Jump to content

help with stubborn virus


Recommended Posts

Think I got this from vipbox.com when I foolishly downloaded their "hd sports viewer".  Anyway it installed the sweet packs virus, a bunch of other stuff.  I ran malwarebytes free version, but something wasn't removed.  So, I started in safe mode, ran it again, and found a ransom virus, and removed it.  However, I am getting an increasing number of Trojan.gen.2 virus detections by my Symantec endpoint protection, and the number is increasing every day.  Today it was 410 Trojans!!

 

I tried uninstalling malwarebytes, and getting a clean copy on a thumbdrive and reinstalling it under safe mode, and when I did, it didn't find anything. 

 

.

DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/28/2011 2:17:58 PM
System Uptime: 10/10/2013 3:26:00 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 01RV5R
Processor: Intel® Core i5 CPU       M 520  @ 2.40GHz | Microprocessor | 2400/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 232 GiB total, 128.761 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_02EF1028&REV_00\4&7D69AB4&0&0AF0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_02EF1028&REV_00\4&7D69AB4&0&0AF0
Service:
.
Class GUID:
Description: Broadcom USH
Device ID: USB\VID_0A5C&PID_5800&MI_00\7&66DE6C9&0&0000
Manufacturer:
Name: Broadcom USH
PNP Device ID: USB\VID_0A5C&PID_5800&MI_00\7&66DE6C9&0&0000
Service:
.
==== System Restore Points ===================
.
RP100: 9/10/2013 5:41:31 PM - Windows Update
RP101: 9/11/2013 5:59:26 PM - Windows Update
RP102: 9/19/2013 3:39:40 PM - Scheduled Checkpoint
RP103: 10/7/2013 11:15:24 AM - Scheduled Checkpoint
RP104: 10/8/2013 3:55:34 PM - Installed Motorola Device Manager
RP105: 10/9/2013 5:58:48 PM - Windows Update
RP106: 10/10/2013 2:08:13 PM - Windows Update
.
==== Hosts File Hijack ======================
.
Hosts: 127.0.0.1  ads.mcafee.com
Hosts: 192.168.164.23 domsat
Hosts: 192.168.164.23 domsat.yuroktribe.nsn.us
Hosts: 192.168.164.126 ytep-sql
Hosts: 192.168.164.126 ytep-sql.yuroktribe.nsn.us
Hosts: 192.168.168.12 fiscalsql
Hosts: 192.168.168.1 ytmain
Hosts: 192.168.168.1 ytmain.yuroktribe.nsn.us
Hosts: 192.168.168.12 fiscalsql.yuroktribe.nsn.us
Hosts: 192.168.168.4 www.myspace.com
Hosts: 192.168.168.4 myspace.com
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
7-Zip 4.65 (x64 edition)
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.8)
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BlackBerry Desktop Software 7.1
Bonjour
BovadaPoker
Brother HL-2170W
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MG5200 series MP Drivers
Cisco WebEx Meetings
Citrix Online Launcher
CutePDF Writer 2.7
Dell Touchpad
Dropbox
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 5.7.0.1172
GPL Ghostscript 8.70
iTunes
Java 7 Update 25
Java Auto Updater
Java 6 Update 31
JavaFX 2.1.1
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Backward compatibility
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Motorola Device Manager
Motorola Device Software Update
Motorola Mobile Drivers Installation 6.2.0
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2758694)
NVIDIA Control Panel 275.33
NVIDIA Graphics Driver 275.33
NVIDIA Install Application
NVIDIA nView 135.85
NVIDIA nView Desktop Manager
QlikView OCX
Sage 100 Fund Accounting Workstation
Sage AutoUpdate PlugIn For Sage Fund Accounting
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687309) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2827329) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office Outlook 2007 (KB2825999) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2827330) 32-Bit Edition
SUPERAntiSpyware
Symantec Endpoint Protection
Tax Forms and E-Filing by Aatrix
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2827325) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
.
==== Event Viewer Messages From Past Week ========
.
10/9/2013 6:00:18 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 for x64-based Systems (KB2758694).
10/9/2013 4:01:33 PM, Error: Microsoft-Windows-GroupPolicy [1129]  - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
10/8/2013 3:57:33 PM, Error: Service Control Manager [7030]  - The PST Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
10/8/2013 12:18:22 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
10/8/2013 10:09:59 AM, Error: Microsoft-Windows-GroupPolicy [1030]  - The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
10/10/2013 3:50:39 PM, Error: NetBT [4321]  - The name "YUROK1         :1d" could not be registered on the interface with IP address 192.168.0.159. The computer with the IP address 192.168.0.169 did not allow the name to be claimed by this computer.
10/10/2013 3:27:44 PM, Error: Microsoft-Windows-DNS-Client [1012]  - There was an error while attempting to read the local hosts file.
10/10/2013 3:27:41 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  and APPID  {344ED43D-D086-4961-86A6-1106F4ACAD9B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
10/10/2013 3:26:33 PM, Error: Microsoft-Windows-GroupPolicy [1055]  - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:  a) Name Resolution failure on the current domain controller.  b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
10/10/2013 3:26:32 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain YUROK1 due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
10/10/2013 3:24:09 PM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:21:49 PM, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:20:13 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/10/2013 2:20:13 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/10/2013 2:20:10 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/10/2013 2:20:03 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/10/2013 2:19:50 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
10/10/2013 2:19:49 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache eeCtrl SASDIFSV SASKUTIL spldr SRTSP SRTSPX Wanarpv6
10/10/2013 2:18:28 PM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:15:14 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/10/2013 2:15:14 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/10/2013 2:14:28 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD CSC DfsC discache eeCtrl NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr SRTSP SRTSPX tdx vwififlt Wanarpv6 WfpLwf WPS
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The PST Service service depends on the Workstation service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The Netlogon service depends on the Workstation service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:26 PM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
10/10/2013 2:14:25 PM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
10/10/2013 2:14:25 PM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
10/10/2013 2:14:25 PM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
10/10/2013 2:14:25 PM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
.
==== End Of File ===========================

