Malicious Websites being constantly blocked

[mlaw31]

Hello all: I opened my desktop this morning and Microsoft Security had notified me that I had a Trojan "Win32/Zbot.gen!/plock"

 

I ran a complete scan and removed all of the red flags.  I also had hits for Anogre.E, Java/CVE-2013-2460, Java/Obfuscator.W, and Win32/Crowti.A

 

I downloaded Malwarebytes, updated and ran a scan.  The first scan is attached. (The FRST text files are attached also).

 

I removed the files, etc.

 

Then and up to now I've been getting Malwarebytes notices that malicious websites are getting blocked.

 

The sites are:

 

fff5e.com

IP Address 31.184.192.90 (out of Russia)

searchnet.blinkxcore.com

95.215.1.57 (also out of Russia)

88.214.193.72 (out of the UK)

 

It's about every single second.

 

I ran malwarebytes several times, but now it is coming up dry.  Also ran TDSSkiller, CCleaner, Adware Cleaner, RogueKiller, SpyBoTSD, Junkware Removal, and HitManPro.

 

I deleted Java and GoogleChrome.  Malwarebytes was originally flagging sites through google chrome.  So I deleted it.  I still have IE.

 

I acted somewhat hastily and so I'm sure I did those scans improperly, out of order, etc.  All to no avail.  Any help would be extremely appreciated.  Thank you, M

MBAM 811AM.txt

FRST.txt

Addition.txt

[LiquidTension]

Hello mlaw31, welcome to Malwarebytes' Malware Removal forum!

My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. 

General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================

Please read through the points below to ensure this process moves as quickly and efficiently as possible.

• Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
• Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
• Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
• Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
• If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
• Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
• Ensure you are following this topic. Click  at the top of the page.

======================================================
 
Unfortunately, your computer was/is badly infected, and as such, I must issue the following warning. Please let me know what you think and how you wish to proceed. 

 

BACKDOOR WARNING

 

------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the Internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc).

Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following article for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again unless you reformat your Hard Drive and reinstall your Operating System. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

You have a choice between cleaning the infection(s) or reformatting your computer. Ultimately, the decision is personal, and up to you and whatever you're most comfortable with. Please let me know how you wish to proceed, and if you have any questions.

[mlaw31]

Thanks Adam.  I do not have any passwords, etc. stored on my PC.  Shall I disconnect from the internet now?

[LiquidTension]

Hello, 

 

How would you like to proceed? It's down to you, and what you're most comfortable with based on the information in the warning. 

Clean the machine, or reformat?

[mlaw31]

I'm ready to go! My machine is a Windows 7 Professional 64 Bit

[mlaw31]

I guess I should add that the "Process" for the Malicious Website Blocked is C:\Windows\SysWOW64\dllhost.exe

There are currently four (4) dllhost.exe running in my processes, 3 of which are through the Syswow64 process and 2 of those are over 100K (if that matters)

[LiquidTension]

OK. Work your way through the following. 

 

STEP 1
 ComboFix

• Note: Please read through these instructions before running ComboFix. 
• Please download ComboFix and save the file to your Desktop. << Important!
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click ComboFix.exe and select  Run as administrator to run the programme.
• Follow the prompts. 
   
• Allow ComboFix to complete it's removal routine (please refer to Important Notes:).
• Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
• Re-enable your anti-virus software.
   

Important Notes:

• Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
• Do NOT use your computer whilst ComboFix is running.
• Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
   
• If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
• ComboFix will disconnect your machine from the Internet as soon as it starts.
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
• If you are unable to access the Internet after running ComboFix, please reboot your computer. 
   

STEP 2
 TDSSKiller Scan

• Right-Click TDSSKiller.exe and select  Run as administrator to run the programme.
• Click Change parameters. Place a checkmark next to:
  • Loaded Modules
  • Detect TDLFS file system
  • Verify file digital signatures
• Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
• ​Click Start Scan. Do not use the computer during the scan.
• If objects are found, change the action to skip.
• Click Continue and close the window.
• A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
   

STEP 3
 Farbar Recovery Scan Tool (FRST) Scan

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• ComboFix.txt
• TDSSKiller log (attached)
• FRST.txt
• Addition.txt

[mlaw31]

Thanks Adam: 

 

Step 1: ComboFix

 

