
Trying to remove infected files


Radagast

Having issues removing Trojan.Zbot.FBD.

 

Ran Malwarebytes, Malwarebytes Anti-Rootkit, AdwCleaner, and Farbar Recovery Scan Tool.

 

Below I have the log output from Malwarebytes, followed by the Farbar output.

 

The problem is that I can't seem to get rid of the files in the AppData folder, as seen in the Farbar log (Addition.txt). Any advice or direction for me?

 

From Malwarebytes log:

 

mbam-log-2014-02-21 (11-36-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 643007
Time elapsed: 1 hour(s), 20 minute(s), 48 second(s)

Memory Processes Detected: 3
C:\Windows\SysWOW64\umoci.exe (Trojan.Zbot.FBD) -> 3300 -> Delete on reboot.
C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe (Trojan.Zbot.FBD) -> 5216 -> Delete on reboot.
C:\Users\conklije\AppData\Roaming\hpqLog\WINDB3D.exe (Trojan.Agent.TMSGen) -> 6040 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer527587583 (Trojan.Zbot.FBD) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ukybraehofyxx (Trojan.Zbot.FBD) -> Data: C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ukybraehofyxx (Trojan.Zbot.FBD) -> Data: C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GameServer52A (Trojan.Agent.TMSGen) -> Data: "C:\Users\conklije\AppData\Roaming\hpqLog\WINDB3D.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Windows\SysWOW64\umoci.exe (Trojan.Zbot.FBD) -> Delete on reboot.
C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe (Trojan.Zbot.FBD) -> Delete on reboot.
C:\Windows\System32\umoci.exe (Trojan.Zbot.FBD) -> Delete on reboot.
C:\Users\conklije\AppData\Local\Temp\UpdateFlashPlayer_8852cc0b.exe (Trojan.Zbot.FBD) -> Quarantined and deleted successfully.
C:\Users\conklije\AppData\Local\Temp\UpdateFlashPlayer_bec308d9.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully.
C:\Windows\Tasks\Security Center Update - 527587583.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully.
C:\Users\conklije\AppData\Roaming\hpqLog\WINDB3D.exe (Trojan.Agent.TMSGen) -> Delete on reboot.

(end)

 

 

Farbar log (second file, Addition.txt snippet, not the whole file):

 

Microsoft Office Sessions:
=========================
Error: (02/22/2014 00:47:13 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/21/2014 10:24:24 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/21/2014 10:22:23 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:21:57 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:21:31 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:21:05 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:20:39 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:20:13 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:19:47 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

Error: (02/21/2014 10:19:21 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

 


Additional info: (I just got this machine and loaded it with software not more than two weeks ago. I also put old files on it, which was probably the source of my woes. My initial machine got infected and came down with a boot sector error. I tried to fix the boot error, but it was an encrypted disk and, well... beyond the scope of this post.)

 

After running Malwarebytes the first time, posting the first log above, and applying the cleaning (deleting), I re-ran it and got this:

 

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 772044
Time elapsed: 2 hour(s), 23 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

Also, in my protection log from Malwarebytes I got this (a log snippet, since it is repetitive; it tries to clean the problem but is unable to):

 

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 772044
Time elapsed: 2 hour(s), 23 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

Then ran Malwarebytes anti-rootkit:

 

From the MBAR log:

2/22/2014 9:45:44 AM
mbar-log-2014-02-22 (09-45-44).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 642623
Time elapsed: 1 hour(s), 51 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume3\Users\conklije\AppData\Local\Temp\spvjity\sdctqqh\wow.dll) Good: (SHELL32.dll) -> Replace on reboot.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

From system log:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16736

Java version: 1.6.0_33

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.494000 GHz
Memory total: 4242911232, free: 1840058368

=======================================
Initializing...
------------ Kernel report ------------
     02/22/2014 09:45:40
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\mfehidk.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\mfewfpk.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\system32\drivers\hpdskflt.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\mfenlfk.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\e1c62x64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\Netwsw00.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\nusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\Accelerometer.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\dsNcAdpt.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\nusb3hub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\stwrt64.sys
\SystemRoot\system32\DRIVERS\agrsm64.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\drivers\mfefirek.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\WinUSB.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\btwampfl.sys
\SystemRoot\System32\Drivers\BTHUSB.sys
\SystemRoot\System32\Drivers\bthport.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\??\C:\windows\system32\drivers\mbam.sys
\SystemRoot\system32\DRIVERS\rfcomm.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\BthEnum.sys
\SystemRoot\system32\DRIVERS\bthpan.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\HipShieldK.sys
\SystemRoot\system32\drivers\FireNfcp.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\radiamsi.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\SystemRoot\system32\drivers\mfeapfk.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\lpk.dll
\Windows\System32\urlmon.dll
\Windows\System32\gdi32.dll
\Windows\System32\kernel32.dll
\Windows\System32\shell32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\advapi32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\normaliz.dll
\Windows\System32\comdlg32.dll
\Windows\System32\difxapi.dll
\Windows\System32\sechost.dll
\Windows\System32\imm32.dll
\Windows\System32\user32.dll
\Windows\System32\msctf.dll
\Windows\System32\setupapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\ole32.dll
\Windows\System32\nsi.dll
\Windows\System32\Wldap32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\usp10.dll
\Windows\System32\wininet.dll
\Windows\System32\psapi.dll
\Windows\System32\iertutil.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\ws2_32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\crypt32.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80048ed060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa80048c1050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80048ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80048edb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80048ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004af4b10, DeviceName: Unknown, DriverName: \Driver\hpdskflt\
DevicePointer: 0xfffffa8003ca38c0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80048c1050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 4A2FEE12

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 1024000

    Partition 1 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 1026048  Numsec = 1021952
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048000  Numsec = 974723072

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| --> [Hijack.SHELL32]
Scan finished
Creating System Restore point...
Cleaning up...
Removal successful. No system shutdown is required.
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1026048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

 

Ran AdwCleaner and performed cleanup of what was found. Log file below:

 

AdwCleaner v3.019 - Report created 22/02/2014 at 12:25:57
# Updated 17/02/2014 by Xplode
# Operating System : Windows 7 Enterprise Service Pack 1 (64 bits)
# Username : conklije - CONKLIJE4
# Running from : C:\Users\conklije\Documents\Anti Virus Tools\ADWCleaner\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Uninstall.exe

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Key Found : HKLM\Software\caphyon
Key Found : HKLM\SOFTWARE\Classes\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736

-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\conklije\AppData\Roaming\Mozilla\Firefox\Profiles\0fn2yd7j.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [1491 octets] - [22/02/2014 12:25:57]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1551 octets] ##########

 

Then I ran Farbar Recovery Scan Tool; it produced an FRST log, which was inconsequential, and an Addition.txt file, which was posted in the prior post.

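The two posts above show three persistence points that explain why the files under AppData keep coming back or cannot be deleted: Run values under both HKLM and HKCU pointing at wofaiz.exe and WINDB3D.exe, a per-user COM override (HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-...}\INPROCSERVER32) that swaps SHELL32.dll for wow.dll in AppData\Local\Temp, and a "Security Center Update" .job file in C:\Windows\Tasks. The script below is an added example for auditing exactly those locations; it is not from this thread, Malwarebytes, or Farbar. It is read-only, and the list of "user-writable" path markers it keys on is an assumption chosen here as a heuristic, not a definitive rule. It is written for the Windows 7 PowerShell 2.0 that ships with the system in the logs.

```powershell
# Added example (not from the thread): read-only audit of the three persistence
# points reported in the Malwarebytes and MBAR logs above.
# ASSUMPTION: $userWritable is a heuristic list of path fragments that a
# legitimate in-process COM server or Run entry rarely lives under.
# Run from an elevated PowerShell prompt; nothing is modified.

$userWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', 'globalroot')

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($marker in $userWritable) {
        if ($Path -like "*$marker*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Run values in both hives (the log showed the same value under HKLM and HKCU).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if (Test-SuspiciousPath $prop.Value) {
            $findings += New-Object PSObject -Property @{
                Type = 'RunValue'; Location = "$key|$($prop.Name)"; Target = $prop.Value }
        }
    }
}

# 2. Per-user COM overrides. HKCU\Software\Classes\CLSID takes precedence over
#    HKLM for this user, so an InprocServer32 pointing into Temp replaces the
#    real server (SHELL32.dll in the MBAR log) in every process that creates
#    that class, which also keeps the DLL loaded and hard to delete.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
if (Test-Path $clsidRoot) {
    foreach ($clsid in (Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue)) {
        $inproc = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
        if (Test-SuspiciousPath $dll) {
            $findings += New-Object PSObject -Property @{
                Type = 'COMOverride'; Location = $clsid.PSChildName; Target = $dll }
        }
    }
}

# 3. Legacy .job files ("Security Center Update - <n>.job" in the log). Every
#    .job is listed for review; a clean system usually has few or none.
$tasksDir = Join-Path $env:SystemRoot 'Tasks'
foreach ($job in (Get-ChildItem -Path $tasksDir -Filter '*.job' -ErrorAction SilentlyContinue)) {
    $findings += New-Object PSObject -Property @{
        Type = 'JobFile'; Location = $job.FullName; Target = $job.LastWriteTime }
}

$findings | Format-Table Type, Location, Target -AutoSize
```

Each COMOverride line can be compared against the "Bad: (...) Good: (SHELL32.dll)" entry in the MBAR log; if the override is still present after a reboot, the DLL it names is being loaded on every logon, which is why on-demand deletion of the AppData files fails and why a "replace on reboot" style fix is needed rather than a plain delete.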

Welcome to the forum.

First:
Please run a Quick Scan with Malwarebytes like this and post the log:
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.
Make sure that everything is checked, and click Remove Selected.

---------------------

Then please start HERE
Post back the 2 logs here.....DDS.txt and Attach.txt (DDS won't run on W8)
(please don't put logs in code or quotes and use the default font)

(Please don't forget to run the RogueKiller scan below)

General Forum P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64-bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)
MrC


Note:
Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>When we are done, I'll give you instructions on how to clean up all the tools and logs


<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)


Here is the Malwarebytes report:

 

2/22/2014 9:57:04 PM
mbam-log-2014-02-22 (21-57-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 629097
Time elapsed: 1 hour(s), 14 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


DDS Contents:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16736
Run by conklije at 23:21:11 on 2014-02-22
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.4046.1619 [GMT -5:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Host Intrusion Prevention Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\atieclxx.exe
C:\windows\system32\Hpservice.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\vcsFPService.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\windows\System32\svchost.exe -k NetworkService
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\PC Backup\AgentService.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.R2\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radalert.exe
C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Microsoft Office\Office15\lync.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Hewlett-Packard\GetITIcon\GetITShell.exe
C:\Program Files (x86)\Hewlett-Packard\PC COE\Ida.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe
C:\Program Files (x86)\PC Backup\Agent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Program Files\HP\HP Deskjet 3510 series\Bin\HPNetworkCommunicator.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130619191319.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
uRun: [Lync] "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" /fromrunkey
uRun: [RESTART_STICKY_NOTES] C:\windows\System32\StikyNot.exe
uRun: [HP Deskjet 3510 series (NET)] "C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN29S180BM05R7:NW" -scfn "HP Deskjet 3510 series (NET)" -AutoStart 1
mRun: [COEMsgDisplay] c:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [shStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [GetITIcon] C:\Program Files (x86)\Hewlett-Packard\GetITIcon\GetITShell.exe
mRun: [iDA] C:\Program Files (x86)\Hewlett-Packard\PC COE\IDA.EXE
mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [QLBController] c:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe /start
mRun: [eepc_SmartClient] C:\Program Files (x86)\SmartClient\Smart.exe
mRun: [AgentUiRunKey] "C:\Program Files (x86)\PC Backup\Agent.exe" -ni -sss -e http://localhost:16386/
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTIVC~1.LNK - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\launch_splashscreen.vbs
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoWebServices = dword:1
mPolicies-Explorer: NoPublishingWizard = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:4
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylockeduserid = dword:1
mPolicies-System: legalnoticecaption = Terms of Use
mPolicies-System: legalnoticetext = This computing system is a company owned asset and provided for the exclusive use of authorized personnel for business purposes.  All information and data created, accessed, processed, or stored using this system (including personal information) are subject to monitoring, auditing, or review to the extent permitted by applicable law.  Unauthorized use or abuse of this system may lead to corrective action including termination of employment, civil and/or criminal penalties.
mPolicies-System: LogonType = dword:0
mPolicies-System: HideFastUserSwitching = dword:1
mPolicies-System: ReportControllerMissing = dword:0
mPolicies-System: DisableNT4Policy = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office15\ONBttnIE.dll/105
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll

TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{9342DD57-64B2-4CA8-AB34-762DEFC75CD8} : DHCPNameServer = 10.1.10.1
TCP: Interfaces\{FE6D2225-47FF-41C7-8345-ACE8FC323D4F} : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{FE6D2225-47FF-41C7-8345-ACE8FC323D4F}\E41647966796479725563647F62797 : DHCPNameServer = 10.1.10.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
SSODL: WebCheck - <orphaned>
mASetup: {86E45973-5352-439F-A115-2E8EE4D40140} - "C:\Program Files (x86)\Common Files\Hewlett-Packard\ActSet\HpActSet.exe"
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130619191318.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe"
x64-Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
x64-Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
x64-Run: [HPRAService] C:\Program Files\RA2HP\HPRAService.exe
x64-Run: [PasswordRegistration] C:\windows\System32\MsPwdRegistration.exe
x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [ukybraehofyxx] "C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - <orphaned>
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll

x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\conklije\AppData\Roaming\Mozilla\Firefox\Profiles\0fn2yd7j.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2013-6-19 673624]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2013-6-19 305536]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2014-2-7 55024]
R1 mfenlfk;McAfee NDIS Light Filter;C:\windows\System32\drivers\mfenlfk.sys [2013-6-19 76224]
R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-2 277032]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2014-2-7 89600]
R2 AgentService;AgentService;C:\Program Files (x86)\PC Backup\AgentService.exe [2013-8-2 6789408]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2013-6-21 235520]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [2012-7-3 646192]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2013-6-21 96896]
R3 FireNfcp;McAfee Inc. FireNfcp;C:\windows\System32\drivers\FireNfcp.sys [2013-6-19 53472]
R3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2013-6-19 197576]
R3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2013-2-12 175928]
R3 johci;JMicron 1394 Filter Driver;C:\windows\System32\drivers\johci.sys [2013-2-12 26208]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-2-21 25928]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2013-6-19 282736]
R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2013-6-19 496592]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2011-2-15 80384]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2011-2-15 181248]
R3 RadiaMsi;RadiaMsi;C:\windows\System32\drivers\radiamsi.sys [2009-9-10 43032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 btwampfl;Bluetooth AMP USB Filter;C:\windows\System32\drivers\btwampfl.sys [2011-6-20 344616]
S3 dmvsc;dmvsc;C:\windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 LV_Tracker;LV_Tracker;C:\windows\System32\drivers\LV_Tracker64.sys [2013-8-2 54824]
S3 mferkdet;McAfee Inc. mferkdet;C:\windows\System32\drivers\mferkdet.sys [2013-6-19 101200]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 SmbDrv;SmbDrv;C:\windows\System32\drivers\Smb_driver_AMDASF.sys [2013-6-12 28400]
S3 SmbDrvI;SmbDrvI;C:\windows\System32\drivers\Smb_driver_Intel.sys [2013-6-12 32496]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\windows\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;Remote Deskotop USB Hub;C:\windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S4 RsFx0103;RsFx0103 Driver;C:\windows\System32\drivers\RsFx0103.sys [2009-3-30 311656]
S4 RsFx0153;RsFx0153 Driver;C:\windows\System32\drivers\RsFx0153.sys [2012-6-29 321992]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=C:\windows\System32\NOTEPAD.EXE %1 [userChoice]
.
=============== Created Last 30 ================
.
2014-02-22 18:08:25 -------- d-----w- C:\FRST
2014-02-22 17:25:41 -------- d-----w- C:\AdwCleaner
2014-02-22 14:45:40 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-02-22 14:45:00 91352 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2014-02-21 16:32:21 -------- d-----w- C:\Users\conklije\AppData\Roaming\Malwarebytes
2014-02-21 16:31:47 -------- d-----w- C:\ProgramData\Malwarebytes
2014-02-21 16:31:42 25928 ----a-w- C:\windows\System32\drivers\mbam.sys
2014-02-21 16:31:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-21 16:29:08 -------- d-----w- C:\Users\conklije\AppData\Local\Programs
2014-02-20 21:48:11 -------- d-----w- C:\Users\conklije\AppData\Roaming\Riupof
2014-02-20 21:46:34 -------- d-----w- C:\Quarantine
2014-02-15 17:37:19 -------- d-----w- C:\ProgramData\Visan
2014-02-15 17:37:19 -------- d-----w- C:\ProgramData\HP Photo Creations
2014-02-15 17:37:19 -------- d-----w- C:\Program Files (x86)\HP Photo Creations
2014-02-15 17:37:03 -------- d-----w- C:\Users\conklije\AppData\Roaming\HpUpdate
2014-02-15 17:36:47 741480 ------w- C:\windows\System32\HPDiscoPMAD11.dll
2014-02-15 17:36:26 -------- d-----w- C:\Program Files (x86)\HP
2014-02-15 17:36:25 -------- d-----w- C:\Program Files\HP
2014-02-15 17:35:59 -------- d-----w- C:\Users\conklije\AppData\Local\HP
2014-02-13 20:45:05 -------- d-----w- C:\Users\conklije\AppData\Roaming\Xerox
2014-02-13 20:43:56 -------- d-----w- C:\ProgramData\Xerox
2014-02-13 20:43:52 42496 ----a-w- C:\windows\System32\Spool\prtprocs\x64\x5pp.dll
2014-02-13 20:43:52 11264 ----a-w- C:\windows\System32\Spool\prtprocs\x64\x5print.dll
2014-02-13 20:42:27 -------- d-----w- C:\Xerox
2014-02-13 20:15:39 -------- d-----w- C:\Users\conklije\AppData\Local\Cisco
2014-02-13 02:39:17 -------- d-----w- C:\Program Files (x86)\Cisco
2014-02-13 02:38:29 -------- d-----w- C:\ProgramData\Cisco
2014-02-13 01:09:16 21008 ----a-w- C:\windows\SysWow64\Ctl3d.dll
2014-02-13 01:09:11 -------- d-----w- C:\Program Files (x86)\OpenLink
2014-02-13 01:08:18 315904 ----a-w- C:\windows\IsUninst.exe
2014-02-12 17:03:48 -------- d-----w- C:\ProgramData\Email Backup Optimization
2014-02-12 17:02:12 -------- d-----w- C:\Program Files (x86)\PC Backup
2014-02-09 03:48:51 -------- d-----w- C:\Users\conklije\AppData\Local\ServiceNow
2014-02-09 03:35:32 -------- d-----w- C:\Program Files (x86)\ServiceNow
2014-02-08 20:28:15 57288 ----a-w- C:\windows\SysWow64\perf-MSSQL10_50.R2-sqlagtctr.dll
2014-02-08 20:28:14 86984 ----a-w- C:\windows\System32\perf-MSSQL10_50.R2-sqlagtctr.dll
2014-02-08 20:28:04 88520 ----a-w- C:\windows\System32\perf-MSSQL$R2-sqlctr10.52.4000.0.dll
2014-02-08 20:28:04 82888 ----a-w- C:\windows\SysWow64\perf-MSSQL$R2-sqlctr10.52.4000.0.dll
2014-02-08 19:45:57 -------- d-----w- C:\backup
2014-02-08 19:29:52 -------- d-----w- C:\Users\conklije\AppData\Local\Microsoft_Corporation
2014-02-08 11:43:28 594024 ----a-w- C:\windows\System32\dsNcSmartCardProv.dll
2014-02-08 11:43:28 423528 ----a-w- C:\windows\System32\dsNcCredProv.dll
2014-02-08 11:43:10 -------- d-----w- C:\Program Files (x86)\Juniper Networks
2014-02-08 11:43:00 -------- d-----w- C:\Users\conklije\AppData\Roaming\Juniper Networks
2014-02-08 11:42:57 -------- d-----w- C:\Users\conklije\AppData\Local\Juniper Networks
2014-02-08 04:40:20 -------- d-----w- C:\ProgramData\Uninstall
2014-02-08 04:40:10 -------- d-----w- C:\Program Files (x86)\Common Files\SureThing Shared
2014-02-08 04:40:08 -------- d-----w- C:\Program Files (x86)\Roxio
2014-02-08 04:39:33 55024 ------w- C:\windows\System32\drivers\PxHlpa64.sys
2014-02-08 04:39:16 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2014-02-08 04:39:16 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2014-02-08 00:54:29 -------- d-----w- C:\Users\conklije\AppData\Local\Mozilla
2014-02-08 00:54:21 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-07 22:58:20 78872 ----a-w- C:\windows\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2014-02-07 22:58:20 50200 ----a-w- C:\windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2014-02-07 22:58:17 79896 ----a-w- C:\windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2014-02-07 22:58:17 111640 ----a-w- C:\windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2014-02-07 22:57:48 -------- d-----w- C:\windows\System32\RsFx
2014-02-07 22:53:16 -------- d-----w- C:\Program Files\Microsoft SQL Server
2014-02-07 22:52:37 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2014-02-07 22:52:37 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2014-02-07 22:52:33 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2014-02-07 22:52:32 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2014-02-07 22:51:51 -------- d-----w- C:\ProgramData\PreEmptive Solutions
2014-02-07 22:48:39 -------- d-----w- C:\Program Files (x86)\Microsoft ASP.NET
2014-02-07 22:48:35 -------- d-----w- C:\Program Files\IIS
2014-02-07 22:48:34 -------- d-----w- C:\Program Files (x86)\IIS
2014-02-07 22:48:04 2377696 ----a-w- C:\ProgramData\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2014-02-07 22:38:40 -------- d-----w- C:\windows\SysWow64\1033
2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0
2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\Microsoft F#
2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\HTML Help Workshop
2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules
2014-02-07 22:26:56 -------- d-----w- C:\windows\System32\1033
2014-02-07 22:26:56 -------- d-----w- C:\Program Files\Microsoft Visual Studio 10.0
2014-02-07 22:26:56 -------- d-----w- C:\Program Files\Microsoft Help Viewer
2014-02-07 21:19:41 -------- d-----w- C:\Users\conklije\AppData\Local\Hewlett-Packard_Company
2014-02-07 19:12:43 -------- d-----w- C:\Logs
2014-02-07 18:38:13 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2014-02-07 18:38:13 1474048 ----a-w- C:\windows\System32\crypt32.dll
2014-02-07 18:38:13 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2014-02-07 18:38:13 139776 ----a-w- C:\windows\System32\cryptnet.dll
2014-02-07 18:38:13 1168384 ----a-w- C:\windows\SysWow64\crypt32.dll
2014-02-07 18:38:13 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2014-02-07 18:37:37 497152 ----a-w- C:\windows\System32\drivers\afd.sys
2014-02-07 18:37:10 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2014-02-07 18:37:10 2048 ----a-w- C:\windows\System32\tzres.dll
2014-02-07 18:37:01 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2014-02-07 18:37:01 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll
2014-02-07 18:37:01 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll
2014-02-07 18:37:01 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll
2014-02-07 18:37:01 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll
2014-02-07 18:37:01 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll
2014-02-07 18:37:01 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll
2014-02-07 18:35:43 9728 ----a-w- C:\windows\System32\Wdfres.dll
2014-02-07 18:35:43 785624 ----a-w- C:\windows\System32\drivers\Wdf01000.sys
2014-02-07 18:35:43 54376 ----a-w- C:\windows\System32\drivers\WdfLdr.sys
2014-02-07 18:35:34 664064 ----a-w- C:\windows\SysWow64\rpcrt4.dll
2014-02-07 18:35:34 189440 ----a-w- C:\windows\System32\rpchttp.dll
2014-02-07 18:35:34 140800 ----a-w- C:\windows\SysWow64\rpchttp.dll
2014-02-07 18:35:34 1216000 ----a-w- C:\windows\System32\rpcrt4.dll
2014-02-07 18:35:28 100864 ----a-w- C:\windows\System32\drivers\usbcir.sys
2014-02-07 18:34:59 76800 ----a-w- C:\windows\System32\drivers\hidclass.sys
2014-02-07 18:34:59 32896 ----a-w- C:\windows\System32\drivers\hidparse.sys
2014-02-07 18:34:54 624128 ----a-w- C:\windows\System32\qedit.dll
2014-02-07 18:34:54 509440 ----a-w- C:\windows\SysWow64\qedit.dll
2014-02-07 18:34:46 3155968 ----a-w- C:\windows\System32\win32k.sys
2014-02-07 18:33:17 404480 ----a-w- C:\windows\System32\gdi32.dll
2014-02-07 18:33:17 311808 ----a-w- C:\windows\SysWow64\gdi32.dll
2014-02-07 18:33:02 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-02-07 18:33:02 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2014-02-07 18:33:02 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2014-02-07 18:33:01 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2014-02-07 18:33:01 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2014-02-07 18:32:56 124112 ----a-w- C:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2014-02-07 18:32:56 102608 ----a-w- C:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-02-07 18:32:44 376768 ----a-w- C:\windows\System32\drivers\netio.sys
2014-02-07 18:32:44 288192 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS
2014-02-07 18:32:44 1900992 ----a-w- C:\windows\System32\drivers\tcpip.sys
2014-02-07 18:32:37 984512 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys
2014-02-07 18:32:37 265152 ----a-w- C:\windows\System32\drivers\dxgmms1.sys
2014-02-07 18:32:07 1643520 ----a-w- C:\windows\System32\DWrite.dll
2014-02-07 18:32:07 1247744 ----a-w- C:\windows\SysWow64\DWrite.dll
2014-02-07 18:30:55 99840 ----a-w- C:\windows\System32\drivers\usbccgp.sys
2014-02-07 18:30:55 7808 ----a-w- C:\windows\System32\drivers\usbd.sys
2014-02-07 18:30:55 52736 ----a-w- C:\windows\System32\drivers\usbehci.sys
2014-02-07 18:30:55 325120 ----a-w- C:\windows\System32\drivers\usbport.sys
2014-02-07 18:30:55 30720 ----a-w- C:\windows\System32\drivers\usbuhci.sys
2014-02-07 18:30:55 25600 ----a-w- C:\windows\System32\drivers\usbohci.sys
2014-02-07 18:30:54 343040 ----a-w- C:\windows\System32\drivers\usbhub.sys
2014-02-07 17:45:36 -------- d-----w- C:\ProgramData\itsec
2014-02-07 17:41:49 30208 ----a-w- C:\windows\System32\dnscacheugc.exe
2014-02-07 17:41:49 28672 ----a-w- C:\windows\SysWow64\dnscacheugc.exe
2014-02-07 17:41:49 183296 ----a-w- C:\windows\System32\dnsrslvr.dll
2014-02-07 17:40:45 -------- d-----w- C:\windows\SmartClient
2014-02-07 17:40:34 -------- d-----w- C:\Program Files (x86)\SmartClient
2014-02-07 17:38:37 -------- d-----w- C:\SSM
2014-02-07 17:30:48 -------- d-----w- C:\Users\conklije\AppData\Roaming\Intel Corporation
2014-02-07 17:30:47 -------- d-----w- C:\Users\conklije\AppData\Roaming\Synaptics
2014-02-07 17:30:47 -------- d-----w- C:\Users\conklije\AppData\Roaming\hpqLog
2014-02-07 15:10:23 752 ----a-w- C:\windows\runsurvey.vbs
2014-02-07 15:10:23 3022 ----a-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\launch_splashscreen.vbs
2014-02-07 15:10:23 1509 ----a-w- C:\windows\surveytime.vbs
2014-02-07 15:09:50 12800 ------w- C:\windows\EricssonMobileBroadbandVer.dll
2014-02-07 15:08:18 -------- d-----w- C:\windows\SysWow64\SDA
2014-02-07 15:08:17 -------- d-----w- C:\Program Files (x86)\JMicron
2014-02-07 15:08:08 8192 ----a-w- C:\windows\System32\drivers\IntelMEFWVer.dll
2014-02-07 15:08:05 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2014-02-07 15:07:12 53248 ----a-w- C:\windows\SysWow64\CSVer.dll
2014-02-07 15:07:07 -------- d-----w- C:\ProgramData\Validity
2014-02-07 15:07:07 -------- d-----w- C:\Intel
2014-02-07 15:06:50 -------- d-----w- C:\Program Files\Validity Sensors
2014-02-07 15:06:17 48640 ----a-w- C:\windows\System32\wwanprotdim.dll
2014-02-07 15:06:16 229888 ----a-w- C:\windows\System32\wwansvc.dll
2014-02-07 15:05:16 296320 ----a-w- C:\windows\System32\drivers\volsnap.sys
2014-02-07 15:04:56 951680 ----a-w- C:\windows\System32\drivers\ndis.sys
2014-02-07 15:04:27 -------- d-----w- C:\system.sav
2014-02-07 15:03:49 -------- d-----w- C:\Program Files (x86)\Common Files\Telespree
2014-02-06 23:25:08 -------- d-----w- C:\Program Files\Synaptics
2014-02-06 23:23:01 -------- d-----w- C:\Temp
.
==================== Find3M  ====================
.
2014-02-06 04:42:12 53472 ----a-w- C:\windows\System32\drivers\FireNfcp.sys
.
============= FINISH: 23:22:40.62 ===============

Attach contents:

Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume2
Install Date: 2/7/2014 10:02:42 AM
System Uptime: 2/22/2014 5:24:38 PM (6 hours ago)
.
Motherboard: Hewlett-Packard |  | 161C
Processor: Intel® Core i5-2520M CPU @ 2.50GHz | CPU 1 | 2501/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 465 GiB total, 404.076 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
PNP Device ID: ROOT\NET\0000
Service: vpnva
.
==== System Restore Points ===================
.
RP52: 2/15/2014 2:31:48 PM - Windows Update
RP53: 2/22/2014 11:48:13 AM - Malwarebytes Anti-Rootkit Restore Point
.
==== Installed Programs ======================
.
ActivClient
Adobe Flash Player 10 ActiveX
Adobe Reader
Chinese Simplified Fonts Support For Adobe Reader 9
Chinese Traditional Fonts Support For Adobe Reader 9
Cisco AnyConnect VPN Client
Crystal Reports for Visual Studio
Device Installer x64
Dotfuscator Software Services - Community Edition
Forefront Identity Manager Add-ins and Extensions
Get IT Icon
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP 3D DriveGuard
HP Client Automation Application Manager Agent
HP Connection Manager
HP Deskjet 3510 series Basic Device Software
HP Deskjet 3510 series Help
HP Deskjet 3510 series Product Improvement Study
HP ESU for Microsoft Windows 7
HP Fonts
HP Hotkey Support
HP Photo Creations
HP Software Framework
HP Timing Service
HP Update
Intel® Control Center
Intel® Management Engine Components
Intel® Rapid Storage Technology
Japanese Fonts Support For Adobe Reader 9
Java
JMicron 1394 Filter Driver
JMicron Flash Media Controller Driver
Juniper Networks Network Connect 7.4.0
Juniper Networks, Inc. Setup Client
Juniper Networks, Inc. Setup Client 64-bit Activex Control
Juniper Networks, Inc. Setup Client Activex Control
Korean Fonts Support For Adobe Reader 9
LSI HDA Modem
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Agent
McAfee Host Intrusion Prevention
McAfee SiteAdvisor Enterprise Plus
McAfee VirusScan Enterprise
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Access MUI (English) 2013
Microsoft Access Setup Metadata MUI (English) 2013
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft DCF MUI (English) 2013
Microsoft Excel MUI (English) 2013
Microsoft Groove MUI (English) 2013
Microsoft Help Viewer 1.0
Microsoft InfoPath MUI (English) 2013
Microsoft Lync MUI (English) 2013
Microsoft Office 64-bit Components 2013
Microsoft Office OSM MUI (English) 2013
Microsoft Office OSM UX MUI (English) 2013
Microsoft Office Professional Plus 2013
Microsoft Office Proofing (English) 2013
Microsoft Office Proofing Tools 2013 - English
Microsoft Office Proofing Tools 2013 - Español
Microsoft Office Shared 64-bit MUI (English) 2013
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013
Microsoft Office Shared MUI (English) 2013
Microsoft Office Shared Setup Metadata MUI (English) 2013
Microsoft OneNote MUI (English) 2013
Microsoft Outlook MUI (English) 2013
Microsoft PowerPoint MUI (English) 2013
Microsoft Publisher MUI (English) 2013
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2008 (64-bit)
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Management Studio
Microsoft SQL Server 2008 Policies
Microsoft SQL Server 2008 R2 (64-bit)
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Management Objects (x64)
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 RsFx Driver
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Browser
Microsoft SQL Server Compact 3.5 SP1 Query Tools English
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 x64 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft SQL Server System CLR Types (x64)
Microsoft SQL Server VSS Writer
Microsoft Sync Framework Runtime v1.0 SP1 (x64)
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Sync Framework Services v1.0 SP1 (x64)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x64)
Microsoft Team Foundation Server 2010 Object Model - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2005 Runtime
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2010  x64 Designtime - 10.0.30319
Microsoft Visual C++ 2010  x64 Runtime - 10.0.30319
Microsoft Visual C++ 2010  x86 Runtime - 10.0.30319
Microsoft Visual F# 2.0 Runtime
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Office Developer Tools (x64)
Microsoft Visual Studio 2010 Professional - ENU
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Microsoft Visual Studio Macro Tools
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Word MUI (English) 2013
Mozilla Firefox 27.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
OpenLink UDA 5.20.0076 Multi-Tier Generic Client
Outils de vérification linguistique 2013 de Microsoft Office - Français
PC Backup Agent
PC COE
PC COE Required Settings
Remote Access to HP Network 6.5
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Business
Roxio Creator Business v10
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Microsoft Excel 2013 (KB2827238) 32-Bit Edition
Security Update for Microsoft Lync 2013 (KB2817465) 32-Bit Edition
Security Update for Microsoft Office 2013 (KB2768005) 32-Bit Edition
Security Update for Microsoft Office 2013 (KB2810009) 32-Bit Edition
Security Update for Microsoft Office 2013 (KB2817623) 32-Bit Edition
Security Update for Microsoft Outlook 2013 (KB2837618) 32-Bit Edition
Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2251489)
Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2644980)
Service Pack 1 for SQL Server 2008 (KB968369) (64-bit)
Service Pack 2 for SQL Server 2008 R2 (KB2630458) (64-bit)
ServiceNow ODBC Driver
SQL Server 2008 R2 SP2 Common Files
SQL Server 2008 R2 SP2 Database Engine Services
SQL Server 2008 R2 SP2 Database Engine Shared
Sql Server Customer Experience Improvement Program
Synaptics Pointing Device Driver
Update for Microsoft Office 2013 (KB2767852) 32-Bit Edition
Validity Fingerprint Sensor Driver
Visual Studio 2010 Prerequisites - English
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
Web Deployment Tool
.
==== Event Viewer Messages From Past Week ========
.
2/22/2014 9:31:13 AM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'Generic EMV Smartcard Reader 0' rejected IOCTL GET_STATE: The handle is invalid.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX
2/22/2014 3:29:39 PM, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{FE6D2225-47FF-41C7-8345-ACE8FC323D4F} because another computer on the network has the same name.  The server could not start.
2/22/2014 12:57:09 PM, Error: Microsoft-Windows-GroupPolicy [1129]  - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
2/22/2014 11:09:20 PM, Error: Schannel [36871]  - A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
2/22/2014 10:14:59 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain AMERICAS due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
2/21/2014 5:16:56 AM, Error: Schannel [36887]  - The following fatal alert was received: 100.
2/21/2014 3:22:47 PM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL GET_STATE: The I/O operation has been aborted because of either a thread exit or an application request.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX
2/20/2014 11:48:41 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
2/20/2014 10:19:02 PM, Error: Microsoft-Windows-RasSstp [1]  - CoId={A4DB9F7F-9036-418A-9C59-8E9563CA2926}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2/20/2014 10:02:12 PM, Error: Microsoft-Windows-RasSstp [1]  - CoId={13B3727B-6E9A-4278-9FBE-080C29528170}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2/19/2014 9:25:30 AM, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{71554EBE-24C9-476F-9B43-CDA3FC7BAD97} because another computer on the network has the same name.  The server could not start.
2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [6]  - Invalid data. Name: InvalidSetProtocol Value: 0x0
2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [11]  - A Request has returned failure. MsgType: 0x80 ICCStatus: 0x1 CmdStatus: 0x1 Error: 0xfe SW1: 0x0 SW2: 0x0
2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [1]  - An operation has failed (0x6, 0x3, 0x0, 0x0). ScCardPowerWarmReset: IccPowerOn failed. HResult: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.
2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [1]  - An operation has failed (0x0, 0x0, 0x0, 0x0). UpdateCardCapabilities: ATR too short. HResult: {Unknown Disk Format} The disk in drive %hs is not formatted properly. Please check the disk, and reformat if necessary.
2/19/2014 3:41:09 PM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL POWER: The smart card is not responding to a reset.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: 02 00 00 00
2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [11]  - A Request has returned failure. MsgType: 0x80 ICCStatus: 0x0 CmdStatus: 0x1 Error: 0xfb SW1: 0x0 SW2: 0x0
2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [10]  - Request[0](CLS=0x0,INS=0xca,P1=0x7f,P2=0x68,Lc=0,Le=256,.NETServiceMethod=0x0)
2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [10]  - Request[0](CLS=0x0,INS=0xa4,P1=0x4,P2=0x0,Lc=9,Le=0,.NETServiceMethod=0x0)
2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [1]  - An operation has failed (0x0, 0x0, 0x0, 0x0). ScT0Transmit: Failed to send request at TPDU level. HResult: The I/O device reported an I/O error.
2/19/2014 3:41:08 PM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL TRANSMIT: The request could not be performed because of an I/O device error.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: 00 ca 7f 68
2/19/2014 3:41:08 PM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL TRANSMIT: The request could not be performed because of an I/O device error.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: 00 a4 04 00
2/19/2014 3:41:07 PM, Error: WudfUsbccidDriver [10]  - Request[0](CLS=0x0,INS=0xa4,P1=0x4,P2=0x0,Lc=11,Le=0,.NETServiceMethod=0x0)
2/19/2014 3:06:30 PM, Error: WudfUsbccidDriver [10]  - Request[0](CLS=0x0,INS=0xa4,P1=0x4,P2=0x0,Lc=7,Le=0,.NETServiceMethod=0x0)
2/18/2014 5:42:33 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
2/17/2014 9:48:08 AM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'Generic EMV Smartcard Reader 0' rejected IOCTL GET_STATE: The I/O operation has been aborted because of either a thread exit or an application request.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX
2/16/2014 4:43:36 PM, Error: Service Control Manager [7000]  - The Juniper Network Connect Service service failed to start due to the following error:  The pipe has been ended.
2/16/2014 4:43:18 PM, Error: Service Control Manager [7000]  - The Intel® Management and Security Application Local Management Service service failed to start due to the following error:  The pipe has been ended.
2/16/2014 4:43:13 PM, Error: Service Control Manager [7000]  - The Cisco AnyConnect VPN Agent service failed to start due to the following error:  The pipe has been ended.
2/16/2014 4:43:09 PM, Error: Service Control Manager [7031]  - The Cisco AnyConnect VPN Agent service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 4000 milliseconds: Restart the service.
2/16/2014 4:43:08 PM, Error: Service Control Manager [7034]  - The McAfee Framework Service service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:08 PM, Error: Service Control Manager [7034]  - The Intel® Rapid Storage Technology service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:08 PM, Error: Service Control Manager [7034]  - The Intel® Management and Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:08 PM, Error: Service Control Manager [7034]  - The HP Connection Manager 4 Service service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:08 PM, Error: Service Control Manager [7031]  - The Intel® Management and Security Application Local Management Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
2/16/2014 4:43:07 PM, Error: Service Control Manager [7034]  - The HPCA Scheduler Daemon service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:07 PM, Error: Service Control Manager [7034]  - The HPCA Notify Daemon service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:06 PM, Error: Service Control Manager [7034]  - The McAfee Task Manager service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:06 PM, Error: Service Control Manager [7034]  - The McAfee SiteAdvisor Enterprise Service service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:06 PM, Error: Service Control Manager [7034]  - The hpHotkeyMonitor service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:06 PM, Error: Service Control Manager [7034]  - The HP Quick Synchronization Service service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 4:43:06 PM, Error: Service Control Manager [7031]  - The Juniper Network Connect Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/16/2014 4:43:05 PM, Error: Service Control Manager [7031]  - The AgentService service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/16/2014 4:43:04 PM, Error: Service Control Manager [7031]  - The Cisco AnyConnect VPN Agent service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
2/16/2014 4:43:03 PM, Error: Service Control Manager [7043]  - The McAfee McShield service did not shut down properly after receiving a preshutdown control.
2/16/2014 4:43:03 PM, Error: Service Control Manager [7034]  - The HP Software Framework Service service terminated unexpectedly.  It has done this 1 time(s).
2/16/2014 12:45:33 PM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL GET_STATE: The device has been removed.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX
2/15/2014 3:52:57 PM, Error: Schannel [36888]  - The following fatal alert was generated: 80. The internal error state is 301.
2/15/2014 3:02:57 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2160841).
2/15/2014 2:47:45 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2416472).
2/15/2014 2:47:45 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Silverlight (KB2814124).
.
==== End Of File ===========================

 


Ran in safe mode.  Results below:

 

RogueKiller V8.8.8 _x64_ [Feb 19 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode
User : conklije [Admin rights]
Mode : Scan -- Date : 02/23/2014 08:43:55
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\Run : Ukybraehofyxx ("C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe" [x]) -> FOUND

[PROXY IE][PUM] HKLM\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS727550A9E364 +++++
--- User ---
[MBR] d2427742a8527c899bd077f9418bfb76
[bSP] f4813db50b2d3a32426639928d93b5a4 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 500 Mo
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 1026048 | Size: 499 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048000 | Size: 475939 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02232014_084355.txt >>

 

 

As an aside: before I engaged you, I ran the Farbar Recovery Scan Tool and found:

 

Error: (02/21/2014 10:21:57 PM) (Source: McLogEvent)(User: NT AUTHORITY)
Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.

 

Additionally, each time I reboot, Malwarebytes keeps stating that it blocked something going to a website.


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][sUSP PATH] HKLM\[...]\Run : Ukybraehofyxx ("C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe" [x]) -> FOUND

Now click Delete on the right hand column under Options

-------------

Next.........

Download Malwarebytes Anti-Rootkit from HERE

  • Run the file and follow the onscreen instructions to extract it to a location of your choosing (your desktop by default)
  • Malwarebytes Anti-Rootkit will then open, follow the instruction in the wizard to update and allow the program to scan your computer for threats
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.

Just run fixdamage.exe.

Verify that they are now functioning normally.

Last........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":


Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


Ran Malwarebytes Anti-Rootkit twice.

 

Keep getting this:

 

Registry Data Items Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume3\Users\conklije\AppData\Local\Temp\spvjity\sdctqqh\wow.dll) Good: (SHELL32.dll) -> Replace on reboot.

 

It keeps telling me it's cleaned successfully, but then it's back when I run another scan.  I did not reboot between scans (I was not prompted to).

 

I am attaching the two files under more reply options.

 

Additionally I keep getting the message:

 

Malwarebytes Anti-Malware successfully blocked access to a potentially malicious site 5.45.66.217

 

I googled this site, and references to it say it points to a Trojan.

 

Did not complete the last step in your prior email yet.

 

Should I run fixdamage.exe under Malwarebytes as suggested?

 

 

mbar-log-2014-02-23 (11-18-12).txt

system-log.txt

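The two findings that recur across the posts above share one shape: the RogueKiller Run value Ukybraehofyxx loads wofaiz.exe from under AppData\Roaming, and the HKCU CLSID InProcServer32 value that MBAR reports as Hijack.SHELL32 loads a DLL from under AppData\Local\Temp. In both cases an autostart location points at code in a directory a standard user can write to, and in the MBAR case the scanner's action is "Replace on reboot" while the poster says no reboot happened between scans. The script below is an added example for this thread; it is not code from Malwarebytes, RogueKiller or Farbar. It pulls file paths out of scanner lines in the formats posted here (RogueKiller registry entries, MBAM/MBAR detections, the McAfee McLogEvent description from the FRST Addition.txt), classifies where each file lives, flags autostart entries that load from user-writable paths, and lists actions a scanner has deferred to reboot. The sample lines are constructed from the formats on this page; the SynTPEnh Run entry is an invented benign control. Paths in MBAR's `\\?\globalroot\Device\HarddiskVolumeN\` form are classified by their volume-relative part, without assuming which drive letter the volume maps to.

```python
"""Added triage helper for the scanner log lines posted in this thread.

Not code from the thread or from any tool it mentions. Extracts file paths
from MBAM, MBAR, RogueKiller and McAfee (McLogEvent) lines, classifies the
directory each file lives in, and flags autostart entries (Run keys, COM
InProcServer32 values) that load code from user-writable locations.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A Windows file path in drive-letter form or in the object-manager form
# (\\?\globalroot\Device\HarddiskVolumeN\...) that MBAR reports.
WIN_PATH = re.compile(
    r'(?:[A-Za-z]:\\|\\\\\?\\globalroot\\Device\\HarddiskVolume\d+\\)'
    r'[^"()\r\n]*?\.(?:exe|dll|sys|scr|com)\b',
    re.IGNORECASE,
)
VOLUME_PREFIX = re.compile(r'^\\\\\?\\globalroot\\Device\\HarddiskVolume\d+\\', re.I)
DRIVE_PREFIX = re.compile(r'^[A-Za-z]:\\')

# Registry locations whose referenced file is loaded without user action:
# Run keys (RogueKiller "HKLM\[...]\Run :" and MBAM "...\Run|name" forms)
# and COM InProcServer32 values.
AUTOSTART_HINT = re.compile(r'\\Run[\s|:]|InProcServer32', re.I)

# Root-relative prefixes a standard user can write to, most specific first.
USER_WRITABLE: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'^users\\[^\\]+\\appdata\\local\\temp\\', re.I), 'user temp'),
    (re.compile(r'^users\\[^\\]+\\appdata\\(roaming|local|locallow)\\', re.I), 'user AppData'),
    (re.compile(r'^users\\[^\\]+\\', re.I), 'user profile'),
    (re.compile(r'^programdata\\', re.I), 'ProgramData'),
    (re.compile(r'^windows\\temp\\', re.I), 'Windows temp'),
]
# Prefixes that require elevation to write to.
PROTECTED: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'^windows\\', re.I), 'Windows directory'),
    (re.compile(r'^program files( \(x86\))?\\', re.I), 'Program Files'),
]

# Constructed sample lines in the formats posted in this thread.
SAMPLE_LINES = [
    # RogueKiller registry entries
    r'[RUN][sUSP PATH] HKLM\[...]\Run : Ukybraehofyxx ("C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe" [x]) -> FOUND',
    r'[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND',
    # MBAR COM hijack entry
    r'HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume3\Users\conklije\AppData\Local\Temp\spvjity\sdctqqh\wow.dll) Good: (SHELL32.dll) -> Replace on reboot.',
    # MBAM registry value and memory process entries
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ukybraehofyxx (Trojan.Zbot.FBD) -> Data: C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe -> Quarantined and deleted successfully.',
    r'C:\Windows\SysWOW64\umoci.exe (Trojan.Zbot.FBD) -> 3300 -> Delete on reboot.',
    # McAfee event from the FRST Addition.txt
    r'Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan.',
    # Invented benign control: a vendor autostart under Program Files
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SynTPEnh -> Data: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe',
]


@dataclass
class Finding:
    path: str           # as written in the log line
    relative: str       # path with the drive or volume prefix removed
    location: str       # classification of the directory
    user_writable: bool
    autostart: bool     # loaded via a Run key or COM InProcServer32 value


def strip_root(path: str) -> str:
    r"""Remove the 'C:\' or '\\?\globalroot\Device\HarddiskVolumeN\' prefix."""
    for prefix in (VOLUME_PREFIX, DRIVE_PREFIX):
        m = prefix.match(path)
        if m:
            return path[m.end():]
    return path


def classify_location(relative: str) -> Tuple[str, bool]:
    """Return (label, user_writable) for a root-relative path."""
    for pattern, label in USER_WRITABLE:
        if pattern.match(relative):
            return label, True
    for pattern, label in PROTECTED:
        if pattern.match(relative):
            return label, False
    return 'other', False


def extract_findings(lines) -> List[Finding]:
    """One Finding per file path found in the given scanner lines."""
    findings = []
    for line in lines:
        autostart = bool(AUTOSTART_HINT.search(line))
        for path in WIN_PATH.findall(line):
            relative = strip_root(path)
            location, writable = classify_location(relative)
            findings.append(Finding(path, relative, location, writable, autostart))
    return findings


def suspicious_autostarts(findings) -> List[Finding]:
    """Persistence entries that load code from a user-writable location."""
    return [f for f in findings if f.autostart and f.user_writable]


def pending_reboot(lines) -> List[str]:
    """Scanner actions deferred to reboot; rescanning before rebooting re-reports them."""
    return [l for l in lines if re.search(r'on reboot\.?$', l.strip(), re.I)]


if __name__ == '__main__':
    found = extract_findings(SAMPLE_LINES)
    for f in found:
        flag = 'SUSPICIOUS' if f.autostart and f.user_writable else 'info'
        print(f'{flag:10} {f.location:18} autostart={f.autostart!s:5} {f.path}')
    print(f'\n{len(suspicious_autostarts(found))} autostart entries load from user-writable paths')
    print(f'{len(pending_reboot(SAMPLE_LINES))} scanner actions are deferred until reboot')
```

The location heuristic is a triage aid, not a verdict: the Zbot process MBAM found in C:\Windows\SysWOW64 sits in a protected directory and is printed as "info" here, so this check complements the scanner's signature match rather than replacing it. The pending_reboot list is what to look at when a scanner reports the same item cleaned on every pass: an action marked "on reboot" is only applied once the machine restarts.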

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
