Malware Removal Help


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16506  BrowserJavaVersion: 1.5.0_22
Run by benedt at 9:52:09 on 2013-12-10
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.16342.14162 [GMT -6:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\LogonUI.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Dell\KACE\AMPAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\SW2013_INSTALL\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe
C:\Program Files\SW2013_INSTALL\SolidWorks Flow Simulation\binCFW\dispatcher.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\PrintIsolationHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
C:\Program Files\Evoluent\VMouse\V4\EvoMouseExec.exe
C:\Program Files\SW2013_INSTALL\SolidWorks\sldworks_fs.exe
C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
\\WIN-DC04.bench.com\netlogon\cymdir_64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.



uProxyServer = proxy.corp.bench.com:80
uProxyOverride = *.bench.com;*.mn.bench.com;*.pmtr.net;*.guidant.com;ssl.seagate.com;ssl-okc.seagate.com;<local>
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: QuickShare Widget: {ae07101b-46d4-4a98-af68-0333ea26e113} -
uRun: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe /autoRun
uRun: [iWOAIsrv] "C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [mobilegeni daemon] C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\EVOLUE~1.LNK - C:\Windows\Installer\{0F8F4447-1F0B-4703-9BD5-53F0274CE856}\_B5CB566BBFE908A7621D0F.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SOLIDW~2.LNK - C:\Windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SOLIDW~1.LNK - C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = dword:1
uPolicies-Explorer: NoSimpleStartMenu = dword:1
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-System: ConnectHomeDirToRoot = dword:1
uPolicies-Windows\System: ExcludeProfileDirs = My Music;Music;My Pictures;Pictures;My Videos;Videos;Downloads;Documents;My Documents;Contacts;Temporary Internet Files;Desktop;Local Settings;Palm;WinCE Stuff;.Agile;.AgileCM;Saved Games;Cookies;Reader9;Application Data;Temp;History;Start Menu;My Recent Documents;.VirtualBox;Recent;webex;interwise;tracking;_rpcs;perl;workspace;pcbenv;oracle;lv;dropbox;.eclipse
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: daptive.com
Trusted Zone: skillport.com
Trusted Zone: skillwsa.com
TCP: NameServer = 167.67.1.29 167.67.4.5
TCP: Interfaces\{FFE4E88C-205B-4D3B-A5B4-17345BD39A6A} : DHCPNameServer = 167.67.1.29 167.67.4.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>

x64-mWinlogon: Userinit = C:\Windows\System32\KUsrInit.exe,
x64-BHO: QuickShare WidgetEngine: {31ad400d-1b06-4e33-a59a-90c2c140cba0} -
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: QuickShare Widget: {ae07101b-46d4-4a98-af68-0333ea26e113} -
x64-Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
x64-Run: [OfficeScanNT Monitor]  -HideWindow
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
x64-Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Trusted Zone: daptive.com
x64-Trusted Zone: skillport.com
x64-Trusted Zone: skillwsa.com
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: DB495CC5-B015-B30F-4FBB-F5C07A81BBFF - "C:\Windows\SysWOW64\msiexec.exe" /fpu {CC8C6973-85DF-49BD-9883-9C9986C5285E} /q
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2013-2-11 24496]
R0 iaStorS;iaStorS;C:\Windows\System32\drivers\iaStorS.sys [2013-2-11 639408]
R2 AMPAgent;Dell KACE Agent;C:\Program Files (x86)\Dell\KACE\AMPAgent.exe [2013-8-23 2872424]
R2 DraftSight API Service;DraftSight API Service;C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [2012-12-27 123392]
R2 RemoteSolverDispatcher;Remote Solver for Flow Simulation 2013;C:\Program Files\SW2013_INSTALL\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe [2013-2-22 218248]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-2-27 383264]
R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [2009-12-4 344864]
R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmpreflt.sys [2009-12-4 42272]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-2-11 2656536]
R3 EvoMouseDriverFilterHidUsb;Evoluent Mouse Driver Filter;C:\Windows\System32\drivers\EvoMouseDriverFilterHidUsb.sys [2010-6-23 25144]
R3 EvoMouseDriverMini;EvoMouseDriverMini;C:\Windows\System32\drivers\EvoMouseDriverMini.sys [2010-6-23 22584]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-11-19 80384]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-11-19 181248]
R3 TmProxy;OfficeScan NT Proxy Service;C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [2010-1-7 917768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;C:\Program Files\SW2013_INSTALL\SolidWorks\swScheduler\DTSCoordinatorService.exe [2013-3-28 77352]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2013-7-3 1431888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-2-11 19456]
S3 Remote Solver for Flow Simulation 2012;Remote Solver for Flow Simulation 2012;C:\Program Files\SolidWorks-2012\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [2012-8-9 114824]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-2-11 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-2-11 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-2-11 30208]
.
=============== File Associations ===============
.
FileExt: .vbe: VBEFile=C:\Windows\SysWow64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2013-12-10 15:25:16 -------- d-----w- C:\Users\benedt\AppData\Roaming\Malwarebytes
2013-12-10 15:17:50 -------- d-----w- C:\Program Files (x86)\Mobogenie
2013-12-10 14:35:33 20312 ----a-w- C:\Windows\System32\roboot64.exe
2013-12-03 17:46:12 -------- d-----w- C:\ProgramData\VS Revo Group
2013-11-27 17:17:54 439296 ----a-w- C:\Windows\System32\AdpeakProxy64.dll
2013-11-26 17:16:15 348160 ------w- C:\Windows\SysWow64\msvcr71.dll
2013-11-26 17:15:18 -------- d-----w- C:\Program Files\Level Quality Watcher
2013-11-12 21:09:41 -------- d-----w- C:\_download
.
==================== Find3M  ====================
.
.
============= FINISH:  9:52:16.25 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/27/2013 1:13:44 PM
System Uptime: 12/10/2013 9:46:43 AM (0 hours ago)
.
Motherboard: Dell Inc. |  | 0PTTT9
Processor: Intel® Xeon® CPU E5-1620 0 @ 3.60GHz | CPU 1 | 3564/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 238 GiB total, 131.683 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP65: 9/29/2013 - Scheduled Checkpoint
RP66: 10/6/2013 - Scheduled Checkpoint
RP67: 10/6/2013 4:00:12 AM - Windows Update
RP68: 10/14/2013 - Scheduled Checkpoint
RP69: 10/17/2013 11:14:56 AM - Installed 7-Zip 9.20 (x64 edition)
RP70: 10/25/2013 - Scheduled Checkpoint
RP71: 11/2/2013 - Scheduled Checkpoint
RP72: 11/9/2013 - Scheduled Checkpoint
RP73: 11/16/2013 - Scheduled Checkpoint
RP74: 11/23/2013 12:09:26 AM - Scheduled Checkpoint
RP75: 12/1/2013 - Scheduled Checkpoint
RP76: 12/3/2013 11:36:00 AM - Removed ScorpionSaver Services
RP78: 12/3/2013 11:46:37 AM - Revo Uninstaller Pro's restore point - QuickShare
RP80: 12/3/2013 11:47:55 AM - Revo Uninstaller Pro's restore point - The Weather Channel Desktop 6
RP81: 12/10/2013 8:37:45 AM - RegClean Pro Tue, Dec 10, 13  08:37
.
==== Installed Programs ======================
.
7-Zip 9.20 (x64 edition)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Help Manager
Adobe Illustrator CS6
Adobe Reader XI (11.0.01)
Amazon Browser Bar
AT&T Conferencing Outlook Add-in v9.0.73
AT&T Connect Participant Application v8.9.35
Bonjour
Cisco Jabber
Creo Thumbnail Viewer 1.0
Crystal Reports ActiveX Viewer 11.5
CutePDF Writer 2.7
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Client System Update
Dell KACE Agent
Dell Support Center
DraftSight x64
eDrawings for ProENGINEER (x64)
Evoluent Mouse Manager
FileZilla Client 3.6.0.2
Filzip 3.06
Infor BW
Intel® Management Engine Components
Intel® Network Connections Drivers
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 22
Java Auto Updater
Java 6 Update 13 (64-bit)
Java 6 Update 25
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office 2003 Web Components
Microsoft Office 2010 Primary Interop Assemblies
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Excel MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Standard 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft Visual Basic for Applications 7.1 (x64)
Microsoft Visual Basic for Applications 7.1 (x64) English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Remote Debugger Light (x64) - ENU
Microsoft Visual Studio 2005 Tools for Applications - ENU
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime Language Pack
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA 3D Vision Controller Driver 311.06
NVIDIA 3D Vision Driver 311.35
NVIDIA Control Panel 311.35
NVIDIA Graphics Driver 311.35
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
NVIDIA nView 140.49
NVIDIA Stereoscopic 3D Driver
PDF-Viewer
PDF Settings CS6
PDF Split And Merge Basic
Pro/ENGINEER Release Wildfire 5.0 Datecode M060
ProductView Express 9.1
QuickShare
Realtek High Definition Audio Driver
Renesas Electronics USB 3.0 Host Controller Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2760597) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687276) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Outlook 2010 (KB2794707) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760769) 32-Bit Edition
SolidWorks 2012 x64 Edition SP05
SolidWorks 2013 x64 Edition SP03
SolidWorks eDrawings 2012 x64 Edition SP05
SolidWorks eDrawings 2013 x64 Edition SP03
SolidWorks Explorer 2012 SP05 x64 Edition
SolidWorks Explorer 2013 SP03 x64 Edition
SolidWorks Flow Simulation 2012 SP05 x64 Edition
SolidWorks Flow Simulation 2013 SP03 x64 Edition
SolidWorks Plastics 2013 SP03 x64 Edition
Trend Micro OfficeScan Client
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553157) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589370) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760758) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Visual Studio 2005 Tools for Office Second Edition Runtime
.
==== Event Viewer Messages From Past Week ========
.
12/8/2013 11:32:43 AM, Error: Microsoft-Windows-GroupPolicy [1054]  - The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
12/10/2013 9:50:58 AM, Error: Microsoft-Windows-TerminalServices-Printers [1111]  - Driver PDFCreator required for printer PDFCreator is unknown. Contact the administrator to install the driver before you log in again.
12/10/2013 9:50:57 AM, Error: Microsoft-Windows-TerminalServices-Printers [1111]  - Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
12/10/2013 9:50:44 AM, Error: Microsoft-Windows-TerminalServices-Printers [1111]  - Driver CutePDF Writer required for printer CutePDF Writer is unknown. Contact the administrator to install the driver before you log in again.
12/10/2013 9:47:16 AM, Error: Application Management Group Policy [108]  - Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%2147746153
12/10/2013 9:46:53 AM, Error: Service Control Manager [7000]  - The Security Center service failed to start due to the following error:  The account specified for this service is different from the account specified for other services running in the same process.
12/10/2013 9:46:52 AM, Error: Service Control Manager [7023]  - The Function Discovery Resource Publication service terminated with the following error:  %%-2147024891
12/10/2013 9:46:52 AM, Error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
12/10/2013 9:46:52 AM, Error: Service Control Manager [7003]  - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
12/10/2013 9:46:52 AM, Error: Service Control Manager [7003]  - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
12/10/2013 5:06:56 AM, Error: Microsoft-Windows-GroupPolicy [1058]  - The processing of Group Policy failed. Windows attempted to read the file \\bench.com\sysvol\bench.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:  a) Name Resolution/Network Connectivity to the current domain controller.  b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).  c) The Distributed File System (DFS) client has been disabled.
.
==== End Of File ===========================

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


RogueKiller V8.7.11 _x64_ [Nov 25 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : benedt [Admin rights]
Mode : Scan -- Date : 12/10/2013 10:11:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (proxy.corp.bench.com:80 [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19\n. [x]) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19\n. [x]) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][sUSP PATH] Dealply.job : C:\Users\thielr\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V2][sUSP PATH] Dealply : C:\Users\thielr\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) ATA SAMSUNG SSD PM83 SCSI Disk Device +++++
--- User ---
[MBR] 1697ddce25816cf2b91de9a180fb11c7
[bSP] 6c6763ee13529b27d63fd8cf0a18ac27 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 244196 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12102013_101141.txt >>


Did you have a ZeroAccess infection in the past:

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19\n. [x]) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19\n. [x]) -> FOUND


MrC


OK.....

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19\n. [x]) -> FOUND

[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19\n. [x]) -> FOUND

Now click Delete on the right hand column under Options

-------------

Then.........

Download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system.....Which system am I using?)

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-12-2013
Ran by benedt (administrator) on C1678 on 10-12-2013 10:31:07
Running from C:\Users\benedt\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Dell Inc.) C:\Program Files (x86)\Dell\KACE\AMPAgent.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7Debug\mdm.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\Ntrtscan.exe
(Mentor Graphics Corporation) C:\Program Files\SW2013_INSTALL\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe
(Mentor Graphics Corporation) C:\Program Files\SW2013_INSTALL\SolidWorks Flow Simulation\binCFW\dispatcher.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
(AT&T) C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe
(Evoluent) C:\Program Files\Evoluent\VMouse\V4\EvoMouseExec.exe
(Dassault Systèmes SolidWorks Corp.) C:\Program Files\SW2013_INSTALL\SolidWorks\sldworks_fs.exe
(Dassault Systèmes SolidWorks Corp.) C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
() \\WIN-DC04.bench.com\netlogon\cymdir_64.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Java\jre6\bin\jusched.exe [170496 2013-02-25] (Sun Microsystems, Inc.)
HKLM\...\Run: [OfficeScanNT Monitor] -  -HideWindow
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe [2907240 2011-07-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2716960 2013-02-27] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Winlogon: [userinit] C:\Windows\System32\KUsrInit.exe,
HKCU\...\Run: [] - [x]
HKCU\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKCU\...\Policies\system: [ConnectHomeDirToRoot] 1
HKCU\...\Policies\Explorer: [NoWindowsUpdate] 1
HKCU\...\Policies\Explorer: [NoResolveSearch] 1
HKCU\...\Policies\Explorer: [NoSimpleStartMenu] 1
HKCU\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKLM-x32\...\Run: [NUSB3MON] - C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253672 2011-01-07] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [OfficeScanNT Monitor] - C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe [1364696 2010-10-15] (Trend Micro Inc.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] - C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [mobilegeni daemon] - C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
HKU\andrem\...\Run: [] - [x]
HKU\andrem\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKU\andrem\...\Policies\system: [ConnectHomeDirToRoot] 1
HKU\crudej\...\Run: [] - [x]
HKU\crudej\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKU\crudej\...\Policies\system: [ConnectHomeDirToRoot] 1
HKU\marmsg\...\Run: [] - [x]
HKU\marmsg\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKU\marmsg\...\Run: [Push Client] - C:\Users\marmsg\AppData\Local\ATT Connect\Participant\pull.exe
HKU\marmsg\...\Policies\system: [ConnectHomeDirToRoot] 1
HKU\roweke\...\Run: [] - [x]
HKU\roweke\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKU\roweke\...\Policies\system: [ConnectHomeDirToRoot] 1
HKU\thielr\...\Run: [] - [x]
HKU\thielr\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKU\thielr\...\Run: [Push Client] - C:\Users\thielr\AppData\Local\ATT Connect\Participant\pull.exe [965872 2010-06-03] (AT&T Inc.)
HKU\thielr\...\Run: [Cisco Jabber] - C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe [128000 2013-08-02] (Cisco Systems, Inc)
HKU\thielr\...\Run: [AdobeBridge] - [x]
HKU\thielr\...\Run: [DW7] - "C:\Program Files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe"
HKU\thielr\...\RunOnce: [Del1498155] - cmd.exe /Q /D /c del "C:\Users\thielr\AppData\Local\Temp\0.del"
HKU\thielr\...\Policies\system: [ConnectHomeDirToRoot] 1
HKU\whiter\...\Run: [] - [x]
HKU\whiter\...\Run: [iWOAIsrv] - C:\Program Files (x86)\ATT Connect\OutlookAddin\Server\IWOAISRV.exe [32768 2011-06-05] (AT&T)
HKU\whiter\...\Policies\system: [ConnectHomeDirToRoot] 1
Startup: C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hours log.xls - Shortcut.lnk
ShortcutTarget: Hours log.xls - Shortcut.lnk -> G:\users\Hours log\Hours log.xls (No File)
Startup: C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Internet Explorer.lnk
ShortcutTarget: Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation)
Startup: C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Outlook 2010.lnk
ShortcutTarget: Microsoft Outlook 2010.lnk -> C:\Windows\Installer\{90140000-0012-0000-0000-0000000FF1CE}\outicon.exe ()
Startup: C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WIP - Shortcut ()
Startup: C:\Users\thielr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

ProxyServer: proxy.corp.bench.com:80
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside/divisions/minnesota/SitePages/MinnesotaHome.aspx
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside/divisions/minnesota/SitePages/MinnesotaHome.aspx
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dsites&cd=2XzuyEtN2Y1L1QzuzytD0BtCtC0Czz0AyB0B0Dzy0A0EtCyBtN0D0Tzu0SyBtCtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=38860953&ir=
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites&cd=2XzuyEtN2Y1L1QzuzytD0BtCtC0Czz0AyB0B0Dzy0A0EtCyBtN0D0Tzu0SyBtCtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=38860953&ir=
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites&cd=2XzuyEtN2Y1L1QzuzytD0BtCtC0Czz0AyB0B0Dzy0A0EtCyBtN0D0Tzu0SyBtCtDtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=38860953&ir=
BHO: QuickShare WidgetEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - QuickShare Widget - {ae07101b-46d4-4a98-af68-0333ea26e113} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - QuickShare Widget - {ae07101b-46d4-4a98-af68-0333ea26e113} - C:\Windows\\SysWOW64\mscoree.dll (Microsoft Corporation)
DPF: HKLM-x32 {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} https://www.solidworks.com/sw/support/subscription/sldimdownload.cab
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Winsock: Catalog9-x64 01 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 02 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 03 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 04 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Winsock: Catalog9-x64 15 C:\Windows\system32\AdpeakProxy64.dll [439296] (Adpeak, Inc.)
Tcpip\Parameters: [DhcpNameServer] 167.67.1.29 167.67.4.5

==================== Services (Whitelisted) =================

R2 AMPAgent; C:\Program Files (x86)\Dell\KACE\AMPAgent.exe [2872424 2013-08-23] (Dell Inc.)
S3 CoordinatorServiceHost; C:\Program Files\SW2013_INSTALL\SolidWorks\swScheduler\DTSCoordinatorService.exe [77352 2013-03-28] (Dassault Systèmes SolidWorks Corp.)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [123392 2012-12-27] (Dassault Systèmes)
R2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [1938424 2010-10-14] (Trend Micro Inc.)
S3 Remote Solver for Flow Simulation 2012; C:\Program Files\SolidWorks-2012\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [114824 2012-08-09] (Mentor Graphics Corporation)
R2 RemoteSolverDispatcher; C:\Program Files\SW2013_INSTALL\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe [218248 2013-02-22] (Mentor Graphics Corporation)
R2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [2002464 2010-10-14] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [917768 2010-01-07] (Trend Micro Inc.)

==================== Drivers (Whitelisted) ====================

R3 EvoMouseDriverFilterHidUsb; C:\Windows\System32\DRIVERS\EvoMouseDriverFilterHidUsb.sys [25144 2010-06-23] (Evoluent)
R3 EvoMouseDriverMini; C:\Windows\System32\drivers\EvoMouseDriverMini.sys [22584 2010-06-23] ()
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [24496 2012-03-31] (Intel Corporation)
R0 iaStorS; C:\Windows\System32\drivers\iaStorS.sys [639408 2012-03-31] (Intel Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [1982952 2011-09-23] (Realtek Semiconductor Corp.)
R2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [344864 2013-08-14] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [42272 2013-08-14] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [108048 2010-01-07] (Trend Micro Inc.)
R2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2260768 2013-08-14] (Trend Micro Inc.)
U2 Remote Solver for Flow Simulation 2013;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-10 10:31 - 2013-12-10 10:31 - 00014219 _____ C:\Users\benedt\Desktop\FRST.txt
2013-12-10 10:30 - 2013-12-10 10:30 - 01927982 _____ (Farbar) C:\Users\benedt\Desktop\FRST64.exe
2013-12-10 10:30 - 2013-12-10 10:30 - 00000000 ____D C:\FRST
2013-12-10 10:28 - 2013-12-10 10:28 - 00002397 _____ C:\Users\benedt\Desktop\RKreport[0]_D_12102013_102801.txt
2013-12-10 10:27 - 2013-12-10 10:27 - 00002380 _____ C:\Users\benedt\Desktop\RKreport[0]_S_12102013_102709.txt
2013-12-10 10:11 - 2013-12-10 10:11 - 00002347 _____ C:\Users\benedt\Desktop\RKreport[0]_S_12102013_101141.txt
2013-12-10 10:10 - 2013-12-10 10:28 - 00000000 ____D C:\Users\benedt\Desktop\RK_Quarantine
2013-12-10 10:10 - 2013-12-10 10:10 - 04166144 _____ C:\Users\benedt\Desktop\RogueKillerX64.exe
2013-12-10 09:52 - 2013-12-10 09:52 - 00014521 _____ C:\Users\benedt\Desktop\dds.txt
2013-12-10 09:52 - 2013-12-10 09:52 - 00012076 _____ C:\Users\benedt\Desktop\attach.txt
2013-12-10 09:51 - 2013-12-10 09:51 - 00688992 ____R (Swearware) C:\Users\benedt\Desktop\dds.com
2013-12-10 09:25 - 2013-12-10 09:25 - 00000000 ____D C:\Users\benedt\AppData\Roaming\Malwarebytes
2013-12-10 09:22 - 2013-12-10 09:50 - 00000000 ____D C:\Users\benedt\AppData\Roaming\Adobe
2013-12-10 09:22 - 2013-12-10 09:22 - 00152280 _____ C:\Users\benedt\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-10 09:22 - 2013-12-10 09:22 - 00025110 __RSH C:\Users\benedt\ntuser.pol
2013-12-10 09:22 - 2013-12-10 09:22 - 00001447 _____ C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-10 09:22 - 2013-12-10 09:22 - 00001413 _____ C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-12-10 09:22 - 2013-12-10 09:22 - 00000020 ___SH C:\Users\benedt\ntuser.ini
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ___RD C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ___RD C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Roaming\SolidWorks
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Roaming\ATT Connect
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Local\VirtualStore
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Local\Adobe
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 _____ C:\Users\benedt\daemonprocess.txt
2013-12-10 09:22 - 2013-08-31 11:48 - 00000000 ____D C:\Users\benedt\AppData\Roaming\Macromedia
2013-12-10 09:22 - 2013-02-12 04:01 - 00000000 ____D C:\Users\benedt\AppData\Local\Microsoft Help
2013-12-10 09:22 - 2009-07-13 22:54 - 00000000 ___RD C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-10 09:22 - 2009-07-13 22:49 - 00000000 ___RD C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\wangzhisong\AppData\Local\Mobogenie
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\wangzhisong
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\thielr\Documents\Mobogenie
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\thielr\AppData\Local\Mobogenie
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\thielr\AppData\Local\cache
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 _____ C:\Users\thielr\daemonprocess.txt
2013-12-10 09:17 - 2013-12-10 09:24 - 00000000 ____D C:\Program Files (x86)\Mobogenie
2013-12-10 09:17 - 2013-12-10 09:17 - 00351124 _____ C:\Users\thielr\AppData\Local\mysearchdial-speeddial.crx
2013-12-10 09:17 - 2013-12-10 09:17 - 00001023 _____ C:\Users\thielr\Desktop\Mobogenie.lnk
2013-12-10 09:17 - 2013-12-10 09:17 - 00000999 _____ C:\Users\thielr\Desktop\MiPony.lnk
2013-12-10 09:17 - 2013-12-10 09:17 - 00000381 _____ C:\Users\thielr\Desktop\FREE Games.url
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 ____D C:\Users\thielr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mobogenie
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 ____D C:\Users\thielr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MiPony
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 ____D C:\Users\thielr\AppData\Roaming\1H1Q
2013-12-10 09:16 - 2013-12-10 09:16 - 00795560 _____ C:\Users\thielr\Downloads\DownloadManagerSetup.exe
2013-12-10 08:35 - 2013-12-10 08:40 - 00000000 ____D C:\Users\thielr\AppData\Roaming\systweak
2013-12-10 08:35 - 2013-12-10 08:35 - 00129536 _____ C:\Users\Public\AlexaNSISPlugin.8012.dll
2013-12-10 08:35 - 2013-12-06 12:25 - 00020312 _____ (Systweak Inc., (www.systweak.com)) C:\Windows\system32\roboot64.exe
2013-12-10 07:41 - 2013-12-10 07:41 - 00000000 ____D C:\Users\thielr\Desktop\MINE
2013-12-10 07:34 - 2013-12-10 07:34 - 00003024 _____ C:\Windows\System32\Tasks\{06ECF40E-117B-429E-8B6F-82E45F451152}
2013-12-10 06:12 - 2013-12-10 06:12 - 00010723 _____ C:\Windows\system32\traceback.log
2013-12-04 04:52 - 2013-12-04 04:52 - 00001684 _____ C:\Users\thielr\Desktop\Engineering Design BOM template 5.28.09 .xls.lnk
2013-12-03 11:51 - 2013-12-03 11:51 - 01853148 _____ C:\Users\thielr\Documents\Remove QuickShare by Linkury (Virus Removal Guide).mht
2013-12-03 11:46 - 2013-12-03 11:46 - 00000000 ____D C:\Users\thielr\AppData\Local\VS Revo Group
2013-12-03 11:46 - 2013-12-03 11:46 - 00000000 ____D C:\ProgramData\VS Revo Group
2013-11-27 11:17 - 2013-10-16 10:18 - 00439296 _____ (Adpeak, Inc.) C:\Windows\system32\AdpeakProxy64.dll
2013-11-26 11:16 - 2012-07-30 10:20 - 00348160 ____N (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2013-11-26 11:15 - 2013-12-10 10:14 - 00000294 _____ C:\Windows\Tasks\Dealply.job
2013-11-26 11:15 - 2013-12-10 08:53 - 00000000 ____D C:\Program Files\Level Quality Watcher
2013-11-26 11:15 - 2013-11-26 11:15 - 00003226 _____ C:\Windows\System32\Tasks\Dealply
2013-11-26 11:15 - 2013-11-26 11:15 - 00000000 ____D C:\Users\thielr\AppData\Local\Google
2013-11-19 15:19 - 2013-11-19 15:19 - 00000000 ____D C:\Users\thielr\Desktop\LANDO_EMAIL_JUNK_11-19-13
2013-11-15 13:41 - 2013-11-15 13:41 - 00003494 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-BEI-roweke
2013-11-15 13:41 - 2013-11-15 13:41 - 00000000 ____D C:\Users\roweke\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2013-11-15 13:40 - 2013-11-15 13:41 - 00000000 ____D C:\Users\roweke\AppData\Local\Adobe
2013-11-15 13:40 - 2013-11-15 13:40 - 00152280 _____ C:\Users\roweke\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-15 13:40 - 2013-11-15 13:40 - 00000000 ____D C:\Users\roweke\AppData\Local\VirtualStore
2013-11-15 13:39 - 2013-11-15 14:59 - 00000978 ___SH C:\Users\roweke\ntuser.ini
2013-11-15 13:39 - 2013-11-15 13:41 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Adobe
2013-11-15 13:39 - 2013-11-15 13:41 - 00000000 ____D C:\Users\roweke
2013-11-15 13:39 - 2013-11-15 13:40 - 00025110 __RSH C:\Users\roweke\ntuser.pol
2013-11-15 13:39 - 2013-11-14 10:46 - 00000000 ____D C:\Users\roweke\AppData\Roaming\SolidWorks
2013-11-15 13:39 - 2013-11-07 11:45 - 00000000 ____D C:\Users\roweke\AppData\Roaming\SolidWorks 2012
2013-11-15 13:39 - 2013-11-04 13:36 - 00000000 ____D C:\Users\roweke\AppData\Roaming\CircuitWorks
2013-11-15 13:39 - 2013-11-01 10:25 - 00000000 ___RD C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-11-15 13:39 - 2013-10-31 17:01 - 00000000 ____D C:\Users\roweke\AppData\Roaming\DassaultSystemes
2013-11-15 13:39 - 2013-10-24 15:25 - 00000000 ____D C:\Users\roweke\AppData\Roaming\DraftSight
2013-11-15 13:39 - 2013-10-23 11:05 - 00000000 ____D C:\Users\roweke\AppData\Roaming\EDrawings
2013-11-15 13:39 - 2013-10-16 19:07 - 00000000 ____D C:\Users\roweke\AppData\Roaming\FileZilla
2013-11-15 13:39 - 2013-10-14 13:21 - 00000000 ___RD C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-11-15 13:39 - 2013-06-19 13:26 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Autodesk
2013-11-15 13:39 - 2013-05-14 11:08 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Intel Corporation
2013-11-15 13:39 - 2013-05-14 11:08 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Intel
2013-11-15 13:39 - 2013-05-14 11:08 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Creative
2013-11-15 13:39 - 2013-03-15 13:21 - 00000000 ____D C:\Users\roweke\AppData\Roaming\NVIDIA
2013-11-15 13:39 - 2013-03-15 13:17 - 00001443 _____ C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-11-15 13:39 - 2013-03-15 13:17 - 00001409 _____ C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-11-15 13:39 - 2013-03-15 13:17 - 00000000 ____D C:\Users\roweke\AppData\Roaming\ATT Connect
2013-11-15 13:39 - 2012-11-29 12:57 - 00000000 ___RD C:\Users\roweke\Virtual Machines
2013-11-15 13:39 - 2012-09-26 10:04 - 00000000 ____D C:\Users\roweke\AppData\Roaming\PTC
2013-11-15 13:39 - 2012-09-26 09:58 - 00000000 ____D C:\Users\roweke\AppData\Roaming\CyberLink
2013-11-15 13:39 - 2012-09-26 09:51 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Interwise
2013-11-15 13:39 - 2010-04-07 12:32 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Macromedia
2013-11-15 13:39 - 2009-07-13 22:42 - 00000000 ___RD C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-11-15 13:39 - 2009-07-13 22:37 - 00000000 ___RD C:\Users\roweke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-11-14 14:19 - 2013-11-14 14:19 - 00000000 ____D C:\Users\thielr\temp_k2
2013-11-12 15:09 - 2013-11-12 15:09 - 00000000 ____D C:\_download

==================== One Month Modified Files and Folders =======

2013-12-10 10:31 - 2013-12-10 10:31 - 00014219 _____ C:\Users\benedt\Desktop\FRST.txt
2013-12-10 10:30 - 2013-12-10 10:30 - 01927982 _____ (Farbar) C:\Users\benedt\Desktop\FRST64.exe
2013-12-10 10:30 - 2013-12-10 10:30 - 00000000 ____D C:\FRST
2013-12-10 10:30 - 2013-02-27 13:02 - 01579413 _____ C:\Windows\WindowsUpdate.log
2013-12-10 10:28 - 2013-12-10 10:28 - 00002397 _____ C:\Users\benedt\Desktop\RKreport[0]_D_12102013_102801.txt
2013-12-10 10:28 - 2013-12-10 10:10 - 00000000 ____D C:\Users\benedt\Desktop\RK_Quarantine
2013-12-10 10:27 - 2013-12-10 10:27 - 00002380 _____ C:\Users\benedt\Desktop\RKreport[0]_S_12102013_102709.txt
2013-12-10 10:14 - 2013-11-26 11:15 - 00000294 _____ C:\Windows\Tasks\Dealply.job
2013-12-10 10:11 - 2013-12-10 10:11 - 00002347 _____ C:\Users\benedt\Desktop\RKreport[0]_S_12102013_101141.txt
2013-12-10 10:10 - 2013-12-10 10:10 - 04166144 _____ C:\Users\benedt\Desktop\RogueKillerX64.exe
2013-12-10 09:54 - 2009-07-13 22:45 - 00033360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-10 09:54 - 2009-07-13 22:45 - 00033360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-10 09:52 - 2013-12-10 09:52 - 00014521 _____ C:\Users\benedt\Desktop\dds.txt
2013-12-10 09:52 - 2013-12-10 09:52 - 00012076 _____ C:\Users\benedt\Desktop\attach.txt
2013-12-10 09:51 - 2013-12-10 09:51 - 00688992 ____R (Swearware) C:\Users\benedt\Desktop\dds.com
2013-12-10 09:51 - 2009-07-13 23:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-12-10 09:51 - 2009-07-13 23:13 - 00798082 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-10 09:50 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Roaming\Adobe
2013-12-10 09:50 - 2013-03-12 13:44 - 00000158 _____ C:\Windows\system32\ricdb.ini
2013-12-10 09:46 - 2013-02-11 09:21 - 00000584 _____ C:\Windows\system32\config\netlogon.ftl
2013-12-10 09:46 - 2013-02-11 09:17 - 00000000 ____D C:\ProgramData\NVIDIA
2013-12-10 09:46 - 2010-11-20 21:47 - 00408782 _____ C:\Windows\PFRO.log
2013-12-10 09:46 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-10 09:46 - 2009-07-13 22:51 - 01766203 _____ C:\Windows\setupact.log
2013-12-10 09:25 - 2013-12-10 09:25 - 00000000 ____D C:\Users\benedt\AppData\Roaming\Malwarebytes
2013-12-10 09:24 - 2013-12-10 09:17 - 00000000 ____D C:\Program Files (x86)\Mobogenie
2013-12-10 09:22 - 2013-12-10 09:22 - 00152280 _____ C:\Users\benedt\AppData\Local\GDIPFONTCACHEV1.DAT
2013-12-10 09:22 - 2013-12-10 09:22 - 00025110 __RSH C:\Users\benedt\ntuser.pol
2013-12-10 09:22 - 2013-12-10 09:22 - 00001447 _____ C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-10 09:22 - 2013-12-10 09:22 - 00001413 _____ C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-12-10 09:22 - 2013-12-10 09:22 - 00000020 ___SH C:\Users\benedt\ntuser.ini
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ___RD C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ___RD C:\Users\benedt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Roaming\SolidWorks
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Roaming\ATT Connect
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Local\VirtualStore
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt\AppData\Local\Adobe
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 ____D C:\Users\benedt
2013-12-10 09:22 - 2013-12-10 09:22 - 00000000 _____ C:\Users\benedt\daemonprocess.txt
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\wangzhisong\AppData\Local\Mobogenie
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\wangzhisong
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\thielr\Documents\Mobogenie
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\thielr\AppData\Local\Mobogenie
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 ____D C:\Users\thielr\AppData\Local\cache
2013-12-10 09:18 - 2013-12-10 09:18 - 00000000 _____ C:\Users\thielr\daemonprocess.txt
2013-12-10 09:18 - 2013-03-12 07:19 - 00000000 ____D C:\Users\thielr
2013-12-10 09:17 - 2013-12-10 09:17 - 00351124 _____ C:\Users\thielr\AppData\Local\mysearchdial-speeddial.crx
2013-12-10 09:17 - 2013-12-10 09:17 - 00001023 _____ C:\Users\thielr\Desktop\Mobogenie.lnk
2013-12-10 09:17 - 2013-12-10 09:17 - 00000999 _____ C:\Users\thielr\Desktop\MiPony.lnk
2013-12-10 09:17 - 2013-12-10 09:17 - 00000381 _____ C:\Users\thielr\Desktop\FREE Games.url
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 ____D C:\Users\thielr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mobogenie
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 ____D C:\Users\thielr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MiPony
2013-12-10 09:17 - 2013-12-10 09:17 - 00000000 ____D C:\Users\thielr\AppData\Roaming\1H1Q
2013-12-10 09:16 - 2013-12-10 09:16 - 00795560 _____ C:\Users\thielr\Downloads\DownloadManagerSetup.exe
2013-12-10 08:53 - 2013-11-26 11:15 - 00000000 ____D C:\Program Files\Level Quality Watcher
2013-12-10 08:53 - 2013-03-12 12:17 - 00000000 ____D C:\Users\thielr\AppData\Local\Adobe
2013-12-10 08:40 - 2013-12-10 08:35 - 00000000 ____D C:\Users\thielr\AppData\Roaming\systweak
2013-12-10 08:35 - 2013-12-10 08:35 - 00129536 _____ C:\Users\Public\AlexaNSISPlugin.8012.dll
2013-12-10 07:57 - 2013-03-12 08:23 - 00000000 ____D C:\Users\thielr\AppData\Local\TempSWBackupDirectory
2013-12-10 07:57 - 2013-03-12 07:20 - 00000000 ____D C:\Users\thielr\AppData\Roaming\SolidWorks
2013-12-10 07:41 - 2013-12-10 07:41 - 00000000 ____D C:\Users\thielr\Desktop\MINE
2013-12-10 07:36 - 2013-05-09 07:17 - 00031870 _____ C:\Users\thielr\Documents\ptcsetup.log
2013-12-10 07:34 - 2013-12-10 07:34 - 00003024 _____ C:\Windows\System32\Tasks\{06ECF40E-117B-429E-8B6F-82E45F451152}
2013-12-10 07:34 - 2013-05-09 07:17 - 00005318 _____ C:\Users\thielr\Documents\ptcsetup.bak
2013-12-10 07:18 - 2013-03-29 13:19 - 00000000 ____D C:\Users\thielr\AppData\Local\CutePDF Writer
2013-12-10 06:12 - 2013-12-10 06:12 - 00010723 _____ C:\Windows\system32\traceback.log
2013-12-10 02:18 - 2013-02-27 08:20 - 00018098 _____ C:\Windows\cfgall.ini
2013-12-06 12:25 - 2013-12-10 08:35 - 00020312 _____ (Systweak Inc., (www.systweak.com)) C:\Windows\system32\roboot64.exe
2013-12-06 05:59 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\NDF
2013-12-04 04:52 - 2013-12-04 04:52 - 00001684 _____ C:\Users\thielr\Desktop\Engineering Design BOM template 5.28.09 .xls.lnk
2013-12-03 11:51 - 2013-12-03 11:51 - 01853148 _____ C:\Users\thielr\Documents\Remove QuickShare by Linkury (Virus Removal Guide).mht
2013-12-03 11:46 - 2013-12-03 11:46 - 00000000 ____D C:\Users\thielr\AppData\Local\VS Revo Group
2013-12-03 11:46 - 2013-12-03 11:46 - 00000000 ____D C:\ProgramData\VS Revo Group
2013-12-03 09:58 - 2013-10-29 02:00 - 00000501 _____ C:\Windows\TMFilter.log
2013-12-03 04:51 - 2013-06-28 11:11 - 00000000 ____D C:\Users\thielr\AppData\Local\JabberWerxCPP
2013-11-27 09:15 - 2013-03-12 08:15 - 00000000 ____D C:\Users\thielr\AppData\Roaming\Adobe
2013-11-26 11:15 - 2013-11-26 11:15 - 00003226 _____ C:\Windows\System32\Tasks\Dealply
2013-11-26 11:15 - 2013-11-26 11:15 - 00000000 ____D C:\Users\thielr\AppData\Local\Google
2013-11-26 11:14 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\Resources
2013-11-23 11:33 - 2013-02-11 09:16 - 00000000 ____D C:\Program Files (x86)\Dell
2013-11-19 15:19 - 2013-11-19 15:19 - 00000000 ____D C:\Users\thielr\Desktop\LANDO_EMAIL_JUNK_11-19-13
2013-11-15 14:59 - 2013-11-15 13:39 - 00000978 ___SH C:\Users\roweke\ntuser.ini
2013-11-15 13:41 - 2013-11-15 13:41 - 00003494 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-BEI-roweke
2013-11-15 13:41 - 2013-11-15 13:41 - 00000000 ____D C:\Users\roweke\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2013-11-15 13:41 - 2013-11-15 13:40 - 00000000 ____D C:\Users\roweke\AppData\Local\Adobe
2013-11-15 13:41 - 2013-11-15 13:39 - 00000000 ____D C:\Users\roweke\AppData\Roaming\Adobe
2013-11-15 13:41 - 2013-11-15 13:39 - 00000000 ____D C:\Users\roweke
2013-11-15 13:40 - 2013-11-15 13:40 - 00152280 _____ C:\Users\roweke\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-15 13:40 - 2013-11-15 13:40 - 00000000 ____D C:\Users\roweke\AppData\Local\VirtualStore
2013-11-15 13:40 - 2013-11-15 13:39 - 00025110 __RSH C:\Users\roweke\ntuser.pol
2013-11-14 14:19 - 2013-11-14 14:19 - 00000000 ____D C:\Users\thielr\temp_k2
2013-11-14 10:46 - 2013-11-15 13:39 - 00000000 ____D C:\Users\roweke\AppData\Roaming\SolidWorks
2013-11-12 15:09 - 2013-11-12 15:09 - 00000000 ____D C:\_download

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-751052115-1355565041-1136263860-53073\$8e70c5eea6ceb1366888d57031917e19

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19

Files to move or delete:
====================
C:\Users\Public\AlexaNSISPlugin.8012.dll

Some content of TEMP:
====================
C:\Users\benedt\AppData\Local\Temp\25519uninstall.exe
C:\Users\benedt\AppData\Local\Temp\ntdll_dump.dll
C:\Users\benedt\AppData\Local\Temp\Sqlite3.dll
C:\Users\whiter\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-12-10 00:00

==================== End Of Log ============================

Addition.txt


Download the attached fixlist.txt to the same folder as FRST.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Then......

Clean out temp files by using disk cleanup or.........

Download, install and run CCleaner free to clean out temp files.
Here's a Tutorial if needed.
You may want to uncheck "cookies" and please stay away from the registry cleaner.

Last........

Let's clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look similar to this, not "sponsored ad links":

[image: bleep-crop.jpg]

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Full Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now. MrC


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-12-2013
Ran by benedt at 2013-12-10 10:53:29 Run:1
Running from C:\Users\benedt\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\$Recycle.Bin\S-1-5-21-751052115-1355565041-1136263860-53073\$8e70c5eea6ceb1366888d57031917e19
C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19
Task: {00E32347-EAC5-4511-8DD3-B6231B32924F} - System32\Tasks\Dealply => C:\Users\thielr\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE
Task: C:\Windows\Tasks\Dealply.job => C:\Users\thielr\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE
*****************

C:\$Recycle.Bin\S-1-5-21-751052115-1355565041-1136263860-53073\$8e70c5eea6ceb1366888d57031917e19 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$8e70c5eea6ceb1366888d57031917e19 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{00E32347-EAC5-4511-8DD3-B6231B32924F} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00E32347-EAC5-4511-8DD3-B6231B32924F} => Key deleted successfully.
C:\Windows\System32\Tasks\Dealply => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dealply => Key deleted successfully.
C:\Windows\Tasks\Dealply.job => Moved successfully.

==== End of Fixlog ====

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.10.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
benedt :: C1678 [administrator]

12/10/2013 11:05:09 AM
mbam-log-2013-12-10 (11-05-09).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 590934
Time elapsed: 18 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks MrC!

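The FRST log and the Fixlog above show the two places this infection had a foothold: ZeroAccess-style folders in C:\$Recycle.Bin (a "$" plus 32 hex characters directly under a SID folder, including SYSTEM's S-1-5-18 bin) and a Dealply scheduled task that lived in three spots at once (the XML under System32\Tasks, the legacy .job, and the TaskCache Tree/Tasks registry keys). The script below is an added example for re-checking both after the fix; it is not from the thread and is not FRST or Malwarebytes code. It assumes PowerShell 3.0 or later (for -Directory, -File and -Raw), an elevated prompt, and the folder-name pattern inferred from the two paths FRST flagged; the variable names are hypothetical. It only reports and changes nothing.

```powershell
# Added example, not from the thread, FRST or Malwarebytes. Read-only re-check of the
# two persistence spots handled above. Needs PowerShell 3.0+ and an elevated prompt.

# ZeroAccess-style folder: "$" followed by 32 hex characters, directly under a SID
# folder in $Recycle.Bin (pattern taken from the two paths FRST flagged). The real
# recycle bin only creates $I<6 chars> / $R<6 chars> entries there, never this shape.
$hexName   = '^\$[0-9a-f]{32}$'
# A task action that launches from a user profile (AppData etc.) is worth a second look.
$userPaths = '^C:\\Users\\'

# 1. Walk every per-SID recycle bin, S-1-5-18 (SYSTEM) included. -Force shows hidden/system items.
Get-ChildItem 'C:\$Recycle.Bin' -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $sidDir = $_
    Get-ChildItem -LiteralPath $sidDir.FullName -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $hexName } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'RecycleBin'; Path = $_.FullName; Detail = "under SID folder $($sidDir.Name)" }
        }
}

# 2. Task definitions are XML files under System32\Tasks. The registry mirror the
#    Fixlog cleaned is TaskCache\Tree\<task path> (task GUID in the "Id" value) and
#    TaskCache\Tasks\{GUID} (the cached definition). A task with only one half is odd.
$taskRoot = 'C:\Windows\System32\Tasks'
$cache    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$taskNs   = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

Get-ChildItem -LiteralPath $taskRoot -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    try { [xml]$xml = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop } catch { return }
    $nsm = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $nsm.AddNamespace('t', $taskNs)
    foreach ($exec in $xml.SelectNodes('//t:Actions/t:Exec', $nsm)) {
        $cmdNode = $exec.Command
        if (-not $cmdNode) { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables($cmdNode.Trim('"'))
        if ($cmd -notmatch $userPaths) { continue }
        $rel    = $file.FullName.Substring($taskRoot.Length)       # e.g. \Dealply
        $tree   = Get-ItemProperty -LiteralPath "$cache\Tree$rel" -ErrorAction SilentlyContinue
        $cached = if ($tree) { Test-Path -LiteralPath "$cache\Tasks\$($tree.Id)" } else { $false }
        [pscustomobject]@{
            Kind   = 'ScheduledTask'
            Path   = $file.FullName
            Detail = "runs $cmd; Tree Id = $($tree.Id); cached Tasks\{GUID} present = $cached"
        }
    }
}
```

A hit from the task check is a lead, not a verdict: some legitimate per-user software does schedule updaters out of AppData, so read the Command and the publisher before removing anything, the same way the helper above asked for the AdwCleaner log before cleaning. The Tree/Tasks cross-check matters because the Fixlog had to delete all three copies (file, .job and registry cache); a leftover in any one of them means the task can still be re-registered or still show up in the Task Scheduler UI.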

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.