ComboFix 14-10-21.01 - Mark 10/23/2014  16:19:38.2.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8065.5187 [GMT -4:00]
Running from: c:\users\Mark\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\@system.att
c:\programdata\@system2.att
c:\programdata\wrnhoah.tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-23 to 2014-10-23  )))))))))))))))))))))))))))))))
.
.
2014-10-23 20:21 . 2014-10-23 20:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-23 18:33 . 2014-10-23 18:50 -------- d-----w- C:\FRST
2014-10-23 17:51 . 2014-10-23 18:36 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-10-23 17:51 . 2014-10-23 18:36 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2014-10-23 17:43 . 2014-10-23 18:18 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-23 17:43 . 2014-10-23 17:43 -------- d-----w- c:\programdata\RogueKiller
2014-10-23 17:35 . 2014-10-23 17:35 -------- d-----w- c:\programdata\Emsisoft
2014-10-23 17:12 . 2014-10-23 17:15 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-10-23 16:35 . 2014-10-23 17:38 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware
2014-10-23 16:20 . 2014-10-23 16:20 -------- d-----w- c:\program files\HitmanPro
2014-10-23 16:19 . 2014-10-23 16:22 -------- d-----w- c:\programdata\HitmanPro
2014-10-23 16:09 . 2014-10-23 16:09 -------- d-----w- c:\program files (x86)\ESET
2014-10-23 16:01 . 2014-10-23 16:01 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F1B97F2F-8C06-4ACC-8053-5F424CDC3B2A}\offreg.dll
2014-10-23 16:01 . 2014-10-23 16:01 -------- d-----w- c:\windows\ERUNT
2014-10-23 15:31 . 2014-10-23 15:59 -------- d-----w- C:\AdwCleaner
2014-10-23 15:18 . 2014-10-23 15:18 -------- d-----w- c:\users\Mark\AppData\Roaming\QuickScan
2014-10-23 13:00 . 2014-10-23 13:00 55104 ----a-w- c:\windows\system32\drivers\zgjmcoav.sys
2014-10-23 13:00 . 2014-10-23 13:00 55104 ----a-w- c:\windows\system32\drivers\zkxvnegr.sys
2014-10-23 12:59 . 2014-10-23 12:59 55104 ----a-w- c:\windows\system32\drivers\bligbhro.sys
2014-10-23 12:57 . 2014-10-23 12:57 55104 ----a-w- c:\windows\system32\drivers\momdzbrv.sys
2014-10-23 12:12 . 2014-10-23 12:12 55104 ----a-w- c:\windows\system32\drivers\juawwuts.sys
2014-10-23 12:10 . 2014-10-23 18:39 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-23 12:10 . 2014-10-23 12:10 55104 ----a-w- c:\windows\system32\drivers\xvzoeczx.sys
2014-10-23 12:08 . 2014-10-23 17:11 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-23 12:08 . 2014-10-23 13:01 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-10-23 12:08 . 2014-10-23 12:08 -------- d-----w- c:\programdata\Malwarebytes
2014-10-23 12:08 . 2014-10-01 15:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-23 12:08 . 2014-10-01 15:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-23 12:06 . 2014-10-23 12:06 55104 ----a-w- c:\windows\system32\drivers\btmuyfyy.sys
2014-10-23 12:05 . 2014-10-23 12:05 -------- d-----w- c:\users\Mark\AppData\Local\Programs
2014-10-23 12:03 . 2014-10-23 12:03 55104 ----a-w- c:\windows\system32\drivers\gxllldmg.sys
2014-10-23 12:00 . 2014-10-23 12:00 55104 ----a-w- c:\windows\system32\drivers\hsjpffpj.sys
2014-10-23 11:58 . 2014-10-23 11:58 55104 ----a-w- c:\windows\system32\drivers\ftltoiav.sys
2014-10-23 11:56 . 2014-10-23 11:56 55104 ----a-w- c:\windows\system32\drivers\rfgwwcdg.sys
2014-10-23 11:54 . 2014-10-23 11:54 55104 ----a-w- c:\windows\system32\drivers\hqktdxnj.sys
2014-10-23 11:53 . 2014-10-23 11:53 55104 ----a-w- c:\windows\system32\drivers\abqmkngh.sys
2014-10-23 11:52 . 2014-10-23 11:52 55104 ----a-w- c:\windows\system32\drivers\obqbxkdo.sys
2014-10-23 07:31 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F1B97F2F-8C06-4ACC-8053-5F424CDC3B2A}\mpengine.dll
2014-10-22 07:30 . 2014-10-14 19:59 11627712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-14 20:41 . 2014-07-17 02:07 235520 ----a-w- c:\windows\system32\winsta.dll
2014-10-03 07:00 . 2014-10-03 07:00 -------- d-----w- c:\program files (x86)\MSXML 4.0
2014-10-02 07:29 . 2014-09-18 07:29 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{02EF9943-BBE0-49D6-9928-E951FB0C1E51}\gapaengine.dll
2014-10-01 20:50 . 2014-10-17 15:48 952 --sha-w- c:\programdata\KGyGaAvL.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-03 14:02 . 2014-06-17 19:02 103265616 ----a-w- c:\windows\system32\MRT.exe
2014-09-30 15:17 . 2014-06-17 19:56 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-30 15:17 . 2014-06-17 19:56 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-26 08:06 . 2014-06-18 18:55 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-09-22 06:42 . 2010-11-21 03:27 278152 ------w- c:\windows\system32\MpSigStub.exe
2014-09-18 07:29 . 2014-06-24 18:26 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-08-23 02:07 . 2014-08-28 12:22 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 12:22 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-06-18 19:00 222920 ----a-w- c:\users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-06-18 19:00 222920 ----a-w- c:\users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-06-18 19:00 222920 ----a-w- c:\users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S3 cleanhlp;cleanhlp;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CLEANHLP
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-17 15:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-06-18 19:00 261832 ----a-w- c:\users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-06-18 19:00 261832 ----a-w- c:\users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-06-18 19:00 261832 ----a-w- c:\users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-25 10:10 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-01-29 391152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-01-29 771568]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-01-29 770544]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://hotmail.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files (x86)\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-54857365.sys
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-23  16:22:29
ComboFix-quarantined-files.txt  2014-10-23 20:22
.
Pre-Run: 185,525,526,528 bytes free
Post-Run: 186,382,462,976 bytes free
.
- - End Of File - - 1D2E68269CCCFD0678313288ABBC061E
A36C5E4F47E84449FF07ED3517B43A31

 

Step 2: TDSSKiller is attached

 

Step 3: FarBar

 