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.25.2
Run by mbelchik at 15:57:00 on 2013-10-10
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4020.2141 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Users\mbelchik\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files (x86)\Brownie\BrStsW64.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Brownie\Brnipmon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_9_900_117_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.



mWinlogon: Userinit = userinit.exe,
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun: [brStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\mbelchik\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\mbelchik\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}







TCP: NameServer = 192.168.0.2 192.168.168.1 192.168.164.2
TCP: Interfaces\{7AFF94A1-5737-4A51-AFBD-41587C1026D6} : DHCPNameServer = 192.168.0.2 192.168.168.1 192.168.164.2
TCP: Interfaces\{7AFF94A1-5737-4A51-AFBD-41587C1026D6}\2656C6B696E6E2931303 : DHCPNameServer = 192.168.1.2
TCP: Interfaces\{7AFF94A1-5737-4A51-AFBD-41587C1026D6}\4416D6265737475627 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{7AFF94A1-5737-4A51-AFBD-41587C1026D6}\F66666963656 : DHCPNameServer = 192.168.0.2 192.168.168.1 192.168.164.2
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files (x86)\QlikView\QvProtocol\Qvp.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 192.168.164.23 domsat
Hosts: 192.168.164.23 domsat.yuroktribe.nsn.us
Hosts: 192.168.164.126 ytep-sql
Hosts: 192.168.164.126 ytep-sql.yuroktribe.nsn.us
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Users\mbelchik\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-12 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]
R2 Motorola Device Manager;Motorola Device Manager Service;C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2013-7-31 137528]
R2 PST Service;PST Service;C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2013-10-8 65657]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2011-3-23 1822296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-8-27 140376]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-1-9 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-29 1255736]
S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
.
=============== Created Last 30 ================
.
2013-10-10 21:21:18 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-10-10 21:21:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-09 18:14:08 633856 ----a-w- C:\Windows\System32\comctl32.dll
2013-10-09 18:14:07 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2013-10-09 18:14:05 41472 ----a-w- C:\Windows\System32\lpk.dll
2013-10-09 18:14:05 368128 ----a-w- C:\Windows\System32\atmfd.dll
2013-10-09 18:14:05 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-10-09 18:14:05 14336 ----a-w- C:\Windows\System32\dciman32.dll
2013-10-09 18:14:05 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
2013-10-09 18:14:04 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-10-09 18:14:04 25600 ----a-w- C:\Windows\SysWow64\lpk.dll
2013-10-09 18:14:04 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-10-09 18:14:03 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-10-09 18:14:03 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-10-08 23:00:19 -------- d-----w- C:\ProgramData\Motorola
2013-10-08 22:57:42 -------- d-----w- C:\Users\mbelchik\AppData\Roaming\Motorola Mobility
2013-10-08 22:57:42 -------- d-----w- C:\Temp
2013-10-08 22:57:31 -------- d-----w- C:\Program Files (x86)\Motorola Mobility
2013-10-08 22:57:31 -------- d-----w- C:\Program Files (x86)\Motorola
2013-10-08 22:57:31 -------- d-----w- C:\Program Files (x86)\Common Files\MSSoap
2013-10-08 22:56:15 -------- d-----w- C:\Program Files\Motorola Inc
2013-10-08 22:56:14 -------- d-----w- C:\Program Files\Common Files\Motorola Shared
2013-10-08 22:54:47 -------- d-----w- C:\Users\mbelchik\AppData\Roaming\Motorola
2013-09-30 00:27:56 -------- d-----w- C:\Users\mbelchik\AppData\Local\Programs
2013-09-29 16:30:19 -------- d-----w- C:\ProgramData\Conduit
2013-09-29 16:30:08 -------- d-----w- C:\Users\mbelchik\AppData\Local\Conduit
2013-09-29 16:29:54 -------- d-----w- C:\Users\mbelchik\AppData\Local\CRE
2013-09-29 16:29:53 -------- d-----w- C:\Program Files (x86)\Conduit
2013-09-29 16:29:06 829264 ----a-w- C:\Windows\System32\msvcr100.dll
2013-09-29 16:29:06 608080 ----a-w- C:\Windows\System32\msvcp100.dll
2013-09-29 16:28:03 -------- d-----w- C:\Program Files (x86)\VipBoxSportsApp.com
.
==================== Find3M  ====================
.
2013-10-08 17:38:52 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-08 17:38:52 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-10-03 19:02:16 233120 ----a-w- C:\Windows\System32\drivers\wpshelper.sys
2013-09-22 23:28:06 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-09-22 23:27:48 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-09-22 23:27:48 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-09-22 22:55:10 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-09-22 22:54:51 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-09-22 22:54:50 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-09-22 22:54:50 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-09-21 03:38:39 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-09-21 03:30:24 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-09-21 02:48:36 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-09-21 02:39:47 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-09-04 12:12:11 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2013-09-04 12:11:51 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2013-09-04 12:11:49 99840 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2013-09-04 12:11:43 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-09-04 12:11:43 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2013-09-04 12:11:42 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2013-09-04 12:11:40 7808 ----a-w- C:\Windows\System32\drivers\usbd.sys
2013-08-28 01:21:06 3155968 ----a-w- C:\Windows\System32\win32k.sys
2013-08-02 02:23:53 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:45:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-08-01 12:09:36 983488 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-07-30 19:23:33 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-30 19:23:31 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-07-30 19:23:31 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-20 10:33:12 102608 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2013-07-20 10:33:08 124112 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH: 15:57:07.09 ===============

