
Malwarebytes keeps blocking malicious sites


pvarghese


Hi,

 

I have attached the results of the Farbar scan; it looks like my system is infected beyond repair by Malwarebytes. Thanks in advance for any help.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2014
Ran by Pappa (administrator) on PAPPA-PC on 26-09-2014 13:22:55
Running from C:\Users\Pappa\Downloads
Loaded Profile: Pappa (Available profiles: Pappa)
Platform: Microsoft Windows 7 Professional  (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe [212003 2014-09-03] ()
HKLM\...\Run: [Zogofapaqe] => C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe [302720 2014-09-26] () <===== ATTENTION
HKLM\...\Run: [Fyreovu] => C:\Users\Pappa\AppData\Roaming\Ivledoap\voqoyz.exe
HKLM\...\Run: [badeahxui] => C:\Users\Pappa\AppData\Roaming\Bohouxc\udwyra.exe
HKLM\...\Run: [Araqmekesu] => C:\Users\Pappa\AppData\Roaming\Cuaqze\zioquh.exe
HKLM\...\Run: [Ylneoqdetaoki] => C:\Users\Pappa\AppData\Roaming\Yvilgyd\arhovu.exe
HKLM\...\Run: [inehygugim] => C:\Users\Pappa\AppData\Roaming\Orsiyww\apkayda.exe
HKLM\...\Run: [Rapuvoxouvazfy] => C:\Users\Pappa\AppData\Roaming\Axipzyov\nicohov.exe
HKLM\...\Run: [Ofynriowtii] => C:\Users\Pappa\AppData\Roaming\Lynyof\efgage.exe
HKLM\...\Run: [Asoswaird] => "C:\Users\Pappa\AppData\Roaming\Awdola\yvzuog.exe"
HKLM\...\Run: [Vayth] => C:\Users\Pappa\AppData\Roaming\Omiwxap\opweu.exe
HKLM\...\Run: [Vubybakokazy] => C:\Users\Pappa\AppData\Roaming\Dodokeoz\dotome.exe
HKLM\...\Run: [Yldyvyteuhtob] => C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe [303290 2014-09-26] () <===== ATTENTION
HKLM\...\Run: [NetworkInformer] => C:\Users\Pappa\AppData\Local\Temp\temp1075485589.exe <===== ATTENTION
HKLM\...\Run: [Faogixevyg] => C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe [300248 2014-09-26] () <===== ATTENTION
HKLM\...\Run: [Odymcyuspaza] => C:\Users\Pappa\AppData\Roaming\Fyfiat\letuol.exe
HKLM\...\Run: [CrashReportNotifyer] => C:\Users\Pappa\AppData\Local\Temp\temp1183972658.exe <===== ATTENTION
HKLM\...\Run: [idzaiva] => C:\Users\Pappa\AppData\Roaming\Lepuycy\nereqoe.exe
HKLM\...\Run: [Lopegusyt] => "C:\Users\Pappa\AppData\Roaming\Uloqxoag\azepu.exe"
HKLM\...\Run: [iromonqyacu] => C:\Users\Pappa\AppData\Roaming\Xeefybca\xowelu.exe
Winlogon\Notify\sizemfi: C:\Users\Pappa\AppData\Local\Temp\lmKFBCfHN8g9aKNhikf\AppData\Local\sizemfi.dll [X]
Winlogon\Notify\sufgife: C:\Users\Pappa\AppData\Local\Temp\uIUTcus2oZ0HOJE0KFB\AppData\Local\sufgife.dll [X]
Winlogon\Notify\yivsmoi: C:\Users\Pappa\AppData\Local\Temp\EGK1N2c6kY39Blr2Qnr\AppData\Local\yivsmoi.dll [X]
Winlogon\Notify\yivzmoi: C:\Users\Pappa\AppData\Local\Temp\V22t2PxetezO29RUyiq\AppData\Local\yivzmoi.dll [X]
HKLM\...\Policies\Explorer\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe [212003 2014-09-03] ( ())
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-01-06] (Google Inc.)
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [3218515937] => C:\Windows\system32\rundll32.exe "c:\users\pappa\appdata\roaming\1864410487\displaysvc.dll",DllRegisterServer
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Ylneoqdetaoki] => C:\Users\Pappa\AppData\Roaming\Yvilgyd\arhovu.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [badeahxui] => C:\Users\Pappa\AppData\Roaming\Bohouxc\udwyra.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Apple Inc.] => C:\Users\Pappa\AppData\Roaming\rbvceaua\dagruuvi.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [netcfg] => "C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe"
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Rapuvoxouvazfy] => C:\Users\Pappa\AppData\Roaming\Axipzyov\nicohov.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [.tluafed** <*>] => C:\Users\Pappa\Application Data\{000009F5-7321-7583-56E7-4E39C237DA5A}.ex <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [ekmatod] => rundll32 "C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR\AppData\Local\ekmatod.dll",ekmatod <===== ATTENTION
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [d5d6f4] => C:\d5d6f43\d5d6f43.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [d5d6f43] => C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR\AppData\Roaming\d5d6f43.exe <===== ATTENTION
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Policies\Explorer: [Run] "C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe"
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netcfg.lnk
ShortcutTarget: netcfg.lnk -> C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x8450CBEB1D0BCF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR CustomProfile: C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-06]
CHR Extension: (Google Drive) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-27]
CHR Extension: (YouTube) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-06]
CHR Extension: (Google Search) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-06]
CHR Extension: (Google Wallet) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-06]
CHR Extension: (Gmail) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-06]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-26] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-26 13:22 - 2014-09-26 13:26 - 00013008 _____ () C:\Users\Pappa\Downloads\FRST.txt
2014-09-26 13:22 - 2014-09-26 13:23 - 00000000 ____D () C:\FRST
2014-09-26 13:21 - 2014-09-26 13:22 - 01100288 _____ (Farbar) C:\Users\Pappa\Downloads\FRST.exe
2014-09-26 12:11 - 2014-09-26 13:02 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-26 12:11 - 2014-09-26 12:11 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-26 12:11 - 2014-09-26 12:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-26 12:11 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-26 12:11 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-26 12:11 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-26 12:10 - 2014-09-26 12:11 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-26 12:10 - 2014-09-26 12:10 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-26 12:09 - 2014-09-26 12:10 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Pappa\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-25 15:00 - 2014-09-25 15:00 - 00003680 ____N () C:\bootsqm.dat
2014-09-25 14:58 - 2014-09-25 14:58 - 00000000 __SHD () C:\found.000
2014-09-25 14:14 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ozazfion
2014-09-25 14:13 - 2014-09-25 14:13 - 00190464 _____ () C:\Users\Pappa\AppData\Local\miosxksr.exe
2014-09-25 14:09 - 2014-09-25 14:09 - 00181760 _____ () C:\Users\Pappa\AppData\Local\teesfsut.exe
2014-09-22 17:48 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\OnagFuwiw
2014-09-22 16:26 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\bextmto.dll
2014-09-22 16:26 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\hkflaje.dll
2014-09-22 16:05 - 2014-09-22 16:05 - 00000000 __RSH () C:\MSDOS.SYS
2014-09-22 16:05 - 2014-09-22 16:05 - 00000000 __RSH () C:\IO.SYS
2014-09-20 15:27 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Zougysi
2014-09-18 15:36 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Xeefybca
2014-09-17 15:23 - 2014-09-17 15:23 - 00182784 _____ () C:\Users\Pappa\AppData\Local\cciwjukd.exe
2014-09-17 15:19 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Uloqxoag
2014-09-17 15:18 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Lepuycy
2014-09-16 15:52 - 2014-09-16 15:52 - 00902656 _____ () C:\Users\Pappa\Downloads\song.pmd
2014-09-16 15:52 - 2014-09-16 15:52 - 00902656 _____ () C:\Users\Pappa\Downloads\song (2).pmd
2014-09-16 15:52 - 2014-09-16 15:52 - 00902656 _____ () C:\Users\Pappa\Downloads\song (1).pmd
2014-09-15 15:29 - 2014-09-15 15:30 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-09-15 15:29 - 2014-09-15 15:30 - 00001224 _____ () C:\ProgramData\@system.att
2014-09-15 15:29 - 2014-09-15 15:30 - 00000960 ____H () C:\ProgramData\@system2.att
2014-09-15 15:29 - 2014-09-15 15:29 - 21322294 _____ () C:\Users\Pappa\AppData\Roaming\ChromeUpdate.exe
2014-09-15 15:29 - 2014-09-15 15:29 - 00000448 ____H () C:\Users\Pappa\AppData\Roaming\麽鎒駓覜
2014-09-11 16:11 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\ixhuycv.dll
2014-09-11 16:11 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\abqlsgq.dll
2014-09-11 16:09 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Fyfiat
2014-09-08 20:20 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\qwpcriw.dll
2014-09-08 20:20 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\lizwfbs.dll
2014-09-08 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UjumAcwub
2014-09-05 18:31 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IgneRras
2014-09-05 16:55 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Omiwxap
2014-09-05 16:55 - 2014-09-05 16:55 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-09-05 16:54 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IlodEvoz
2014-09-04 17:31 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UrotiBwuza
2014-09-04 16:38 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\OfqajRoneg
2014-09-04 15:21 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\liaiadn.dll
2014-09-04 15:21 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\uqmizpx.dll
2014-09-02 16:13 - 2014-09-26 12:31 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Wafaicyt
2014-09-02 16:12 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ErtiRazp
2014-09-02 16:11 - 2014-09-26 12:31 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Lynyof
2014-09-02 16:10 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IqocPizde
2014-09-01 19:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AlsaMhusx
2014-09-01 19:24 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UyeqhOfkoq
2014-09-01 19:24 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EmbewUbida
2014-09-01 19:00 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Cuaqze
2014-09-01 18:56 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Awdola
2014-09-01 18:49 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IlivhIkkuk
2014-09-01 18:49 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EcpatAwuka
2014-09-01 01:25 - 2014-09-22 16:26 - 00000000 ____D () C:\Users\Pappa\AppData\Local\ReceiverVisual
2014-08-31 17:29 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AquxEmex
2014-08-31 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ObbewOgijn
2014-08-31 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EdopXeqdi
2014-08-29 16:17 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ItavAkulc
2014-08-29 16:17 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ErhaDlif
2014-08-29 16:10 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ExobApef
2014-08-29 16:08 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AtejNigt
2014-08-29 16:08 - 2014-08-29 16:08 - 00008174 _____ () C:\DECRYPT_INSTRUCTION.HTML
2014-08-29 16:08 - 2014-08-29 16:08 - 00004132 _____ () C:\DECRYPT_INSTRUCTION.TXT
2014-08-29 16:08 - 2014-08-29 16:08 - 00000254 _____ () C:\DECRYPT_INSTRUCTION.URL
2014-08-27 15:02 - 2014-08-27 15:02 - 00000000 ____D () C:\Windows\pss
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-26 13:17 - 2014-01-06 16:51 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-26 13:09 - 2009-07-14 00:34 - 00014624 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-26 13:09 - 2009-07-14 00:34 - 00014624 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-26 13:01 - 2014-03-18 18:45 - 00049820 _____ () C:\Windows\PFRO.log
2014-09-26 13:01 - 2014-01-06 16:51 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-26 13:01 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-26 13:01 - 2009-07-14 00:39 - 00026915 _____ () C:\Windows\setupact.log
2014-09-26 12:32 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\security
2014-09-26 12:31 - 2014-08-26 16:26 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Orsiyww
2014-09-26 12:31 - 2014-08-26 16:22 - 00000000 ____D () C:\ProgramData\AqukiYjujo
2014-09-26 12:31 - 2014-08-26 16:21 - 00000000 ____D () C:\ProgramData\AjineYzose
2014-09-26 12:31 - 2014-08-24 20:11 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Myuzxor
2014-09-26 12:31 - 2014-08-24 20:04 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ivledoap
2014-09-26 12:31 - 2014-08-24 20:03 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ovkuas
2014-09-26 12:31 - 2014-08-22 16:31 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ysehukp
2014-09-26 12:31 - 2014-08-22 16:27 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Dodokeoz
2014-09-26 12:31 - 2014-08-22 16:23 - 00000000 ____D () C:\ProgramData\EpyeTurc
2014-09-26 12:31 - 2014-08-22 16:21 - 00000000 ____D () C:\ProgramData\InoqRopr
2014-09-26 12:31 - 2014-08-22 16:21 - 00000000 ____D () C:\ProgramData\IbgirRebuw
2014-09-26 12:31 - 2014-01-06 16:51 - 00000000 ____D () C:\Users\Pappa\AppData\Local\Google
2014-09-26 12:31 - 2009-07-13 20:20 - 00000000 __SHD () C:\Users\Pappa\AppData\Roaming\rbvceaua
2014-09-26 12:26 - 2014-01-06 16:51 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-09-26 12:17 - 2014-08-26 16:26 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ykfesasa
2014-09-26 12:17 - 2014-08-26 16:26 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Unabpubo
2014-09-26 12:17 - 2014-08-24 20:11 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Keeqyxy
2014-09-26 12:17 - 2014-08-24 20:10 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Aqysoq
2014-09-26 12:17 - 2014-08-24 20:03 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Xuhyqovy
2014-09-26 12:17 - 2014-08-21 16:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Axipzyov
2014-09-26 12:17 - 2014-08-11 15:39 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Bohouxc
2014-09-26 12:17 - 2014-08-08 02:22 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Yvilgyd
2014-09-22 16:27 - 2014-03-26 19:35 - 00000000 ____D () C:\Users\Pappa\AppData\Local\Apple Computer
2014-09-22 16:04 - 2014-01-06 16:22 - 00000000 ____D () C:\Users\Pappa
2014-09-19 17:05 - 2014-01-06 16:51 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-11 16:11 - 2014-03-31 18:27 - 00000000 ____D () C:\Users\Pappa\AppData\Local\HP
2014-08-31 17:53 - 2014-08-21 16:29 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Naazo
2014-08-29 16:08 - 2014-01-06 18:46 - 00000000 ____D () C:\Windows.old
2014-08-27 15:03 - 2009-02-18 07:16 - 00000000 ____D () C:\doctemp
 
Files to move or delete:
====================
C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe
C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe
C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe
C:\ProgramData\abqlsgq.dll
C:\ProgramData\bextmto.dll
C:\ProgramData\hkflaje.dll
C:\ProgramData\ixhuycv.dll
C:\ProgramData\liaiadn.dll
C:\ProgramData\lizwfbs.dll
C:\ProgramData\qwpcriw.dll
C:\ProgramData\uqmizpx.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-09-22 21:18
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-09-2014
Ran by Pappa at 2014-09-26 13:34:45
Running from C:\Users\Pappa\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.124 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
HP Officejet 4620 series Basic Device Software (HKLM\...\{928E9793-43FD-458D-B87B-6376BD4E4DA5}) (Version: 26.0.784.0 - Hewlett-Packard Co.)
HP Officejet 4620 series Product Improvement Study (HKLM\...\{FC831F3D-66AE-4C6D-B36B-F7B178218342}) (Version: 26.0.784.0 - Hewlett-Packard Co.)
iTunes (HKLM\...\{2F21564D-DE05-4C6D-B21E-08B9D313FAB3}) (Version: 11.1.5.5 - Apple Inc.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUSR) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-1869183926-1366084434-2826835042-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {00CD5841-AB12-411A-ADE2-AD5F0D810B56} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-06] (Google Inc.)
Task: {04CDA25E-4844-4072-B74E-6447F4E610F2} - System32\Tasks\Security Center Update - 4133036300 => C:\Users\Pappa\AppData\Roaming\Aqysoq\kogihea.exe <==== ATTENTION
Task: {06CC92F4-3F10-496E-B731-C64F8A10E869} - System32\Tasks\{CA54B3FA-FA83-FE4F-D8E9-7CB4DCF01D6D} => C:\Users\Pappa\AppData\Roaming\hvvbt.dll [2014-07-25] ()
Task: {18866B62-09B1-4F61-8578-6A934DD6E043} - System32\Tasks\Security Center Update - 4176749541 => C:\Users\Pappa\AppData\Roaming\Lynyof\efgage.exe <==== ATTENTION
Task: {212A39E3-2AB3-4639-AB01-75E493B4B81D} - System32\Tasks\Security Center Update - 965205365 => C:\Users\Pappa\AppData\Roaming\Keeqyxy\bivati.exe <==== ATTENTION
Task: {21A3C022-9D5C-4A14-AA9F-99FB38BC1338} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-06] (Google Inc.)
Task: {2A453CDF-017D-4665-9589-DEF233C910C2} - System32\Tasks\Security Center Update - 3554345298 => C:\Users\Pappa\AppData\Roaming\Cuaqze\zioquh.exe <==== ATTENTION
Task: {2F68E96D-08D9-4522-84C5-9ED76C94F92A} - System32\Tasks\Security Center Update - 677931779 => C:\Users\Pappa\AppData\Roaming\Myuzxor\ygnio.exe <==== ATTENTION
Task: {372F8D38-3E14-415D-BE57-BC8B55B7BE6D} - System32\Tasks\Security Center Update - 410816263 => C:\Users\Pappa\AppData\Roaming\Ivledoap\voqoyz.exe <==== ATTENTION
Task: {3DCB9D14-1137-4D45-A7B8-DA4E4EED3440} - System32\Tasks\Security Center Update - 4066846490 => C:\Users\Pappa\AppData\Roaming\Xuhyqovy\opozxaa.exe <==== ATTENTION
Task: {3F19F725-9D90-47DA-9FBE-629A1A3CA419} - System32\Tasks\Time Trigger Test Task => C:\Users\Pappa\AppData\Local\Temp\wpqqadg.exe <==== ATTENTION
Task: {7E89FF6C-4946-4C9B-A183-1AA03F3D3CB2} - System32\Tasks\HPCustParticipation HP Officejet 4620 series => C:\Program Files\HP\HP Officejet 4620 series\Bin\HPCustPartic.exe [2011-12-18] (Hewlett-Packard Co.)
Task: {AE2428B0-B38A-4B05-B97D-F187E0899E8C} - System32\Tasks\Security Center Update - 653757527 => C:\Users\Pappa\AppData\Roaming\Xeefybca\xowelu.exe <==== ATTENTION
Task: {B8E8C682-8EDC-402E-BDA8-F252D85C16AA} - System32\Tasks\Security Center Update - 4247612681 => C:\Users\Pappa\AppData\Roaming\Ykfesasa\qoiwc.exe <==== ATTENTION
Task: {CB0261B1-F748-483B-B551-ED0E24FBBE05} - System32\Tasks\Security Center Update - 620217676 => C:\Users\Pappa\AppData\Roaming\Wafaicyt\lasea.exe <==== ATTENTION
Task: {DBE219CA-08A6-485C-8D77-AFE4446942AA} - System32\Tasks\Security Center Update - 3883276894 => C:\Users\Pappa\AppData\Roaming\Omiwxap\opweu.exe <==== ATTENTION
Task: {DCA31F8D-009B-448F-A8A1-B9A02DBD5B1D} - System32\Tasks\Security Center Update - 3575277368 => C:\Users\Pappa\AppData\Roaming\Ysehukp\cutuhe.exe <==== ATTENTION
Task: {F075C43F-0A18-4F1D-BB66-A3C899B923E5} - System32\Tasks\Security Center Update - 3512168560 => C:\Users\Pappa\AppData\Roaming\Orsiyww\apkayda.exe <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-09-26 12:26 - 2014-09-23 00:07 - 08577864 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.124\pdf.dll
2014-09-26 12:26 - 2014-09-23 00:07 - 00331592 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll
2014-09-26 12:26 - 2014-09-23 00:06 - 01660232 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.124\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.HTML => C:\Windows\pss\DECRYPT_INSTRUCTION.HTML.Startup
MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.TXT => C:\Windows\pss\DECRYPT_INSTRUCTION.TXT.Startup
MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.URL => C:\Windows\pss\DECRYPT_INSTRUCTION.URL.Startup
MSCONFIG\startupreg: Vubybakokazy => C:\Users\Pappa\AppData\Roaming\Dodokeoz\dotome.exe
MSCONFIG\startupreg: {6b8ad2be-14b5-909a-6daa-d6aa9a10963e} => "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe"
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-1869183926-1366084434-2826835042-500 -> Administrator - Disabled - Status: Degraded)
Guest (S-1-5-21-1869183926-1366084434-2826835042-501 -> Limited - Disabled - Status: Degraded)
HomeGroupUser$ (S-1-5-21-1869183926-1366084434-2826835042-1002 -> Limited - Enabled - Status: OK)
Pappa (S-1-5-21-1869183926-1366084434-2826835042-1001 -> Administrator - Enabled - Status: OK) => C:\Users\Pappa
 
==================== Faulty Device Manager Devices =============
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Base System Device
Description: Base System Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/23/2014 10:07:54 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 21631738
 
Error: (09/23/2014 10:07:54 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 21631738
 
Error: (09/23/2014 10:07:52 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (09/23/2014 10:07:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 21624219
 
Error: (09/23/2014 10:07:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 21624219
 
Error: (09/23/2014 10:07:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (09/23/2014 10:07:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 21621848
 
Error: (09/23/2014 10:07:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 21621848
 
Error: (09/23/2014 10:07:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (09/23/2014 10:07:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 21620460
 
 
System errors:
=============
Error: (09/26/2014 01:02:25 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (09/26/2014 01:01:49 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 12:58:50 PM on 9/26/2014 was unexpected.
 
Error: (09/26/2014 00:34:41 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (09/26/2014 00:07:49 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (09/26/2014 00:06:02 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Security Center Server - 620217676 service failed to start due to the following error: 
%%1053
 
Error: (09/26/2014 00:06:02 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Security Center Server - 620217676 service to connect.
 
Error: (09/26/2014 00:05:32 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Security Center Server - 4176749541 service failed to start due to the following error: 
%%1053
 
Error: (09/26/2014 00:05:32 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Security Center Server - 4176749541 service to connect.
 
Error: (09/26/2014 00:02:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Security Center Server - 620217676 service failed to start due to the following error: 
%%1053
 
Error: (09/26/2014 00:02:10 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Security Center Server - 620217676 service to connect.
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-09-03 15:43:49.274
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-03 15:43:49.264
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-03 15:43:49.250
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-03 15:43:49.156
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 19:49:44.454
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 19:49:44.444
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 19:49:44.434
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 19:49:44.414
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 19:48:58.588
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-26 19:48:58.578
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll because the set of per-page image hashes could not be found on the system.
 

 

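The FRST output posted in this thread shows the kind of persistence a helper's fixlist has to unwind: scheduled tasks named "Security Center Update - <number>" whose actions run executables out of AppData\Roaming, a "Time Trigger Test Task" launched from AppData\Local\Temp, Run values with vendor-sounding names ("Apple Inc.") that point into the user profile, a GUID-named binary under ProgramData\Microsoft, DECRYPT_INSTRUCTION.HTML/.TXT/.URL files planted in the Startup folder so they open at logon, and a per-user CLSID whose LocalServer32 runs rundll32.exe with a javascript: URL (the entry FRST labels Poweliks in the Fixlog). The Python below is an added example, not part of FRST or Malwarebytes, that turns those observations into explicit rules and runs them over a constructed sample built from lines copied out of the logs in this thread plus one benign Google Update task as a control. The substring lists, trusted roots and reason codes are this example's own assumptions; a hit is a triage lead to confirm by hand, not a verdict, because some legitimate per-user software does install under AppData.

```python
"""Triage FRST-style autostart lines for common persistence abuses.

Added example for this thread; not FRST's or Malwarebytes' own code. The
rule lists and reason codes below are assumptions chosen for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the FRST logs quoted in the thread,
# plus GoogleUpdateTaskMachineCore as a benign control that must not fire.
SAMPLE_LOG = r"""
Task: {212A39E3-2AB3-4639-AB01-75E493B4B81D} - System32\Tasks\Security Center Update - 965205365 => C:\Users\Pappa\AppData\Roaming\Keeqyxy\bivati.exe <==== ATTENTION
Task: {21A3C022-9D5C-4A14-AA9F-99FB38BC1338} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-06] (Google Inc.)
Task: {3F19F725-9D90-47DA-9FBE-629A1A3CA419} - System32\Tasks\Time Trigger Test Task => C:\Users\Pappa\AppData\Local\Temp\wpqqadg.exe <==== ATTENTION
HKLM\...\Run: [Zogofapaqe] => C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe [302720 2014-09-26] () <===== ATTENTION
HKLM\...\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe [212003 2014-09-03] ()
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Apple Inc.] => C:\Users\Pappa\AppData\Roaming\rbvceaua\dagruuvi.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [ekmatod] => rundll32 "C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR\AppData\Local\ekmatod.dll",ekmatod <===== ATTENTION
CustomCLSID: HKU\S-1-5-21-1869183926-1366084434-2826835042-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.HTML => C:\Windows\pss\DECRYPT_INSTRUCTION.HTML.Startup
"""

# Locations an unprivileged user can write to; machine-wide tasks and HKLM
# Run values rarely launch anything from here (assumed list).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local\temp", r"\programdata", r"\application data")
# Roots where an entry named after an OS or vendor component is expected to live.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
# Vocabulary that malware borrows to look like OS/vendor components (assumed list).
LOOKALIKE_WORDS = ("security center", "windows", "microsoft", "apple inc.", "google")

# FRST separates the autostart location from what it launches with "=>" or "->".
LINE_RE = re.compile(r"^(?P<source>.+?)\s(?:=>|->)\s(?P<target>.+)$")


def entry_name(source: str) -> str:
    """Pull the human-facing name out of the left side of an FRST line."""
    for pattern in (r"\[([^\]]+)\]", r"System32\\Tasks\\(.+)$", r"CLSID\\(\{[^}]+\})"):
        m = re.search(pattern, source)
        if m:
            return m.group(1)
    if "^" in source:  # MSCONFIG startup-folder items use ^ as the path separator
        return source.rsplit("^", 1)[1]
    return ""


def clean_target(target: str) -> str:
    """Strip FRST's own trailing annotations such as '<==== ATTENTION'."""
    return re.sub(r"\s*<=+.*$", "", target).strip()


def reasons_for(source: str, name: str, target: str) -> List[str]:
    """Return the reason codes that apply to one autostart entry (may be empty)."""
    t, n = target.lower(), name.lower()
    hits: List[str] = []
    if any(marker in t for marker in USER_WRITABLE):
        hits.append("user-writable-path")
    if "rundll32" in t and "javascript:" in t:
        hits.append("fileless-rundll32-javascript")  # the pattern FRST labels Poweliks
    if n and any(w in n for w in LOOKALIKE_WORDS) and not t.startswith(TRUSTED_ROOTS):
        hits.append("lookalike-name-outside-trusted-root")
    if source.startswith(r"MSCONFIG\startupfolder") and n.rsplit(".", 1)[-1] in ("html", "txt", "url"):
        hits.append("document-in-startup")  # ransom-note launcher pattern
    return hits


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse FRST autostart lines and keep only the entries that trip a rule."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        source, target = m.group("source"), clean_target(m.group("target"))
        name = entry_name(source)
        reasons = reasons_for(source, name, target)
        if reasons:
            findings.append({"name": name, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']!r:45} {', '.join(f['reasons'])}\n    -> {f['target']}")
```

Running it lists eight of the nine sample entries; the Google Update task is the only one that produces no reasons, because its name contains vendor vocabulary but its action lives under Program Files. The two-reason hits (a "Security Center Update" task and an "Apple Inc." Run value, both launching from AppData\Roaming) are the ones a reviewer would put at the top of a fixlist.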

Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Why do you say your system has been infected by Malwarebytes?

Next,

Download the attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Open Malwarebytes Anti-Malware; from the Dashboard please Check for Updates by clicking the Update Now... link.

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit, and under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

In most cases, a restart will be required.

Wait for the prompt to restart the computer to appear, then click on Yes.

Once completed please click on History > Application Logs, find your scan log and open it, then click on the "copy to clipboard" button and post back the results in your next reply.

Let me see those logs in your next reply....

Kevin...

Fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-09-2014
Ran by Pappa at 2014-09-26 15:24:19 Run:1
Running from C:\Users\Pappa\Downloads
Loaded Profile: Pappa (Available profiles: Pappa)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe [212003 2014-09-03] ()
C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}
HKLM\...\Run: [Zogofapaqe] => C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe [302720 2014-09-26] () <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK
HKLM\...\Run: [Fyreovu] => C:\Users\Pappa\AppData\Roaming\Ivledoap\voqoyz.exe
C:\Users\Pappa\AppData\Roaming\Ivledoap
HKLM\...\Run: [badeahxui] => C:\Users\Pappa\AppData\Roaming\Bohouxc\udwyra.exe
C:\Users\Pappa\AppData\Roaming\Bohouxc
HKLM\...\Run: [Araqmekesu] => C:\Users\Pappa\AppData\Roaming\Cuaqze\zioquh.exe
C:\Users\Pappa\AppData\Roaming\Cuaqze
HKLM\...\Run: [Ylneoqdetaoki] => C:\Users\Pappa\AppData\Roaming\Yvilgyd\arhovu.exe
C:\Users\Pappa\AppData\Roaming\Yvilgyd
HKLM\...\Run: [inehygugim] => C:\Users\Pappa\AppData\Roaming\Orsiyww\apkayda.exe
C:\Users\Pappa\AppData\Roaming\Orsiyww
HKLM\...\Run: [Rapuvoxouvazfy] => C:\Users\Pappa\AppData\Roaming\Axipzyov\nicohov.exe
C:\Users\Pappa\AppData\Roaming\Axipzyov
HKLM\...\Run: [Ofynriowtii] => C:\Users\Pappa\AppData\Roaming\Lynyof\efgage.exe
C:\Users\Pappa\AppData\Roaming\Lynyof
HKLM\...\Run: [Asoswaird] => "C:\Users\Pappa\AppData\Roaming\Awdola\yvzuog.exe"
C:\Users\Pappa\AppData\Roaming\Awdola
HKLM\...\Run: [Vayth] => C:\Users\Pappa\AppData\Roaming\Omiwxap\opweu.exe
C:\Users\Pappa\AppData\Roaming\Omiwxap
HKLM\...\Run: [Vubybakokazy] => C:\Users\Pappa\AppData\Roaming\Dodokeoz\dotome.exe
C:\Users\Pappa\AppData\Roaming\Dodokeoz
HKLM\...\Run: [Yldyvyteuhtob] => C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe [303290 2014-09-26] () <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP
HKLM\...\Run: [NetworkInformer] => C:\Users\Pappa\AppData\Local\Temp\temp1075485589.exe <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\temp1075485589.exe
HKLM\...\Run: [Faogixevyg] => C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe [300248 2014-09-26] () <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe
HKLM\...\Run: [Odymcyuspaza] => C:\Users\Pappa\AppData\Roaming\Fyfiat\letuol.exe
C:\Users\Pappa\AppData\Roaming\Fyfiat
HKLM\...\Run: [CrashReportNotifyer] => C:\Users\Pappa\AppData\Local\Temp\temp1183972658.exe <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\temp1183972658.exe
HKLM\...\Run: [idzaiva] => C:\Users\Pappa\AppData\Roaming\Lepuycy\nereqoe.exe
C:\Users\Pappa\AppData\Roaming\Lepuycy
HKLM\...\Run: [Lopegusyt] => "C:\Users\Pappa\AppData\Roaming\Uloqxoag\azepu.exe"
C:\Users\Pappa\AppData\Roaming\Uloqxoag
HKLM\...\Run: [iromonqyacu] => C:\Users\Pappa\AppData\Roaming\Xeefybca\xowelu.exe
C:\Users\Pappa\AppData\Roaming\Xeefybca
Winlogon\Notify\sizemfi: C:\Users\Pappa\AppData\Local\Temp\lmKFBCfHN8g9aKNhikf\AppData\Local\sizemfi.dll [X]
C:\Users\Pappa\AppData\Local\Temp\lmKFBCfHN8g9aKNhikf
Winlogon\Notify\sufgife: C:\Users\Pappa\AppData\Local\Temp\uIUTcus2oZ0HOJE0KFB\AppData\Local\sufgife.dll [X]
C:\Users\Pappa\AppData\Local\Temp\uIUTcus2oZ0HOJE0KFB
Winlogon\Notify\yivsmoi: C:\Users\Pappa\AppData\Local\Temp\EGK1N2c6kY39Blr2Qnr\AppData\Local\yivsmoi.dll [X]
C:\Users\Pappa\AppData\Local\Temp\EGK1N2c6kY39Blr2Qnr
Winlogon\Notify\yivzmoi: C:\Users\Pappa\AppData\Local\Temp\V22t2PxetezO29RUyiq\AppData\Local\yivzmoi.dll [X]
C:\Users\Pappa\AppData\Local\Temp\V22t2PxetezO29RUyiq
HKLM\...\Policies\Explorer\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe [212003 2014-09-03] ( ())
C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [3218515937] => C:\Windows\system32\rundll32.exe "c:\users\pappa\appdata\roaming\1864410487\displaysvc.dll",DllRegisterServer
c:\users\pappa\appdata\roaming\1864410487\displaysvc.dll
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Ylneoqdetaoki] => C:\Users\Pappa\AppData\Roaming\Yvilgyd\arhovu.exe
C:\Users\Pappa\AppData\Roaming\Yvilgyd
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [badeahxui] => C:\Users\Pappa\AppData\Roaming\Bohouxc\udwyra.exe
C:\Users\Pappa\AppData\Roaming\Bohouxc
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Apple Inc.] => C:\Users\Pappa\AppData\Roaming\rbvceaua\dagruuvi.exe
C:\Users\Pappa\AppData\Roaming\rbvceaua
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [netcfg] => "C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe"
C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [Rapuvoxouvazfy] => C:\Users\Pappa\AppData\Roaming\Axipzyov\nicohov.exe
C:\Users\Pappa\AppData\Roaming\Axipzyov
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [.tluafed** <*>] => C:\Users\Pappa\Application Data\{000009F5-7321-7583-56E7-4E39C237DA5A}.ex <===== ATTENTION (Value Name with invalid characters)
C:\Users\Pappa\Application Data\{000009F5-7321-7583-56E7-4E39C237DA5A}.ex
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [ekmatod] => rundll32 "C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR\AppData\Local\ekmatod.dll",ekmatod <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [d5d6f4] => C:\d5d6f43\d5d6f43.exe
C:\d5d6f43\d5d6f43.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [d5d6f43] => C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR\AppData\Roaming\d5d6f43.exe <===== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Policies\Explorer: [Run] "C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe"
C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netcfg.lnk
C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netcfg.lnk
ShortcutTarget: netcfg.lnk -> C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe (No File)
 C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe
CustomCLSID: HKU\S-1-5-21-1869183926-1366084434-2826835042-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {18866B62-09B1-4F61-8578-6A934DD6E043} - System32\Tasks\Security Center Update - 4176749541 => C:\Users\Pappa\AppData\Roaming\Lynyof\efgage.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Lynyof
Task: {212A39E3-2AB3-4639-AB01-75E493B4B81D} - System32\Tasks\Security Center Update - 965205365 => C:\Users\Pappa\AppData\Roaming\Keeqyxy\bivati.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Keeqyxy
Task: {2A453CDF-017D-4665-9589-DEF233C910C2} - System32\Tasks\Security Center Update - 3554345298 => C:\Users\Pappa\AppData\Roaming\Cuaqze\zioquh.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Cuaqze
Task: {2F68E96D-08D9-4522-84C5-9ED76C94F92A} - System32\Tasks\Security Center Update - 677931779 => C:\Users\Pappa\AppData\Roaming\Myuzxor\ygnio.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Myuzxor
Task: {372F8D38-3E14-415D-BE57-BC8B55B7BE6D} - System32\Tasks\Security Center Update - 410816263 => C:\Users\Pappa\AppData\Roaming\Ivledoap\voqoyz.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Ivledoap
Task: {3DCB9D14-1137-4D45-A7B8-DA4E4EED3440} - System32\Tasks\Security Center Update - 4066846490 => C:\Users\Pappa\AppData\Roaming\Xuhyqovy\opozxaa.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Xuhyqovy
Task: {3F19F725-9D90-47DA-9FBE-629A1A3CA419} - System32\Tasks\Time Trigger Test Task => C:\Users\Pappa\AppData\Local\Temp\wpqqadg.exe <==== ATTENTION
C:\Users\Pappa\AppData\Local\Temp\wpqqadg.exe
Task: {AE2428B0-B38A-4B05-B97D-F187E0899E8C} - System32\Tasks\Security Center Update - 653757527 => C:\Users\Pappa\AppData\Roaming\Xeefybca\xowelu.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Xeefybca
Task: {B8E8C682-8EDC-402E-BDA8-F252D85C16AA} - System32\Tasks\Security Center Update - 4247612681 => C:\Users\Pappa\AppData\Roaming\Ykfesasa\qoiwc.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Ykfesasa
Task: {CB0261B1-F748-483B-B551-ED0E24FBBE05} - System32\Tasks\Security Center Update - 620217676 => C:\Users\Pappa\AppData\Roaming\Wafaicyt\lasea.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Wafaicyt
Task: {DBE219CA-08A6-485C-8D77-AFE4446942AA} - System32\Tasks\Security Center Update - 3883276894 => C:\Users\Pappa\AppData\Roaming\Omiwxap\opweu.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Omiwxap
Task: {DCA31F8D-009B-448F-A8A1-B9A02DBD5B1D} - System32\Tasks\Security Center Update - 3575277368 => C:\Users\Pappa\AppData\Roaming\Ysehukp\cutuhe.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Ysehukp
Task: {F075C43F-0A18-4F1D-BB66-A3C899B923E5} - System32\Tasks\Security Center Update - 3512168560 => C:\Users\Pappa\AppData\Roaming\Orsiyww\apkayda.exe <==== ATTENTION
C:\Users\Pappa\AppData\Roaming\Orsiyww
EmptyTemp:
End
 
 
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e} => value deleted successfully.
 
"C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}" directory move:
 
Could not move "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe" => Scheduled to move on reboot.
Could not move "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}" directory. => Scheduled to move on reboot.
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Zogofapaqe => value deleted successfully.
C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Fyreovu => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Ivledoap => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Badeahxui => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Bohouxc => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Araqmekesu => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Cuaqze => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Ylneoqdetaoki => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Yvilgyd => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Inehygugim => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Orsiyww => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Rapuvoxouvazfy => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Axipzyov => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Ofynriowtii => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Lynyof => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Asoswaird => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Awdola => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Vayth => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Omiwxap => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Vubybakokazy => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Dodokeoz => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Yldyvyteuhtob => value deleted successfully.
C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\NetworkInformer => value deleted successfully.
"C:\Users\Pappa\AppData\Local\Temp\temp1075485589.exe" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Faogixevyg => value deleted successfully.
C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Odymcyuspaza => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Fyfiat => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\CrashReportNotifyer => value deleted successfully.
"C:\Users\Pappa\AppData\Local\Temp\temp1183972658.exe" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Idzaiva => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Lepuycy => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Lopegusyt => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Uloqxoag => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Iromonqyacu => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\Xeefybca => Moved successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sizemfi" => Key deleted successfully.
C:\Users\Pappa\AppData\Local\Temp\lmKFBCfHN8g9aKNhikf => Moved successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sufgife" => Key deleted successfully.
C:\Users\Pappa\AppData\Local\Temp\uIUTcus2oZ0HOJE0KFB => Moved successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yivsmoi" => Key deleted successfully.
"C:\Users\Pappa\AppData\Local\Temp\EGK1N2c6kY39Blr2Qnr" => File/Directory not found.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yivzmoi" => Key deleted successfully.
"C:\Users\Pappa\AppData\Local\Temp\V22t2PxetezO29RUyiq" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e} => value deleted successfully.
 
"C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}" directory move:
 
Could not move "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe" => Scheduled to move on reboot.
Could not move "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}" directory. => Scheduled to move on reboot.
 
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\3218515937 => value deleted successfully.
"c:\users\pappa\appdata\roaming\1864410487\displaysvc.dll" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Ylneoqdetaoki => value deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Yvilgyd" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Badeahxui => value deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Bohouxc" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Apple Inc. => value deleted successfully.
C:\Users\Pappa\AppData\Roaming\rbvceaua => Moved successfully.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\netcfg => value deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Rapuvoxouvazfy => value deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Axipzyov" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\.tluafed** <*> => Value Deleted Successfully.
"C:\Users\Pappa\Application Data\{000009F5-7321-7583-56E7-4E39C237DA5A}.ex" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ekmatod => value deleted successfully.
C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR => Moved successfully.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\d5d6f4 => value deleted successfully.
"C:\d5d6f43\d5d6f43.exe" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Run\\d5d6f43 => value deleted successfully.
"C:\Users\Pappa\AppData\Local\Temp\3UHeB7Y8IRP9q50pjZR" => File/Directory not found.
HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\Run => value deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe" => File/Directory not found.
"HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netcfg.lnk => Moved successfully.
"C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netcfg.lnk" => File/Directory not found.
C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe not found.
"C:\Users\Pappa\AppData\Roaming\Microsoft\Windows\IEUpdate\netcfg.exe" => File/Directory not found.
"HKU\S-1-5-21-1869183926-1366084434-2826835042-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{18866B62-09B1-4F61-8578-6A934DD6E043}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18866B62-09B1-4F61-8578-6A934DD6E043}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4176749541 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4176749541" => Key deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Lynyof" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{212A39E3-2AB3-4639-AB01-75E493B4B81D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{212A39E3-2AB3-4639-AB01-75E493B4B81D}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 965205365 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 965205365" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Keeqyxy => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A453CDF-017D-4665-9589-DEF233C910C2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A453CDF-017D-4665-9589-DEF233C910C2}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3554345298 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3554345298" => Key deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Cuaqze" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F68E96D-08D9-4522-84C5-9ED76C94F92A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F68E96D-08D9-4522-84C5-9ED76C94F92A}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 677931779 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 677931779" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Myuzxor => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{372F8D38-3E14-415D-BE57-BC8B55B7BE6D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{372F8D38-3E14-415D-BE57-BC8B55B7BE6D}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 410816263 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 410816263" => Key deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Ivledoap" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3DCB9D14-1137-4D45-A7B8-DA4E4EED3440}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3DCB9D14-1137-4D45-A7B8-DA4E4EED3440}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4066846490 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4066846490" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Xuhyqovy => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3F19F725-9D90-47DA-9FBE-629A1A3CA419}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F19F725-9D90-47DA-9FBE-629A1A3CA419}" => Key deleted successfully.
C:\Windows\System32\Tasks\Time Trigger Test Task => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Time Trigger Test Task" => Key deleted successfully.
"C:\Users\Pappa\AppData\Local\Temp\wpqqadg.exe" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AE2428B0-B38A-4B05-B97D-F187E0899E8C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE2428B0-B38A-4B05-B97D-F187E0899E8C}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 653757527 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 653757527" => Key deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Xeefybca" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B8E8C682-8EDC-402E-BDA8-F252D85C16AA}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B8E8C682-8EDC-402E-BDA8-F252D85C16AA}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 4247612681 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4247612681" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Ykfesasa => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CB0261B1-F748-483B-B551-ED0E24FBBE05}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB0261B1-F748-483B-B551-ED0E24FBBE05}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 620217676 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 620217676" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Wafaicyt => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DBE219CA-08A6-485C-8D77-AFE4446942AA}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DBE219CA-08A6-485C-8D77-AFE4446942AA}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3883276894 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3883276894" => Key deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Omiwxap" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DCA31F8D-009B-448F-A8A1-B9A02DBD5B1D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DCA31F8D-009B-448F-A8A1-B9A02DBD5B1D}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3575277368 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3575277368" => Key deleted successfully.
C:\Users\Pappa\AppData\Roaming\Ysehukp => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F075C43F-0A18-4F1D-BB66-A3C899B923E5}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F075C43F-0A18-4F1D-BB66-A3C899B923E5}" => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 3512168560 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 3512168560" => Key deleted successfully.
"C:\Users\Pappa\AppData\Roaming\Orsiyww" => File/Directory not found.
 

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/26/2014
Scan Time: 3:54:35 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.09.26.08
Rootkit Database: v2014.09.19.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7
CPU: x86
File System: NTFS
User: Pappa
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 276210
Time Elapsed: 8 min, 15 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 3
Trojan.Zbot, C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe, 2112, Delete-on-Reboot, [e69f7976760565d1cc86685312efd927]
Trojan.Zbot, C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe, 2128, Delete-on-Reboot, [5035be312853d0664a089d1eec1555ab]
Trojan.Downloader, C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe, 2136, Delete-on-Reboot, [325340af8fec6bcb3bd7ad10f60bce32]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 6
Trojan.Zbot, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Zogofapaqe, C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe, Quarantined, [e69f7976760565d1cc86685312efd927]
Trojan.Zbot, HKU\S-1-5-21-1869183926-1366084434-2826835042-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Zogofapaqe, C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe, Quarantined, [e69f7976760565d1cc86685312efd927]
Trojan.Zbot, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Yldyvyteuhtob, C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe, Quarantined, [5035be312853d0664a089d1eec1555ab]
Trojan.Zbot, HKU\S-1-5-21-1869183926-1366084434-2826835042-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Yldyvyteuhtob, C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe, Quarantined, [5035be312853d0664a089d1eec1555ab]
Trojan.Downloader, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Faogixevyg, C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe, Quarantined, [325340af8fec6bcb3bd7ad10f60bce32]
Trojan.Downloader, HKU\S-1-5-21-1869183926-1366084434-2826835042-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Faogixevyg, C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe, Quarantined, [325340af8fec6bcb3bd7ad10f60bce32]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 3
Trojan.Zbot, C:\Users\Pappa\AppData\Local\Temp\UlyoQ8lrquWtUsuduFK\AppData\Roaming\Ukizliez\algayg.exe, Quarantined, [e69f7976760565d1cc86685312efd927], 
Trojan.Zbot, C:\Users\Pappa\AppData\Local\Temp\0V6dT4lbJTraaNWjOsP\AppData\Roaming\Hokume\avyxzuy.exe, Quarantined, [5035be312853d0664a089d1eec1555ab], 
Trojan.Downloader, C:\Users\Pappa\AppData\Local\Temp\VUfTYkiacmqFIl2KDOe\AppData\Roaming\Alpifowu\ocweuco.exe, Quarantined, [325340af8fec6bcb3bd7ad10f60bce32], 
 
Physical Sectors: 2
Forged physical sector, Physical Sector #488392752 on Drive #0, Replace-on-Reboot, [bf619eac0cdf3f68d496ea9344137e8b], 
Forged physical sector, Physical Sector #488392962 on Drive #0, Replace-on-Reboot, [bf619eac0cdf3f68d496ea9344137e8b], 
 
 
(end)

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-09-2014

Ran by Pappa (administrator) on PAPPA-PC on 26-09-2014 18:59:22

Running from C:\Users\Pappa\Downloads

Loaded Profile: Pappa (Available profiles: Pappa)

Platform: Microsoft Windows 7 Professional  (X86) OS Language: English (United States)

Internet Explorer Version 8

Boot Mode: Normal


 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe

(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe

(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)

HKLM\...\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe"

HKLM\...\Policies\Explorer\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe" No File

HKU\S-1-5-21-1869183926-1366084434-2826835042-1001\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-01-06] (Google Inc.)

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x8450CBEB1D0BCF01

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)


Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

 

FireFox:

========

FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

 

Chrome: 

=======

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File

CHR CustomProfile: C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Docs) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-06]

CHR Extension: (Google Drive) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-06]

CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-27]

CHR Extension: (YouTube) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-06]

CHR Extension: (Google Search) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-06]

CHR Extension: (Google Wallet) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-06]

CHR Extension: (Gmail) - C:\Users\Pappa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-06]

 

========================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)

R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-26] (Malwarebytes Corporation)

R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)

 

==================== NetSvcs (Whitelisted) ===================

 

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-09-26 15:21 - 2014-09-26 15:21 - 00009730 _____ () C:\Users\Pappa\Downloads\Fixlist.txt

2014-09-26 13:34 - 2014-09-26 13:50 - 00019636 _____ () C:\Users\Pappa\Downloads\Addition.txt

2014-09-26 13:22 - 2014-09-26 18:59 - 00007263 _____ () C:\Users\Pappa\Downloads\FRST.txt

2014-09-26 13:22 - 2014-09-26 18:59 - 00000000 ____D () C:\FRST

2014-09-26 13:21 - 2014-09-26 13:22 - 01100288 _____ (Farbar) C:\Users\Pappa\Downloads\FRST.exe

2014-09-26 12:11 - 2014-09-26 18:19 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-09-26 12:11 - 2014-09-26 12:11 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-09-26 12:11 - 2014-09-26 12:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-09-26 12:11 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-09-26 12:11 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-09-26 12:11 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-09-26 12:10 - 2014-09-26 12:11 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware

2014-09-26 12:10 - 2014-09-26 12:10 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-09-26 12:09 - 2014-09-26 12:10 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Pappa\Downloads\mbam-setup-2.0.2.1012.exe

2014-09-25 14:58 - 2014-09-25 14:58 - 00000000 __SHD () C:\found.000

2014-09-25 14:14 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ozazfion

2014-09-25 14:13 - 2014-09-25 14:13 - 00190464 _____ () C:\Users\Pappa\AppData\Local\miosxksr.exe

2014-09-25 14:09 - 2014-09-25 14:09 - 00181760 _____ () C:\Users\Pappa\AppData\Local\teesfsut.exe

2014-09-22 17:48 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\OnagFuwiw

2014-09-22 16:26 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\bextmto.dll

2014-09-22 16:26 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\hkflaje.dll

2014-09-22 16:05 - 2014-09-22 16:05 - 00000000 __RSH () C:\MSDOS.SYS

2014-09-22 16:05 - 2014-09-22 16:05 - 00000000 __RSH () C:\IO.SYS

2014-09-20 15:27 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Zougysi

2014-09-17 15:23 - 2014-09-17 15:23 - 00182784 _____ () C:\Users\Pappa\AppData\Local\cciwjukd.exe

2014-09-16 15:52 - 2014-09-16 15:52 - 00902656 _____ () C:\Users\Pappa\Downloads\song.pmd

2014-09-16 15:52 - 2014-09-16 15:52 - 00902656 _____ () C:\Users\Pappa\Downloads\song (2).pmd

2014-09-16 15:52 - 2014-09-16 15:52 - 00902656 _____ () C:\Users\Pappa\Downloads\song (1).pmd

2014-09-15 15:29 - 2014-09-15 15:30 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp

2014-09-15 15:29 - 2014-09-15 15:30 - 00001224 _____ () C:\ProgramData\@system.att

2014-09-15 15:29 - 2014-09-15 15:30 - 00000960 ____H () C:\ProgramData\@system2.att

2014-09-15 15:29 - 2014-09-15 15:29 - 21322294 _____ () C:\Users\Pappa\AppData\Roaming\ChromeUpdate.exe

2014-09-15 15:29 - 2014-09-15 15:29 - 00000448 ____H () C:\Users\Pappa\AppData\Roaming\麽鎒駓覜

2014-09-11 16:11 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\ixhuycv.dll

2014-09-11 16:11 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\abqlsgq.dll

2014-09-08 20:20 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\qwpcriw.dll

2014-09-08 20:20 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\lizwfbs.dll

2014-09-08 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UjumAcwub

2014-09-05 18:31 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IgneRras

2014-09-05 16:55 - 2014-09-05 16:55 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}

2014-09-05 16:54 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IlodEvoz

2014-09-04 17:31 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UrotiBwuza

2014-09-04 16:38 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\OfqajRoneg

2014-09-04 15:21 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\liaiadn.dll

2014-09-04 15:21 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\uqmizpx.dll

2014-09-02 16:12 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ErtiRazp

2014-09-02 16:10 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IqocPizde

2014-09-01 19:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AlsaMhusx

2014-09-01 19:24 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UyeqhOfkoq

2014-09-01 19:24 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EmbewUbida

2014-09-01 18:49 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IlivhIkkuk

2014-09-01 18:49 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EcpatAwuka

2014-09-01 01:25 - 2014-09-22 16:26 - 00000000 ____D () C:\Users\Pappa\AppData\Local\ReceiverVisual

2014-08-31 17:29 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AquxEmex

2014-08-31 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ObbewOgijn

2014-08-31 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EdopXeqdi

2014-08-29 16:17 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ItavAkulc

2014-08-29 16:17 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ErhaDlif

2014-08-29 16:10 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ExobApef

2014-08-29 16:08 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AtejNigt

2014-08-29 16:08 - 2014-08-29 16:08 - 00008174 _____ () C:\DECRYPT_INSTRUCTION.HTML

2014-08-29 16:08 - 2014-08-29 16:08 - 00004132 _____ () C:\DECRYPT_INSTRUCTION.TXT

2014-08-29 16:08 - 2014-08-29 16:08 - 00000254 _____ () C:\DECRYPT_INSTRUCTION.URL

2014-08-27 15:02 - 2014-08-27 15:02 - 00000000 ____D () C:\Windows\pss

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-09-26 18:18 - 2014-01-06 16:51 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-09-26 16:17 - 2014-01-06 16:51 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-09-26 16:11 - 2009-07-14 00:34 - 00014624 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-09-26 16:11 - 2009-07-14 00:34 - 00014624 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-09-26 16:04 - 2014-03-18 18:45 - 00053482 _____ () C:\Windows\PFRO.log

2014-09-26 16:04 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-09-26 16:04 - 2009-07-14 00:39 - 00027027 _____ () C:\Windows\setupact.log

2014-09-26 16:04 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system

2014-09-26 12:32 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\security

2014-09-26 12:31 - 2014-08-26 16:22 - 00000000 ____D () C:\ProgramData\AqukiYjujo

2014-09-26 12:31 - 2014-08-26 16:21 - 00000000 ____D () C:\ProgramData\AjineYzose

2014-09-26 12:31 - 2014-08-24 20:03 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ovkuas

2014-09-26 12:31 - 2014-08-22 16:23 - 00000000 ____D () C:\ProgramData\EpyeTurc

2014-09-26 12:31 - 2014-08-22 16:21 - 00000000 ____D () C:\ProgramData\InoqRopr

2014-09-26 12:31 - 2014-08-22 16:21 - 00000000 ____D () C:\ProgramData\IbgirRebuw

2014-09-26 12:31 - 2014-01-06 16:51 - 00000000 ____D () C:\Users\Pappa\AppData\Local\Google

2014-09-26 12:26 - 2014-01-06 16:51 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

2014-09-26 12:17 - 2014-08-26 16:26 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Unabpubo

2014-09-26 12:17 - 2014-08-24 20:10 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Aqysoq

2014-09-22 16:27 - 2014-03-26 19:35 - 00000000 ____D () C:\Users\Pappa\AppData\Local\Apple Computer

2014-09-22 16:04 - 2014-01-06 16:22 - 00000000 ____D () C:\Users\Pappa

2014-09-19 17:05 - 2014-01-06 16:51 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-09-11 16:11 - 2014-03-31 18:27 - 00000000 ____D () C:\Users\Pappa\AppData\Local\HP

2014-08-31 17:53 - 2014-08-21 16:29 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Naazo

2014-08-29 16:08 - 2014-01-06 18:46 - 00000000 ____D () C:\Windows.old

2014-08-27 15:03 - 2009-02-18 07:16 - 00000000 ____D () C:\doctemp

 

Files to move or delete:

====================

C:\ProgramData\abqlsgq.dll

C:\ProgramData\bextmto.dll

C:\ProgramData\hkflaje.dll

C:\ProgramData\ixhuycv.dll

C:\ProgramData\liaiadn.dll

C:\ProgramData\lizwfbs.dll

C:\ProgramData\qwpcriw.dll

C:\ProgramData\uqmizpx.dll

 

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-09-26 16:49

 

==================== End Of Log ============================

 


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-09-2014

Ran by Pappa at 2014-09-26 19:00:01

Running from C:\Users\Pappa\Downloads

Boot Mode: Normal

==========================================================

 

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)

Apple Application Support (HKLM\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)

Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)

Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)

Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)

Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.124 - Google Inc.)

Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)

Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden

Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden

HP Officejet 4620 series Basic Device Software (HKLM\...\{928E9793-43FD-458D-B87B-6376BD4E4DA5}) (Version: 26.0.784.0 - Hewlett-Packard Co.)

HP Officejet 4620 series Product Improvement Study (HKLM\...\{FC831F3D-66AE-4C6D-B36B-F7B178218342}) (Version: 26.0.784.0 - Hewlett-Packard Co.)

iTunes (HKLM\...\{2F21564D-DE05-4C6D-B21E-08B9D313FAB3}) (Version: 11.1.5.5 - Apple Inc.)

Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)

Microsoft Office Access MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Excel MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUSR) (Version: 12.0.4518.1014 - Microsoft Corporation)

Microsoft Office Professional Plus 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Proof (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Proof (French) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Proof (Spanish) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Shared MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

Microsoft Office Word MUI (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden

 

==================== Custom CLSID (selected items): ==========================

 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

 

==================== Restore Points  =========================

 

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

 

Task: {00CD5841-AB12-411A-ADE2-AD5F0D810B56} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-06] (Google Inc.)

Task: {04CDA25E-4844-4072-B74E-6447F4E610F2} - System32\Tasks\Security Center Update - 4133036300 => C:\Users\Pappa\AppData\Roaming\Aqysoq\kogihea.exe <==== ATTENTION

Task: {06CC92F4-3F10-496E-B731-C64F8A10E869} - System32\Tasks\{CA54B3FA-FA83-FE4F-D8E9-7CB4DCF01D6D} => C:\Users\Pappa\AppData\Roaming\hvvbt.dll [2014-07-25] ()

Task: {21A3C022-9D5C-4A14-AA9F-99FB38BC1338} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-06] (Google Inc.)

Task: {7E89FF6C-4946-4C9B-A183-1AA03F3D3CB2} - System32\Tasks\HPCustParticipation HP Officejet 4620 series => C:\Program Files\HP\HP Officejet 4620 series\Bin\HPCustPartic.exe [2011-12-18] (Hewlett-Packard Co.)

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

 

==================== Loaded Modules (whitelisted) =============

 

2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

 

==================== Alternate Data Streams (whitelisted) =========

 

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

 

 

==================== Safe Mode (whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

 

==================== EXE Association (whitelisted) =============

 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

 

 

==================== MSCONFIG/TASK MANAGER disabled items =========

 

(Currently there is no automatic fix for this section.)

 

MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.HTML => C:\Windows\pss\DECRYPT_INSTRUCTION.HTML.Startup

MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.TXT => C:\Windows\pss\DECRYPT_INSTRUCTION.TXT.Startup

MSCONFIG\startupfolder: C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.URL => C:\Windows\pss\DECRYPT_INSTRUCTION.URL.Startup

MSCONFIG\startupreg: Vubybakokazy => C:\Users\Pappa\AppData\Roaming\Dodokeoz\dotome.exe

MSCONFIG\startupreg: {6b8ad2be-14b5-909a-6daa-d6aa9a10963e} => "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe"

 

========================= Accounts: ==========================

 

Administrator (S-1-5-21-1869183926-1366084434-2826835042-500 -> Administrator - Disabled - Status: Degraded)

Guest (S-1-5-21-1869183926-1366084434-2826835042-501 -> Limited - Disabled - Status: Degraded)

HomeGroupUser$ (S-1-5-21-1869183926-1366084434-2826835042-1002 -> Limited - Enabled - Status: OK)

Pappa (S-1-5-21-1869183926-1366084434-2826835042-1001 -> Administrator - Enabled - Status: OK) => C:\Users\Pappa

 

==================== Faulty Device Manager Devices =============

 

Name: Base System Device

Description: Base System Device

Class Guid: 

Manufacturer: 

Service: 

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

Name: Base System Device

Description: Base System Device

Class Guid: 

Manufacturer: 

Service: 

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

Name: Base System Device

Description: Base System Device

Class Guid: 

Manufacturer: 

Service: 

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (09/26/2014 06:19:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 7067

 

Error: (09/26/2014 06:19:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 7067

 

Error: (09/26/2014 06:19:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/26/2014 06:19:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 6022

 

Error: (09/26/2014 06:19:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 6022

 

Error: (09/26/2014 06:19:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/26/2014 06:19:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 4899

 

Error: (09/26/2014 06:19:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 4899

 

Error: (09/26/2014 06:19:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/26/2014 06:18:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 2609288

 

 

System errors:

=============

Error: (09/26/2014 04:56:48 PM) (Source: volsnap) (EventID: 28) (User: )

Description: The shadow copy of volume C: could not be created due to a failure in creating the necessary on disk structures.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

Error: (09/26/2014 04:56:48 PM) (Source: Disk) (EventID: 11) (User: )

Description: The driver detected a controller error on \Device\Harddisk0\DR0.

 

 

Microsoft Office Sessions:

=========================

 

CodeIntegrity Errors:

===================================

  Date: 2014-09-03 15:43:49.274

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-09-03 15:43:49.264

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-09-03 15:43:49.250

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-09-03 15:43:49.156

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\bcrypt.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-03-26 19:49:44.454

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-03-26 19:49:44.444

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-03-26 19:49:44.434

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-03-26 19:49:44.414

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tpm-driver-wmi_31bf3856ad364e35_6.0.6001.18000_none_6f8d0e60c043c672\Win32_Tpm.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-03-26 19:48:58.588

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll because the set of per-page image hashes could not be found on the system.

 

  Date: 2014-03-26 19:48:58.578

  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll because the set of per-page image hashes could not be found on the system.

 


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post the logs in next reply please...

Kevin
 

Fixlist.txt


ComboFix 14-09-24.01 - Pappa 09/27/2014  13:24:02.1.2 - x86

Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.3062.2052 [GMT -4:00]

Running from: c:\users\Pappa\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Local Settings\Temp

c:\programdata\wrnhoah.tmp

c:\users\Pappa\AppData\Local\cciwjukd.exe

c:\users\Pappa\AppData\Local\miosxksr.exe

c:\users\Pappa\AppData\Local\teesfsut.exe

c:\users\Pappa\AppData\Roaming\{000009F5-7321-7583-56E7-4E39C237DA5A}.exe

c:\users\Pappa\AppData\Roaming\1340330571

c:\users\Pappa\AppData\Roaming\1741021225

c:\users\Pappa\AppData\Roaming\1972743714

c:\users\Pappa\AppData\Roaming\2137741828

c:\users\Pappa\AppData\Roaming\3039120963

c:\users\Pappa\AppData\Roaming\3223024724

c:\users\Pappa\AppData\Roaming\appdata

c:\users\Pappa\AppData\Roaming\ChromeUpdate.exe

c:\users\Pappa\AppData\Roaming\hvvbt.dll

c:\windows\system32\mlydot.dll

.

.

(((((((((((((((((((((((((   Files Created from 2014-08-27 to 2014-09-27  )))))))))))))))))))))))))))))))

.

.

2014-09-27 17:34 . 2014-09-27 17:34 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-09-26 16:11 . 2014-09-27 07:37 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-09-26 16:11 . 2014-05-12 11:26 51928 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-09-26 16:11 . 2014-05-12 11:25 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-09-26 16:11 . 2014-05-12 11:25 23256 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-09-26 16:10 . 2014-09-26 16:11 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

2014-09-26 16:10 . 2014-09-26 16:10 -------- d-----w- c:\programdata\Malwarebytes

2014-09-26 16:10 . 2014-09-26 16:10 -------- d-----w- c:\users\Pappa\AppData\Local\Programs

2014-09-25 18:58 . 2014-09-25 18:58 -------- d-----w- C:\found.000

2014-09-25 18:14 . 2014-09-26 16:32 -------- d-----w- c:\users\Pappa\AppData\Roaming\Ozazfion

2014-09-22 21:48 . 2014-09-26 16:31 -------- d-----w- c:\programdata\OnagFuwiw

2014-09-22 20:26 . 2009-07-14 01:17 1286144 ----a-w- c:\programdata\bextmto.dll

2014-09-22 20:26 . 2009-07-14 01:15 857088 ----a-w- c:\programdata\hkflaje.dll

2014-09-20 19:27 . 2014-09-26 16:32 -------- d-----w- c:\users\Pappa\AppData\Roaming\Zougysi

2014-09-11 20:11 . 2009-07-14 01:17 1286144 ----a-w- c:\programdata\ixhuycv.dll

2014-09-11 20:11 . 2009-07-14 01:15 857088 ----a-w- c:\programdata\abqlsgq.dll

2014-09-09 00:20 . 2009-07-14 01:17 1286144 ----a-w- c:\programdata\qwpcriw.dll

2014-09-09 00:20 . 2009-07-14 01:15 857088 ----a-w- c:\programdata\lizwfbs.dll

2014-09-08 21:26 . 2014-09-26 16:31 -------- d-----w- c:\programdata\UjumAcwub

2014-09-08 21:24 . 2014-09-27 17:34 -------- d-----w- c:\programdata\Local Settings

2014-09-05 22:31 . 2014-09-26 16:31 -------- d-----w- c:\programdata\IgneRras

2014-09-05 20:55 . 2014-09-05 20:55 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}

2014-09-05 20:54 . 2014-09-26 16:31 -------- d-----w- c:\programdata\IlodEvoz

2014-09-04 21:31 . 2014-09-26 16:31 -------- d-----w- c:\programdata\UrotiBwuza

2014-09-04 20:38 . 2014-09-26 16:31 -------- d-----w- c:\programdata\OfqajRoneg

2014-09-04 19:21 . 2009-07-14 01:17 1286144 ----a-w- c:\programdata\liaiadn.dll

2014-09-04 19:21 . 2009-07-14 01:15 857088 ----a-w- c:\programdata\uqmizpx.dll

2014-09-02 20:12 . 2014-09-26 16:31 -------- d-----w- c:\programdata\ErtiRazp

2014-09-02 20:10 . 2014-09-26 16:31 -------- d-----w- c:\programdata\IqocPizde

2014-09-01 23:26 . 2014-09-26 16:31 -------- d-----w- c:\programdata\AlsaMhusx

2014-09-01 23:24 . 2014-09-26 16:31 -------- d-----w- c:\programdata\EmbewUbida

2014-09-01 23:24 . 2014-09-26 16:31 -------- d-----w- c:\programdata\UyeqhOfkoq

2014-09-01 22:49 . 2014-09-26 16:31 -------- d-----w- c:\programdata\IlivhIkkuk

2014-09-01 22:49 . 2014-09-26 16:31 -------- d-----w- c:\programdata\EcpatAwuka

2014-09-01 05:25 . 2014-09-22 20:26 -------- d-----w- c:\users\Pappa\AppData\Local\ReceiverVisual

2014-09-01 00:51 . 2014-09-01 00:51 21504 ----a-w- c:\program files\Internet Explorer\version1.dll

2014-08-31 21:29 . 2014-09-26 16:31 -------- d-----w- c:\programdata\AquxEmex

2014-08-31 21:26 . 2014-09-26 16:31 -------- d-----w- c:\programdata\ObbewOgijn

2014-08-31 21:26 . 2014-09-26 16:31 -------- d-----w- c:\programdata\EdopXeqdi

2014-08-29 20:17 . 2014-09-26 16:31 -------- d-----w- c:\programdata\ErhaDlif

2014-08-29 20:17 . 2014-09-26 16:31 -------- d-----w- c:\programdata\ItavAkulc

2014-08-29 20:10 . 2014-09-26 16:31 -------- d-----w- c:\programdata\ExobApef

2014-08-29 20:08 . 2014-09-26 16:31 -------- d-----w- c:\programdata\AtejNigt

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-07-25 19:08 . 2014-07-25 19:08 0 ----a-w- c:\users\Pappa\AppData\Roaming\mlydot.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2014-01-06 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 0 (0x0)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.HTML]

path=c:\users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML

backup=c:\windows\pss\DECRYPT_INSTRUCTION.HTML.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.TXT]

path=c:\users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT

backup=c:\windows\pss\DECRYPT_INSTRUCTION.TXT.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^Pappa^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^DECRYPT_INSTRUCTION.URL]

path=c:\users\Pappa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.URL

backup=c:\windows\pss\DECRYPT_INSTRUCTION.URL.Startup

backupExtension=.Startup

.

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-27 110296]

S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]

S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-09-26 16:18 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2014-01-06 20:51]

.

2014-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2014-01-06 20:51]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-{6b8ad2be-14b5-909a-6daa-d6aa9a10963e} - c:\programdata\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe

MSConfigStartUp-Vubybakokazy - c:\users\Pappa\AppData\Roaming\Dodokeoz\dotome.exe

MSConfigStartUp-{6b8ad2be-14b5-909a-6daa-d6aa9a10963e} - c:\programdata\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\taskhost.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\conhost.exe

c:\program files\Malwarebytes Anti-Malware\mbam.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\sppsvc.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2014-09-27  13:45:12 - machine was rebooted

ComboFix-quarantined-files.txt  2014-09-27 17:45

.

Pre-Run: 187,723,599,872 bytes free

Post-Run: 188,506,546,176 bytes free

.

- - End Of File - - 4C9107F032A52AAFC05AA55A9404291C

A36C5E4F47E84449FF07ED3517B43A31

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-09-2014

Ran by Pappa at 2014-09-29 15:30:01 Run:1

Running from C:\Users\Pappa\Downloads

Loaded Profile: Pappa (Available profiles: Pappa)

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

Start

HKLM\...\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe"

C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe

HKLM\...\Policies\Explorer\Run: [{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}] => "C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe" No File

C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}

2014-09-25 14:14 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Ozazfion

2014-09-25 14:13 - 2014-09-25 14:13 - 00190464 _____ () C:\Users\Pappa\AppData\Local\miosxksr.exe

2014-09-25 14:09 - 2014-09-25 14:09 - 00181760 _____ () C:\Users\Pappa\AppData\Local\teesfsut.exe

2014-09-22 17:48 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\OnagFuwiw

2014-09-22 16:26 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\bextmto.dll

2014-09-22 16:26 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\hkflaje.dll

2014-09-20 15:27 - 2014-09-26 12:32 - 00000000 ____D () C:\Users\Pappa\AppData\Roaming\Zougysi

2014-09-17 15:23 - 2014-09-17 15:23 - 00182784 _____ () C:\Users\Pappa\AppData\Local\cciwjukd.exe

2014-09-15 15:29 - 2014-09-15 15:30 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp

2014-09-15 15:29 - 2014-09-15 15:30 - 00001224 _____ () C:\ProgramData\@system.att

2014-09-15 15:29 - 2014-09-15 15:30 - 00000960 ____H () C:\ProgramData\@system2.att

2014-09-15 15:29 - 2014-09-15 15:29 - 21322294 _____ () C:\Users\Pappa\AppData\Roaming\ChromeUpdate.exe

2014-09-15 15:29 - 2014-09-15 15:29 - 00000448 ____H () C:\Users\Pappa\AppData\Roaming\????

2014-09-11 16:11 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\ixhuycv.dll

2014-09-11 16:11 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\abqlsgq.dll

2014-09-08 20:20 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\qwpcriw.dll

2014-09-08 20:20 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\lizwfbs.dll

2014-09-08 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UjumAcwub

2014-09-05 18:31 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IgneRras

2014-09-05 16:55 - 2014-09-05 16:55 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}

2014-09-05 16:54 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IlodEvoz

2014-09-04 17:31 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UrotiBwuza

2014-09-04 16:38 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\OfqajRoneg

2014-09-04 15:21 - 2009-07-13 21:17 - 01286144 _____ (Microsoft Corporation) C:\ProgramData\liaiadn.dll

2014-09-04 15:21 - 2009-07-13 21:15 - 00857088 _____ (Microsoft Corporation) C:\ProgramData\uqmizpx.dll

2014-09-02 16:12 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ErtiRazp

2014-09-02 16:10 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IqocPizde

2014-09-01 19:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AlsaMhusx

2014-09-01 19:24 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\UyeqhOfkoq

2014-09-01 19:24 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EmbewUbida

2014-09-01 18:49 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\IlivhIkkuk

2014-09-01 18:49 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EcpatAwuka

2014-08-31 17:29 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AquxEmex

2014-08-31 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ObbewOgijn

2014-08-31 17:26 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\EdopXeqdi

2014-08-29 16:17 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ItavAkulc

2014-08-29 16:17 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ErhaDlif

2014-08-29 16:10 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\ExobApef

2014-08-29 16:08 - 2014-09-26 12:31 - 00000000 ____D () C:\ProgramData\AtejNigt

2014-08-29 16:08 - 2014-08-29 16:08 - 00008174 _____ () C:\DECRYPT_INSTRUCTION.HTML

2014-08-29 16:08 - 2014-08-29 16:08 - 00004132 _____ () C:\DECRYPT_INSTRUCTION.TXT

2014-08-29 16:08 - 2014-08-29 16:08 - 00000254 _____ () C:\DECRYPT_INSTRUCTION.URL

C:\ProgramData\abqlsgq.dll

C:\ProgramData\bextmto.dll

C:\ProgramData\hkflaje.dll

C:\ProgramData\ixhuycv.dll

C:\ProgramData\liaiadn.dll

C:\ProgramData\lizwfbs.dll

C:\ProgramData\qwpcriw.dll

C:\ProgramData\uqmizpx.dll

EmptyTemp:

End

 

 

*****************

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e} => Value not found.

"C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}.exe" => File/Directory not found.

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e} => Value not found.

"C:\ProgramData\Microsoft\{6b8ad2be-14b5-909a-6daa-d6aa9a10963e}" => File/Directory not found.

C:\Users\Pappa\AppData\Roaming\Ozazfion => Moved successfully.

"C:\Users\Pappa\AppData\Local\miosxksr.exe" => File/Directory not found.

"C:\Users\Pappa\AppData\Local\teesfsut.exe" => File/Directory not found.

C:\ProgramData\OnagFuwiw => Moved successfully.

C:\ProgramData\bextmto.dll => Moved successfully.

C:\ProgramData\hkflaje.dll => Moved successfully.

C:\Users\Pappa\AppData\Roaming\Zougysi => Moved successfully.

"C:\Users\Pappa\AppData\Local\cciwjukd.exe" => File/Directory not found.

"C:\ProgramData\wrnhoah.tmp" => File/Directory not found.

C:\ProgramData\@system.att => Moved successfully.

C:\ProgramData\@system2.att => Moved successfully.

"C:\Users\Pappa\AppData\Roaming\ChromeUpdate.exe" => File/Directory not found.

 

"C:\Users\Pappa\AppData\Roaming\????" directory move:

 

Could not move "C:\Users\Pappa\AppData\Roaming\????" directory. => Scheduled to move on reboot.

 

C:\ProgramData\ixhuycv.dll => Moved successfully.

C:\ProgramData\abqlsgq.dll => Moved successfully.

C:\ProgramData\qwpcriw.dll => Moved successfully.

C:\ProgramData\lizwfbs.dll => Moved successfully.

C:\ProgramData\UjumAcwub => Moved successfully.

C:\ProgramData\IgneRras => Moved successfully.

C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4} => Moved successfully.

C:\ProgramData\IlodEvoz => Moved successfully.

C:\ProgramData\UrotiBwuza => Moved successfully.

C:\ProgramData\OfqajRoneg => Moved successfully.

C:\ProgramData\liaiadn.dll => Moved successfully.

C:\ProgramData\uqmizpx.dll => Moved successfully.

C:\ProgramData\ErtiRazp => Moved successfully.

C:\ProgramData\IqocPizde => Moved successfully.

C:\ProgramData\AlsaMhusx => Moved successfully.

C:\ProgramData\UyeqhOfkoq => Moved successfully.

C:\ProgramData\EmbewUbida => Moved successfully.

C:\ProgramData\IlivhIkkuk => Moved successfully.

C:\ProgramData\EcpatAwuka => Moved successfully.

C:\ProgramData\AquxEmex => Moved successfully.

C:\ProgramData\ObbewOgijn => Moved successfully.

C:\ProgramData\EdopXeqdi => Moved successfully.

C:\ProgramData\ItavAkulc => Moved successfully.

C:\ProgramData\ErhaDlif => Moved successfully.

C:\ProgramData\ExobApef => Moved successfully.

C:\ProgramData\AtejNigt => Moved successfully.

C:\DECRYPT_INSTRUCTION.HTML => Moved successfully.

C:\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\DECRYPT_INSTRUCTION.URL => Moved successfully.

"C:\ProgramData\abqlsgq.dll" => File/Directory not found.

"C:\ProgramData\bextmto.dll" => File/Directory not found.

"C:\ProgramData\hkflaje.dll" => File/Directory not found.

"C:\ProgramData\ixhuycv.dll" => File/Directory not found.

"C:\ProgramData\liaiadn.dll" => File/Directory not found.

"C:\ProgramData\lizwfbs.dll" => File/Directory not found.

"C:\ProgramData\qwpcriw.dll" => File/Directory not found.

"C:\ProgramData\uqmizpx.dll" => File/Directory not found.

EmptyTemp: => Removed 237 MB temporary data.
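The Fixlog above reports a batch of random-named DLLs and folders under C:\ProgramData moved, ransom-note files (DECRYPT_INSTRUCTION.*) moved, and one profile directory that could only be scheduled for removal on reboot. The script below is an added example, not part of this thread and not code from FRST or Malwarebytes, showing how a practitioner would verify after the reboot that the cleanup actually completed on a machine like this one. It assumes it is run from an elevated PowerShell 3.0 or later session on the cleaned machine; the path list is copied from the Fixlog; and the PendingFileRenameOperations check assumes the fix tool used Windows' delay-until-reboot move mechanism, which is what that registry value records (an assumption about the tool, not something the log states).

```powershell
# Added example, not from the thread or the tools it discusses.
# Assumes: elevated session, PowerShell 3.0+, paths copied from the Fixlog above.

# Paths the Fixlog reported as moved. After the reboot none of them should exist.
$FixlogPaths = @(
    'C:\ProgramData\ixhuycv.dll',
    'C:\ProgramData\abqlsgq.dll',
    'C:\ProgramData\qwpcriw.dll',
    'C:\ProgramData\lizwfbs.dll',
    'C:\ProgramData\liaiadn.dll',
    'C:\ProgramData\uqmizpx.dll',
    'C:\ProgramData\UjumAcwub',
    'C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}',
    'C:\DECRYPT_INSTRUCTION.HTML',
    'C:\DECRYPT_INSTRUCTION.TXT',
    'C:\DECRYPT_INSTRUCTION.URL'
)

function Get-Remnants {
    param([string[]]$Paths)
    # -LiteralPath so the braces in the GUID folder name are not read as a wildcard.
    $Paths | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-PendingRenames {
    # REG_MULTI_SZ of source/destination pairs; an empty destination means "delete".
    # Anything still listed here after a reboot did not get processed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $v) { return @() }
    for ($i = 0; $i -lt $v.Count; $i += 2) {
        [pscustomobject]@{ Source = $v[$i]; Destination = $v[$i + 1] }
    }
}

function Get-UnsignedProgramDataDlls {
    # The Fixlog pattern: DLLs dropped directly in C:\ProgramData with random 7-letter names.
    # Legitimate software rarely puts DLLs in that root, and almost never unsigned ones,
    # so anything without a valid Authenticode signature deserves a look.
    Get-ChildItem -LiteralPath 'C:\ProgramData' -Filter '*.dll' -File -Force `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Written = $_.LastWriteTime
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

function Get-RansomNotes {
    # The Fixlog only removed the copies in C:\. Ransomware drops the same note files
    # in every folder it touched, so search the user profiles as well.
    $names = 'DECRYPT_INSTRUCTION.HTML', 'DECRYPT_INSTRUCTION.TXT', 'DECRYPT_INSTRUCTION.URL'
    Get-ChildItem -Path 'C:\Users' -Include $names -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

$report = [ordered]@{
    StillPresent   = @(Get-Remnants -Paths $FixlogPaths)
    PendingRenames = @(Get-PendingRenames)
    UnsignedDlls   = @(Get-UnsignedProgramDataDlls)
    RansomNotes    = @(Get-RansomNotes)
}
$report
```

An empty StillPresent and PendingRenames list means the scheduled-on-reboot move went through. A non-empty UnsignedDlls list is a lead, not a verdict: confirm each file with an online scan such as the one requested in the next post before deleting anything. Remaining ransom notes are only the markers; they say nothing about whether the encrypted user files are recoverable.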

Thanks for the logs. We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

Run ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7/8, right-click the IE shortcut and run as administrator.

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download the ESET Smart Installer during the process.)

Go to the ESET web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

- Turn off the real-time scanner of any existing antivirus program while performing the online scan
- Click on the Run ESET Online Scanner button
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the add-on to be installed
- Click Start
- Make sure that the option "Remove found threats" is UNticked
- Click on Advanced Settings and ensure the following options are checked:
  - Scan for potentially unsafe applications
  - Enable Anti-Stealth Technology
- Click Scan
- Wait for the virus definitions to be downloaded
- Wait for the scan to finish

When the scan is complete:

If no threats were found
- Put a checkmark in "Uninstall application on close"
- Close the program
- Report to me that nothing was found

If threats were found
- Click on "list of threats found"
- Click on "export to text file" and save it as ESET SCAN to the desktop
- Click on Back
- Put a checkmark in "Uninstall application on close"
- Click on Finish
- Close the program

Copy and paste the report in your next reply. Also give an update on any remaining issues or concerns...

Thanks,

Kevin....


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