FRST Text:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-10-2014
Ran by Mark (administrator) on MARK-PC on 23-10-2014 16:35:36
Running from E:\
Loaded Profile: Mark (Available profiles: Mark)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_15_0_0_167_ActiveX.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/distribution/alternatiff-ax-w32-2.0.6.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1212152.dll (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-14]
CHR Extension: (Google Drive) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-19]
CHR Extension: (YouTube) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-14]
CHR Extension: (Google Search) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-14]
CHR Extension: (Google Wallet) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-14]
CHR Extension: (Gmail) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe [936728 2013-05-07] ()
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2436280 2014-09-25] (Microsoft Corporation)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2014-09-16] (Macrovision Europe Ltd.) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-23] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-23] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-23 16:30 - 2014-10-23 16:30 - 00004420 _____ () C:\Windows\PFRO.log
2014-10-23 16:27 - 2014-10-23 16:28 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Mark\Downloads\tdsskiller.exe
2014-10-23 16:22 - 2014-10-23 16:22 - 00021203 _____ () C:\ComboFix.txt
2014-10-23 16:17 - 2014-10-23 16:22 - 00000000 ____D () C:\Qoobox
2014-10-23 16:17 - 2014-10-23 16:21 - 00000000 ____D () C:\Windows\erdnt
2014-10-23 16:17 - 2014-10-23 16:17 - 05584933 ____R (Swearware) C:\Users\Mark\Downloads\ComboFix.exe
2014-10-23 16:17 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-23 16:17 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-23 16:17 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-23 16:17 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-23 16:17 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-23 16:17 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-23 16:17 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-23 16:17 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-23 14:46 - 2014-10-23 16:30 - 00000850 _____ () C:\Windows\setupact.log
2014-10-23 14:46 - 2014-10-23 14:46 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-23 14:33 - 2014-10-23 16:35 - 00000000 ____D () C:\FRST
2014-10-23 14:33 - 2014-10-23 14:33 - 00017341 _____ () C:\Users\Mark\Desktop\Addition.txt
2014-10-23 13:52 - 2014-10-23 13:52 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2014-10-23 13:51 - 2014-10-23 16:30 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-10-23 13:51 - 2014-10-23 14:36 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-10-23 13:43 - 2014-10-23 14:18 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-23 13:43 - 2014-10-23 13:43 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-23 13:42 - 2014-10-23 13:42 - 00006292 _____ () C:\Users\Mark\Documents\cc_20141023_134206.reg
2014-10-23 13:35 - 2014-10-23 13:35 - 00000000 ____D () C:\ProgramData\Emsisoft
2014-10-23 13:17 - 2014-10-23 13:17 - 16281688 _____ () C:\Users\Mark\Desktop\RogueKiller.exe
2014-10-23 13:12 - 2014-10-23 13:15 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-10-23 12:35 - 2014-10-23 16:30 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-10-23 12:20 - 2014-10-23 12:20 - 00000000 ____D () C:\Program Files\HitmanPro
2014-10-23 12:19 - 2014-10-23 12:22 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-10-23 12:03 - 2014-10-23 12:03 - 00000632 _____ () C:\Users\Mark\Desktop\JRT.txt
2014-10-23 12:01 - 2014-10-23 12:01 - 00000000 ____D () C:\Windows\ERUNT
2014-10-23 11:31 - 2014-10-23 11:59 - 00000000 ____D () C:\AdwCleaner
2014-10-23 11:18 - 2014-10-23 11:18 - 00000000 ____D () C:\Users\Mark\AppData\Roaming\QuickScan
2014-10-23 09:13 - 2014-10-23 09:13 - 00000000 ____D () C:\Windows\pss
2014-10-23 09:00 - 2014-10-23 09:00 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\zkxvnegr.sys
2014-10-23 09:00 - 2014-10-23 09:00 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\zgjmcoav.sys
2014-10-23 08:59 - 2014-10-23 08:59 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bligbhro.sys
2014-10-23 08:57 - 2014-10-23 08:57 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\momdzbrv.sys
2014-10-23 08:12 - 2014-10-23 08:12 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\juawwuts.sys
2014-10-23 08:10 - 2014-10-23 16:30 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-23 08:10 - 2014-10-23 08:10 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\xvzoeczx.sys
2014-10-23 08:08 - 2014-10-23 13:11 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-23 08:08 - 2014-10-23 09:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-23 08:08 - 2014-10-23 08:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-23 08:08 - 2014-10-23 08:08 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-23 08:08 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-23 08:08 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-23 08:06 - 2014-10-23 08:06 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\btmuyfyy.sys
2014-10-23 08:03 - 2014-10-23 08:03 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\gxllldmg.sys
2014-10-23 08:00 - 2014-10-23 08:01 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Mark\Downloads\mbam-setup-2.0.3.1025.exe
2014-10-23 08:00 - 2014-10-23 08:00 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hsjpffpj.sys
2014-10-23 07:58 - 2014-10-23 07:58 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ftltoiav.sys
2014-10-23 07:56 - 2014-10-23 07:56 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rfgwwcdg.sys
2014-10-23 07:54 - 2014-10-23 07:54 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hqktdxnj.sys
2014-10-23 07:53 - 2014-10-23 07:53 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\abqmkngh.sys
2014-10-23 07:52 - 2014-10-23 07:52 - 00055104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\obqbxkdo.sys
2014-10-22 16:42 - 2014-10-22 16:42 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-16 11:12 - 2014-10-16 11:12 - 00046251 _____ () C:\Users\Mark\Desktop\Carp Letterhead.wpd
2014-10-16 11:08 - 2014-10-16 11:08 - 00025259 _____ () C:\Users\Mark\Downloads\olde_english.zip
2014-10-16 11:08 - 2014-10-16 11:08 - 00025259 _____ () C:\Users\Mark\Downloads\olde_english (1).zip
2014-10-16 11:06 - 2014-10-16 11:06 - 00047862 _____ () C:\Users\Mark\Downloads\Kubeyka, Draft, 14-03-18, Ltr to Prothy.wpd
2014-10-16 11:05 - 2014-10-16 11:05 - 00018288 _____ () C:\Users\Mark\Downloads\Gerber Ltr to Zdiera (Entry of Judgment).wpd
2014-10-16 11:04 - 2014-10-16 11:04 - 00014859 _____ () C:\Users\Mark\Downloads\Gerber Ltr to Hale (Entry of Judgment).wpd
2014-10-15 11:21 - 2014-10-15 11:21 - 00026454 _____ () C:\Users\Mark\Downloads\Hufnagle v. Bartosic, 14-07-08, Out of Pocket Expenses.xlsx
2014-10-15 09:53 - 2014-10-22 10:28 - 00004964 _____ () C:\Windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for Mark-PC-Mark Mark-PC
2014-10-14 17:01 - 2014-09-28 20:58 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-14 17:01 - 2014-09-04 01:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-14 17:01 - 2014-09-04 01:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2014-10-14 17:01 - 2014-08-29 22:10 - 06583296 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-14 17:01 - 2014-08-29 21:50 - 05702656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-10-14 17:01 - 2014-08-28 22:07 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-10-14 17:01 - 2014-08-18 23:11 - 00693176 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2014-10-14 17:01 - 2014-08-18 23:10 - 00616352 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2014-10-14 17:01 - 2014-08-18 23:08 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2014-10-14 17:01 - 2014-08-18 23:08 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2014-10-14 17:01 - 2014-08-18 23:08 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2014-10-14 17:01 - 2014-08-18 23:07 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2014-10-14 17:01 - 2014-08-18 23:07 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2014-10-14 17:01 - 2014-08-18 23:07 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2014-10-14 17:01 - 2014-08-18 23:07 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2014-10-14 17:01 - 2014-08-18 23:07 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2014-10-14 17:01 - 2014-08-18 22:41 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2014-10-14 17:01 - 2014-08-18 22:41 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2014-10-14 17:01 - 2014-08-18 22:06 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2014-10-14 17:01 - 2014-07-06 22:07 - 14632960 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2014-10-14 17:01 - 2014-07-06 22:07 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll
2014-10-14 17:01 - 2014-07-06 22:07 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 05551032 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-10-14 17:01 - 2014-07-06 22:06 - 04120576 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 01574400 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 01202176 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00842240 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00679424 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00641024 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00432128 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00368128 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00188416 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2014-10-14 17:01 - 2014-07-06 22:06 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2014-10-14 17:01 - 2014-07-06 22:06 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2014-10-14 17:01 - 2014-07-06 22:06 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2014-10-14 17:01 - 2014-07-06 22:06 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2014-10-14 17:01 - 2014-07-06 22:05 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2014-10-14 17:01 - 2014-07-06 22:05 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2014-10-14 17:01 - 2014-07-06 22:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2014-10-14 17:01 - 2014-07-06 21:52 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys
2014-10-14 17:01 - 2014-07-06 21:40 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 03208704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 01005056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptui.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00988160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmv2clt.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00744960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\blackbox.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00617984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmdrmsdk.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00516096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscp.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00489984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\evr.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00406016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmmgrtn.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00354816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfplat.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00265216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msnetobj.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00081408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsp.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2014-10-14 17:01 - 2014-07-06 21:40 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2014-10-14 17:01 - 2014-07-06 21:40 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2014-10-14 17:01 - 2014-07-06 21:39 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2014-10-14 17:01 - 2014-07-06 21:39 - 03970488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-10-14 17:01 - 2014-07-06 21:39 - 03914680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-10-14 17:01 - 2014-07-06 21:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2014-10-14 17:01 - 2014-07-06 21:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2014-10-14 17:01 - 2014-07-06 21:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2014-10-14 17:01 - 2014-06-27 20:21 - 00619056 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2014-10-14 17:01 - 2014-06-27 20:21 - 00532176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2014-10-14 17:01 - 2014-06-27 20:21 - 00457400 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2014-10-14 17:01 - 2014-06-18 18:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-14 17:01 - 2014-06-18 18:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2014-10-14 17:01 - 2014-06-18 18:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2014-10-14 17:01 - 2014-06-18 18:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-14 17:01 - 2014-06-18 18:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2014-10-14 17:01 - 2014-06-18 18:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-14 16:41 - 2014-09-20 01:18 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-14 16:41 - 2014-09-20 01:17 - 02236928 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-14 16:41 - 2014-09-20 01:17 - 01407488 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 19280896 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-14 16:41 - 2014-09-20 01:16 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-14 16:41 - 2014-09-20 01:15 - 01508864 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-14 16:41 - 2014-09-20 01:15 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-14 16:41 - 2014-09-20 01:15 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 13757952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 01180672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-10-14 16:41 - 2014-09-19 23:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-10-14 16:41 - 2014-09-19 23:56 - 01440768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-10-14 16:41 - 2014-09-19 23:56 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-10-14 16:41 - 2014-09-19 23:56 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-10-14 16:41 - 2014-09-19 23:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-14 16:41 - 2014-09-19 23:33 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-10-14 16:41 - 2014-09-19 22:43 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-10-14 16:41 - 2014-09-19 22:35 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-10-14 16:41 - 2014-09-12 21:58 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-14 16:41 - 2014-09-12 21:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-10-14 16:41 - 2014-07-16 22:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-14 16:41 - 2014-07-16 22:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-14 16:41 - 2014-07-16 22:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-14 16:41 - 2014-07-16 22:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-14 16:41 - 2014-07-16 22:07 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-14 16:41 - 2014-07-16 22:07 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-14 16:41 - 2014-07-16 21:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2014-10-14 16:41 - 2014-07-16 21:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-10-14 16:41 - 2014-07-16 21:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-14 16:41 - 2014-07-16 21:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-14 16:41 - 2014-07-16 21:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-14 16:41 - 2014-05-30 04:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-10-14 16:41 - 2014-05-30 04:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-10-14 16:41 - 2014-05-30 04:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-10-14 16:41 - 2014-05-30 04:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-10-14 16:41 - 2014-05-30 03:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-10-14 16:41 - 2014-05-30 03:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-10-14 16:41 - 2014-05-30 03:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-10-14 16:41 - 2014-05-30 03:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-10-14 16:11 - 2014-10-14 16:11 - 00018182 _____ () C:\Users\Mark\Downloads\Durable General POA(Form) (1).wpd
2014-10-14 15:58 - 2014-10-14 15:58 - 00017920 _____ () C:\Users\Mark\Downloads\Durable General POA(Form).wpd
2014-10-03 03:00 - 2014-10-03 03:00 - 00000000 ____D () C:\Program Files (x86)\MSXML 4.0
2014-10-01 16:50 - 2014-10-17 11:48 - 00000952 ___SH () C:\ProgramData\KGyGaAvL.sys
2014-10-01 16:49 - 2014-10-01 16:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WordPerfect Office X5
2014-10-01 16:28 - 2014-10-14 16:13 - 00000000 ____D () C:\Users\Mark\Desktop\Camp Trial Motions
2014-10-01 14:28 - 2014-10-17 14:59 - 00000000 ____D () C:\Users\Mark\Desktop\PLNC
2014-10-01 09:38 - 2014-10-18 12:26 - 00000000 ____D () C:\Users\Mark\Desktop\Peck Supplement
2014-09-26 14:14 - 2014-09-26 15:12 - 00013965 _____ () C:\Users\Mark\Desktop\Distribution Sheet.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-23 16:34 - 2009-07-14 01:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-23 16:33 - 2009-01-01 02:04 - 01705871 _____ () C:\Windows\WindowsUpdate.log
2014-10-23 16:30 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-23 16:21 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-10-23 16:12 - 2009-07-14 00:45 - 00021872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-23 16:12 - 2009-07-14 00:45 - 00021872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-23 16:11 - 2014-06-17 15:56 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-23 13:31 - 2009-01-01 04:16 - 00000000 ____D () C:\Windows\Panther
2014-10-23 12:15 - 2014-06-17 15:55 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-10-23 12:14 - 2014-06-17 15:36 - 00000000 ____D () C:\Users\Mark\AppData\Roaming\Adobe
2014-10-23 11:12 - 2014-06-17 15:54 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-23 10:32 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\Registration
2014-10-23 09:35 - 2014-08-14 17:18 - 00000000 ____D () C:\Program Files (x86)\Google
2014-10-23 07:49 - 2014-06-18 14:50 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-10-23 07:49 - 2014-06-17 14:46 - 00084040 _____ () C:\Users\Mark\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-23 07:49 - 2009-07-14 00:45 - 00350272 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-20 20:24 - 2014-08-14 17:18 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-20 20:24 - 2014-08-14 17:18 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-17 11:48 - 2009-07-14 01:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-10-17 09:42 - 2014-06-16 15:13 - 00000000 ____D () C:\Users\Mark\Desktop\Files
2014-10-15 03:19 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2014-10-15 03:19 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\Dism
2014-10-15 03:01 - 2014-06-17 15:02 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-03 10:02 - 2014-06-17 15:02 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-01 16:51 - 2014-08-09 11:40 - 00000000 ____D () C:\Users\Mark\AppData\Roaming\Corel
2014-10-01 16:51 - 2014-08-09 11:39 - 00000000 ____D () C:\Users\Public\Documents\WordPerfect Office
2014-10-01 16:51 - 2014-08-09 11:38 - 00000000 ____D () C:\ProgramData\Corel
2014-10-01 16:51 - 2014-08-09 11:38 - 00000000 ____D () C:\Program Files (x86)\Corel
2014-10-01 16:50 - 2014-08-09 11:38 - 00000000 ____D () C:\Program Files\Common Files\Corel
2014-10-01 16:49 - 2011-04-12 04:28 - 00000000 ____D () C:\Windows\ShellNew
2014-09-30 11:17 - 2014-06-18 14:58 - 00000000 ____D () C:\Users\Mark\AppData\Local\Adobe
2014-09-30 11:17 - 2014-06-17 15:56 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-30 11:17 - 2014-06-17 15:56 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-30 11:17 - 2014-06-17 15:56 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-09-29 09:30 - 2014-08-09 11:37 - 00000000 ____D () C:\ProgramData\WordPerfect Office X7
2014-09-26 07:59 - 2014-09-13 14:13 - 00000000 ____D () C:\Users\Mark\Desktop\Website
2014-09-24 07:44 - 2014-06-16 15:13 - 00001475 _____ () C:\Users\Mark\Desktop\Shortcut to OHF.lnk
2014-09-24 07:44 - 2014-06-16 15:13 - 00001369 _____ () C:\Users\Mark\Desktop\Shortcut to OFFICE.lnk