 

 

 

Link to post
Share on other sites

  • Replies 66
  • Created
  • Last Reply

Top Posters In This Topic

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, Adobe host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites

Here's the report...

 

RogueKiller V8.7.2 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : mbelchik [Admin rights]
Mode : Scan -- Date : 10/10/2013 17:00:02
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\n. [x]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1  localhost
192.168.164.23 domsat
192.168.164.23 domsat.yuroktribe.nsn.us
192.168.164.126 ytep-sql
192.168.164.126 ytep-sql.yuroktribe.nsn.us
192.168.168.12 fiscalsql
192.168.168.1 ytmain
192.168.168.1 ytmain.yuroktribe.nsn.us
192.168.168.12 fiscalsql.yuroktribe.nsn.us
192.168.168.4 www.myspace.com
192.168.168.4 myspace.com
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  www.abcsearcher.com #[spamdexing][Microsoft.Strider]
127.0.0.1  www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1  adserver.adbunker.com
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
127.0.0.1  c.abnad.net #[iE-SpyAd]
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - TOSHIBA MK2561GSYFN +++++
--- User ---
[MBR] f151f49702d3728140a62fbf3881ba92
[bSP] 6bce99382969da86bc939937211cb209 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 750 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1617920 | Size: 237684 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) (Standard disk drives) - PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 741608d92d0d514c3ab62573bb9a9cef
[bSP] a83a24340e59ea8cbbf2d8eaa19e98b0 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7701 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) (Standard disk drives) - ST310003 33AS USB Device +++++
--- User ---
[MBR] 7435b395373533bcd39085cd12602a0e
[bSP] 3a263ec662f61a27d74cd7a536bc3337 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_10102013_170002.txt >>

 

 

Link to post
Share on other sites

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\n. [x]) -> FOUND


Now click Delete on the right hand column under Options

-------------

Now click Fix Host on the right hand column under Options

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There's signs of the ZeroAccess backdoor trojan on the system, we have to check a little deeper:

Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system) (64bit for you)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

MrC

Link to post
Share on other sites

Your system is 64 bit:
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
 
This is the ZeroAccess backdoor trojan:
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\n. [x]) -> FOUND
 

This is a company computer???, cause I had you restore the original host file because of these: (we can restore them if needed)

192.168.164.23 domsat
192.168.164.23 domsat.yuroktribe.nsn.us
192.168.164.126 ytep-sql
192.168.164.126 ytep-sql.yuroktribe.nsn.us
192.168.168.12 fiscalsql
192.168.168.1 ytmain
192.168.168.1 ytmain.yuroktribe.nsn.us
192.168.168.12 fiscalsql.yuroktribe.nsn.us
192.168.168.4 www.myspace.com
192.168.168.4 myspace.com

 

 
MrC

Link to post
Share on other sites

everything except the myspace looks legit from work from that last list.  We have a VPN (I think that's what it is) to the Klamath office from this office which is a remote office.  YT stands for Yurok Tribe, which is the Indian Tribe I work for.  My Internet's working OK, but I can't currently access bleepingcomputer.com;  my co-worker sitting next to me couldn't either.  My IT guy gave me the go-ahead to work with you on this. 

 

So to recap:  I re-ran the roguekiller, deleted the zero access registry key, but couldn't get on to the bleeping computer site to get the farbar recovery scan tool;  I will try it again.  My coworker cannot access that site right now from a different computer either. 

 

Mike

Link to post
Share on other sites

The site is down....run this scan instead:

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

MrC

Link to post
Share on other sites

oops, forgot to attach logs...

 

Text paste: 

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.10.10.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
mbelchik :: JKS5RL1-FISH [administrator]

10/10/2013 5:57:31 PM
mbar-log-2013-10-10 (17-57-31).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 267055
Time elapsed: 14 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} (Hijack.Trojan.Siredef.C) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 3
C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\U (Trojan.Siredef.C) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\L (Trojan.Siredef.C) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39 (Trojan.Siredef.C) -> Delete on reboot.

Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\@ (Trojan.Siredef.C) -> Delete on reboot.

