 2014-03-22 04:00 - 00005911 _____ () C:\Users\Richard\AppData\Local\lcqibmel
2014-03-21 11:39 - 2014-03-21 11:39 - 00005911 _____ () C:\Users\Richard\AppData\Local\gvupnbox
2014-03-20 06:09 - 2014-03-20 06:09 - 00005911 _____ () C:\Users\Richard\AppData\Local\eboboaqd
2014-03-19 06:11 - 2014-03-19 06:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla
2014-03-18 20:18 - 2013-06-01 10:13 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-03-18 00:01 - 2013-07-14 00:00 - 00000000 ____D () C:\Windows\System32\MRT
2014-03-18 00:00 - 2013-05-28 19:59 - 90015360 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\Program Files\iTunes
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\Program Files\iPod
2014-03-16 21:02 - 2014-03-16 21:02 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-16 21:00 - 2014-03-16 21:00 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 17:33 - 2014-03-14 17:33 - 00012326 _____ () C:\Users\Richard\AppData\Local\xuhgjnch
2014-03-14 17:32 - 2014-03-14 17:32 - 00068465 _____ () C:\Users\Richard\AppData\Local\eccrerso
2014-03-14 17:31 - 2014-03-14 17:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-12 00:19 - 2009-07-13 20:50 - 00451704 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-03-12 00:18 - 2014-01-01 09:25 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 00:18 - 2014-01-01 09:25 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-11 20:35 - 2014-03-10 17:02 - 00000000 ____D () C:\Users\Richard\Documents\Tax Docs 2013
2014-03-11 17:52 - 2013-05-28 18:49 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-11 17:52 - 2013-05-28 18:49 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-11 17:52 - 2013-05-28 18:49 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-28 22:05 - 2014-03-11 14:35 - 23133696 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-02-28 21:17 - 2014-03-11 14:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-02-28 21:16 - 2014-03-11 14:35 - 00004096 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollectorres.dll
2014-02-28 20:58 - 2014-03-11 14:35 - 02765824 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-02-28 20:52 - 2014-03-11 14:35 - 00066048 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-02-28 20:51 - 2014-03-11 14:35 - 00048640 _____ (Microsoft Corporation) C:\Windows\System32\ieetwproxystub.dll
2014-02-28 20:42 - 2014-03-11 14:35 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-02-28 20:40 - 2014-03-11 14:35 - 00033792 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-02-28 20:37 - 2014-03-11 14:35 - 00574976 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2014-02-28 20:33 - 2014-03-11 14:35 - 00139264 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2014-02-28 20:33 - 2014-03-11 14:35 - 00111616 _____ (Microsoft Corporation) C:\Windows\System32\ieetwcollector.exe
2014-02-28 20:32 - 2014-03-11 14:35 - 00708608 _____ (Microsoft Corporation) C:\Windows\System32\jscript9diag.dll
2014-02-28 20:30 - 2014-03-11 14:35 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-28 20:27 - 2013-05-29 20:47 - 00000000 ____D () C:\ProgramData\Esellerate
2014-02-28 20:23 - 2014-03-11 14:35 - 00940032 _____ (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2014-02-28 20:17 - 2014-03-11 14:35 - 00218624 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-02-28 20:11 - 2014-03-11 14:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-28 20:02 - 2014-03-11 14:35 - 00195584 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-02-28 19:54 - 2014-03-11 14:35 - 05768704 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-02-28 19:52 - 2014-03-11 14:35 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 19:51 - 2014-03-11 14:35 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 19:47 - 2014-03-11 14:35 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 19:43 - 2014-03-11 14:35 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 19:43 - 2014-03-11 14:35 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 19:42 - 2014-03-11 14:35 - 00627200 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-02-28 19:40 - 2014-03-11 14:35 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 19:38 - 2014-03-11 14:35 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 19:37 - 2014-03-11 14:35 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 19:35 - 2014-03-11 14:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-02-28 19:18 - 2014-03-11 14:35 - 13051904 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-02-28 19:16 - 2014-03-11 14:35 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 19:14 - 2014-03-11 14:35 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 19:10 - 2014-03-11 14:35 - 02334208 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-02-28 19:03 - 2014-03-11 14:35 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 19:00 - 2014-03-11 14:35 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 18:57 - 2014-03-11 14:35 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 18:38 - 2014-03-11 14:35 - 01393664 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-02-28 18:32 - 2014-03-11 14:35 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 18:27 - 2014-03-11 14:35 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 18:25 - 2014-03-11 14:35 - 00817664 _____ (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2014-02-28 18:25 - 2014-03-11 14:35 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
 
Some content of TEMP:
====================
C:\Users\Richard\AppData\Local\Temp\Quarantine.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2014-03-21 01:04:23
Restore point made on: 2014-03-21 01:08:53
Restore point made on: 2014-03-25 08:03:51
Restore point made on: 2014-03-25 16:17:52
Restore point made on: 2014-03-25 19:00:32
Restore point made on: 2014-03-25 23:12:23
 
==================== Memory info =========================== 
 
Percentage of memory in use: 10%
Total physical RAM: 8146.68 MB
Available physical RAM: 7331.33 MB
Total Pagefile: 8144.88 MB
Available Pagefile: 7315.87 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.75 GB) (Free:387.12 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive d: (Games) (Fixed) (Total:931.51 GB) (Free:809.49 GB) NTFS
Drive e: (GSP1RMCNULXFRER_EN_DVD) (CDROM) (Total:2.77 GB) (Free:0 GB) UDF
Drive f: (USB30FD) (Removable) (Total:59.36 GB) (Free:55.93 GB) FAT32
Drive g: (Elements) (Fixed) (Total:931.51 GB) (Free:798.44 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 4CEFF2DC)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 932 GB) (Disk ID: F2B80514)
 
Partition: GPT Partition Type.
 
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 59 GB) (Disk ID: C3072E18)
 
Partition: GPT Partition Type.
 
========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 932 GB) (Disk ID: 000AD541)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2014-03-21 01:05
 
==================== End Of Log ============================

Save the attached file fixlist.txt to your flash drive, same place as FRST.

Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it to your reply.

See if your system will boot; if so, run Malwarebytes and post a fresh log.

Kevin

fixlist.txt


Hello Kevin - no boot, logs below. Thanks!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by SYSTEM at 2014-03-27 09:03:26 Run:2
Running from F:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\Run: [usgimeyqufybkyy] - "C:\Users\Richard\AppData\Roaming\Miinhy\novevo.exe"
C:\Users\Richard\AppData\Roaming\Miinhy
HKU\Richard\...\Run: [bqdckkbd] - C:\Users\Richard\AppData\Local\ebrpqrsg.exe [118784 2014-03-25] ()
C:\Users\Richard\AppData\Local\ebrpqrsg.exe
S1 ejgzteza; C:\Windows\system32\drivers\ejgzteza.sys [55104 2014-03-25] (Microsoft Corporation)
C:\Windows\system32\drivers\ejgzteza.sys
2014-03-24 18:36 - 2014-03-25 08:06 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Qihynak
2014-03-24 07:08 - 2014-03-25 08:04 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Piatymvy
2014-03-24 07:08 - 2014-03-25 00:59 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Miinhy
2014-03-23 13:39 - 2014-03-25 00:16 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Syalcero
2014-03-22 18:12 - 2014-03-22 18:12 - 00106496 _____ () C:\Users\Richard\AppData\Local\pmtbhdqk.exe
2014-03-22 04:00 - 2014-03-22 04:00 - 00005911 _____ () C:\Users\Richard\AppData\Local\lcqibmel
2014-03-21 11:39 - 2014-03-21 11:39 - 00005911 _____ () C:\Users\Richard\AppData\Local\gvupnbox
2014-03-20 06:09 - 2014-03-20 06:09 - 00005911 _____ () C:\Users\Richard\AppData\Local\eboboaqd
2014-03-14 17:33 - 2014-03-14 17:33 - 00012326 _____ () C:\Users\Richard\AppData\Local\xuhgjnch
2014-03-14 17:32 - 2014-03-14 17:32 - 00068465 _____ () C:\Users\Richard\AppData\Local\eccrerso
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Usgimeyqufybkyy => Value deleted successfully.
C:\Users\Richard\AppData\Roaming\Miinhy => Moved successfully.
HKU\Richard\Software\Microsoft\Windows\CurrentVersion\Run\\bqdckkbd => Value deleted successfully.
C:\Users\Richard\AppData\Local\ebrpqrsg.exe => Moved successfully.
ejgzteza => Service deleted successfully.
C:\Windows\system32\drivers\ejgzteza.sys => Moved successfully.
C:\Users\Richard\AppData\Roaming\Qihynak => Moved successfully.
C:\Users\Richard\AppData\Roaming\Piatymvy => Moved successfully.
"C:\Users\Richard\AppData\Roaming\Miinhy" => File/Directory not found.
C:\Users\Richard\AppData\Roaming\Syalcero => Moved successfully.
C:\Users\Richard\AppData\Local\pmtbhdqk.exe => Moved successfully.
C:\Users\Richard\AppData\Local\lcqibmel => Moved successfully.
C:\Users\Richard\AppData\Local\gvupnbox => Moved successfully.
C:\Users\Richard\AppData\Local\eboboaqd => Moved successfully.
C:\Users\Richard\AppData\Local\xuhgjnch => Moved successfully.
C:\Users\Richard\AppData\Local\eccrerso => Moved successfully.
 
==== End of Fixlog ====

Save the attached file fixlist.txt to your flash drive, same place as FRST.

Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

It will also save the file "MBR.txt" to the flash drive; can you zip that file and attach it, please?

See if your system will boot.

fixlist.txt


Hello Kevin,

System rebooted and full scan performed! Logs follow. Thanks!

2014/03/27 23:22:57 -0500 RICHARD-PC (null) MESSAGE Executing scheduled update:  Daily
2014/03/27 23:22:59 -0500 RICHARD-PC (null) MESSAGE Starting protection
2014/03/27 23:22:59 -0500 RICHARD-PC (null) MESSAGE Protection started successfully
2014/03/27 23:22:59 -0500 RICHARD-PC (null) MESSAGE Starting IP protection
2014/03/27 23:23:00 -0500 RICHARD-PC (null) MESSAGE IP Protection started successfully
2014/03/27 23:23:11 -0500 RICHARD-PC (null) MESSAGE Scheduled update executed successfully:  database updated from version v2014.03.26.02 to version v2014.03.28.01
2014/03/27 23:23:11 -0500 RICHARD-PC (null) MESSAGE Starting database refresh
2014/03/27 23:23:11 -0500 RICHARD-PC (null) MESSAGE Stopping IP protection
2014/03/27 23:23:11 -0500 RICHARD-PC (null) MESSAGE IP Protection stopped successfully
2014/03/27 23:23:13 -0500 RICHARD-PC (null) MESSAGE Database refreshed successfully
2014/03/27 23:23:13 -0500 RICHARD-PC (null) MESSAGE Starting IP protection
2014/03/27 23:23:13 -0500 RICHARD-PC (null) MESSAGE IP Protection started successfully
2014/03/27 23:30:17 -0500 RICHARD-PC Richard IP-BLOCK 46.229.172.156 (Type: outgoing, Port: 49455, Process: explorer.exe)
2014/03/27 23:30:17 -0500 RICHARD-PC Richard IP-BLOCK 37.9.49.237 (Type: outgoing, Port: 49462, Process: explorer.exe)
2014/03/27 23:30:17 -0500 RICHARD-PC Richard IP-BLOCK 46.229.172.156 (Type: outgoing, Port: 49465, Process: explorer.exe)
2014/03/27 23:51:04 -0500 RICHARD-PC Richard IP-BLOCK 99.249.29.20 (Type: outgoing, Port: 57642, Process: explorer.exe)
2014/03/27 23:55:55 -0500 RICHARD-PC Richard IP-BLOCK 74.70.132.222 (Type: outgoing, Port: 60576, Process: explorer.exe)
 
2014/03/28 00:24:49 -0500 RICHARD-PC Richard IP-BLOCK 80.255.144.237 (Type: outgoing, Port: 60409, Process: explorer.exe)
2014/03/28 00:32:27 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 64471, Process: explorer.exe)
2014/03/28 00:33:17 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 65021, Process: explorer.exe)
2014/03/28 00:46:31 -0500 RICHARD-PC Richard IP-BLOCK 74.70.132.222 (Type: outgoing, Port: 55705, Process: explorer.exe)
2014/03/28 00:46:54 -0500 RICHARD-PC Richard IP-BLOCK 80.255.144.237 (Type: outgoing, Port: 55888, Process: explorer.exe)
2014/03/28 01:10:04 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 54895, Process: explorer.exe)
2014/03/28 01:19:39 -0500 RICHARD-PC Richard MESSAGE Executing scheduled update:  Daily
2014/03/28 01:19:51 -0500 RICHARD-PC Richard MESSAGE Scheduled update executed successfully:  database updated from version v2014.03.28.01 to version v2014.03.28.02
2014/03/28 01:19:52 -0500 RICHARD-PC Richard MESSAGE Starting database refresh
2014/03/28 01:19:52 -0500 RICHARD-PC Richard MESSAGE Stopping IP protection
2014/03/28 01:19:55 -0500 RICHARD-PC Richard MESSAGE IP Protection stopped successfully
2014/03/28 01:22:05 -0500 RICHARD-PC Richard MESSAGE Database refreshed successfully
2014/03/28 01:22:05 -0500 RICHARD-PC Richard MESSAGE Starting IP protection
2014/03/28 01:22:08 -0500 RICHARD-PC Richard MESSAGE IP Protection started successfully
2014/03/28 01:26:18 -0500 RICHARD-PC Richard IP-BLOCK 78.140.143.46 (Type: outgoing, Port: 49423, Process: explorer.exe)
2014/03/28 02:02:04 -0500 RICHARD-PC Richard IP-BLOCK 78.140.143.46 (Type: outgoing, Port: 58202, Process: explorer.exe)
2014/03/28 02:16:47 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49544, Process: explorer.exe)
2014/03/28 02:16:55 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49610, Process: explorer.exe)
2014/03/28 02:16:55 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49611, Process: explorer.exe)
2014/03/28 02:17:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49830, Process: explorer.exe)
2014/03/28 02:17:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49831, Process: explorer.exe)
2014/03/28 02:17:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49836, Process: explorer.exe)
2014/03/28 02:17:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49837, Process: explorer.exe)
2014/03/28 02:25:10 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 54681, Process: explorer.exe)
2014/03/28 02:32:10 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 58911, Process: explorer.exe)
2014/03/28 02:32:10 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 58912, Process: explorer.exe)
2014/03/28 02:32:10 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 58916, Process: explorer.exe)
2014/03/28 02:32:10 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 58917, Process: explorer.exe)
2014/03/28 02:43:48 -0500 RICHARD-PC Richard IP-BLOCK 88.214.193.174 (Type: outgoing, Port: 64869, Process: explorer.exe)
2014/03/28 03:02:14 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 59919, Process: explorer.exe)
2014/03/28 03:02:22 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 59920, Process: explorer.exe)
2014/03/28 03:02:30 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 60088, Process: explorer.exe)
2014/03/28 03:02:30 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 60089, Process: explorer.exe)
2014/03/28 03:03:36 -0500 RICHARD-PC Richard IP-BLOCK 109.251.115.16 (Type: outgoing, Port: 60857, Process: explorer.exe)
2014/03/28 03:03:36 -0500 RICHARD-PC Richard IP-BLOCK 184.64.59.68 (Type: outgoing, Port: 60858, Process: explorer.exe)
2014/03/28 03:03:36 -0500 RICHARD-PC Richard IP-BLOCK 188.129.241.164 (Type: outgoing, Port: 60859, Process: explorer.exe)
2014/03/28 03:03:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 60860, Process: explorer.exe)
2014/03/28 03:05:29 -0500 RICHARD-PC Richard IP-BLOCK 188.231.147.199 (Type: outgoing, Port: 62157, Process: explorer.exe)
2014/03/28 03:05:29 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 62178, Process: explorer.exe)
2014/03/28 03:05:29 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 62179, Process: explorer.exe)
2014/03/28 03:20:28 -0500 RICHARD-PC Richard IP-BLOCK 188.239.5.123 (Type: outgoing, Port: 55936, Process: explorer.exe)
2014/03/28 03:28:28 -0500 RICHARD-PC Richard IP-BLOCK 188.231.147.199 (Type: outgoing, Port: 59778, Process: explorer.exe)
2014/03/28 03:28:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 59868, Process: explorer.exe)
2014/03/28 03:28:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 59869, Process: explorer.exe)
2014/03/28 03:28:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 59930, Process: explorer.exe)
2014/03/28 03:28:36 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 59931, Process: explorer.exe)
2014/03/28 03:31:13 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 62438, Process: explorer.exe)
2014/03/28 03:31:13 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 62446, Process: explorer.exe)
2014/03/28 03:31:13 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 62481, Process: explorer.exe)
2014/03/28 03:31:13 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 62483, Process: explorer.exe)
2014/03/28 03:44:07 -0500 RICHARD-PC Richard IP-BLOCK 188.239.5.123 (Type: outgoing, Port: 49972, Process: explorer.exe)
2014/03/28 05:03:14 -0500 RICHARD-PC (null) MESSAGE Starting protection
2014/03/28 05:03:14 -0500 RICHARD-PC (null) MESSAGE Protection started successfully
2014/03/28 05:03:14 -0500 RICHARD-PC (null) MESSAGE Starting IP protection
2014/03/28 05:03:15 -0500 RICHARD-PC (null) MESSAGE IP Protection started successfully
2014/03/28 05:04:59 -0500 RICHARD-PC Richard IP-BLOCK 188.254.235.254 (Type: outgoing, Port: 49199, Process: explorer.exe)
 
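What stands out in the protection log above is not any single blocked address but the originating process: every outgoing block is attributed to explorer.exe, the Windows shell, which has no business reaching a spread of unrelated public hosts on its own. That pattern is what a helper reads as code injected into the shell. The script below is an added example (my code, not Malwarebytes' or FRST's) that parses lines in this log format, groups blocked outgoing connections by process and destination, and shortlists processes that either belong to a small "should not talk to the internet" list or were blocked reaching several distinct public IPs. The sample input is constructed: most lines are copied from the log above, the chrome.exe line is made up for contrast; the SHELL_PROCESSES list and the distinct-IP threshold are my assumptions, not Malwarebytes rules.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample input in the format of the Malwarebytes protection log
# posted above: the MESSAGE line and the five explorer.exe lines are copied
# from that log; the final chrome.exe line is made up to show a process that
# does not get flagged.
SAMPLE_LOG = """\
2014/03/27 23:22:59 -0500 RICHARD-PC (null) MESSAGE Protection started successfully
2014/03/27 23:30:17 -0500 RICHARD-PC Richard IP-BLOCK 46.229.172.156 (Type: outgoing, Port: 49455, Process: explorer.exe)
2014/03/27 23:30:17 -0500 RICHARD-PC Richard IP-BLOCK 37.9.49.237 (Type: outgoing, Port: 49462, Process: explorer.exe)
2014/03/28 02:16:55 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49610, Process: explorer.exe)
2014/03/28 02:16:55 -0500 RICHARD-PC Richard IP-BLOCK 62.16.38.131 (Type: outgoing, Port: 49611, Process: explorer.exe)
2014/03/28 03:03:36 -0500 RICHARD-PC Richard IP-BLOCK 109.251.115.16 (Type: outgoing, Port: 60857, Process: explorer.exe)
2014/03/28 03:10:00 -0500 RICHARD-PC Richard IP-BLOCK 184.64.59.68 (Type: outgoing, Port: 61000, Process: chrome.exe)
"""

# One IP-BLOCK line: timestamp, host, user, IP, then the (Type, Port, Process) tuple.
IP_BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)

# Processes whose role is local. The shell or logon components initiating
# connections to arbitrary public hosts is more consistent with injected code
# than with the process's own behaviour. This list is an assumption.
SHELL_PROCESSES = frozenset({"explorer.exe", "winlogon.exe", "csrss.exe", "smss.exe"})


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def destinations_by_process(events):
    """Map process name -> Counter of public destination IPs it was blocked reaching."""
    out = defaultdict(Counter)
    for ev in events:
        # Only outgoing attempts to routable addresses; LAN/reserved ranges are dropped.
        if ev["direction"] == "outgoing" and ip_address(ev["ip"]).is_global:
            out[ev["process"]][ev["ip"]] += 1
    return out


def suspicious_processes(events, min_distinct_ips=2):
    """Shortlist processes worth a look: shell processes always, others only
    when they were blocked reaching min_distinct_ips or more distinct hosts."""
    findings = []
    for proc, ips in destinations_by_process(events).items():
        if proc.lower() in SHELL_PROCESSES or len(ips) >= min_distinct_ips:
            findings.append({
                "process": proc,
                "distinct_ips": len(ips),
                "attempts": sum(ips.values()),
                "top": ips.most_common(3),
            })
    return sorted(findings, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    for finding in suspicious_processes(parse_ip_blocks(SAMPLE_LOG)):
        print(finding)
```

Run against the full log it gives one entry, explorer.exe, with a dozen distinct destinations; the blocked IPs themselves are only the second half of the story, and the script deliberately does not try to name a malware family from them.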

Unfortunately the fix used may have taken the system back to an infected state to enable normal boot. Can you run a fresh scan with FRST and post the logs to check?

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

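Once FRST.txt is in hand, the first pass a helper makes over its Registry and Services sections is mechanical: which autoruns point into a user profile, which targets FRST could not print file information for (no `[size date] (Company)` trailer), and which service command lines launch a second executable through their arguments. The script below is an added example of that triage (my code, not FRST's or Malwarebytes'), run over lines copied from the FRST log Richard posts in reply further down this thread. The rules and their wording are my assumptions; a hit is a reason to look, not a verdict, and a company name in the trailer is only a version-resource string, not a signature.

```python
import re

# Sample input copied from the Registry, Services and Drivers sections of the
# FRST.txt posted later in this thread (two benign entries, two randomly named
# Run values, the oddly named service, and two drivers without publisher info).
SAMPLE_FRST = r"""
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
HKLM-x32\...\Run: [udahmaytuf] - "C:\Users\Richard\AppData\Roaming\Fyucqusy\koigsyi.exe"
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [Google Update] - C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-07-13] (Google Inc.)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 SecurityCenterServer8202235; "C:\Windows\SysWOW64\vointa.exe" -service "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-03-28] ()
S3 AsrCDDrv; \??\C:\Windows\SysWOW64\Drivers\AsrCDDrv.sys [X]
"""

# Run-key lines: "<hive>\...\Run: [<value name>] - <command and file info>"
RUN_RE = re.compile(r"^(?P<key>HK[^:]*\\Run): \[(?P<name>[^\]]+)\] - (?P<rest>.*)$")
# Service/driver lines: "<state> <service name>; <image path and file info>"
SVC_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# FRST appends "[size date] (Company)" when it could read the target file.
TRAILER_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)\s*$")
# Every Windows path to an executable, driver or DLL in the remainder of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|sys|dll)(?=["\s]|$)', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_autoruns(text):
    """Turn Run-key and service/driver lines into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"], "where": m["key"], "rest": m["rest"]})
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"], "where": m["state"], "rest": m["rest"]})
    for e in entries:
        t = TRAILER_RE.search(e["rest"])
        e["publisher"] = t["publisher"] if t else None   # None: no file info printed at all
        e["paths"] = PATH_RE.findall(e["rest"])
    return entries


def triage(entries):
    """Return (kind, name, reasons) for every entry that trips at least one rule,
    most reasons first. The rules are heuristics chosen for this example."""
    findings = []
    for e in entries:
        reasons = []
        if any(USER_PROFILE_RE.search(p) for p in e["paths"]):
            reasons.append("target lives under a user profile (AppData)")
        if "[X]" in e["rest"]:
            reasons.append("registered file is absent on disk")
        elif e["publisher"] is None:
            reasons.append("FRST printed no size/date/company for the target")
        elif e["publisher"] == "":
            reasons.append("target carries no company name")
        if e["kind"] == "service" and len(e["paths"]) > 1:
            reasons.append("service command launches a second executable: " + e["paths"][-1])
        if reasons:
            findings.append((e["kind"], e["name"], reasons))
    return sorted(findings, key=lambda f: -len(f[2]))


if __name__ == "__main__":
    for kind, name, reasons in triage(parse_autoruns(SAMPLE_FRST)):
        print(f"{kind:8} {name}: " + "; ".join(reasons))
```

On the sample the service with the generated-looking name tops the list with three reasons, the two Run values under AppData\Roaming follow with two each, and the Realtek and Malwarebytes entries produce nothing. Google Update is also listed with one reason because it legitimately runs from the user profile, which is exactly why the output is a shortlist for a human rather than a fixlist.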

Here is the log, Kevin. It didn't make an Addition.txt for some reason.

Thanks!

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Richard (administrator) on RICHARD-PC on 28-03-2014 12:33:48
Running from C:\Users\Richard\Desktop
Windows 7 Ultimate N Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Google Inc.) C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
HKLM-x32\...\Run: [uSB3MON] - C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-02-26] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NBAgent] - C:\Program Files (x86)\Nero\Nero 11\Nero BackItUp\NBAgent.exe [1493288 2011-09-20] (Nero AG)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-03-28] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [295512 2013-09-13] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [iJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [ihefadl] - C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe
HKLM-x32\...\Run: [udahmaytuf] - "C:\Users\Richard\AppData\Roaming\Fyucqusy\koigsyi.exe"
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-05-28] (Google Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [Google Update] - C:\Users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-07-13] (Google Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [ApplePhotoStreams] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-2902050937-303955776-554964296-1000\...\Run: [iCloudServices] - C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-11-20] (Apple Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xAE49739D165CCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
SearchScopes: HKCU - {369F37B6-421E-40D3-BCF2-E9BD155FEAC4} URL = http://us.yhs4.search.yahoo.com/yhs/search?p={searchTerms}&ei=UTF-8&hspart=w3i&hsimp=yhs-synd1&type=W3i_DS,221,0_0,Search,20130625,0,0,6,7635
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
 
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Nero Kwik Media Helper) - C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL (Nero AG)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Java Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll No File
CHR Extension: (YouTube) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-12]
CHR Extension: (Google Search) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-12]
CHR Extension: (RealDownloader) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-09-13]
CHR Extension: (Google Wallet) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Richard\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-12]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
 
==================== Services (Whitelisted) =================
 
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2169016 2014-03-01] (Microsoft Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-02-21] ()
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-21] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S2 SecurityCenterServer8202235; "C:\Windows\SysWOW64\vointa.exe" -service "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
 
==================== Drivers (Whitelisted) ====================
 
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [44992 2012-02-09] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-03-28] ()
S3 AsrCDDrv; \??\C:\Windows\SysWOW64\Drivers\AsrCDDrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-28 12:33 - 2014-03-28 12:33 - 00014187 _____ () C:\Users\Richard\Desktop\FRST.txt
2014-03-28 12:33 - 2014-03-23 22:40 - 02157056 _____ (Farbar) C:\Users\Richard\Desktop\FRST64.exe
2014-03-28 02:21 - 2014-03-28 02:21 - 00000000 ____D () C:\Windows\system32\config\HiveBackup
2014-03-27 23:22 - 2014-03-28 12:31 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-03-25 10:39 - 2014-03-25 23:31 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-25 10:39 - 2014-03-25 23:15 - 00000000 ____D () C:\Users\Richard\Desktop\mbar
2014-03-25 06:01 - 2014-03-25 06:01 - 00006338 _____ () C:\Users\Richard\AppData\Local\duxqofwl
2014-03-25 05:31 - 2014-03-25 23:27 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 04:00 - 2014-03-25 04:23 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-24 10:17 - 2014-03-24 21:35 - 00000000 ____D () C:\AdwCleaner
2014-03-23 22:58 - 2014-03-28 12:33 - 00000000 ____D () C:\FRST
2014-03-19 09:11 - 2014-03-19 09:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iTunes
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iPod
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-17 00:00 - 2014-03-17 00:00 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 20:31 - 2014-03-14 20:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-11 17:35 - 2014-03-01 01:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-11 17:35 - 2014-03-01 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-11 17:35 - 2014-03-01 00:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-11 17:35 - 2014-02-28 23:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-11 17:35 - 2014-02-28 23:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-11 17:35 - 2014-02-28 23:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-11 17:35 - 2014-02-28 23:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-11 17:35 - 2014-02-28 23:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-11 17:35 - 2014-02-28 23:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-11 17:35 - 2014-02-28 23:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-11 17:35 - 2014-02-28 23:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-11 17:35 - 2014-02-28 23:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-11 17:35 - 2014-02-28 23:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-11 17:35 - 2014-02-28 23:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-11 17:35 - 2014-02-28 23:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-11 17:35 - 2014-02-28 23:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-11 17:35 - 2014-02-28 23:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-11 17:35 - 2014-02-28 22:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-11 17:35 - 2014-02-28 22:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-11 17:35 - 2014-02-28 22:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-11 17:35 - 2014-02-28 22:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-11 17:35 - 2014-02-28 22:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-11 17:35 - 2014-02-28 22:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-11 17:35 - 2014-02-28 22:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-11 17:35 - 2014-02-28 22:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-11 17:35 - 2014-02-28 22:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-11 17:35 - 2014-02-28 22:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-11 17:35 - 2014-02-28 22:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-11 17:35 - 2014-02-28 22:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-11 17:35 - 2014-02-28 22:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-11 17:35 - 2014-02-28 22:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-11 17:35 - 2014-02-28 22:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-11 17:35 - 2014-02-28 22:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-11 17:35 - 2014-02-28 22:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-11 17:35 - 2014-02-28 21:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-11 17:35 - 2014-02-28 21:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-11 17:35 - 2014-02-28 21:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-11 17:35 - 2014-02-28 21:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-11 17:35 - 2014-02-28 21:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-11 17:35 - 2014-02-28 21:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-11 17:35 - 2014-02-06 20:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-11 17:35 - 2014-01-28 21:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-11 17:35 - 2014-01-28 21:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-11 17:35 - 2014-01-27 21:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-11 17:34 - 2014-02-03 21:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-11 17:34 - 2014-02-03 21:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-11 17:34 - 2014-02-03 21:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-11 17:34 - 2014-02-03 21:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-10 20:02 - 2014-03-11 23:35 - 00000000 ____D () C:\Users\Richard\Documents\Tax Docs 2013
 
==================== One Month Modified Files and Folders =======
 
2014-03-28 12:35 - 2014-03-28 12:33 - 00014187 _____ () C:\Users\Richard\Desktop\FRST.txt
2014-03-28 12:33 - 2014-03-23 22:58 - 00000000 ____D () C:\FRST
2014-03-28 12:32 - 2013-05-28 21:49 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-28 12:32 - 2013-05-28 20:50 - 00000828 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2014-03-28 12:31 - 2014-03-27 23:22 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-03-28 12:31 - 2013-07-01 23:50 - 00011898 _____ () C:\Windows\setupact.log
2014-03-28 12:31 - 2013-07-01 23:49 - 00300470 _____ () C:\Windows\PFRO.log
2014-03-28 12:31 - 2013-05-28 20:56 - 00034752 _____ () C:\Windows\system32\Drivers\WPRO_41_2001.sys
2014-03-28 12:31 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-28 07:40 - 2013-05-28 12:40 - 01836429 _____ () C:\Windows\WindowsUpdate.log
2014-03-28 07:19 - 2013-05-30 00:44 - 00000000 ____D () C:\Users\Richard\AppData\Local\CrashDumps
2014-03-28 07:08 - 2013-05-29 00:46 - 00000000 ____D () C:\Users\Richard\Documents\Flight Simulator X Files
2014-03-28 07:08 - 2013-05-28 21:49 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-28 06:52 - 2013-05-28 21:49 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-28 06:46 - 2009-07-13 23:50 - 00025408 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-28 06:46 - 2009-07-13 23:50 - 00025408 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-28 06:16 - 2013-06-02 15:09 - 00000000 ____D () C:\Users\Richard\Documents\Outlook Files
2014-03-28 05:03 - 2013-07-19 14:08 - 00000916 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000UA.job
2014-03-28 05:03 - 2013-07-19 14:08 - 00000864 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000Core.job
2014-03-28 05:00 - 2009-07-14 00:12 - 00803274 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-28 02:21 - 2014-03-28 02:21 - 00000000 ____D () C:\Windows\system32\config\HiveBackup
2014-03-28 00:03 - 2013-05-28 21:49 - 00003896 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-28 00:03 - 2013-05-28 21:49 - 00003644 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-26 01:32 - 2013-05-29 01:56 - 00007605 _____ () C:\Users\Richard\AppData\Local\resmon.resmoncfg
2014-03-25 23:33 - 2013-09-13 12:19 - 00000000 ____D () C:\Users\Richard\AppData\Local\Apple Computer
2014-03-25 23:31 - 2014-03-25 10:39 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-03-25 23:27 - 2014-03-25 05:31 - 00003348 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 23:27 - 2013-09-13 10:14 - 00003218 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 23:15 - 2014-03-25 10:39 - 00000000 ____D () C:\Users\Richard\Desktop\mbar
2014-03-25 22:18 - 2009-07-14 00:38 - 00000000 ____D () C:\Windows\addins
2014-03-25 13:13 - 2013-05-28 20:50 - 00000830 _____ () C:\Windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2014-03-25 06:01 - 2014-03-25 06:01 - 00006338 _____ () C:\Users\Richard\AppData\Local\duxqofwl
2014-03-25 05:11 - 2014-02-17 01:50 - 00000000 ____D () C:\ProgramData\MSNDynFiles
2014-03-25 04:23 - 2014-03-25 04:00 - 00003370 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 04:23 - 2013-11-23 21:42 - 00003240 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2902050937-303955776-554964296-1000
2014-03-25 03:13 - 2013-07-19 14:08 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000UA
2014-03-25 03:13 - 2013-07-19 14:08 - 00003498 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2902050937-303955776-554964296-1000Core
2014-03-24 21:35 - 2014-03-24 10:17 - 00000000 ____D () C:\AdwCleaner
2014-03-24 10:08 - 2013-05-28 20:37 - 00000000 ____D () C:\Users\Richard
2014-03-23 22:40 - 2014-03-28 12:33 - 02157056 _____ (Farbar) C:\Users\Richard\Desktop\FRST64.exe
2014-03-19 09:11 - 2014-03-19 09:11 - 00000000 ____D () C:\Users\Richard\AppData\Roaming\Mozilla
2014-03-18 23:18 - 2013-06-01 13:13 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-03-18 03:01 - 2013-07-14 03:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-18 03:00 - 2013-05-28 22:59 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iTunes
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files\iPod
2014-03-17 00:02 - 2014-03-17 00:02 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-17 00:00 - 2014-03-17 00:00 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 20:31 - 2014-03-14 20:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-12 03:19 - 2009-07-13 23:50 - 00451704 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-12 03:18 - 2014-01-01 12:25 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 03:18 - 2014-01-01 12:25 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-11 23:35 - 2014-03-10 20:02 - 00000000 ____D () C:\Users\Richard\Documents\Tax Docs 2013
2014-03-11 20:52 - 2013-05-28 21:49 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-11 20:52 - 2013-05-28 21:49 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-11 20:52 - 2013-05-28 21:49 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-01 01:05 - 2014-03-11 17:35 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 00:17 - 2014-03-11 17:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 00:16 - 2014-03-11 17:35 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-28 23:58 - 2014-03-11 17:35 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-28 23:52 - 2014-03-11 17:35 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-28 23:51 - 2014-03-11 17:35 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-28 23:42 - 2014-03-11 17:35 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-28 23:40 - 2014-03-11 17:35 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-28 23:37 - 2014-03-11 17:35 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-28 23:33 - 2014-03-11 17:35 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-28 23:33 - 2014-03-11 17:35 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-28 23:32 - 2014-03-11 17:35 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-28 23:30 - 2014-03-11 17:35 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-28 23:27 - 2013-05-29 23:47 - 00000000 ____D () C:\ProgramData\Esellerate
2014-02-28 23:23 - 2014-03-11 17:35 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-02-28 23:17 - 2014-03-11 17:35 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-28 23:11 - 2014-03-11 17:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-28 23:02 - 2014-03-11 17:35 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 22:54 - 2014-03-11 17:35 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 22:52 - 2014-03-11 17:35 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 22:51 - 2014-03-11 17:35 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 22:47 - 2014-03-11 17:35 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 22:43 - 2014-03-11 17:35 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 22:43 - 2014-03-11 17:35 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 22:42 - 2014-03-11 17:35 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 22:40 - 2014-03-11 17:35 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 22:38 - 2014-03-11 17:35 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 22:37 - 2014-03-11 17:35 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 22:35 - 2014-03-11 17:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 22:18 - 2014-03-11 17:35 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 22:16 - 2014-03-11 17:35 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 22:14 - 2014-03-11 17:35 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 22:10 - 2014-03-11 17:35 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 22:03 - 2014-03-11 17:35 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 22:00 - 2014-03-11 17:35 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 21:57 - 2014-03-11 17:35 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 21:38 - 2014-03-11 17:35 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 21:32 - 2014-03-11 17:35 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 21:27 - 2014-03-11 17:35 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 21:25 - 2014-03-11 17:35 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 21:25 - 2014-03-11 17:35 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
 
Some content of TEMP:
====================
C:\Users\Richard\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-21 04:05
 
==================== End Of Log ============================
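A small triage helper for the FRST listing above, added here as an example; it is not code from FRST, from Farbar, or from anyone in this thread. It parses the `One Month Modified Files and Folders` line layout (`modified - created - size attrs (publisher) path`) and flags the two patterns a helper would look at first in this log: a publisher-less executable sitting in a Temp folder (Quarantine.exe) and an extensionless, random-looking file name under AppData (duxqofwl). Both heuristics, the `FrstEntry` type and the sample lines are assumptions of this example; the sample is modelled on the log above, and the Quarantine.exe line is constructed because the log only lists that file as a bare path.

```python
"""Triage helper for FRST "One Month Modified Files and Folders" lines.

Added example: not FRST code. The flagging rules are this example's
own assumptions, written for reading a log, not for cleaning anything.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One FRST file line: <modified> - <created> - <size> <attrs> (<publisher>) <path>
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Extensions treated as executable content for the Temp-folder rule (assumption).
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".sys", ".cpl"}


@dataclass(frozen=True)
class FrstEntry:
    modified: str
    created: str
    size: int
    is_dir: bool
    company: str
    path: str


def parse_line(line: str):
    """Parse one FRST file line; return None for headers, blanks or other text."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return FrstEntry(
        modified=m["modified"],
        created=m["created"],
        size=int(m["size"]),
        is_dir="D" in m["attrs"],          # FRST marks directories with D in the attrs column
        company=m["company"].strip(),
        path=m["path"],
    )


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def suspicious_reasons(e: FrstEntry):
    """Return the triage reasons for one entry; an empty list means nothing notable."""
    reasons = []
    if e.is_dir or e.company:
        return reasons  # directories and publisher-tagged files are out of scope here
    p = PureWindowsPath(e.path)
    parts = [s.lower() for s in p.parts]
    in_appdata = "appdata" in parts
    in_temp = "temp" in parts
    ext = p.suffix.lower()
    if in_temp and ext in EXEC_EXT:
        reasons.append("executable without publisher in a Temp folder")
    if in_appdata and not in_temp and ext == "" and re.fullmatch(r"[a-z]{6,}", p.name):
        reasons.append("extensionless lowercase-only file name under AppData")
    return reasons


def triage(text: str):
    """Map path -> reasons for every parsed entry that has at least one reason."""
    out = {}
    for e in parse_log(text):
        r = suspicious_reasons(e)
        if r:
            out[e.path] = r
    return out


# Constructed sample, modelled on the log above; the Quarantine.exe line is made up
# (the log lists that file only as a bare path under "Some content of TEMP").
SAMPLE_LOG = r"""
2014-03-28 12:31 - 2014-03-27 23:22 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2014-03-25 06:01 - 2014-03-25 06:01 - 00006338 _____ () C:\Users\Richard\AppData\Local\duxqofwl
2014-03-25 06:00 - 2014-03-25 06:00 - 00012345 _____ () C:\Users\Richard\AppData\Local\Temp\Quarantine.exe
2014-03-25 05:11 - 2014-02-17 01:50 - 00000000 ____D () C:\ProgramData\MSNDynFiles
2014-03-14 20:31 - 2014-03-14 20:31 - 00000000 _____ () C:\Users\Richard\AppData\Roaming\SharedSettings.ccs
2014-03-28 12:35 - 2014-03-28 12:33 - 00014187 _____ () C:\Users\Richard\Desktop\FRST.txt
2014-03-11 17:34 - 2014-02-03 21:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample it reports only duxqofwl and Quarantine.exe, the same two files the FRST fix later in the thread moves; everything with a publisher string, a normal extension or a directory attribute passes through unflagged. The rules are deliberately narrow so the output is a reading aid for the person triaging the log, not a verdict.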

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

                                   

  • Make sure to get the correct version for your system.
  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
  • When the scan completes select Report, copy and paste that to your reply.
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller


     
    Post those two logs please.
     
    Kevin
    fixlist.txt

Here you go, Kevin.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Richard at 2014-03-28 17:45:35 Run:4
Running from C:\Users\Richard\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\Run: [ihefadl] - "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
C:\Users\Richard\AppData\Roaming\Xafoivug
HKLM-x32\...\Run: [ihefadl] - C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe
HKLM-x32\...\Run: [udahmaytuf] - "C:\Users\Richard\AppData\Roaming\Fyucqusy\koigsyi.exe"
C:\Users\Richard\AppData\Roaming\Fyucqusy
Hosts: Hosts file not detected in the default directory
S2 SecurityCenterServer8202235; "C:\Windows\SysWOW64\vointa.exe" -service "C:\Users\Richard\AppData\Roaming\Xafoivug\namosec.exe"
C:\Windows\SysWOW64\vointa.exe
C:\Users\Richard\AppData\Local\duxqofwl
C:\Users\Richard\AppData\Local\Temp\Quarantine.exe
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Ihefadl => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Xafoivug" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Ihefadl => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Udahmaytuf => Value deleted successfully.
"C:\Users\Richard\AppData\Roaming\Fyucqusy" => File/Directory not found.
Hosts was reset successfully.
SecurityCenterServer8202235 => Service deleted successfully.
"C:\Windows\SysWOW64\vointa.exe" => File/Directory not found.
C:\Users\Richard\AppData\Local\duxqofwl => Moved successfully.
C:\Users\Richard\AppData\Local\Temp\Quarantine.exe => Moved successfully.
 
==== End of Fixlog ====
 
 
 
RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Richard [Admin rights]
Mode : Scan -- Date : 03/28/2014 18:02:47
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
[Address] EAT @explorer.exe (AppCacheCheckManifest) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF9D2BC)
[Address] EAT @explorer.exe (AppCacheCloseHandle) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF9A1D8)
[Address] EAT @explorer.exe (AppCacheDeleteGroup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1BE0)
[Address] EAT @explorer.exe (AppCacheDeleteIEGroup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1C38)
[Address] EAT @explorer.exe (AppCacheDuplicateHandle) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF9A2BC)
[Address] EAT @explorer.exe (AppCacheFinalize) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1C90)
[Address] EAT @explorer.exe (AppCacheFreeDownloadList) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1CE8)
[Address] EAT @explorer.exe (AppCacheFreeGroupList) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD005488)
[Address] EAT @explorer.exe (AppCacheFreeIESpace) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC8570)
[Address] EAT @explorer.exe (AppCacheFreeSpace) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1DCC)
[Address] EAT @explorer.exe (AppCacheGetDownloadList) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1E24)
[Address] EAT @explorer.exe (AppCacheGetFallbackUrl) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1E7C)
[Address] EAT @explorer.exe (AppCacheGetGroupList) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD005464)
[Address] EAT @explorer.exe (AppCacheGetIEGroupList) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1ED4)
[Address] EAT @explorer.exe (AppCacheGetInfo) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C1F2C)
[Address] EAT @explorer.exe (AppCacheGetManifestUrl) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF9BB30)
[Address] EAT @explorer.exe (AppCacheLookup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFB56B8)
[Address] EAT @explorer.exe (CommitUrlCacheEntryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFA5F8C)
[Address] EAT @explorer.exe (CommitUrlCacheEntryBinaryBlob) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF5BF24)
[Address] EAT @explorer.exe (CommitUrlCacheEntryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF61F50)
[Address] EAT @explorer.exe (CreateMD5SSOHash) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD099180)
[Address] EAT @explorer.exe (CreateUrlCacheContainerA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC3808)
[Address] EAT @explorer.exe (CreateUrlCacheContainerW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC36B8)
[Address] EAT @explorer.exe (CreateUrlCacheEntryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFA5CC0)
[Address] EAT @explorer.exe (CreateUrlCacheEntryExW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD007200)
[Address] EAT @explorer.exe (CreateUrlCacheEntryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0071DC)
[Address] EAT @explorer.exe (CreateUrlCacheGroup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C2E4C)
[Address] EAT @explorer.exe (DeleteIE3Cache) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C7394)
[Address] EAT @explorer.exe (DeleteUrlCacheContainerA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC8BE0)
[Address] EAT @explorer.exe (DeleteUrlCacheContainerW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFB94D0)
[Address] EAT @explorer.exe (DeleteUrlCacheEntry) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFCBD40)
[Address] EAT @explorer.exe (DeleteUrlCacheEntryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFCBD40)
[Address] EAT @explorer.exe (DeleteUrlCacheEntryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFCA1B0)
[Address] EAT @explorer.exe (DeleteUrlCacheGroup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C2F4C)
[Address] EAT @explorer.exe (DeleteWpadCacheForNetworks) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD080270)
[Address] EAT @explorer.exe (DetectAutoProxyUrl) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD080694)
[Address] EAT @explorer.exe (DispatchAPICall) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF414E8)
[Address] EAT @explorer.exe (DllCanUnloadNow) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFBDC70)
[Address] EAT @explorer.exe (DllGetClassObject) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF57470)
[Address] EAT @explorer.exe (DllInstall) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFFCD10)
[Address] EAT @explorer.exe (DllRegisterServer) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD062E30)
[Address] EAT @explorer.exe (DllUnregisterServer) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD062E64)
[Address] EAT @explorer.exe (FindCloseUrlCache) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF4553C)
[Address] EAT @explorer.exe (FindFirstUrlCacheContainerA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF6183C)
[Address] EAT @explorer.exe (FindFirstUrlCacheContainerW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF4E8C8)
[Address] EAT @explorer.exe (FindFirstUrlCacheEntryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFBC580)
[Address] EAT @explorer.exe (FindFirstUrlCacheEntryExA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF464A0)
[Address] EAT @explorer.exe (FindFirstUrlCacheEntryExW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF589FC)
[Address] EAT @explorer.exe (FindFirstUrlCacheEntryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC2DE0)
[Address] EAT @explorer.exe (FindFirstUrlCacheGroup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C3044)
[Address] EAT @explorer.exe (FindNextUrlCacheContainerA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF61CA0)
[Address] EAT @explorer.exe (FindNextUrlCacheContainerW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF4EB5C)
[Address] EAT @explorer.exe (FindNextUrlCacheEntryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFBC704)
[Address] EAT @explorer.exe (FindNextUrlCacheEntryExA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C318C)
[Address] EAT @explorer.exe (FindNextUrlCacheEntryExW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C335C)
[Address] EAT @explorer.exe (FindNextUrlCacheEntryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF58680)
[Address] EAT @explorer.exe (FindNextUrlCacheGroup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C352C)
[Address] EAT @explorer.exe (ForceNexusLookup) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD099390)
[Address] EAT @explorer.exe (ForceNexusLookupExW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0993E0)
[Address] EAT @explorer.exe (FreeUrlCacheSpaceA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C3648)
[Address] EAT @explorer.exe (FreeUrlCacheSpaceW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC78B8)
[Address] EAT @explorer.exe (FtpCommandA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06D968)
[Address] EAT @explorer.exe (FtpCommandW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071494)
[Address] EAT @explorer.exe (FtpCreateDirectoryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06DA4C)
[Address] EAT @explorer.exe (FtpCreateDirectoryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071630)
[Address] EAT @explorer.exe (FtpDeleteFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06DAEC)
[Address] EAT @explorer.exe (FtpDeleteFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071798)
[Address] EAT @explorer.exe (FtpFindFirstFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06DB8C)
[Address] EAT @explorer.exe (FtpFindFirstFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071900)
[Address] EAT @explorer.exe (FtpGetCurrentDirectoryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06DDF8)
[Address] EAT @explorer.exe (FtpGetCurrentDirectoryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071AD8)
[Address] EAT @explorer.exe (FtpGetFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06DEB8)
[Address] EAT @explorer.exe (FtpGetFileEx) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071C60)
[Address] EAT @explorer.exe (FtpGetFileSize) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06E0DC)
[Address] EAT @explorer.exe (FtpGetFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071DF4)
[Address] EAT @explorer.exe (FtpOpenFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06E36C)
[Address] EAT @explorer.exe (FtpOpenFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071EF8)
[Address] EAT @explorer.exe (FtpPutFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06E44C)
[Address] EAT @explorer.exe (FtpPutFileEx) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD071F88)
[Address] EAT @explorer.exe (FtpPutFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0720EC)
[Address] EAT @explorer.exe (FtpRemoveDirectoryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06E7CC)
[Address] EAT @explorer.exe (FtpRemoveDirectoryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0721C0)
[Address] EAT @explorer.exe (FtpRenameFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06E86C)
[Address] EAT @explorer.exe (FtpRenameFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07231C)
[Address] EAT @explorer.exe (FtpSetCurrentDirectoryA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD06E920)
[Address] EAT @explorer.exe (FtpSetCurrentDirectoryW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07253C)
[Address] EAT @explorer.exe (GetProxyDllInfo) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD058D3C)
[Address] EAT @explorer.exe (GetUrlCacheConfigInfoA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C3868)
[Address] EAT @explorer.exe (GetUrlCacheConfigInfoW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFC73F4)
[Address] EAT @explorer.exe (GetUrlCacheEntryBinaryBlob) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFBB510)
[Address] EAT @explorer.exe (GetUrlCacheEntryInfoA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C3B04)
[Address] EAT @explorer.exe (GetUrlCacheEntryInfoExA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C3CBC)
[Address] EAT @explorer.exe (GetUrlCacheEntryInfoExW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFAAB20)
[Address] EAT @explorer.exe (GetUrlCacheEntryInfoW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFA9C80)
[Address] EAT @explorer.exe (GetUrlCacheGroupAttributeA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C3F04)
[Address] EAT @explorer.exe (GetUrlCacheGroupAttributeW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0C416C)
[Address] EAT @explorer.exe (GetUrlCacheHeaderData) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF736A0)
[Address] EAT @explorer.exe (GopherCreateLocatorA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherCreateLocatorW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherFindFirstFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherFindFirstFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherGetAttributeA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherGetAttributeW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherGetLocatorTypeA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherGetLocatorTypeW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherOpenFileA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (GopherOpenFileW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD07A424)
[Address] EAT @explorer.exe (HttpAddRequestHeadersA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF6C8C0)
[Address] EAT @explorer.exe (HttpAddRequestHeadersW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF72A20)
[Address] EAT @explorer.exe (HttpCheckDavCompliance) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD085078)
[Address] EAT @explorer.exe (HttpCloseDependencyHandle) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFABD00)
[Address] EAT @explorer.exe (HttpDuplicateDependencyHandle) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFABE60)
[Address] EAT @explorer.exe (HttpEndRequestA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFA56C0)
[Address] EAT @explorer.exe (HttpEndRequestW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD085714)
[Address] EAT @explorer.exe (HttpGetServerCredentials) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD09D5FC)
[Address] EAT @explorer.exe (HttpGetTunnelSocket) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD067BD4)
[Address] EAT @explorer.exe (HttpOpenDependencyHandle) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFB6090)
[Address] EAT @explorer.exe (HttpOpenRequestA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD085D6C)
[Address] EAT @explorer.exe (HttpOpenRequestW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF6ABE0)
[Address] EAT @explorer.exe (HttpPushClose) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0688B4)
[Address] EAT @explorer.exe (HttpPushEnable) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD068964)
[Address] EAT @explorer.exe (HttpPushWait) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0689BC)
[Address] EAT @explorer.exe (HttpQueryInfoA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF6F8B0)
[Address] EAT @explorer.exe (HttpQueryInfoW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF7F3A0)
[Address] EAT @explorer.exe (HttpSendRequestA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD002A14)
[Address] EAT @explorer.exe (HttpSendRequestExA) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD085814)
[Address] EAT @explorer.exe (HttpSendRequestExW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCFA54A4)
[Address] EAT @explorer.exe (HttpSendRequestW) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFCF7287C)
[Address] EAT @explorer.exe (HttpWebSocketClose) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD095E40)
[Address] EAT @explorer.exe (HttpWebSocketCompleteUpgrade) : WLDAP32.dll -> HOOKED (C:\Windows\system32\WININET.dll @ 0xFD0963CC)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD5000AAKS-00V0A0 ATA Device +++++
--- User ---
[MBR] 531d890e5b32e08c48734c97b2e66802
[BSP] 3a8996086261ddbf25e5256e2620e61c : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 MB
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) WDC WD1001FALS-00E3A0 ATA Device +++++
--- User ---
[MBR] 2146da4ca91d46e2b75f876e2346653d
[BSP] 56c426319f86ed63111e4259364754e0 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE3 @ USB) PNY USB 3.0 FD USB Device +++++
--- User ---
[MBR] 0c8b3300e1f904fe24884ddd953622f3
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 64 | Size: 60799 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )
 
Finished : << RKreport[0]_S_03282014_180247.txt >>
 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

Run ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 users right click on the IE shortcut and run as admin.

Go to the ESET web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the add-on to be installed
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete:

If no threats were found
  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

If threats were found
  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish
  • Close the program

Copy and paste the report in your next reply.

Next,

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs.)

Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Post those logs please, also let me know if there are any remaining issues or concerns...

Kevin


Hello Kevin,

The security check returns a message: "the system cannot find the file specified" at the end of its run - no notepad is generated.

Here are the logs from the virus scan:

C:\FRST\Quarantine\C\Users\Richard\AppData\Local\aqucfugc.exe.xBAD Win32/TrojanDownloader.Zortob.F trojan
C:\FRST\Quarantine\C\Users\Richard\AppData\Local\ebrpqrsg.exe.xBAD a variant of Win32/Kryptik.BYEJ trojan
C:\FRST\Quarantine\C\Users\Richard\AppData\Local\fioftvoc.exe.xBAD Win32/TrojanDownloader.Zortob.F trojan
C:\FRST\Quarantine\C\Users\Richard\AppData\Local\kpbpivdt.exe.xBAD a variant of Win32/Kryptik.BXPP trojan
C:\FRST\Quarantine\C\Users\Richard\AppData\Local\mgtkkvgh.exe.xBAD a variant of Win32/Kryptik.BTYP trojan
C:\FRST\Quarantine\C\Users\Richard\AppData\Local\pmtbhdqk.exe.xBAD a variant of Win32/Kryptik.BTYP trojan
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll Win32/bProtector.E potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110183.exe a variant of Win32/Toolbar.Babylon.I potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110184.dll a variant of Win32/Toolbar.Babylon.P potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110188.exe Win32/Toolbar.Montiera.B potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0113598.exe a variant of Win32/bProtector.A potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131459.dll Win32/bProtector.E potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131460.dll a variant of Win32/Toolbar.Babylon.P potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131478.dll a variant of Win32/Toolbar.Babylon.P potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131480.dll a variant of Win32/Toolbar.Babylon.P potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP523\A0135160.exe a variant of Win32/bProtector.A potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP523\A0135162.exe a variant of Win32/bProtector.A potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP543\A0138062.exe a variant of Win32/bProtector.A potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP543\A0138064.exe a variant of Win32/bProtector.A potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139111.dll a variant of Win32/bProtector.D potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139112.dll Win32/bProtector.E potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139114.dll a variant of Win32/Toolbar.Babylon.P potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP551\A0141944.dll a variant of Win32/Toolbar.Conduit.Y potentially unwanted application
C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\152HDWYS\flashplayer[1].exe a variant of Win32/Injected.F trojan
C:\Users\Richard\Downloads\Chrome.exe a variant of Win32/AirAdInstaller.A potentially unwanted application
C:\Users\Richard\Downloads\youtube_downloader_hd_setup.exe Win32/OpenCandy potentially unsafe application
C:\Windows\System32\flt1chk3.dll Win32/SuspLibLoad.B trojan
C:\Windows\SysWOW64\flt1chk3.dll Win32/SuspLibLoad.B trojan

Ok, continue and run the following:

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    :Files
    ipconfig /flushdns /c
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110183.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110184.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110188.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0113598.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131459.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131460.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131478.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131480.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP523\A0135160.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP523\A0135162.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP543\A0138062.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP543\A0138064.exe
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139111.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139112.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139114.dll
    C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP551\A0141944.dll
    C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\152HDWYS\flashplayer[1].exe
    C:\Users\Richard\Downloads\Chrome.exe
    C:\Users\Richard\Downloads\youtube_downloader_hd_setup.exe
    C:\Windows\System32\flt1chk3.dll
    C:\Windows\SysWOW64\flt1chk3.dll
    :Commands
    [ClearAllRestorePoints]
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full scan.

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced log.

Let me see those logs, also give an update on any remaining issues or concerns...

Kevin


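Kevin's OTM script above is assembled by hand from Richard's ESET result list (the files FRST had already quarantined are left out), and the OTM results log Richard posts in reply confirms each move with a "moved successfully." line. The Python below is an added example, not part of the thread and not code from ESET, OTM or FRST: it parses ESET result lines of that layout, emits the same :Files/:Commands script, and flags any script path the OTM results never report as moved. All sample lines are constructed to mirror the ones posted above.

```python
import re
from collections import Counter

# Constructed sample of ESET Online Scanner result lines, modelled on the ones
# posted above: "<path> [a variant of ]<detection> <category>".
ESET_RESULTS = r"""
C:\FRST\Quarantine\C\Users\Richard\AppData\Local\aqucfugc.exe.xBAD Win32/TrojanDownloader.Zortob.F trojan
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll Win32/bProtector.E potentially unwanted application
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110183.exe a variant of Win32/Toolbar.Babylon.I potentially unwanted application
C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\152HDWYS\flashplayer[1].exe a variant of Win32/Injected.F trojan
C:\Users\Richard\Downloads\youtube_downloader_hd_setup.exe Win32/OpenCandy potentially unsafe application
C:\Windows\System32\flt1chk3.dll Win32/SuspLibLoad.B trojan
"""

# Constructed sample of an OTM results log for the script built from the lines above.
OTM_RESULTS = r"""
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110183.exe moved successfully.
C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\152HDWYS\flashplayer[1].exe moved successfully.
C:\Users\Richard\Downloads\youtube_downloader_hd_setup.exe moved successfully.
C:\Windows\System32\flt1chk3.dll moved successfully.
"""

CATEGORIES = ("trojan", "potentially unwanted application", "potentially unsafe application")

# The path may contain spaces, so it is matched lazily; the detection name is the
# last space-free token before the category, and the category always ends the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<variant>a variant of )?(?P<name>\S+) (?P<category>"
    + "|".join(re.escape(c) for c in CATEGORIES) + r")$"
)

# Prefix of files FRST has already quarantined; Kevin's script leaves these out.
ALREADY_QUARANTINED = "C:\\FRST\\Quarantine\\"


def parse_eset(text):
    """Return (path, detection name, category) tuples from ESET result lines."""
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.rstrip())
        if m is None:
            raise ValueError("unrecognised ESET line: " + line)
        findings.append((m["path"], m["name"], m["category"]))
    return findings


def summarise(findings):
    """Count findings per ESET category (trojan / PUA / unsafe application)."""
    return Counter(category for _, _, category in findings)


def build_otm_script(findings):
    """Build the OTM script: flush DNS, move each remaining file, then the :Commands block."""
    lines = [":Files", "ipconfig /flushdns /c"]
    lines += [p for p, _, _ in findings
              if not p.lower().startswith(ALREADY_QUARANTINED.lower())]
    lines += [":Commands", "[ClearAllRestorePoints]", "[EmptyTemp]"]
    return "\n".join(lines)


def script_paths(script):
    """Extract the file paths from the :Files section (the ipconfig command is skipped)."""
    paths, in_files = [], False
    for line in script.splitlines():
        if line.startswith(":"):
            in_files = line == ":Files"
            continue
        if in_files and re.match(r"^[A-Za-z]:\\", line):
            paths.append(line)
    return paths


def unmoved(script, results_text):
    """Script paths that have no 'moved successfully.' line in the OTM results log."""
    suffix = " moved successfully."
    moved = {line[:-len(suffix)].lower() for line in results_text.splitlines()
             if line.endswith(suffix)}
    return [p for p in script_paths(script) if p.lower() not in moved]


if __name__ == "__main__":
    found = parse_eset(ESET_RESULTS)
    print(dict(summarise(found)))
    script = build_otm_script(found)
    print(script)
    print("not moved:", unmoved(script, OTM_RESULTS))
```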

Here we go again Kevin!

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.03.29.02
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Richard :: RICHARD-PC [administrator]
 
Protection: Enabled
 
3/29/2014 10:53:09 AM
mbam-log-2014-03-29 (10-53-09).txt
 
Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 608299
Time elapsed: 2 hour(s), 14 minute(s), 11 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Richard\Desktop\cmd.bat deleted successfully.
C:\Users\Richard\Desktop\cmd.txt deleted successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110183.exe moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110184.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110184.dll moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110188.exe moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0113598.exe moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131459.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131459.dll moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131460.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP503\A0131460.dll moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131478.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131478.dll moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131480.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP504\A0131480.dll moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP523\A0135160.exe moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP523\A0135162.exe moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP543\A0138062.exe moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP543\A0138064.exe moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139111.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139111.dll moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139112.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139112.dll moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139114.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP546\A0139114.dll moved successfully.
DllUnregisterServer procedure not found in C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP551\A0141944.dll
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP551\A0141944.dll moved successfully.
C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\152HDWYS\flashplayer[1].exe moved successfully.
C:\Users\Richard\Downloads\Chrome.exe moved successfully.
C:\Users\Richard\Downloads\youtube_downloader_hd_setup.exe moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\flt1chk3.dll
File move failed. C:\Windows\System32\flt1chk3.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\SysWOW64\flt1chk3.dll
File move failed. C:\Windows\SysWOW64\flt1chk3.dll scheduled to be moved on reboot.
========== COMMANDS ==========
 
Restore point Set: OTM Restore Point
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
User: Richard
->Temp folder emptied: 1519669 bytes
->Temporary Internet Files folder emptied: 3538411359 bytes
->Java cache emptied: 104328 bytes
->Google Chrome cache emptied: 411548539 bytes
->Flash cache emptied: 406861 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 94656 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 303924 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 41530 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42286783 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 3,810.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 03292014_100652
 
Files moved on Reboot...
C:\Windows\System32\flt1chk3.dll moved successfully.
File C:\Windows\SysWOW64\flt1chk3.dll not found!
C:\Users\Richard\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
C:\Windows\SysNative\WPRO_41_2001woem.tmp moved successfully.
C:\Windows\temp\officeclicktorun.exe_c2ruidll(201403282350036DC).log moved successfully.
C:\Windows\temp\officeclicktorun.exe_streamserver(201403282350036DC).log moved successfully.
File move failed. C:\Windows\temp\ood_stream.x64.en-us.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\ood_stream.x64.x-none.dat scheduled to be moved on reboot.
C:\Windows\temp\RICHARD-PC-20140328-2350.log moved successfully.
 
Registry entries deleted on Reboot...
 
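A note on reading the OTM log above, with an added example that is not part of this thread and not code from OTM itself: OTM writes one line per action, and a file it cannot move while Windows has it locked is handed to the next reboot, with the result of that retry appearing later under "Files moved on Reboot...". Two entries for the same name (flt1chk3.dll) therefore appear twice, once as "scheduled" and once with the reboot outcome, and one temp file is scheduled again even after the reboot. The Python below parses the log lines into a single final status per path and lists what is still pending. The sample lines are copied from the posted log; the path classification rules are this example's own assumptions.

```python
"""Triage an OTM (OldTimer's Move-It) log: final outcome per path.

Added example, not code from OTM or from the forum thread. OTM logs one line
per action; a move that fails because the file is locked is retried by Windows
at the next reboot and its outcome is logged later under
"Files moved on Reboot...". This parser folds both phases together.
"""
import re
from collections import OrderedDict

# Constructed sample: lines copied from the OTM log posted above.
SAMPLE_LOG = r"""
C:\Users\Richard\Desktop\cmd.bat deleted successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\flt1chk3.dll
File move failed. C:\Windows\System32\flt1chk3.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Windows\SysWOW64\flt1chk3.dll
File move failed. C:\Windows\SysWOW64\flt1chk3.dll scheduled to be moved on reboot.
C:\Users\Richard\Downloads\Chrome.exe moved successfully.
C:\System Volume Information\_restore{0F20676C-A1A5-48F8-92AB-1ADAEB4B98E5}\RP476\A0110179.dll moved successfully.
Files moved on Reboot...
C:\Windows\System32\flt1chk3.dll moved successfully.
File C:\Windows\SysWOW64\flt1chk3.dll not found!
File move failed. C:\Windows\temp\ood_stream.x64.en-us.dat scheduled to be moved on reboot.
"""

# Line shapes OTM uses for the actions seen in the log; order matters only for readability.
PATTERNS = [
    ("moved",      re.compile(r"^(?P<path>.+?) moved successfully\.$")),
    ("deleted",    re.compile(r"^(?P<path>.+?) deleted successfully\.$")),
    ("scheduled",  re.compile(r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")),
    ("not_found",  re.compile(r"^File (?P<path>.+?) not found!$")),
    ("unregister", re.compile(r"^DllUnregisterServer procedure not found in (?P<path>.+)$")),
]


def classify_path(path):
    """Rough location class (assumption of this example, not an OTM concept)."""
    p = path.lower()
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore-point copy"
    if p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\"):
        return "system directory"
    return "other"


def parse_otm_log(text):
    """Return {path: {"status", "phase", "where", "unregister_tried"}}.

    A later line for the same path overrides an earlier one, so a pre-reboot
    "scheduled" becomes "moved" or "not_found" once the reboot section is seen.
    A "not_found" after "scheduled" only says the file was gone by reboot time;
    it does not say what removed it.
    """
    results = OrderedDict()
    phase = "pre-reboot"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files moved on Reboot"):
            phase = "post-reboot"
            continue
        for status, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            path = m.group("path")
            entry = results.setdefault(
                path, {"status": None, "phase": None,
                       "where": classify_path(path), "unregister_tried": False})
            if status == "unregister":
                # Informational: OTM tried DllUnregisterServer before moving the DLL.
                entry["unregister_tried"] = True
            else:
                entry["status"] = status
                entry["phase"] = phase
            break
    return results


def still_pending(results):
    """Paths whose last recorded state is 'scheduled': they need another reboot or a manual check."""
    return [p for p, e in results.items() if e["status"] == "scheduled"]


if __name__ == "__main__":
    for path, e in parse_otm_log(SAMPLE_LOG).items():
        print(f"{e['status']!s:10} {e['phase']!s:12} {e['where']:18} {path}")
    print("still pending:", still_pending(parse_otm_log(SAMPLE_LOG)))
```

Run it against a full OTM log by reading the file into `parse_otm_log`; anything `still_pending` reports after the reboot section is worth a second reboot and a manual look before declaring the cleanup done.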

I guess we need a bigger stick, continue please....

Read the following link before we continue and run ComboFix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of ComboFix that you may have on your Desktop, then download a fresh copy from either of the following links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that ComboFix is saved directly to the Desktop <--- Very important
  • Disable all security programs, as they will have a negative effect on ComboFix; instructions are available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.
  • Close any open browsers and any other programs you might have running.
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator").
  • Instructions for running ComboFix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed ComboFix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autorun is recommended.

*EXTRA NOTES*

    If ComboFix detects any rootkit/bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...

Kevin