Some content of TEMP:
====================
C:\Users\Mark\AppData\Local\Temp\{C93DD633-EF2A-4C96-B11A-9C92F36D82FA}.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-06-17 13:57

==================== End Of Log ============================

 

Addition Text:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-10-2014
Ran by Mark at 2014-10-23 16:35:50
Running from E:\
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 9 Pro Extended - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}) (Version: 9.0.0 - Adobe Systems)
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch (x32 Version: 9.0.0 - Adobe Systems) Hidden
Adobe Acrobat 9 Pro Extended 64-bit Add-On (HKLM\...\{AC76BA86-1033-0000-0064-0003D0000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.2.152 - Adobe Systems, Inc.)
C5150n - C5200n  Series GDI Driver from OKI® Printing Solutions for Windows  (HKLM-x32\...\{2C52D6EB-EE7E-45C4-AFB8-1242164A4A44}) (Version: 210 - OKI® Printing Solutions)
Corel WordPerfect Office - iFilter 64 Bit (HKLM\...\{1B45B85C-99E8-4523-8FB3-0248B3DECFC8}) (Version: 1.01.000 - Corel Corporation)
Google Update Helper (x32 Version: 1.3.25.5 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3412 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Home and Business 2013 - en-us (HKLM\...\HomeBusinessRetail - en-us) (Version: 15.0.4659.1001 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.0.4023.1211 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4659.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4659.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4659.1001 - Microsoft Corporation) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
WordPerfect Lightning - IPM (x32 Version: 1.0 - Corel Corporation) Hidden
WordPerfect Lightning - Messages (x32 Version: 1.0 - Corel Corporation) Hidden
WordPerfect Lightning - MSOM (x32 Version: 1.1 - Corel Corporation) Hidden
WordPerfect Lightning (x32 Version: 2.0 - Corel Corporation) Hidden
WordPerfect Office IFilter 32-bit (HKLM-x32\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.4 - Corel Corporation)
WordPerfect Office X5 - Common (x32 Version: 15.3 - Corel Corporation) Hidden
Wordperfect Office X5 - EN (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Filters (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Graphics (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - IPM (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - LegalTools (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Migration Manager (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Oxford (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - PerfectExperts EN (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - PR (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - QP (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Setup Files (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Sharepoint (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Skins (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - System EN (x32 Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X5 - Templates (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - WP (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - WT (x32 Version: 15.3 -  Corel Corporation) Hidden
WordPerfect Office X5 (HKLM-x32\...\_{DE6DE4A1-0343-4DBE-9DC2-E667AA03F579}) (Version: 15.0.0.505 - Corel Corporation)
WordPerfect Office X5 (x32 Version: 15.3 - Corel Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2567928627-484860732-3909439429-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2567928627-484860732-3909439429-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2567928627-484860732-3909439429-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2567928627-484860732-3909439429-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2567928627-484860732-3909439429-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\Mark\AppData\Local\Microsoft\SkyDrive\17.0.4023.1211\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points  =========================

18-10-2014 07:30:36 Windows Update
21-10-2014 07:31:03 Windows Update
23-10-2014 15:10:30 Removed Java 7 Update 60
23-10-2014 16:22:00 Checkpoint by HitmanPro
23-10-2014 18:37:12 Removed Java 8 Update 25

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2014-10-23 16:21 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2FF04013-79BC-4299-953B-E0E0821EC8ED} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {323588D8-4E89-4A9D-8067-A5F6781B3251} - System32\Tasks\Microsoft Office 15 Sync Maintenance for Mark-PC-Mark Mark-PC => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-09-16] (Microsoft Corporation)
Task: {9ADDE0C1-399A-4E0C-A2F7-E4CDA98CCDE4} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-30] (Adobe Systems Incorporated)
Task: {BF9F4A49-4D80-4571-A7A7-036AA1E3DDA6} - System32\Tasks\Games\UpdateCheck_S-1-5-21-2567928627-484860732-3909439429-1000
Task: {D4A0F948-8E9A-4D02-A97C-2A389CB24189} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-09-25] (Microsoft Corporation)
Task: {FE604B48-5ADC-4235-BE9D-BF5DB9E2CEC5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-09-26 04:07 - 2014-09-09 10:59 - 08896160 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-06-17 13:40 - 2013-05-07 03:45 - 00936728 ____N () C:\Program Files (x86)\ASUS\AXSP\1.01.02\atkexComSvc.exe
2014-06-18 14:50 - 2014-05-20 09:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2014-06-17 13:40 - 2014-10-23 16:30 - 00027136 _____ () C:\Program Files (x86)\ASUS\AXSP\1.01.02\PEbiosinterface32.dll
2014-06-17 13:40 - 2013-05-07 03:45 - 00104448 ____N () C:\Program Files (x86)\ASUS\AXSP\1.01.02\ATKEX.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows\system32\Drivers\abqmkngh.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\bligbhro.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\btmuyfyy.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\ftltoiav.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\gxllldmg.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\hqktdxnj.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\hsjpffpj.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\juawwuts.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\momdzbrv.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\obqbxkdo.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\rfgwwcdg.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\xvzoeczx.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\zgjmcoav.sys:changelist
AlternateDataStreams: C:\Windows\system32\Drivers\zkxvnegr.sys:changelist

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\78888917.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\78888917.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-2567928627-484860732-3909439429-500 - Administrator - Disabled)
Guest (S-1-5-21-2567928627-484860732-3909439429-501 - Limited - Disabled)
Mark (S-1-5-21-2567928627-484860732-3909439429-1000 - Administrator - Enabled) => C:\Users\Mark