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

system log:

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16721

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 4215455744, free: 2523660288

Downloaded database version: v2013.10.10.07
Downloaded database version: v2013.10.08.02
=======================================
Initializing...
------------ Kernel report ------------
     10/10/2013 17:57:26
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\DRIVERS\pcmcia.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\iaStorV.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\SRTSP64.SYS
\??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20131010.007\EX64.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
\??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20131010.007\ENG64.SYS
\SystemRoot\System32\Drivers\SRTSPX64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\??\C:\Windows\system32\drivers\wpsdrvnt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\bcmwl664.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\b57nd60a.sys
\SystemRoot\system32\drivers\1394ohci.sys
\SystemRoot\system32\drivers\sdbus.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\System32\Drivers\RootMdm.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\RimSerial_AMD64.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\teefer2.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStorV.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WinUsb.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\DRIVERS\scfilter.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\System32\ATMFD.DLL
\??\C:\Windows\system32\drivers\WpsHelper.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\advapi32.dll
\Windows\System32\wininet.dll
\Windows\System32\ole32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\psapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\lpk.dll
\Windows\System32\imm32.dll
\Windows\System32\nsi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\ws2_32.dll
\Windows\System32\gdi32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\setupapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\normaliz.dll
\Windows\System32\urlmon.dll
\Windows\System32\user32.dll
\Windows\System32\msctf.dll
\Windows\System32\shell32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\iertutil.dll
\Windows\System32\difxapi.dll
\Windows\System32\shlwapi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\usp10.dll
\Windows\System32\sechost.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\comctl32.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800523a060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004423050
Lower Device Driver Name: \Driver\iaStorV\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800523a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800523aab0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800523a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004423050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStorV\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8A427EA7

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 1536000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1617920  Numsec = 486776832

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
Done!
Infected: C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\@ --> [Trojan.Siredef.C]
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} --> [Hijack.Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\U --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39\L --> [Trojan.Siredef.C]
Infected: C:\$Recycle.Bin\S-1-5-21-484763869-1450960922-725345543-1675\$3590ce1f405739065d780673be3ffe39 --> [Trojan.Siredef.C]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16721

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 4215455744, free: 3119292416

=======================================

system-log.txt

mbar-log-2013-10-10 (17-57-31).txt

Link to post
Share on other sites

You're definitely infected with ZeroAccess (backdoor trojan)

We have to wait until bleepingcomputer.com is back up before we continue so we can download FRST and another program.

--------------------------------------

Please read this about the ZeroAccess trojan:
 

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

I would change all my passwords and keep a close eye on all your sensitive accounts.


-------------------------------

It's late hear so hopefully bleepingcomputer.com will be back soon.

Be back in the AM........MrC

 

Link to post
Share on other sites

ran farbar...

 

Pasted frst.txt as instructed and attached addition.txt as instructed. 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by mbelchik (administrator) on JKS5RL1-FISH on 11-10-2013 09:55:41
Running from C:\Users\mbelchik\Desktop\farbar
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
(Dropbox, Inc.) C:\Users\mbelchik\AppData\Roaming\Dropbox\bin\Dropbox.exe
(CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brownie\Brnipmon.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil64_11_9_900_117_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [1692264 2011-05-05] ()
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2280232 2010-08-06] (Synaptics Incorporated)
HKCU\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-01-09] (Google Inc.)
HKCU\...\Policies\Explorer: [NoWelcomeScreen] 1
MountPoints2: {8711ce57-100e-11e3-85a9-b8ac6f50f0c6} - E:\MotorolaDeviceManagerSetup.exe -a
HKLM-x32\...\Run: [ccApp] - C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe [115560 2011-03-23] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iJNetworkScanUtility] - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM-x32\...\Run: [brStsWnd] - C:\Program Files (x86)\Brownie\BrstsW64.exe [967168 2008-09-18] (brother)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
Startup: C:\Users\mbelchik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\mbelchik\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

SearchScopes: HKCU - DefaultScope {8C88E40A-2265-4B3D-9907-23C031D96C11} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=&UM=2
SearchScopes: HKCU - {50EF48D0-F663-4B14-89D3-575B8F332668} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=20C25B87-6E06-498D-877C-B14BDD129BB8&apn_sauid=9E7D5A50-4E20-465A-8917-67C6479D95E3&
SearchScopes: HKCU - {8C88E40A-2265-4B3D-9907-23C031D96C11} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=&UM=2
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {1896F800-6EFB-422F-A04B-AA7D44D9A4A9} http://208.180.37.53:88/WebClient.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/webex/ieatgpc1.cab
Handler: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} -  No File
Handler-x32: qvp - {4BA78E3D-CA25-4BFF-B8F0-8A3359E4B520} - C:\Program Files (x86)\QlikView\QvProtocol\Qvp.dll (QlikTech AB)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.2 192.168.168.1 192.168.164.2

FireFox:
========
FF ProfilePath: C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default
FF user.js: detected! => C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\user.js
FF DefaultSearchEngine: SweetPacks Customized Web Search
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\mbelchik\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF SearchPlugin: C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\searchplugins\conduit.xml
FF SearchPlugin: C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\searchplugins\MyStart Search.xml
FF Extension: SweetPacks  - C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\Extensions\{7e8a1050-cf67-4575-92df-dcc60e7d952d}
FF Extension: fhdp3 - C:\Users\mbelchik\AppData\Roaming\Mozilla\Firefox\Profiles\plj0l5eh.default\Extensions\fhdp3@freehdsp.tv.xpi

Chrome:
=======
CHR HomePage: https://www.google.com/

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.76\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (RIM Handheld Application Loader) - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Java Platform SE 7 U5) - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\mbelchik\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\mbelchik\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\mbelchik\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\Users\mbelchik\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM-x32\...\Chrome\Extension: [banjjklfojcdbofbhbgiedekefohoaff] - C:\Users\mbelchik\AppData\Local\CRE\banjjklfojcdbofbhbgiedekefohoaff.crx

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [128384 2011-05-04] (SUPERAntiSpyware.com)
R2 ccEvtMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-03-23] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-03-23] (Symantec Corporation)
S3 LiveUpdate; C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE [3093880 2010-02-17] (Symantec Corporation)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2013-07-31] (Motorola Mobility LLC)
R2 SmcService; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe [3217344 2011-03-23] (Symantec Corporation)
S4 SNAC; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE [419656 2011-03-23] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1822296 2011-03-23] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-27] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-27] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-27] (Symantec Corporation)
R3 NAVENG; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20131010.023\ENG64.SYS [126040 2013-10-09] (Symantec Corporation)
R3 NAVENG; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20131010.023\ENG64.SYS [126040 2013-10-09] (Symantec Corporation)
R3 NAVEX15; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20131010.023\EX64.SYS [2099288 2013-10-09] (Symantec Corporation)
R3 NAVEX15; C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20131010.023\EX64.SYS [2099288 2013-10-09] (Symantec Corporation)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [447536 2011-03-23] (Symantec Corporation)
R1 SRTSP; C:\Windows\SysWow64\Drivers\SRTSP64.SYS [447536 2011-03-23] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482352 2011-03-23] (Symantec Corporation)
S3 SRTSPL; C:\Windows\SysWow64\Drivers\SRTSPL64.SYS [482352 2011-03-23] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2011-03-23] (Symantec Corporation)
R1 SRTSPX; C:\Windows\SysWow64\Drivers\SRTSPX64.SYS [32304 2011-03-23] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [172592 2011-12-28] (Symantec Corporation)
R3 Teefer2; C:\Windows\System32\DRIVERS\teefer2.sys [64048 2011-03-23] (Symantec Corporation)
R1 WPS; C:\Windows\system32\drivers\wpsdrvnt.sys [52784 2011-03-23] (Symantec Corporation)
R3 WpsHelper; C:\Windows\system32\drivers\WpsHelper.sys [233120 2013-10-03] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-11 09:55 - 2013-10-11 09:55 - 00000000 ____D C:\FRST
2013-10-11 09:53 - 2013-10-11 09:54 - 00000000 ____D C:\Users\mbelchik\Desktop\farbar
2013-10-10 17:57 - 2013-10-10 18:45 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-10-10 17:56 - 2013-10-10 18:45 - 00000000 ____D C:\Users\mbelchik\Desktop\mbar
2013-10-10 17:52 - 2013-10-10 17:53 - 12907592 _____ (Malwarebytes Corp.) C:\Users\mbelchik\Desktop\mbar-1.07.0.1005.exe
2013-10-10 17:27 - 2013-10-10 17:27 - 00001562 _____ C:\Users\mbelchik\Desktop\RKreport[0]_H_10102013_172734.txt
2013-10-10 17:26 - 2013-10-10 17:26 - 00002647 _____ C:\Users\mbelchik\Desktop\RKreport[0]_D_10102013_172655.txt
2013-10-10 17:22 - 2013-10-10 17:22 - 00002553 _____ C:\Users\mbelchik\Desktop\RKreport[0]_S_10102013_172231.txt
2013-10-10 17:00 - 2013-10-10 17:00 - 00003246 _____ C:\Users\mbelchik\Desktop\RKreport[0]_S_10102013_170002.txt
2013-10-10 16:24 - 2013-10-10 17:26 - 00000000 ____D C:\Users\mbelchik\Desktop\RK_Quarantine
2013-10-10 16:23 - 2013-10-10 16:23 - 00951296 _____ C:\Users\mbelchik\Desktop\RogueKiller.exe
2013-10-10 15:57 - 2013-10-10 15:57 - 00017504 _____ C:\Users\mbelchik\Desktop\dds.txt
2013-10-10 15:57 - 2013-10-10 15:57 - 00017062 _____ C:\Users\mbelchik\Desktop\attach.txt
2013-10-10 15:55 - 2013-10-10 15:56 - 00688992 ____R (Swearware) C:\Users\mbelchik\Desktop\dds.scr
2013-10-10 15:26 - 2013-10-10 18:18 - 00000112 _____ C:\Windows\setupact.log
2013-10-10 15:26 - 2013-10-10 15:26 - 00000000 _____ C:\Windows\setuperr.log
2013-10-10 14:21 - 2013-10-10 14:21 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-10 14:21 - 2013-10-10 14:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-10 14:21 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-10-09 18:09 - 2013-09-22 16:28 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-10-09 18:09 - 2013-09-22 16:28 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-10-09 18:09 - 2013-09-22 16:27 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-10-09 18:09 - 2013-09-22 15:55 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-10-09 18:09 - 2013-09-22 15:55 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-10-09 18:09 - 2013-09-22 15:55 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-10-09 18:09 - 2013-09-22 15:54 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 02647552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-10-09 18:09 - 2013-09-22 15:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-10-09 18:09 - 2013-09-20 20:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-10-09 18:09 - 2013-09-20 20:30 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-10-09 18:09 - 2013-09-20 19:48 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-10-09 18:09 - 2013-09-20 19:39 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-10-09 18:08 - 2013-09-22 16:27 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-10-09 18:08 - 2013-09-22 15:54 - 19252224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-10-09 18:00 - 2013-10-10 14:09 - 00261782 _____ C:\Windows\msxml4-KB2758694-enu.LOG