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/23/2014 04:32:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (10/23/2014 04:21:41 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (10/23/2014 04:21:27 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (10/23/2014 04:20:30 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (10/23/2014 02:18:53 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (10/23/2014 02:06:33 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (10/23/2014 01:51:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (10/23/2014 01:51:45 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (10/23/2014 01:43:34 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (10/23/2014 01:43:23 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (10/23/2014 01:29:10 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Microsoft Office Sessions:
=========================
Error: (10/23/2014 04:32:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

CodeIntegrity Errors:
===================================
  Date: 2014-10-23 16:21:27.914
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-10-23 16:21:27.898
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core i5-4690 CPU @ 3.50GHz
Percentage of memory in use: 23%
Total physical RAM: 8064.74 MB
Available physical RAM: 6179.48 MB
Total Pagefile: 16127.66 MB
Available Pagefile: 14390.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:223.47 GB) (Free:173.51 GB) NTFS
Drive e: (USB20FD) (Removable) (Total:7.52 GB) (Free:5 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 223.6 GB) (Disk ID: 9962CF7E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=223.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7.5 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=7.5 GB) - (Type=0C)

==================== End Of Log ============================

 

 

TDSSKiller.3.0.0.40_23.10.2014_16.31.45_log.txt

[LiquidTension]

Good job.

I'm heading off now, but will return with instructions for you in the morning (GMT).

I would keep the machine disconnected from the Internet or switched off until my next set of instructions.

[mlaw31]

Also: All three scans ran seamlessly.  I had to reboot with TDSSKiller per your instructions about the module.  On reboot, when I go to Internet Explorer, I am now getting this "Security Alert": "You are about to view pages over a secure connection.  Any information you exchange with this site cannot be viewed by anyone else on the web."  - I'm wondering if that is a concern?

 

FRST64 is still running in the background.  So is MBAM.exe.  And mseces.exe (Microsoft Security Essentials?).  I went to open Malwarebytes, and I get this prompt "Do you want to allow the following program to make changes to this computer?"

[mlaw31]

Also, no more "Malicious Website Blocked" notices from Malwarebytes

[LiquidTension]

The IE alert is normal. ComboFix resets certain IE settings. When the warning pops up, place a checkmark in the box and click OK.

mseces.exe belongs to Microsoft Security Essentials (MSE). Don't worry about FRST running in the background. You can always reboot in any case.

The prompt when opening MBAM is from UAC (User Access Control). It's a security measure in Windows, and should always be enabled. It sounds as if you've had it disabled if you're unfamilair with the prompt.

Hang fire for now until I issue your next set of instructions later.

[mlaw31]

Adam: thank you so much for your assistance last evening. I powered down the computer after your last post. I rebooted this morning. Windows opened much more quickly and no "malicious website" warnings began popping up while I was connected to the internet. (I only did this because I had to get a MSword file off of my computer and onto a thumb drive). I ran updated and scanned with Malwarebytes. Nothing found. I am powering down the machine again and will wait for your next directive. Thank you so much!

[LiquidTension]

Hello, 
 
Is there any reason why you ran the following programme? Windows Genuine Advantage
 
Please do the following. 
 
STEP 1
 Folder Options 

• Press the Windows Key  + r on your keyboard at the same time. Type Control Folders and click OK.
• Click View. Under Hidden files and folders: 
• Place a checkmark next to Show hidden files, folders and drives.
• Remove the checkmark next to Hide extensions for known file types.
• Remove the checkmark next to Hide protected operating system Files (Recommended).
• Click Apply followed by OK.
   

STEP 2
 VirusTotal Upload

• Please go to VirusTotal.com.
• Click Choose File and locate the following file:
  • C:\ProgramData\KGyGaAvL.sys
• ​Click Scan it!.
• If you receive the following notification: File already analysed click Reanalyse.
• Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply. 
• Please do the same for the files below:
  • C:\Windows\system32\Drivers\zkxvnegr.sys
  • C:\Windows\system32\Drivers\xvzoeczx.sys
  • C:\Windows\system32\Drivers\ftltoiav.sys

[mlaw31]

I don't know what Windows Genuine Advantage is.  Is there any "genuine advantage" to running it?

 

C:\ProgramData\KGyGaAvL.sys:

https://www.virustotal.com/en/file/25bab8da85d87fbe5fda5b53e503411ee0fc2841912af9b586e18a2a6b27f829/analysis/1414174340/

 

C:\Windows\system32\Drivers\zkxvnegr.sys:

 

Ok with the above one... I could not find it in the drivers folder.  I then did a C: search for "zkxvnegr" and it popped up as the only file.  Still not there.  I tried to copy and paste into virusscan and it said that the file could not be found.  This file says it was created yesterday at 9:00AM.

 

C:\Windows\system32\Drivers\xvzoeczx.sys:

 

Same for this one.  Not in the drivers folder.  Did a C: search and it popped up as the only file. Ditto for attempting to open via virusscan.  This file says it was created yesterday at 8:17AM.

 

C:\Windows\system32\Drivers\ftltoiav.sys

 

Same for this one on everything.  This file says it was created at 7:58AM yesterday.

 

I went back and double-checked that I had the proper checkmarks (or lack thereof) in the View folder.  It was correct as per instructions.  I should not that yesterday morning was the first time when I began having problems.

[LiquidTension]

You can read about Windows Genuine Advantage here.
 
Lets put VirusTotal on hold. 
Please run the following. 

 
STEP 1
 aswMBR

• Please download aswMBR and save the file to your Desktop. 
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click aswMBR.exe and select  Run as administrator to run the programme.
• Click Yes when prompted to download avast! virus definitions. Wait until AVAST engine defs: ### appears. 
• If you are prompted to enable the use of "Virtualization Technology", click Yes.
• Click the AV Scan: drop down box and click C:\.
• Click Scan. 
• Upon completion, you will see Scan finished successfully. Click Save log. Save the log to your Desktop. 
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.

Note: Do NOT click Fix or FixMBR.
Note: A file (MBR.dat) will be created on your Desktop. Do NOT click or delete it.
 
 
STEP 2
 Malwarebytes Anti-Rootkit (MBAR)

• Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
• Double-click MBAR.exe to run the installer.
• Select a convenient location to extract the contents and click OK. Navigate to the location you selected.
• Right-Click MBAR.exe and select  Run as administrator to run the programme.
• Follow the prompts to update the programme and scan your computer. 
• Upon completion, click Cleanup and reboot your computer. 
• After the reboot, rerun the programme to verify no threats remain. If threats are still detected, click the Cleanup button once more. 
• Upon completion, two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder. 
   