2013-10-09 11:14 - 2013-07-04 05:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2013-10-09 11:14 - 2013-07-04 04:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2013-10-09 11:14 - 2013-06-05 22:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2013-10-09 11:14 - 2013-06-05 22:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2013-10-09 11:14 - 2013-06-05 22:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2013-10-09 11:14 - 2013-06-05 22:47 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2013-10-09 11:14 - 2013-06-05 21:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2013-10-09 11:14 - 2013-06-05 21:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2013-10-09 11:14 - 2013-06-05 21:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2013-10-09 11:14 - 2013-06-05 20:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2013-10-09 11:14 - 2013-06-05 20:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2013-10-09 11:14 - 2013-06-05 20:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2013-10-09 11:13 - 2013-09-04 05:12 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2013-10-09 11:13 - 2013-09-04 05:11 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2013-10-09 11:13 - 2013-09-04 05:11 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2013-10-09 11:13 - 2013-09-04 05:11 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2013-10-09 11:13 - 2013-09-04 05:11 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2013-10-09 11:13 - 2013-09-04 05:11 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2013-10-09 11:13 - 2013-09-04 05:11 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2013-10-09 11:13 - 2013-08-27 18:21 - 03155968 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-10-09 11:13 - 2013-08-01 05:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2013-10-09 11:13 - 2013-07-20 03:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 11:13 - 2013-07-20 03:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2013-10-09 11:13 - 2013-07-12 03:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbcir.sys
2013-10-09 11:13 - 2013-07-02 21:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2013-10-09 11:13 - 2013-07-02 21:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys
2013-10-09 11:13 - 2013-06-25 15:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2013-10-09 11:13 - 2012-11-28 15:56 - 00054376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfLdr.sys
2013-10-09 11:13 - 2012-11-28 15:56 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\Wdfres.dll
2013-10-09 11:13 - 2012-11-28 15:56 - 00000003 _____ C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2013-10-08 16:00 - 2013-10-08 16:00 - 00000000 ____D C:\ProgramData\Motorola
2013-10-08 15:57 - 2013-10-08 15:57 - 00003492 _____ C:\Windows\System32\Tasks\Motorola Device Manager Update
2013-10-08 15:57 - 2013-10-08 15:57 - 00003474 _____ C:\Windows\System32\Tasks\Motorola Device Manager Engine
2013-10-08 15:57 - 2013-10-08 15:57 - 00003300 _____ C:\Windows\System32\Tasks\Motorola Device Manager Initial Update
2013-10-08 15:57 - 2013-10-08 15:57 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Motorola Mobility
2013-10-08 15:57 - 2013-10-08 15:57 - 00000000 ____D C:\Program Files (x86)\Motorola Mobility
2013-10-08 15:57 - 2013-10-08 15:57 - 00000000 ____D C:\Program Files (x86)\Motorola
2013-10-08 15:56 - 2013-10-08 15:56 - 00000000 ____D C:\Program Files\Motorola Inc
2013-10-08 15:56 - 2013-10-08 15:56 - 00000000 ____D C:\Program Files\Common Files\Motorola Shared
2013-10-08 15:54 - 2013-10-08 15:54 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Motorola
2013-09-29 09:30 - 2013-09-29 17:37 - 00000000 ____D C:\ProgramData\Conduit
2013-09-29 09:30 - 2013-09-29 09:44 - 00000000 ____D C:\Users\mbelchik\AppData\Local\Conduit
2013-09-29 09:29 - 2013-09-29 09:31 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-09-29 09:29 - 2013-09-29 09:31 - 00000000 _____ C:\END
2013-09-29 09:29 - 2013-09-29 09:29 - 00000000 ____D C:\Users\mbelchik\AppData\Local\CRE
2013-09-29 09:29 - 2013-07-04 00:11 - 00829264 _____ (Microsoft Corporation) C:\Windows\system32\msvcr100.dll
2013-09-29 09:29 - 2013-07-04 00:11 - 00608080 _____ (Microsoft Corporation) C:\Windows\system32\msvcp100.dll
2013-09-29 09:28 - 2013-09-29 22:11 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VipBoxSportsApp.com
2013-09-29 09:28 - 2013-09-29 16:25 - 00000000 ____D C:\Program Files (x86)\VipBoxSportsApp.com
2013-09-19 17:17 - 2013-09-19 17:17 - 00019479 _____ C:\Users\mbelchik\Desktop\general ledger fy 2011 macroinverts.xlsx
2013-09-19 17:16 - 2013-09-19 17:16 - 00012189 _____ C:\Users\mbelchik\Desktop\rev expense fy 2011 macroinvert.xlsx

==================== One Month Modified Files and Folders =======

2013-10-11 09:55 - 2013-10-11 09:55 - 00000000 ____D C:\FRST
2013-10-11 09:54 - 2013-10-11 09:53 - 00000000 ____D C:\Users\mbelchik\Desktop\farbar
2013-10-11 09:43 - 2011-12-28 15:19 - 01695072 _____ C:\Windows\WindowsUpdate.log
2013-10-11 09:33 - 2012-04-19 10:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-11 09:32 - 2012-01-09 22:53 - 00000902 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-11 09:32 - 2011-12-28 17:49 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2013-10-10 18:45 - 2013-10-10 17:57 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-10-10 18:45 - 2013-10-10 17:56 - 00000000 ____D C:\Users\mbelchik\Desktop\mbar
2013-10-10 18:26 - 2009-07-13 21:45 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-10 18:26 - 2009-07-13 21:45 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-10 18:23 - 2009-07-13 22:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-10 18:20 - 2012-07-26 10:27 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Dropbox
2013-10-10 18:20 - 2012-06-11 10:14 - 00000338 _____ C:\Windows\Brownie.ini
2013-10-10 18:20 - 2011-12-29 14:26 - 00000000 ___RD C:\Users\mbelchik\Documents\My Dropbox
2013-10-10 18:19 - 2012-01-09 22:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-10 18:19 - 2011-12-29 13:46 - 00000480 __RSH C:\Users\mbelchik\ntuser.pol
2013-10-10 18:19 - 2011-12-29 13:45 - 00000000 ____D C:\Users\mbelchik
2013-10-10 18:18 - 2013-10-10 15:26 - 00000112 _____ C:\Windows\setupact.log
2013-10-10 18:18 - 2011-12-28 17:47 - 00035762 _____ C:\Windows\PFRO.log
2013-10-10 18:18 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-10 18:13 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\Globalization
2013-10-10 17:53 - 2013-10-10 17:52 - 12907592 _____ (Malwarebytes Corp.) C:\Users\mbelchik\Desktop\mbar-1.07.0.1005.exe
2013-10-10 17:27 - 2013-10-10 17:27 - 00001562 _____ C:\Users\mbelchik\Desktop\RKreport[0]_H_10102013_172734.txt
2013-10-10 17:26 - 2013-10-10 17:26 - 00002647 _____ C:\Users\mbelchik\Desktop\RKreport[0]_D_10102013_172655.txt
2013-10-10 17:26 - 2013-10-10 16:24 - 00000000 ____D C:\Users\mbelchik\Desktop\RK_Quarantine
2013-10-10 17:22 - 2013-10-10 17:22 - 00002553 _____ C:\Users\mbelchik\Desktop\RKreport[0]_S_10102013_172231.txt
2013-10-10 17:00 - 2013-10-10 17:00 - 00003246 _____ C:\Users\mbelchik\Desktop\RKreport[0]_S_10102013_170002.txt
2013-10-10 16:23 - 2013-10-10 16:23 - 00951296 _____ C:\Users\mbelchik\Desktop\RogueKiller.exe
2013-10-10 15:57 - 2013-10-10 15:57 - 00017504 _____ C:\Users\mbelchik\Desktop\dds.txt
2013-10-10 15:57 - 2013-10-10 15:57 - 00017062 _____ C:\Users\mbelchik\Desktop\attach.txt
2013-10-10 15:56 - 2013-10-10 15:55 - 00688992 ____R (Swearware) C:\Users\mbelchik\Desktop\dds.scr
2013-10-10 15:26 - 2013-10-10 15:26 - 00000000 _____ C:\Windows\setuperr.log
2013-10-10 15:24 - 2013-07-26 07:49 - 00000000 ____D C:\Windows\Minidump
2013-10-10 14:21 - 2013-10-10 14:21 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-10 14:21 - 2013-10-10 14:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-10 14:10 - 2011-12-28 17:51 - 00011410 __RSH C:\ProgramData\ntuser.pol
2013-10-10 14:09 - 2013-10-09 18:00 - 00261782 _____ C:\Windows\msxml4-KB2758694-enu.LOG
2013-10-10 14:05 - 2011-12-29 14:34 - 00011814 _____ C:\Users\mbelchik\Desktop\billable projects.xlsx
2013-10-10 10:43 - 2009-07-13 21:45 - 00430736 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-09 18:11 - 2011-12-28 17:35 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-10-09 18:07 - 2013-03-13 23:23 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-10-09 18:07 - 2013-03-13 23:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-10-09 18:02 - 2013-08-14 16:28 - 00000000 ____D C:\Windows\system32\MRT
2013-10-09 18:00 - 2011-12-28 19:37 - 80541720 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-10-08 16:00 - 2013-10-08 16:00 - 00000000 ____D C:\ProgramData\Motorola
2013-10-08 15:57 - 2013-10-08 15:57 - 00003492 _____ C:\Windows\System32\Tasks\Motorola Device Manager Update
2013-10-08 15:57 - 2013-10-08 15:57 - 00003474 _____ C:\Windows\System32\Tasks\Motorola Device Manager Engine
2013-10-08 15:57 - 2013-10-08 15:57 - 00003300 _____ C:\Windows\System32\Tasks\Motorola Device Manager Initial Update
2013-10-08 15:57 - 2013-10-08 15:57 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Motorola Mobility
2013-10-08 15:57 - 2013-10-08 15:57 - 00000000 ____D C:\Program Files (x86)\Motorola Mobility
2013-10-08 15:57 - 2013-10-08 15:57 - 00000000 ____D C:\Program Files (x86)\Motorola
2013-10-08 15:57 - 2013-07-26 10:03 - 00000000 ____D C:\Program Files (x86)\MSXML 4.0
2013-10-08 15:57 - 2011-12-29 13:46 - 00000000 ____D C:\Users\mbelchik\AppData\Local\VirtualStore
2013-10-08 15:56 - 2013-10-08 15:56 - 00000000 ____D C:\Program Files\Motorola Inc
2013-10-08 15:56 - 2013-10-08 15:56 - 00000000 ____D C:\Program Files\Common Files\Motorola Shared
2013-10-08 15:56 - 2012-06-11 10:15 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-10-08 15:54 - 2013-10-08 15:54 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Motorola
2013-10-08 10:38 - 2012-04-19 10:43 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-08 10:38 - 2012-04-19 10:43 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-08 10:38 - 2011-12-29 11:32 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-08 10:33 - 2012-01-09 22:53 - 00000000 ____D C:\Users\mbelchik\AppData\Local\Google
2013-10-08 10:11 - 2012-01-09 22:53 - 00003898 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-08 10:11 - 2012-01-09 22:53 - 00003646 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-04 10:44 - 2012-02-07 14:45 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-03 12:02 - 2011-12-28 17:13 - 00233120 _____ (Symantec Corporation) C:\Windows\system32\Drivers\wpshelper.sys
2013-09-29 22:11 - 2013-09-29 09:28 - 00000000 ____D C:\Users\mbelchik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VipBoxSportsApp.com
2013-09-29 17:37 - 2013-09-29 09:30 - 00000000 ____D C:\ProgramData\Conduit
2013-09-29 16:25 - 2013-09-29 09:28 - 00000000 ____D C:\Program Files (x86)\VipBoxSportsApp.com
2013-09-29 11:27 - 2012-04-26 14:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-29 09:44 - 2013-09-29 09:30 - 00000000 ____D C:\Users\mbelchik\AppData\Local\Conduit
2013-09-29 09:31 - 2013-09-29 09:29 - 00000000 ____D C:\Program Files (x86)\Conduit
2013-09-29 09:31 - 2013-09-29 09:29 - 00000000 _____ C:\END
2013-09-29 09:29 - 2013-09-29 09:29 - 00000000 ____D C:\Users\mbelchik\AppData\Local\CRE
2013-09-25 14:14 - 2011-12-29 14:20 - 00000000 ____D C:\Users\mbelchik\Documents\Belchik
2013-09-23 11:17 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2013-09-22 16:28 - 2013-10-09 18:09 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-22 16:28 - 2013-10-09 18:09 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 02048512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-22 16:27 - 2013-10-09 18:09 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-22 16:27 - 2013-10-09 18:08 - 14335488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-22 15:55 - 2013-10-09 18:09 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-22 15:55 - 2013-10-09 18:09 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-22 15:55 - 2013-10-09 18:09 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-09-22 15:54 - 2013-10-09 18:09 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 02647552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-22 15:54 - 2013-10-09 18:09 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-09-22 15:54 - 2013-10-09 18:08 - 19252224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-20 20:38 - 2013-10-09 18:09 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-20 20:30 - 2013-10-09 18:09 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-20 19:48 - 2013-10-09 18:09 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-09-20 19:39 - 2013-10-09 18:09 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-19 17:17 - 2013-09-19 17:17 - 00019479 _____ C:\Users\mbelchik\Desktop\general ledger fy 2011 macroinverts.xlsx
2013-09-19 17:16 - 2013-09-19 17:16 - 00012189 _____ C:\Users\mbelchik\Desktop\rev expense fy 2011 macroinvert.xlsx
2013-09-13 14:32 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2013-09-11 11:01 - 2011-12-29 13:46 - 00000000 ___RD C:\Users\mbelchik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-11 11:01 - 2011-12-29 13:46 - 00000000 ___RD C:\Users\mbelchik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools

Files to move or delete:
====================
C:\Users\mbelchik\jagex_cl_runescape_LIVE.dat
C:\Users\mbelchik\jagex_runescape_preferences.dat
C:\Users\mbelchik\jagex_runescape_preferences2.dat

Some content of TEMP:
====================
C:\Users\jnorton\AppData\Local\Temp\converter.exe
C:\Users\mbelchik\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\mbelchik\AppData\Local\Temp\MotoCast_Installer_2.0403.exe
C:\Users\mbelchik\AppData\Local\Temp\ntdll_dump.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-10-07 11:08

==================== End Of Log ============================

Addition.txt

Link to post
Share on other sites

Looks OK and your host file has remained the same as when we started.

There's lots of adware/spyware in the logs though.

Next:

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

Link to post
Share on other sites

OK, this is somewhat embarrassing...  I went to the "how to use combofix" page.  I read the instructions; print them out.  There was a link at the top that said "download".  I'm on a safe site, right?  I click through the "next" next next...  And I install a bunch of adware, pop ups, extensions browser junk. Etc.  F****!!!!!!!  I thought I was downloading a zip file extractor what was going to be used for the combofix.  I go back to the site, and it was simply an ad.  The download link for combofix was further down in the text (duh!).  I now have adware I have to get rid of.  This'll take me awhile (I have uninstalled several of the programs), but I'm afraid I'm going to have to start over!!!

 

There should be a disclaimer on there that says "DON"T CLICK ON ANYTHING IN OUR ADS BECAUSE IT"S ALL JUNK!!!"  which I know already, but I thought the download button was for combofix, not an ad. 

 

I have to go to town and pick up my kid; would it be alright to pick this up tomorrow afternoon/evening?  I'm sorry, I thought I'd be done, but I screwed it up. 

 

:(

 

Mike

Link to post
Share on other sites

This will get rid of most of it: (make sure you click on the correct link)

Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

MrC

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.