======================================================
 
STEP 3
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• aswMBR log
• mbar-log.txt
• system-log.txt

[mlaw31]

All completed.  (Note: I did the MBAR scans with antivirus real time protection enabled as per instructions but not aswMBR).

 

aswMBR:

 

aswMBR version 1.0.1.2161 Copyright© 2014 AVAST Software
Run date: 2014-10-24 14:59:59
-----------------------------
14:59:59.571    OS Version: Windows x64 6.1.7601 Service Pack 1
14:59:59.571    Number of processors: 4 586 0x3C03
14:59:59.571    ComputerName: MARK-PC  UserName: Mark
14:59:59.930    Initialize success
14:59:59.930    VM: initialized successfully
14:59:59.945    VM: Intel CPU BiosDisabled
15:00:01.409    VM: supported disk I/O ataport.SYS
15:02:12.976    AVAST engine defs: 14102400
15:03:14.033    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:03:14.049    Disk 0 Vendor: INTEL_SSDSC2BW240A4 DC32 Size: 228936MB BusType: 11
15:03:14.049    Disk 0 MBR read successfully
15:03:14.064    Disk 0 MBR scan
15:03:14.064    Disk 0 Windows 7 default MBR code
15:03:14.080    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
15:03:14.080    Disk 0 default boot code
15:03:14.080    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       228834 MB offset 206848
15:03:14.095    Disk 0 scanning C:\Windows\system32\drivers
15:03:15.894    Service scanning
15:03:23.917    Modules scanning
15:03:23.933    Disk 0 trace - called modules:
15:03:23.933    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:03:23.949    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006fb6060]
15:03:23.949    3 CLASSPNP.SYS[fffff8800193943f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006db0060]
15:03:24.120    AVAST engine scan C:\
15:10:06.331    Disk 0 statistics 19672750/0/18 @ 67.43 MB/s
15:10:06.331    Scan finished successfully
15:10:17.591    Disk 0 MBR has been saved successfully to "C:\Users\Mark\Desktop\MBR.dat"
15:10:17.591    The log file has been saved successfully to "C:\Users\Mark\Desktop\aswMBR.txt"

 

MBARlog Txt (this is the second one...the first one was clean also):

 

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.10.24.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.17116
Mark :: MARK-PC [administrator]

10/24/2014 3:20:00 PM
mbar-log-2014-10-24 (15-20-00).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 316230
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

systemlog.txt:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.17116

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.491000 GHz
Memory total: 8456491008, free: 5700550656

=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.17116

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.491000 GHz
Memory total: 8456491008, free: 5759832064

Downloaded database version: v2014.10.24.08
Downloaded database version: v2014.10.22.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 9962CF7E

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

[LiquidTension]

Very good. 
Lets go back to VirusTotal. 

 

Using Windows Explorer, please navigate to C:\Windows\system32\Drivers. Locate the three files:

• C:\Windows\system32\Drivers\zkxvnegr.sys
• C:\Windows\system32\Drivers\xvzoeczx.sys
• C:\Windows\system32\Drivers\ftltoiav.sys

One at a time, right-click the file and click Copy. Navigate to your Desktop, right-click and click Paste. You should now have three copied files on your Desktop. Repeat the VirusTotal step, this time scanning the three files copied to your Desktop. 

 

Let me know how you get on.

[mlaw31]

zkxvnegr.sys
https://www.virustotal.com/en/file/466395e00d2652367e60bd98af386d80f7faa278ab549f06b4ee86ece9c4ec0d/analysis/1414180045/

xvzoeczx.sys
https://www.virustotal.com/en/file/466395e00d2652367e60bd98af386d80f7faa278ab549f06b4ee86ece9c4ec0d/analysis/1414180045/

 

ftltoiav.sys
https://www.virustotal.com/en/file/466395e00d2652367e60bd98af386d80f7faa278ab549f06b4ee86ece9c4ec0d/analysis/1414180045/

 

Is it odd that for all three the file name was "zkxvnegr.sys"?

[LiquidTension]

It's OK, I have my answer now. You can go ahead and delete the copied files on your Desktop. 
 
I'm going to use this opportunity to warn you about the dangers of running a registry cleaner. I can see you've run CCleaner's registry cleaner recently, and whilst the programme is good for clearing temp files, etc, the built-in registry cleaner should be avoided. 
 

Registry Cleaner Warning
 
------------------------------
 
I see you have registry cleaner software (CCleaner Registry Cleaner) installed on your computer. Registry cleaners and optimization tools that claim to speed up your computer should be avoided, and are potentially dangerous. By running a registry cleaner you risk rendering your machine unbootable. There is no statistical evidence to back claims that cleaning the registry will improve performance. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potential dangerous product.

• Some registry cleaners employ aggressive cleaning routines that may cause substantial damage to your system, and could render your machine unbootable.
• Not all registry cleaners backup the registry. When modifying the registry, one should always create a backup.
• The usefulness of cleaning one's registry is disputable; there is no statistical evidence to support the claim that cleaning the registry will improve system performance. 

Please refer to the following article on why you should not use registry cleaner software. I suggest reading why Microsoft does not support the use of registry cleaners as well.

 
Please provide an update on your computer after completing the steps below. Are there any outstanding issues?

STEP 1
 Farbar Recovery Scan Tool (FRST) Script

• Press the Windows Key  + r on your keyboard at the same time. Type Notepad and click OK.
• Copy the entire contents of the codebox below and paste into the Notepad document.
  

  startHKLM-x32\...\Run: [] => [X]Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No FileC:\Users\Mark\AppData\Local\Temp\{C93DD633-EF2A-4C96-B11A-9C92F36D82FA}.exeFolder: C:\Users\Mark\AppData\Roaming\QuickScanHKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\78888917.sys => ""="Driver"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\78888917.sys => ""="Driver"CMD: ipconfig /flushdnsEmptyTemp:end

• Click File, Save As and type fixlist.txt as the File Name. 
• Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Right-Click FRST64.exe and select  Run as administrator to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
   

STEP 2
 AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.
• Right-Click AdwCleaner.exe and select  Run as administrator to run the programme.
• Follow the prompts. 
• Click Scan. 
• Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean. 
• Follow the prompts and allow your computer to reboot. 
• After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 

STEP 3
 Junkware Removal Tool (JRT)

• Please download Junkware Removal Tool and save the file to your Desktop.
• Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Right-Click JRT.exe and select  Run as administrator to run the programme.
• Follow the prompts and allow the scan to run uninterrupted. 
• Upon completion, a log (JRT.txt) will open on your desktop.
• Re-enable your anti-virus software.
• Copy the contents of JRT.txt and paste in your next reply.
   

======================================================

STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• Fixlog.txt
• AdwCleaner[s0].txt
• JRT.txt
• How is your computer performing?

[mlaw31]

I did run CCleaner but only to remove temp files.  There were two reports for AdwCleaner one with an [R] and one with an which came up after reboot.

 

Nothing was found on AdwCleaner so I didn't have to review anything.

 

My computer is running perfectly.  No hangups or anything.  Being honest however, I'm now a little concerned about the files you had me check on virus total.  I also have Roguekiller (I downloaded that very early on in this saga).  Do you want me to run that?  I truly appreciate all of your help. - Mark

 

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-10-2014
Ran by Mark at 2014-10-24 16:43:25 Run:1
Running from E:\
Loaded Profile: Mark (Available profiles: Mark)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
C:\Users\Mark\AppData\Local\Temp\{C93DD633-EF2A-4C96-B11A-9C92F36D82FA}.exe
Folder: C:\Users\Mark\AppData\Roaming\QuickScan
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\78888917.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\78888917.sys => ""="Driver"
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
"HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" => Key not found.
"C:\Users\Mark\AppData\Local\Temp\{C93DD633-EF2A-4C96-B11A-9C92F36D82FA}.exe" => File/Directory not found.

========================= Folder: C:\Users\Mark\AppData\Roaming\QuickScan ========================

2014-10-23 11:18 - 2014-10-23 11:18 - 0022221 _____ () C:\Users\Mark\AppData\Roaming\QuickScan\Report 2014-10-23 11.18.16.txt

====== End of Folder: ======

"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\78888917.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\78888917.sys" => Key deleted successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 244.2 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====

 

AdwCleaner[s0].txt:

 

# AdwCleaner v4.001 - Report created 24/10/2014 at 16:49:54
# DB v2014-10-23.2
# Updated 20/10/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Mark - MARK-PC
# Running from : C:\Users\Mark\Desktop\AdwCleaner.exe
# Option : Clean

 

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17116

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [1068 octets] - [23/10/2014 11:32:02]
AdwCleaner[R1].txt - [912 octets] - [23/10/2014 11:58:30]
AdwCleaner[R2].txt - [960 octets] - [24/10/2014 16:47:52]
AdwCleaner[s0].txt - [1127 octets] - [23/10/2014 11:36:39]
AdwCleaner[s1].txt - [965 octets] - [23/10/2014 11:59:23]
AdwCleaner[s2].txt - [875 octets] - [24/10/2014 16:49:54]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [934 octets] ##########

 

JRT.txt

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Professional x64
Ran by Mark on Fri 10/24/2014 at 16:54:10.80
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/24/2014 at 16:55:27.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[LiquidTension]

Hi Mark
 

I did run CCleaner but only to remove temp files. 

OK, no problem then.
 

Being honest however, I'm now a little concerned about the files you had me check on virus total.

There's no need. They are legitimate Microsoft files used for malware protection. 
The random name (the reason for checking) is to make it harder for malware to block the files from running. 

 

Product Microsoft Malware Protection
Original name BTR.sys
Internal name BootTimeRemoval

 

I also have Roguekiller (I downloaded that very early on in this saga).  Do you want me to run that?

No thank you, there's no need. 

 

Lets check for remnants and confirm your machine appears free of malware.
 
STEP 1
 Malwarebytes Anti-Malware (MBAM)

• Open Malwarebytes Anti-Malware and click Update Now.
• Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
• Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
• Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
• If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
• Upon completion of the scan (or after the reboot), click the History tab.
• Click Application Logs and double-click the Scan Log.
• Click Copy to Clipboard and paste the log in your next reply. 
   

STEP 2
 ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

• Please download ESET Online Scan and save the file to your Desktop.
• Temporarily disable your anti-virus software. For instructions, please refer to the following link.
• Double-click esetsmartinstaller_enu.exe to run the programme. 
• Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
• Agree to the Terms of Use once more and click Start. Allow components to download.
• Place a checkmark next to Enable detection of potentially unwanted applications.
• Click Hide advanced settings. Place a checkmark next to:
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Ensure Remove found threats is unchecked.
• Click Start.
• Wait for the scan to finish. Please be patient as this can take some time.
• Upon completion, click . If no threats were found, skip the next two bullet points. 
• Click Export to text file... and save the file to your Desktop, naming it something such as "MyEsetScan".
• Push the Back button.
• Place a checkmark next to  and click Finish.
• Re-enable your anti-virus software.
• Copy the contents of the log and paste in your next reply.
   

STEP 3
 Farbar Service Scanner (FSS)

• Please download FSS and save the file to your Desktop.
• Right-Click FSS.exe and select Run as administrator to run the programme.
• Ensure the following items are checked:
  • .
  • .
  • .
  • .
  • .
  • .
• Click Scan.
• A log (FSS.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.
   

======================================================
 
STEP 4
 Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

• MBAM Scan log
• ESET Online Scan log
• FSS.txt

[mlaw31]

Good morning Adam:  all scans seem to have been clear.  ESET did not generate a report that could be saved.  Nothing was found and I wasn't prompted with "export to text file".  Will try again here in a few...

 

MBAM:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/27/2014
Scan Time: 7:36:59 AM
Logfile: MBAM Scan Log.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.27.02
Rootkit Database: v2014.10.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Mark

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316395
Time Elapsed: 4 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

FSS:

 

 

Farbar Service Scanner Version: 21-07-2014
Ran by Mark (administrator) on 27-10-2014 at 07:59:30
Running from "C:\Users\Mark\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

[LiquidTension]

Hi Mark, 
 
All looks good. No ESET log required if the scan was clean. 
 
Now for the good news. 
 
All Clean!
Congratulations, your computer appears clean! 
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful. 
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation. 
 
 
STEP 1
 ComboFix Uninstall

• Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:
  

  ComboFix /Uninstall

• Click OK.
• Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.
   

STEP 2
 DelFix

• Please download DelFix and save the file to your Desktop.
• Double-click DelFix.exe to run the programme.
• Place a checkmark next to the following items:
  • Activate UAC
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore
  • Reset system settings
• Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

• Answers to common security questions - Best Practices by quietman7, MVP
• How Malware Spreads - How did I get infected? by quietman7, MVP
• Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
• How to Prevent Malware by miekiemoes, MVP
• How to backup and restore your data using Cobian Backup by YourHighness
• Slow Computer/browser? It May Not Be Malware by quietman7, MVP
   

The following programmes come highly recommended in the security community.

•  AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
• CryptoPrevent places policy restrictions on loading points for ransomware (eg.CryptoPrevent), preventing your files from being encrypted.
•  Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
•  Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
•  NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
•  Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
•  Secuina PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
•  SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
•  Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing.     
Adam (LiquidTension).

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!