TechSpot

Need help...embedded 'updateflashplayer.exe' trojan virus

By Mark O
Sep 6, 2014
  1. We opened the wrong email....Delta tickets attached! Immediately got an embedded virus, 'updateflashplayer.exe' Trojan. I started the process of following the TechSpot forum instructions.
    Here are the logs from MBAM and DDS. I have Security Essentials as antivirus protection and only now loaded MBAM premium...for real time malware protection going forward. Windows 7 Pro, 32bit laptop.
    Can you help me finish cleaning this machine??

    Version: 2.00.2.1012
    Malware Database: v2014.09.06.06
    Rootkit Database: v2014.08.21.01
    License: Premium
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled
    OS: Windows 7 Service Pack 1
    CPU: x86
    File System: NTFS
    User: AnyUser
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 279195
    Time Elapsed: 7 min, 50 sec
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    Processes: 1
    Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, 3848, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
    Modules: 0
    (No malicious items detected)
    Registry Keys: 1
    PUP.Optional.WeDownLoadManager.A, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WEDLMNGR, Quarantined, [d7c205c4d4a76ec8119f738822e01de3],
    Registry Values: 1
    Trojan.Zbot, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ymsedielamb, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Quarantined, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
    Registry Data: 0
    (No malicious items detected)
    Folders: 0
    (No malicious items detected)
    Files: 5
    Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e],
    Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Alpebyc\ibfuu.exe, Quarantined, [12872f9a4635cb6b987dbefa01008d73],
    Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96952c1b.exe, Quarantined, [5c3d6a5fceadc76f44d1962203fef50b],
    Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d3c7bcbb.exe, Quarantined, [ebae5376e19a9d99f61f9226669ba55b],
    Trojan.Agent.MP, C:\Users\AnyUser\AppData\Local\butiqvll.exe, Quarantined, [46533297fa81f73f122bedf8ca3a60a0],
    Physical Sectors: 0
    (No malicious items detected)

    (end)


    DDS scan
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 11.0.9600.17239
    Run by AnyUser at 12:09:14 on 2014-09-06
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.2017 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\DTS.exe
    C:\Windows\system32\ibmpmsvc.exe
    C:\Windows\system32\AtService.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Memeo\AutoSync\MemeoAutoSync.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://www.google.com/
    uSearch Bar = Preserve
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [HP Officejet Pro 8610 (NET)] "c:\program files\hp\hp officejet pro 8610\bin\ScanToPCActivationApp.exe" -deviceID "CN41BBK12X:NW" -scfn "HP Officejet Pro 8610 (NET)" -AutoStart 1
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
    mRun: [FingerPrintSoftwareSplashScreen] "c:\program files\lenovo fingerprint software\splashscreen.exe" \s
    mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe"
    mRun: [Memeo AutoSync] c:\program files\memeo\autosync\MemeoLauncher2.exe --silent
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: DisallowCpl = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: DisableCAD = dword:1
    IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print\SmartPrintSetup.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1388550385823
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{F5FB515C-88C4-40A8-A8E0-D729B3C3D357} : DHCPNameServer = 192.168.1.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.103\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
    R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-5-31 1824584]
    R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-5-31 98304]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-9-5 1809720]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-9-5 860472]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2014-3-15 2058776]
    R3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2011-5-31 659968]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-8-22 225408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-9-5 23256]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-9-5 110296]
    R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
    S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-5-31 106496]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-14 108032]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-9-5 51928]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-6-18 104264]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-1-4 14848]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-14 49152]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-10-18 1343400]
    .
    =============== Created Last 30 ================
    .
    2014-09-06 16:24:31 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2014-09-06 16:24:31 -------- d-----w- c:\programdata\RogueKiller
    2014-09-05 23:46:36 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-05 23:46:21 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-09-05 23:46:21 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-09-05 23:46:21 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-09-05 23:46:20 -------- d-----w- c:\programdata\Malwarebytes
    2014-09-05 23:46:20 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-09-05 10:17:44 237 ----a-w- c:\programdata\microsoft\microsoft antimalware\localcopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
    2014-09-05 10:16:10 -------- d-----w- c:\users\anyuser\appdata\roaming\Alpebyc
    2014-09-05 09:57:58 -------- d-----w- c:\users\anyuser\appdata\roaming\Ihexdoe
    2014-09-05 04:15:34 280064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzppw71.dll
    2014-09-04 11:31:22 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4cabbce6-e73b-4acb-b060-dff64cb7fc07}\mpengine.dll
    2014-09-03 11:29:47 8581864 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2014-08-29 11:30:34 893248 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a53b23e6-d90f-41c5-8cd2-bc028b31e215}\gapaengine.dll
    2014-08-27 19:27:47 2352640 ----a-w- c:\windows\system32\win32k.sys
    2014-08-27 19:27:46 305152 ----a-w- c:\windows\system32\gdi32.dll
    2014-08-27 14:55:41 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
    2014-08-27 14:16:02 -------- d-----w- c:\windows\system32\appmgmt
    2014-08-18 22:29:03 2425856 ----a-w- c:\windows\system32\wucltux.dll
    2014-08-18 22:28:27 92672 ----a-w- c:\windows\system32\wudriver.dll
    2014-08-18 22:27:32 33792 ----a-w- c:\windows\system32\wuapp.exe
    2014-08-18 22:27:32 179656 ----a-w- c:\windows\system32\wuwebv.dll
    2014-08-15 11:09:55 99480 ----a-w- c:\windows\system32\infocardapi.dll
    2014-08-15 11:09:49 8856 ----a-w- c:\windows\system32\icardres.dll
    2014-08-15 11:09:38 619672 ----a-w- c:\windows\system32\icardagt.exe
    2014-08-15 11:09:29 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
    .
    ==================== Find3M ====================
    .
    2014-07-25 13:04:40 2724864 ----a-w- c:\windows\system32\mshtml.tlb
    2014-07-25 13:03:54 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
    2014-07-25 12:34:49 61952 ----a-w- c:\windows\system32\iesetup.dll
    2014-07-25 12:34:03 455168 ----a-w- c:\windows\system32\vbscript.dll
    2014-07-25 12:33:08 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
    2014-07-25 12:30:32 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
    2014-07-25 12:10:15 112128 ----a-w- c:\windows\system32\ieUnatt.exe
    2014-07-25 12:10:12 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
    2014-07-25 12:08:47 597504 ----a-w- c:\windows\system32\jscript9diag.dll
    2014-07-25 12:06:47 4204032 ----a-w- c:\windows\system32\jscript9.dll
    2014-07-25 11:59:29 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
    2014-07-25 11:43:16 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
    2014-07-25 11:07:49 2001920 ----a-w- c:\windows\system32\inetcpl.cpl
    2014-07-25 11:07:10 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
    2014-07-25 10:05:23 1792512 ----a-w- c:\windows\system32\wininet.dll
    2014-07-16 02:46:02 2048 ----a-w- c:\windows\system32\tzres.dll
    2014-07-14 01:42:02 654336 ----a-w- c:\windows\system32\rpcrt4.dll
    2014-07-09 02:59:14 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-07-09 02:59:14 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
    2014-06-16 01:44:49 730048 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2014-06-16 01:44:49 219072 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2014-06-16 01:40:20 107520 ----a-w- c:\windows\system32\cdd.dll
    .
    ============= FINISH: 12:09:46.87 ===============

    I will post DDS 'attach' report if you need it.

    Thank you!
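As an added example (not code from the thread, nor from Malwarebytes or TechSpot), here is a small Python parser for the record layout in the MBAM log above. It reads the posted detection lines, groups them by category, lists what is still pending a reboot, and joins the Run-key value to the process and file records for the same path, which is the persistence chain a helper would want to confirm is gone after the reboot. The record layout (category, location, optional PID or value data, action, bracketed token) is inferred from the posted lines, and reading the bracketed token as a per-detection identifier is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the Malwarebytes Anti-Malware 2.x threat-scan log posted in the
# thread; only the detection sections are kept.
MBAM_LOG = r"""
Processes: 1
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, 3848, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Modules: 0
(No malicious items detected)
Registry Keys: 1
PUP.Optional.WeDownLoadManager.A, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\WEDLMNGR, Quarantined, [d7c205c4d4a76ec8119f738822e01de3],
Registry Values: 1
Trojan.Zbot, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ymsedielamb, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Quarantined, [a6f3d6f3d2a9a690f71e8f2926dbf20e]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 5
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Ihexdoe\erqyhaq.exe, Delete-on-Reboot, [a6f3d6f3d2a9a690f71e8f2926dbf20e],
Trojan.Zbot, C:\Users\AnyUser\AppData\Roaming\Alpebyc\ibfuu.exe, Quarantined, [12872f9a4635cb6b987dbefa01008d73],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96952c1b.exe, Quarantined, [5c3d6a5fceadc76f44d1962203fef50b],
Trojan.Zbot, C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d3c7bcbb.exe, Quarantined, [ebae5376e19a9d99f61f9226669ba55b],
Trojan.Agent.MP, C:\Users\AnyUser\AppData\Local\butiqvll.exe, Quarantined, [46533297fa81f73f122bedf8ca3a60a0],
Physical Sectors: 0
(No malicious items detected)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# MBAM closes every record with a bracketed hex token; treating it as a
# per-detection identifier is an assumption, not documented behaviour.
TOKEN_RE = re.compile(r"^\[([0-9a-f]+)\]$")


@dataclass
class Finding:
    section: str                 # log section: Processes, Registry Values, Files, ...
    category: str                # detection name, e.g. Trojan.Zbot
    location: str                # file path or registry key
    action: str                  # Quarantined, Delete-on-Reboot, ...
    token: str                   # bracketed token from the end of the record
    value_name: Optional[str] = None                # registry value name (Registry Values only)
    extra: List[str] = field(default_factory=list)  # PID (Processes) or value data (Registry Values)


def parse_mbam_log(text: str) -> List[Finding]:
    """Turn the section/record layout of an MBAM threat-scan log into Finding objects."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip().rstrip(",").strip()
        if not line or line.startswith("("):      # blank, "(No malicious items detected)", "(end)"
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        parts = [p.strip() for p in line.split(", ")]
        token = TOKEN_RE.match(parts[-1]) if len(parts) >= 4 else None
        if section is None or token is None:
            continue                                # not a detection record
        location, value_name = parts[1], None
        if section == "Registry Values" and "|" in location:
            location, value_name = location.rsplit("|", 1)   # key|valuename
        findings.append(Finding(section, parts[0], location, parts[-2],
                                token.group(1), value_name, parts[2:-2]))
    return findings


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def pending_reboot(findings: List[Finding]) -> List[str]:
    """Items MBAM could not remove live; they stay on disk until the reboot happens."""
    return sorted({f.location for f in findings if f.action == "Delete-on-Reboot"})


def autorun_persistence(findings: List[Finding]) -> List[dict]:
    """Run-key values and what they launch, joined to the file/process records for the
    same path. A Run value pointing under AppData is the pattern to re-check after cleanup."""
    results = []
    for f in findings:
        if f.section != "Registry Values" or not f.location.upper().endswith(r"\CURRENTVERSION\RUN"):
            continue
        target = f.extra[0] if f.extra else ""
        related = [g for g in findings if g is not f and g.location.lower() == target.lower()]
        results.append({
            "value_name": f.value_name,
            "target": target,
            "in_user_profile": "\\appdata\\" in target.lower(),
            "related_sections": sorted({g.section for g in related}),
            "same_token": all(g.token == f.token for g in related),
        })
    return results


if __name__ == "__main__":
    found = parse_mbam_log(MBAM_LOG)
    print(count_by_category(found), autorun_persistence(found), pending_reboot(found))
```

Run it against a full MBAM log by replacing `MBAM_LOG` with the file contents; the header lines (Version, Scan Type, and so on) are skipped because they never end in a bracketed token.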
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard


    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================

    I still need the Attach.txt log from DDS.

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    Create a new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on downloaded file. OK self extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • In the following screen, click "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
     
  3. Mark O

    Mark O TS Rookie Topic Starter

    Hi Broni, while many may follow the steps of similar virus infections, I'm grateful to have your eyes on the logs as we clean my machine. MANY THANKS!
    Logs to follow; DDS attach text,

    Separate post Rogue killer log, MBAR scan log, MBAR system log,

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/6/2013 8:35:01 PM
    System Uptime: 9/6/2014 11:58:01 AM (1 hours ago)
    .
    Motherboard: LENOVO | | 7417TPU
    Processor: Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz | None | 793/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 233 GiB total, 177.815 GiB free.
    D: is CDROM ()
    G: is CDROM ()
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP95: 8/4/2014 5:50:02 PM - Windows Update
    RP96: 8/8/2014 5:50:03 PM - Windows Update
    RP97: 8/12/2014 10:29:51 AM - Windows Update
    RP98: 8/15/2014 6:00:15 AM - Windows Update
    RP99: 8/18/2014 6:48:39 AM - Windows Update
    RP100: 8/18/2014 5:27:17 PM - Windows Update
    RP101: 8/20/2014 11:09:51 PM - Installed HP Update.
    RP102: 8/20/2014 11:17:09 PM - Windows Update
    RP103: 8/23/2014 11:37:21 PM - Windows Update
    RP104: 8/27/2014 9:11:40 AM - Removed HP Update.
    RP105: 8/27/2014 9:13:54 AM - Removed HP Officejet Pro 8600 Help
    RP106: 8/27/2014 9:16:14 AM - Removed HP FWUpdateEDO2
    RP107: 8/27/2014 9:17:47 AM - Removed HP Officejet Pro 8600 Basic Device Software
    RP108: 8/28/2014 6:00:18 AM - Windows Update
    RP109: 8/31/2014 6:30:13 AM - Windows Update
    RP110: 9/4/2014 6:30:22 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat 9 Standard - English, Français, Deutsch
    Adobe Acrobat 9.5.5 - CPSID_83708
    Adobe Flash Player 14 ActiveX
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 6
    Belarc Advisor 8.4
    Bonjour
    Conexant 20561 SmartAudio HD
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Google Chrome
    Google Update Helper
    HP Officejet Pro 8610 Basic Device Software
    HP Officejet Pro 8610 Help
    HP Photosmart Plus B210 series Basic Device Software
    HP Update
    I.R.I.S. OCR
    Intel(R) Management Engine Interface
    Intel(R) Network Connections Drivers
    Intel® Active Management Technology
    Internet Explorer (Enable DEP)
    iTunes
    Lenovo Fingerprint Software
    Lenovo Power Management Driver
    Malwarebytes Anti-Malware version 2.0.2.1012
    Memeo AutoSync
    Microsoft .NET Framework 4.5.1
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Quicken 2009
    Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
    Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
    Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
    ThinkPad UltraNav Driver
    Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
    Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition
    Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
    Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
    Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2687502) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
    Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
    Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
    Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
    Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
    Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition
    VirtualCloneDrive
    Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (07/02/2010 8.6.0.29)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/6/2014 8:11:58 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    9/6/2014 12:08:47 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    9/6/2014 11:57:21 AM, Error: Service Control Manager [7016] - The Data Transfer Service service has reported an invalid current state 0.
    9/5/2014 6:52:46 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    9/5/2014 6:51:06 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
    9/5/2014 6:51:06 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
    9/5/2014 6:50:45 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_cac9cd10.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Program Files\Malwarebytes Anti-Malware\mbam.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/5/2014 5:14:14 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_4bcf51fe.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/5/2014 5:01:41 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    9/5/2014 4:54:15 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8d8c67e7.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/5/2014 3:12:26 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_df117291.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/5/2014 12:55:39 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_65cae4d6.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/5/2014 12:11:10 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.183.1609.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10904.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    9/5/2014 1:17:19 AM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5f489339.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:49:07 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_9167203a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_b5a34405.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_fbf225c6.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:47:27 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_440efd2e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_737fd14a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_b5a34405.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ce3d5bc2.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:46:36 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_737fd14a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ce3d5bc2.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_e9b46306.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:44:57 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_36513fbb.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_c99239f1.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_e9b46306.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f19d4651.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:44:01 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_36513fbb.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_bb5f6b36.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f19d4651.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:41:17 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_7f8b7604.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_a279f738.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_a6c94414.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ad86090f.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:40:20 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_2773afd3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_a279f738.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ad86090f.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:38:31 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1fb97d2f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_3422c7e3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_e07e3e3d.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:36:30 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1eba4797.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_371f6b0d.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ab66311e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_fa76eb19.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:35:36 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_96f43081.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ab66311e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_fa76eb19.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:32:41 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_3385f804.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5e03b623.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_766f248a.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f9e39eb5.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:31:39 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_05f2c269.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5e03b623.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_658693d3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_f9e39eb5.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:30:35 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_05f2c269.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_658693d3.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ea75df98.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:28:33 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_0daafe07.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_90be82aa.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_b490557e.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:26:32 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_0aa33d94.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1867fe2e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_256ddab7.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_2ea37fc9.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:25:29 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_256ddab7.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_2ea37fc9.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_307b1001.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:23:28 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_0af56a1c.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_91f53db1.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_924ae955.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:21:24 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_1e145d0e.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_35819d89.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_bdd7a032.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d18ba42c.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:20:22 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5567c87b.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8cf7a37f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_bdd7a032.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_d18ba42c.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:19:18 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_5567c87b.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8cf7a37f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_c09b6559.exe Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 9:18:20 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Zbot.gen!plock&threatid=2147685017 Name: PWS:Win32/Zbot.gen!plock ID: 2147685017 Severity: Severe Category: Password Stealer Path: file:_C:\Users\AnyUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6WSSC0R\exe[1].exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_128dc180.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_8cf7a37f.exe;file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_c09b6559.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\explorer.exe Action: Quarantine Action Status: No additional actions required Error Code: 0x80070490 Error description: Element not found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 11:17:07 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_7d258362.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 11:16:56 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_ebb5be62.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    9/4/2014 11:13:18 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/Rovnix&threatid=2147686717 Name: Virus:DOS/Rovnix ID: 2147686717 Severity: Severe Category: Virus Path: file:_C:\Users\AnyUser\AppData\Local\Temp\UpdateFlashPlayer_62502206.exe Detection Origin: Local machine Detection Type: Dynamic Signature Detection Source: Real-Time Protection User: NT AUTHORITY\SYSTEM Process Name: C:\Windows\System32\svchost.exe Action: Clean Action Status: No additional actions required Error Code: 0x8007007f Error description: The specified procedure could not be found. Signature Version: AV: 1.183.1609.0, AS: 1.183.1609.0, NIS: 112.5.0.0 Engine Version: AM: 1.1.10904.0, NIS: 2.1.10903.0
    .
    ==== End Of File ===========================
     
  4. Mark O

    Mark O TS Rookie Topic Starter

    RogueKiller log,

    RogueKiller V9.2.9.0 [Jul 11 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : https://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : AnyUser [Admin rights]
    Mode : Remove -- Date : 09/06/2014 14:41:12
    ¤¤¤ Bad processes : 1 ¤¤¤
    [Proc.Hidden] -- [x] -> KILLED [TermThr]
    ¤¤¤ Registry Entries : 5 ¤¤¤
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mbr -> NOT SELECTED
    [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mbr -> NOT SELECTED
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-1311731379-2688022510-2026161381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> NOT SELECTED
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
    ¤¤¤ Scheduled tasks : 0 ¤¤¤
    ¤¤¤ Files : 0 ¤¤¤
    ¤¤¤ HOSTS File : 0 ¤¤¤
    ¤¤¤ Antirootkit : 1 (Driver: LOADED) ¤¤¤
    [Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\drivers\1394ohci.sys)
    ¤¤¤ Web browsers : 0 ¤¤¤
    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: WDC WD2500BEVT-00A0RT0 ATA Device +++++
    --- User ---
    [MBR] c318f86380f1c48d8d64165e4ec071b1
    [BSP] 152eb3cb729760bdcd81c1fa45dd5d79 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB
    User = LL1 ... OK
    User = LL2 ... OK
    +++++ PhysicalDrive1: Kingston DataTraveler 2.0 USB Device +++++
    --- User ---
    [MBR] 01aa0771c122f52fec7e68de6c222831
    [BSP] 4db0cdb66c479bd3e15b2ab904c90d55 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT16-LBA (0xe) [VISIBLE] Offset (sectors): 32 | Size: 489 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    ============================================
    RKreport_DEL_09062014_113241.log - RKreport_DEL_09062014_114200.log - RKreport_SCN_09062014_113133.log - RKreport_SCN_09062014_113847.log
    RKreport_SCN_09062014_143857.log

    MBAR SCAN,

    Malwarebytes Anti-Rootkit BETA 1.07.0.1012
    www.malwarebytes.org
    Database version: v2014.09.06.07
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 11.0.9600.17239
    AnyUser :: ANYUSER-PC [administrator]
    9/6/2014 2:53:12 PM
    mbar-log-2014-09-06 (14-53-12).txt
    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 279199
    Time elapsed: 8 minute(s), 39 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    Physical Sectors Detected: 0
    (No malicious items detected)
    (end)



    MBAR System,


    Disk Size: 250059350016 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
    Done!
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: A58EAC95
    Partition information:
    Partition 0 type is Other (0xe)
    Partition is ACTIVE.
    Partition starts at LBA: 32 Numsec = 1003488
    Partition file system is FAT
    Partition is not bootable
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 513802240 bytes
    Sector size: 512 bytes
    Done!
    Scan finished
    =======================================

    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-1-0-32-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
    Removal finished
     
  5. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
      If the connection is not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart the computer in safe mode.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done, Notepad will open with the rKill.txt log.
    NOTE. The rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  6. Mark O

    Mark O TS Rookie Topic Starter

    Combofix log,

    ComboFix 14-09-05.01 - AnyUser 09/06/2014 15:44:42.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.1369 [GMT -5:00]
    Running from: c:\users\AnyUser\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
    SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\AnyUser\Documents\DPE.DUS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-08-06 to 2014-09-06 )))))))))))))))))))))))))))))))
    .
    .
    2014-09-06 20:50 . 2014-09-06 20:50 -------- d-----w- c:\users\AnyUser\AppData\Local\temp
    2014-09-06 20:50 . 2014-09-06 20:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-09-06 19:53 . 2014-09-06 20:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-09-06 19:32 . 2014-09-06 19:32 39464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F81B5A5A-B665-4030-9E09-19AB35F4B5F8}\MpKsldc39dd24.sys
    2014-09-06 17:10 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F81B5A5A-B665-4030-9E09-19AB35F4B5F8}\mpengine.dll
    2014-09-06 16:24 . 2014-09-06 19:32 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
    2014-09-05 23:46 . 2014-09-06 17:19 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-05 23:46 . 2014-09-06 19:52 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-09-05 23:46 . 2014-05-12 13:19 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-09-05 23:46 . 2014-05-12 13:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
    2014-09-05 10:17 . 2014-09-05 10:17 237 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
    2014-09-05 10:16 . 2014-09-06 16:57 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Alpebyc
    2014-09-05 09:57 . 2014-09-06 16:58 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Ihexdoe
    2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
    2014-09-05 04:15 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
    2014-09-03 11:29 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2014-08-29 11:30 . 2014-08-20 11:48 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A53B23E6-D90F-41C5-8CD2-BC028B31E215}\gapaengine.dll
    2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
    2014-08-27 19:27 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
    2014-08-27 14:56 . 2014-08-27 14:56 -------- d-----w- c:\program files\Hewlett-Packard
    2014-08-27 14:55 . 2014-07-21 20:33 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
    2014-08-18 22:29 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
    2014-08-18 22:29 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
    2014-08-18 22:29 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
    2014-08-18 22:29 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
    2014-08-18 22:28 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
    2014-08-18 22:28 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
    2014-08-18 22:28 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
    2014-08-18 22:27 . 2014-05-14 14:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
    2014-08-18 22:27 . 2014-05-14 14:17 33792 ----a-w- c:\windows\system32\wuapp.exe
    2014-08-15 11:09 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
    2014-08-15 11:09 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
    2014-08-15 11:09 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
    2014-08-15 11:09 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-08-20 11:48 . 2014-01-04 21:24 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2014-07-09 02:59 . 2013-10-18 18:27 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-07-09 02:59 . 2013-10-18 18:27 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-06-18 01:51 . 2014-07-09 00:22 646144 ----a-w- c:\windows\system32\osk.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
    "FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 171288]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 172824]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
    "Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
    "Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-10-19 280576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowCpl"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 hbifodwl;hbifodwl;c:\windows\system32\drivers\hbifodwl.sys [x]
    R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-05-31 106496]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-07-25 108032]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-18 1343400]
    S1 MpKsldc39dd24;MpKsldc39dd24;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F81B5A5A-B665-4030-9E09-19AB35F4B5F8}\MpKsldc39dd24.sys [2014-09-06 39464]
    S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-05-31 1824584]
    S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-05-31 98304]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-02-04 2058776]
    S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2011-06-01 659968]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-06 110296]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-16 6114816]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    *NewlyCreated* - MPKSLDC39DD24
    *Deregistered* - TrueSight
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-09-03 23:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-18 02:59]
    .
    2014-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
    .
    2014-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: harrisbank.com\www4
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-09-06 15:52:55
    ComboFix-quarantined-files.txt 2014-09-06 20:52
    .
    Pre-Run: 191,291,088,896 bytes free
    Post-Run: 191,870,406,656 bytes free
    .
    - - End Of File - - C7EFBF688038EB7B6AB5D029386C9730
    A36C5E4F47E84449FF07ED3517B43A31
     
  7. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    c:\users\AnyUser\AppData\Roaming\Ihexdoe
    c:\users\AnyUser\AppData\Roaming\Alpebyc
    
    Driver::
    hbifodwl
    
    Registry::
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
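    The three entries in Broni's CFScript (the Ihexdoe and Alpebyc folders under AppData\Roaming and the hbifodwl driver) were picked out by hand from the ComboFix log two posts up. The Python below is an added example, not part of this thread or of ComboFix, that pulls the same kind of candidates out of a constructed excerpt of that log with two heuristics: a directory created directly under a user's AppData\Roaming inside the infection window (assumed here to be 4-5 September 2014, the dates the thread gives for the bad e-mail), and an R/S service entry whose image is reported missing (`[x]`, which I take to be ComboFix's marker for a file that is no longer on disk) and whose description is nothing more than the service name repeated. The regexes, the window and the excerpt are mine; the section and record layouts follow the log as posted.

```python
"""Triage helper for a ComboFix log: pulls out the two kinds of entries that
ended up in the CFScript in this thread (fresh folders under AppData\\Roaming
and a driver whose file is gone) and renders them in CFScript layout.
Everything here is heuristic; a person still has to vet each candidate."""
import re
from datetime import datetime

# "Files Created" line: <created> . <modified> <size|--------> <attrs> <path>
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)
# Service/driver line: <R|S><digit> <name>;<description>;<image path> [<date size>|x]
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
# A directory sitting directly under a user's AppData\Roaming
ROAMING_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+$", re.I)
TS = "%Y-%m-%d %H:%M"

# Constructed excerpt modelled on the ComboFix log posted above (assumption: the
# real log is far longer; only lines relevant to the two heuristics are kept).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2014-08-06 to 2014-09-06 )))))))))))))))))))))))))))))))
.
2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
2014-09-05 10:16 . 2014-09-06 16:57 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Alpebyc
2014-09-05 09:57 . 2014-09-06 16:58 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Ihexdoe
2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
.
R1 hbifodwl;hbifodwl;c:\windows\system32\drivers\hbifodwl.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
"""


def parse_log(text):
    """Split a ComboFix log into 'Files Created' records and service/driver records."""
    created, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            created.append({
                "created": datetime.strptime(m.group(1), TS),
                "modified": datetime.strptime(m.group(2), TS),
                "size": m.group(3),          # "--------" for directories
                "attrs": m.group(4),         # e.g. d-----w- / ----a-w-
                "path": m.group(5),
            })
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({
                "start": m.group(1) + m.group(2),   # R1, S3, ...
                "name": m.group(3),
                "description": m.group(4),
                "image": m.group(5),
                "detail": m.group(6),               # "YYYY-MM-DD size" or "x"
            })
    return created, services


def suspicious_folders(created, window_start, window_end):
    """Directories created directly under AppData\\Roaming inside the infection window."""
    lo, hi = datetime.strptime(window_start, TS), datetime.strptime(window_end, TS)
    return [e["path"] for e in created
            if e["attrs"].startswith("d")
            and ROAMING_RE.match(e["path"])
            and lo <= e["created"] <= hi]


def suspicious_drivers(services):
    """Entries whose image is missing ([x]) and whose description merely repeats the name."""
    return [s["name"] for s in services
            if s["detail"] == "x" and s["description"] == s["name"]]


def build_cfscript(folders, drivers):
    """Render candidates in the CFScript section layout used in the thread."""
    lines = ["File::", "", "Folder::", *folders, "", "Driver::", *drivers, "",
             "Registry::", "", "ClearJavaCache::", ""]
    return "\n".join(lines)


def triage(text, window_start, window_end):
    created, services = parse_log(text)
    return {"folders": suspicious_folders(created, window_start, window_end),
            "drivers": suspicious_drivers(services)}


if __name__ == "__main__":
    # The bad e-mail was opened on 4-5 September 2014 per the thread; that is the window.
    hits = triage(SAMPLE_LOG, "2014-09-04 00:00", "2014-09-05 23:59")
    print(build_cfscript(hits["folders"], hits["drivers"]))
```

    Running it prints the candidates in CFScript layout. Both rules are deliberately narrow, so legitimate software that also creates a folder under Roaming during the window will be listed too, and anything flagged still has to be checked against the other logs (MBAM, RogueKiller) before it goes into a script.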
     
  8. Mark O

    Mark O TS Rookie Topic Starter

    Hi Broni,
    Unless specifically instructed to disconnect this machine from the internet, I assume I am to leave it connected.

    Also, between my last post of 3:55pm Sat and your post of 2:17pm today, Sunday, MBAM blocked a registry event. Now quarantined in MBAM. Here is the log for that.
    Malwarebytes Anti-Malware
    www.malwarebytes.org
    Scan Date: 9/7/2014
    Scan Time: 2:27:13 AM
    Logfile:
    Administrator: Yes
    Version: 2.00.2.1012
    Malware Database: v2014.09.07.01
    Rootkit Database: v2014.08.21.01
    License: Premium
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled
    OS: Windows 7 Service Pack 1
    CPU: x86
    File System: NTFS
    User: AnyUser
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 288752
    Time Elapsed: 6 min, 4 sec
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    Processes: 0
    (No malicious items detected)
    Modules: 0
    (No malicious items detected)
    Registry Keys: 0
    (No malicious items detected)
    Registry Values: 1
    Malware.Trace, HKU\S-1-5-21-1311731379-2688022510-2026161381-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWCPL|1, @biocpl.dll,-1, Quarantined, [c30a7e6ca6d55dd951309ff8996a57a9]
    Registry Data: 0
    (No malicious items detected)
    Folders: 0
    (No malicious items detected)
    Files: 0
    (No malicious items detected)
    Physical Sectors: 0
    (No malicious items detected)

    (end)

    Here is the current Combofix log,

    ComboFix 14-09-05.01 - AnyUser 09/07/2014 17:52:18.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.1981 [GMT -5:00]
    Running from: c:\users\AnyUser\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
    SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-08-07 to 2014-09-07 )))))))))))))))))))))))))))))))
    .
    .
    2014-09-07 23:00 . 2014-09-07 23:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-09-07 07:08 . 2014-09-07 07:08 62576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\offreg.dll
    2014-09-07 07:08 . 2014-09-07 07:08 39464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\MpKsl686f8e44.sys
    2014-09-07 07:06 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\mpengine.dll
    2014-09-06 23:02 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2014-09-06 20:52 . 2014-09-07 23:00 -------- d-----w- c:\users\AnyUser\AppData\Local\temp
    2014-09-06 19:53 . 2014-09-06 20:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-09-06 16:24 . 2014-09-06 19:32 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
    2014-09-05 23:46 . 2014-09-07 19:30 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-05 23:46 . 2014-09-06 19:52 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-09-05 23:46 . 2014-05-12 13:19 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-09-05 23:46 . 2014-05-12 13:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
    2014-09-05 10:17 . 2014-09-05 10:17 237 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
    2014-09-05 10:16 . 2014-09-06 16:57 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Alpebyc
    2014-09-05 09:57 . 2014-09-06 16:58 -------- d-----w- c:\users\AnyUser\AppData\Roaming\Ihexdoe
    2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
    2014-09-05 04:15 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
    2014-08-29 11:30 . 2014-08-20 11:48 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A53B23E6-D90F-41C5-8CD2-BC028B31E215}\gapaengine.dll
    2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
    2014-08-27 19:27 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
    2014-08-27 14:56 . 2014-08-27 14:56 -------- d-----w- c:\program files\Hewlett-Packard
    2014-08-27 14:55 . 2014-07-21 20:33 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
    2014-08-18 22:29 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
    2014-08-18 22:29 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
    2014-08-18 22:29 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
    2014-08-18 22:29 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
    2014-08-18 22:28 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
    2014-08-18 22:28 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
    2014-08-18 22:28 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
    2014-08-18 22:27 . 2014-05-14 14:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
    2014-08-18 22:27 . 2014-05-14 14:17 33792 ----a-w- c:\windows\system32\wuapp.exe
    2014-08-15 11:09 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
    2014-08-15 11:09 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
    2014-08-15 11:09 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
    2014-08-15 11:09 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-08-20 11:48 . 2014-01-04 21:24 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2014-07-09 02:59 . 2013-10-18 18:27 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-07-09 02:59 . 2013-10-18 18:27 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-06-18 01:51 . 2014-07-09 00:22 646144 ----a-w- c:\windows\system32\osk.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
    "FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 171288]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 172824]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
    "Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
    "Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-10-19 280576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowCpl"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 hbifodwl;hbifodwl;c:\windows\system32\drivers\hbifodwl.sys [x]
    R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-05-31 106496]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-07-25 108032]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-18 1343400]
    S1 MpKsl686f8e44;MpKsl686f8e44;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{841B5BF5-BB07-4EB2-B981-0B3B1585EA57}\MpKsl686f8e44.sys [2014-09-07 39464]
    S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-05-31 1824584]
    S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-05-31 98304]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-02-04 2058776]
    S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2011-06-01 659968]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-07 110296]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-16 6114816]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    *NewlyCreated* - MPKSL686F8E44
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-09-03 23:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-09-07 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-18 02:59]
    .
    2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
    .
    2014-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: harrisbank.com\www4
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-09-07 18:07:09
    ComboFix-quarantined-files.txt 2014-09-07 23:07
    ComboFix2.txt 2014-09-06 20:52
    .
    Pre-Run: 192,022,368,256 bytes free
    Post-Run: 191,974,494,208 bytes free
    .
    - - End Of File - - 353BACEEA69A2F24D3C98D62D93BA7B8
    A36C5E4F47E84449FF07ED3517B43A31
     
  9. Broni

    Broni Malware Annihilator

    It doesn't look like you ran my script.
    Please redo.
     
  10. Mark O

    Mark O TS Rookie Topic Starter

    Sorry, the first time I did not copy the actual header area with the word "code:".

    Here is the new log...

    ComboFix 14-09-05.01 - AnyUser 09/07/2014 19:47:51.3.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3032.1856 [GMT -5:00]
    Running from: c:\users\AnyUser\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
    SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\AnyUser\AppData\Roaming\Alpebyc
    c:\users\AnyUser\AppData\Roaming\Ihexdoe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_hbifodwl
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-08-08 to 2014-09-08 )))))))))))))))))))))))))))))))
    .
    .
    2014-09-08 00:55 . 2014-09-08 00:55 62576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B32800A-9A7B-4AD1-A08F-D48EA8251CB5}\offreg.dll
    2014-09-08 00:52 . 2014-09-08 00:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-09-07 23:16 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B32800A-9A7B-4AD1-A08F-D48EA8251CB5}\mpengine.dll
    2014-09-06 23:02 . 2014-08-21 02:44 8581864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2014-09-06 20:52 . 2014-09-08 00:56 -------- d-----w- c:\users\AnyUser\AppData\Local\temp
    2014-09-06 19:53 . 2014-09-06 20:02 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-09-06 16:24 . 2014-09-06 19:32 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2014-09-06 16:24 . 2014-09-06 16:24 -------- d-----w- c:\programdata\RogueKiller
    2014-09-05 23:46 . 2014-09-08 00:55 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-05 23:46 . 2014-09-06 19:52 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-09-05 23:46 . 2014-05-12 13:19 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-09-05 23:46 . 2014-05-12 13:19 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
    2014-09-05 23:46 . 2014-09-05 23:46 -------- d-----w- c:\programdata\Malwarebytes
    2014-09-05 10:17 . 2014-09-05 10:17 237 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F2D33B81-D19E-B8AC-F77B-61747863345A}-tmpf3394f68.bat
    2014-09-05 04:15 . 2014-09-05 04:15 -------- d-----w- c:\programdata\Hewlett-Packard
    2014-09-05 04:15 . 2009-07-14 01:15 280064 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzppw71.dll
    2014-08-29 11:30 . 2014-08-20 11:48 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A53B23E6-D90F-41C5-8CD2-BC028B31E215}\gapaengine.dll
    2014-08-27 19:27 . 2014-08-23 00:42 2352640 ----a-w- c:\windows\system32\win32k.sys
    2014-08-27 19:27 . 2014-08-23 01:46 305152 ----a-w- c:\windows\system32\gdi32.dll
    2014-08-27 14:56 . 2014-08-27 14:56 -------- d-----w- c:\program files\Hewlett-Packard
    2014-08-27 14:55 . 2014-07-21 20:33 597512 ------w- c:\windows\system32\HPDiscoPM7112.dll
    2014-08-18 22:29 . 2014-05-14 16:23 45536 ----a-w- c:\windows\system32\wups2.dll
    2014-08-18 22:29 . 2014-05-14 16:23 54240 ----a-w- c:\windows\system32\wuauclt.exe
    2014-08-18 22:29 . 2014-05-14 16:23 1973728 ----a-w- c:\windows\system32\wuaueng.dll
    2014-08-18 22:29 . 2014-05-14 16:17 2425856 ----a-w- c:\windows\system32\wucltux.dll
    2014-08-18 22:28 . 2014-05-14 16:23 36320 ----a-w- c:\windows\system32\wups.dll
    2014-08-18 22:28 . 2014-05-14 16:23 581600 ----a-w- c:\windows\system32\wuapi.dll
    2014-08-18 22:28 . 2014-05-14 16:17 92672 ----a-w- c:\windows\system32\wudriver.dll
    2014-08-18 22:27 . 2014-05-14 14:23 179656 ----a-w- c:\windows\system32\wuwebv.dll
    2014-08-18 22:27 . 2014-05-14 14:17 33792 ----a-w- c:\windows\system32\wuapp.exe
    2014-08-15 11:09 . 2014-03-09 21:47 99480 ----a-w- c:\windows\system32\infocardapi.dll
    2014-08-15 11:09 . 2014-06-30 22:14 8856 ----a-w- c:\windows\system32\icardres.dll
    2014-08-15 11:09 . 2014-03-09 21:47 619672 ----a-w- c:\windows\system32\icardagt.exe
    2014-08-15 11:09 . 2014-06-06 06:16 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-08-20 11:48 . 2014-01-04 21:24 893248 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2014-07-09 02:59 . 2013-10-18 18:27 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2014-07-09 02:59 . 2013-10-18 18:27 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2014-06-18 01:51 . 2014-07-09 00:22 646144 ----a-w- c:\windows\system32\osk.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
    "FingerPrintSoftwareSplashScreen"="c:\program files\Lenovo Fingerprint Software\SplashScreen.exe \s" [X]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 171288]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 172824]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
    "Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1425208]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-02-04 111640]
    "Memeo AutoSync"="c:\program files\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2013-10-19 280576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "DisableCAD"= 1 (0x1)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowCpl"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2011-05-31 106496]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-07-25 108032]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-10-18 1343400]
    S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2011-05-31 1824584]
    S2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2011-05-31 98304]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-05-12 1809720]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-05-12 860472]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-02-04 2058776]
    S3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2011-06-01 659968]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-08-23 225408]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-09-08 110296]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-05-12 51928]
    S3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-16 6114816]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MBAMSWISSARMY
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-09-03 23:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-09-08 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-18 02:59]
    .
    2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
    .
    2014-09-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2014-03-11 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = https://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    Trusted Zone: harrisbank.com\www4
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\System32\WUDFHost.exe
    c:\program files\Malwarebytes Anti-Malware\mbam.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\Synaptics\SynTP\SynTPLpr.exe
    c:\program files\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
    c:\windows\system32\conhost.exe
    c:\program files\Intel\AMT\LMS.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2014-09-07 20:00:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2014-09-08 01:00
    ComboFix2.txt 2014-09-07 23:07
    ComboFix3.txt 2014-09-06 20:52
    .
    Pre-Run: 192,012,500,992 bytes free
    Post-Run: 191,631,241,216 bytes free
    .
    - - End Of File - - 67B98BA2449B0F86CD824096C814591E
    A36C5E4F47E84449FF07ED3517B43A31
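
    The two artefacts worth recognising in the ComboFix output above are the autorun that pointed into c:\users\AnyUser\AppData\Roaming\Ihexdoe (the folder ComboFix deleted) and the R1 driver hbifodwl.sys whose file could not be found on disk ([x]) even though the service was running. The script below is an added example for this thread, not ComboFix's own code or anything Broni posted: it parses ComboFix "Reg Loading Points" lines and flags exactly those two patterns. The hbifodwl, NisDrv, MBAMProtector, HP, Lenovo and MSC lines in SAMPLE_LOG are copied from the log; the value name "Qhudyx", the file "bevqoal.exe" and its size are constructed stand-ins for the Zbot autorun that ComboFix had already removed by this run. The reading of "R"/"S" as running/stopped and the digit as start type follows ComboFix's convention as I understand it; the HIGH/MEDIUM/LOW scale is my own.

```python
"""Triage of ComboFix 'Reg Loading Points' lines for Zbot-style persistence.

Added example for this thread; not part of ComboFix or of any other tool
mentioned here. The severity scale and the constructed entries are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# Profile directories a legitimate autorun almost never executes from.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")
# Roots where a genuine service or driver image is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Name"="c:\path\image.exe args" [2014-09-05 286720]  or  [X] when the file is gone
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R1 name;Display Name;c:\path\driver.sys [x]
# R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 demand)
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<rest>.+) \[(?P<meta>[^\]]*)\]$")
IMAGE_RE = re.compile(r"^(?P<img>.*?\.(?:exe|dll|sys|cpl))", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # HIGH / MEDIUM / LOW
    kind: str       # "autorun" or "service"
    name: str
    image: str
    reason: str


def image_path(command: str) -> str:
    """Drop trailing arguments such as ' \\s' and return the lowercased image path."""
    m = IMAGE_RE.match(command.strip())
    return (m.group("img") if m else command.strip()).lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return the entries that deserve a human's attention."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        val = VALUE_RE.match(line)
        if val and "\\currentversion\\run" in current_key:   # Run and RunOnce keys
            img = image_path(val.group("cmd"))
            missing = val.group("meta").strip().lower() == "x"
            if any(d in img for d in USER_WRITABLE):
                findings.append(Finding("HIGH", "autorun", val.group("name"), img,
                                        "autorun image lives in a user-writable profile directory"))
            elif missing:
                findings.append(Finding("LOW", "autorun", val.group("name"), img,
                                        "image no longer on disk: dead entry, remove to cut noise"))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            parts = svc.group("rest").split(";", 2)
            if len(parts) != 3:
                continue
            name, _display, cmd = parts
            img = image_path(cmd)
            missing = svc.group("meta").strip().lower() == "x"
            running = svc.group("state") == "R"
            if missing and running and img.endswith(".sys"):
                findings.append(Finding("HIGH", "service", name, img,
                                        "running kernel driver with no file on disk (hidden or already deleted)"))
            elif missing:
                findings.append(Finding("MEDIUM", "service", name, img, "service image missing from disk"))
            elif not img.startswith(TRUSTED_ROOTS):
                findings.append(Finding("MEDIUM", "service", name, img,
                                        "service image outside Windows or Program Files"))
    return findings


# Constructed sample in ComboFix format. "Qhudyx" / bevqoal.exe / 286720 are made up;
# the remaining lines are taken from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8610 (NET)"="c:\program files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe" [2014-07-21 2427400]
"Qhudyx"="c:\users\AnyUser\AppData\Roaming\Ihexdoe\bevqoal.exe" [2014-09-05 286720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FingerPrintSoftware"="c:\program files\Lenovo Fingerprint Software\fpapp.exe \s" [X]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
.
R1 hbifodwl;hbifodwl;c:\windows\system32\drivers\hbifodwl.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-05-12 23256]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:8} {f.name:22} {f.image}  <- {f.reason}")
```

    Run against the sample it reports three items: the constructed AppData\Roaming autorun and the hbifodwl driver as HIGH, and the stale Lenovo fingerprint entry as LOW; the Microsoft, HP and Malwarebytes entries pass. The point of the two HIGH rules is that they do not depend on the random names Zbot generates: an autorun executing from a user-writable profile directory, or a running kernel driver with no backing file, is suspicious whatever it is called, which is why a tool like ComboFix removes the folder and the service rather than hunting for a particular file name.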
     
  11. Broni

    Broni Malware Annihilator

    Good :)

    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Please download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply.
     
  12. Mark O

    Mark O TS Rookie Topic Starter

    # AdwCleaner v3.309 - Report created 08/09/2014 at 08:12:04
    # Updated 02/09/2014 by Xplode
    # Operating System : Windows 7 Professional Service Pack 1 (32 bits)
    # Username : AnyUser - ANYUSER-PC
    # Running from : C:\Users\AnyUser\Desktop\adwcleaner_3.309.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Scheduled Tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKCU\Software\InstalledThirdPartyPrograms
    Key Deleted : HKLM\SOFTWARE\InstalledThirdPartyPrograms

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17239


    -\\ Google Chrome v37.0.2062.103

    [ File : C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [1618 octets] - [08/09/2014 08:10:13]
    AdwCleaner[S0].txt - [1561 octets] - [08/09/2014 08:12:04]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1621 octets] ##########


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.3 (03.23.2014:1)
    OS: Windows 7 Professional x86
    Ran by AnyUser on Mon 09/08/2014 at 8:26:38.10
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\allyrics-16-bg_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\allyrics-16-bg_RASMANCS
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Allyrics-16-codedownloader_RASAPI32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Allyrics-16-codedownloader_RASMANCS



    ~~~ Files



    ~~~ Folders



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Mon 09/08/2014 at 8:29:15.54
    Computer was rebooted
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-09-2014
    Ran by AnyUser (administrator) on ANYUSER-PC on 08-09-2014 08:34:35
    Running from C:\Users\AnyUser\Desktop
    Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Normal

    The only official download link for FRST:
    Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
    Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
    See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    () C:\Windows\System32\DTS.exe
    (Lenovo.) C:\Windows\System32\ibmpmsvc.exe
    (AuthenTec, Inc.) C:\Windows\System32\AtService.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
    (ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    (Elaborate Bytes AG) C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    (Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    (ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    (Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    (Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
    (ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    (Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
    (Memeo Inc.) C:\Program Files\Memeo\AutoSync\MemeoAutoSync.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    (Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
    (Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [VirtualCloneDrive] => C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
    HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
    HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
    HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
    HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
    HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
    HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [FingerPrintSoftware] => C:\Program Files\Lenovo Fingerprint Software\fpapp.exe [1582920 2011-05-31] (AuthenTec)
    HKLM\...\Run: [FingerPrintSoftwareSplashScreen] => C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe [102400 2011-05-31] (AuthenTec, Inc.)
    HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe [111640 2010-02-04] ()
    HKLM\...\Run: [Memeo AutoSync] => C:\Program Files\Memeo\AutoSync\MemeoLauncher2.exe [144608 2010-04-16] (Memeo Inc.)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
    HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
    HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
    HKU\.DEFAULT\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-10-19] (Microsoft Corporation)
    HKU\S-1-5-21-1311731379-2688022510-2026161381-1000\...\Run: [HP Officejet Pro 8610 (NET)] => C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe [2427400 2014-07-21] (Hewlett-Packard Development Company, LP)
    HKU\S-1-5-21-1311731379-2688022510-2026161381-1000\...\Policies\Explorer: [DisallowCpl] 1

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF3291824C340CF01
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
    BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1388550385823
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
    Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

    FireFox:
    ========
    FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

    Chrome:
    =======
    CHR HomePage: Default ->
    CHR DefaultSearchKeyword: Default -> 573E5242114621EC3F8AC57831F33F02494A7D227E6F36CC0F4009CD3212231B
    CHR DefaultSearchURL: Default -> CC8155B8290070D618262C21AA52F43392699D5EABAEABB29EBAEE1ABB23B325
    CHR CustomProfile: C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-11]
    CHR Extension: (Google Drive) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-11]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-29]
    CHR Extension: (YouTube) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-11]
    CHR Extension: (Google Search) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-11]
    CHR Extension: (Google Wallet) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-11]
    CHR Extension: (Gmail) - C:\Users\AnyUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-11]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
    S3 ADMonitor; C:\Windows\system32\ADMonitor.exe [106496 2011-05-31] () [File not signed]
    R2 dtsvc; C:\Windows\system32\DTS.exe [98304 2011-05-31] () [File not signed]
    S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2013-09-06] (Macrovision Europe Ltd.) [File not signed]
    R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
    R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
    S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
    R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2058776 2010-02-04] (Intel Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [30616 2013-03-04] (Elaborate Bytes AG)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-08] (Malwarebytes Corporation)
    R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
    S3 catchme; \??\C:\Users\AnyUser\AppData\Local\Temp\catchme.sys [X]

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-09-08 08:34 - 2014-09-08 08:34 - 00012787 _____ () C:\Users\AnyUser\Desktop\FRST.txt
    2014-09-08 08:34 - 2014-09-08 08:34 - 00000000 ____D () C:\FRST
    2014-09-08 08:33 - 2014-09-08 08:32 - 01097728 _____ (Farbar) C:\Users\AnyUser\Desktop\FRST.exe
    2014-09-08 08:32 - 2014-09-08 08:32 - 01097728 _____ (Farbar) C:\Users\AnyUser\Downloads\FRST.exe
    2014-09-08 08:29 - 2014-09-08 08:29 - 00001116 _____ () C:\Users\AnyUser\Desktop\JRT.txt
    2014-09-08 08:23 - 2014-09-08 08:23 - 00000000 ____D () C:\Windows\ERUNT
    2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Downloads\JRT.exe
    2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Desktop\JRT.exe
    2014-09-08 08:10 - 2014-09-08 08:12 - 00000000 ____D () C:\AdwCleaner
    2014-09-08 08:08 - 2014-09-08 08:08 - 01370467 _____ () C:\Users\AnyUser\Desktop\adwcleaner_3.309.exe
    2014-09-07 20:00 - 2014-09-07 20:00 - 00014330 _____ () C:\ComboFix.txt
    2014-09-07 08:39 - 2014-09-07 08:39 - 00001265 _____ () C:\Users\AnyUser\Desktop\WhileWaitingRegistryThreatcameup.txt
    2014-09-06 17:47 - 2014-09-06 17:47 - 00000000 ____D () C:\Users\AnyUser\Downloads\LenovaT400Fingerprint
    2014-09-06 15:43 - 2014-09-07 20:00 - 00000000 ____D () C:\Qoobox
    2014-09-06 15:43 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
    2014-09-06 15:43 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
    2014-09-06 15:43 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2014-09-06 15:43 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2014-09-06 15:43 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2014-09-06 15:43 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
    2014-09-06 15:43 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
    2014-09-06 15:43 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
    2014-09-06 15:42 - 2014-09-07 19:52 - 00000000 ____D () C:\Windows\erdnt
    2014-09-06 15:41 - 2014-09-06 15:39 - 05576440 ____R (Swearware) C:\Users\AnyUser\Desktop\ComboFix.exe
    2014-09-06 14:53 - 2014-09-06 15:02 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-09-06 14:52 - 2014-09-06 15:02 - 00000000 ____D () C:\Users\AnyUser\Desktop\mbar
    2014-09-06 14:51 - 2014-09-06 14:50 - 14349744 _____ (Malwarebytes Corp.) C:\Users\AnyUser\Desktop\mbar-1.07.0.1012.exe
    2014-09-06 14:42 - 2014-09-06 14:42 - 00002549 _____ () C:\Users\AnyUser\Desktop\RKreport_DEL_09062014_144112.log
    2014-09-06 12:09 - 2014-09-06 12:09 - 00044168 _____ () C:\Users\AnyUser\Desktop\attach.txt
    2014-09-06 12:09 - 2014-09-06 12:09 - 00015421 _____ () C:\Users\AnyUser\Desktop\dds.txt
    2014-09-06 11:24 - 2014-09-06 14:32 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-09-06 11:24 - 2014-09-06 11:24 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-09-06 11:24 - 2014-09-06 11:23 - 04857944 _____ () C:\Users\AnyUser\Desktop\RogueKiller.exe
    2014-09-05 18:46 - 2014-09-08 08:26 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2014-09-05 18:46 - 2014-09-06 14:52 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2014-09-05 18:46 - 2014-09-05 18:46 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2014-09-05 18:46 - 2014-05-12 08:19 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
    2014-09-05 18:46 - 2014-05-12 08:19 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
    2014-09-05 18:45 - 2014-09-05 18:42 - 17291904 _____ (Malwarebytes Corporation ) C:\Users\AnyUser\Desktop\mbam_premium.exe
    2014-09-04 23:15 - 2014-09-04 23:15 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
    2014-09-04 19:01 - 2014-09-04 19:01 - 00068415 _____ () C:\Users\AnyUser\AppData\Local\guptemlm
    2014-08-27 14:27 - 2014-08-22 20:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
    2014-08-27 14:27 - 2014-08-22 19:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
    2014-08-27 09:56 - 2014-08-27 09:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
    2014-08-27 09:55 - 2014-07-21 15:33 - 00597512 ____N (Hewlett-Packard Development Company, LP) C:\Windows\system32\HPDiscoPM7112.dll
    2014-08-27 09:16 - 2014-08-27 09:16 - 00000000 ____D () C:\Windows\system32\appmgmt
    2014-08-27 09:04 - 2014-08-27 09:04 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan (1).exe
    2014-08-20 23:17 - 2014-06-24 20:41 - 12874240 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
    2014-08-18 17:29 - 2014-05-14 11:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
    2014-08-18 17:29 - 2014-05-14 11:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
    2014-08-18 17:29 - 2014-05-14 11:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
    2014-08-18 17:29 - 2014-05-14 11:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
    2014-08-18 17:28 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
    2014-08-18 17:28 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
    2014-08-18 17:28 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
    2014-08-18 17:27 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
    2014-08-18 17:27 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
    2014-08-15 06:09 - 2014-06-30 17:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
    2014-08-15 06:09 - 2014-06-06 01:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
    2014-08-15 06:09 - 2014-03-09 16:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
    2014-08-15 06:09 - 2014-03-09 16:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
    2014-08-14 16:51 - 2014-07-31 18:16 - 00307384 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
    2014-08-14 16:51 - 2014-07-25 08:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
    2014-08-14 16:51 - 2014-07-25 08:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
    2014-08-14 16:51 - 2014-07-25 07:34 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
    2014-08-14 16:51 - 2014-07-25 07:34 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
    2014-08-14 16:51 - 2014-07-25 07:33 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
    2014-08-14 16:51 - 2014-07-25 07:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
    2014-08-14 16:51 - 2014-07-25 07:17 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
    2014-08-14 16:51 - 2014-07-25 07:10 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2014-08-14 16:51 - 2014-07-25 07:10 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
    2014-08-14 16:51 - 2014-07-25 06:59 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
    2014-08-14 16:51 - 2014-07-25 06:52 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
    2014-08-14 16:51 - 2014-07-25 06:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
    2014-08-14 16:51 - 2014-07-25 06:36 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
    2014-08-14 16:51 - 2014-07-25 06:29 - 00239616 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
    2014-08-14 16:51 - 2014-07-25 06:13 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
    2014-08-14 16:51 - 2014-07-25 06:09 - 00663040 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
    2014-08-14 16:51 - 2014-07-25 06:07 - 02001920 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
    2014-08-14 16:51 - 2014-07-25 05:09 - 00704512 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
    2014-08-14 16:51 - 2014-07-25 05:05 - 01792512 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
    2014-08-14 16:51 - 2014-07-25 05:00 - 01169920 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
    2014-08-14 16:51 - 2014-07-13 20:42 - 00654336 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
    2014-08-14 16:51 - 2014-06-15 20:44 - 00730048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
    2014-08-14 16:51 - 2014-06-15 20:44 - 00219072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
    2014-08-14 16:51 - 2014-06-15 20:40 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
    2014-08-14 16:50 - 2014-07-25 08:51 - 17524224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
    2014-08-14 16:50 - 2014-07-25 07:30 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
    2014-08-14 16:50 - 2014-07-25 07:21 - 02184704 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
    2014-08-14 16:50 - 2014-07-25 07:12 - 00438784 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
    2014-08-14 16:50 - 2014-07-25 07:08 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
    2014-08-14 16:50 - 2014-07-25 07:06 - 04204032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
    2014-08-14 16:50 - 2014-07-25 06:34 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
    2014-08-14 16:50 - 2014-07-25 06:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
    2014-08-14 16:50 - 2014-07-25 06:03 - 11772928 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
    2014-08-14 16:50 - 2014-07-15 21:46 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
    2014-08-14 16:50 - 2014-06-03 04:30 - 00101824 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
    2014-08-14 16:50 - 2014-06-03 04:29 - 02363392 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
    2014-08-14 16:50 - 2014-06-03 04:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
    2014-08-14 16:50 - 2014-06-03 04:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
    2014-08-11 10:22 - 2014-08-11 10:22 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan.exe

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-09-08 08:34 - 2014-09-08 08:34 - 00012787 _____ () C:\Users\AnyUser\Desktop\FRST.txt
    2014-09-08 08:34 - 2014-09-08 08:34 - 00000000 ____D () C:\FRST
    2014-09-08 08:32 - 2014-09-08 08:33 - 01097728 _____ (Farbar) C:\Users\AnyUser\Desktop\FRST.exe
    2014-09-08 08:32 - 2014-09-08 08:32 - 01097728 _____ (Farbar) C:\Users\AnyUser\Downloads\FRST.exe
    2014-09-08 08:32 - 2009-07-13 23:34 - 00029904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-09-08 08:32 - 2009-07-13 23:34 - 00029904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-09-08 08:29 - 2014-09-08 08:29 - 00001116 _____ () C:\Users\AnyUser\Desktop\JRT.txt
    2014-09-08 08:28 - 2013-09-06 21:28 - 02077458 _____ () C:\Windows\WindowsUpdate.log
    2014-09-08 08:26 - 2014-09-05 18:46 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2014-09-08 08:25 - 2014-03-11 17:58 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2014-09-08 08:25 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-09-08 08:25 - 2009-07-13 23:39 - 00036152 _____ () C:\Windows\setupact.log
    2014-09-08 08:23 - 2014-09-08 08:23 - 00000000 ____D () C:\Windows\ERUNT
    2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Downloads\JRT.exe
    2014-09-08 08:22 - 2014-09-08 08:22 - 01016261 _____ (Thisisu) C:\Users\AnyUser\Desktop\JRT.exe
    2014-09-08 08:21 - 2014-03-11 17:58 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2014-09-08 08:13 - 2013-10-18 10:30 - 00025618 _____ () C:\Windows\PFRO.log
    2014-09-08 08:12 - 2014-09-08 08:10 - 00000000 ____D () C:\AdwCleaner
    2014-09-08 08:08 - 2014-09-08 08:08 - 01370467 _____ () C:\Users\AnyUser\Desktop\adwcleaner_3.309.exe
    2014-09-08 07:59 - 2014-03-11 17:41 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-09-07 20:00 - 2014-09-07 20:00 - 00014330 _____ () C:\ComboFix.txt
    2014-09-07 20:00 - 2014-09-06 15:43 - 00000000 ____D () C:\Qoobox
    2014-09-07 19:56 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
    2014-09-07 19:53 - 2009-07-13 21:03 - 52953088 _____ () C:\Windows\system32\config\SOFTWARE.bak
    2014-09-07 19:53 - 2009-07-13 21:03 - 14680064 _____ () C:\Windows\system32\config\SYSTEM.bak
    2014-09-07 19:53 - 2009-07-13 21:03 - 00524288 _____ () C:\Windows\system32\config\DEFAULT.bak
    2014-09-07 19:53 - 2009-07-13 21:03 - 00262144 _____ () C:\Windows\system32\config\SECURITY.bak
    2014-09-07 19:53 - 2009-07-13 21:03 - 00262144 _____ () C:\Windows\system32\config\SAM.bak
    2014-09-07 19:52 - 2014-09-06 15:42 - 00000000 ____D () C:\Windows\erdnt
    2014-09-07 08:39 - 2014-09-07 08:39 - 00001265 _____ () C:\Users\AnyUser\Desktop\WhileWaitingRegistryThreatcameup.txt
    2014-09-06 17:49 - 2014-03-15 23:16 - 00013960 _____ () C:\Windows\DPINST.LOG
    2014-09-06 17:49 - 2014-03-15 23:15 - 00000000 ____D () C:\Program Files\Lenovo Fingerprint Software
    2014-09-06 17:47 - 2014-09-06 17:47 - 00000000 ____D () C:\Users\AnyUser\Downloads\LenovaT400Fingerprint
    2014-09-06 15:52 - 2009-07-13 21:37 - 00000000 __RHD () C:\Users\Default
    2014-09-06 15:52 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
    2014-09-06 15:39 - 2014-09-06 15:41 - 05576440 ____R (Swearware) C:\Users\AnyUser\Desktop\ComboFix.exe
    2014-09-06 15:02 - 2014-09-06 14:53 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-09-06 15:02 - 2014-09-06 14:52 - 00000000 ____D () C:\Users\AnyUser\Desktop\mbar
    2014-09-06 14:52 - 2014-09-05 18:46 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2014-09-06 14:50 - 2014-09-06 14:51 - 14349744 _____ (Malwarebytes Corp.) C:\Users\AnyUser\Desktop\mbar-1.07.0.1012.exe
    2014-09-06 14:42 - 2014-09-06 14:42 - 00002549 _____ () C:\Users\AnyUser\Desktop\RKreport_DEL_09062014_144112.log
    2014-09-06 14:32 - 2014-09-06 11:24 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-09-06 12:09 - 2014-09-06 12:09 - 00044168 _____ () C:\Users\AnyUser\Desktop\attach.txt
    2014-09-06 12:09 - 2014-09-06 12:09 - 00015421 _____ () C:\Users\AnyUser\Desktop\dds.txt
    2014-09-06 11:58 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Web
    2014-09-06 11:24 - 2014-09-06 11:24 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-09-06 11:23 - 2014-09-06 11:24 - 04857944 _____ () C:\Users\AnyUser\Desktop\RogueKiller.exe
    2014-09-06 11:12 - 2013-09-06 20:36 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
    2014-09-06 08:01 - 2013-09-06 22:24 - 00000000 ____D () C:\Windows\Panther
    2014-09-05 18:46 - 2014-09-05 18:46 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2014-09-05 18:46 - 2014-09-05 18:46 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2014-09-05 18:42 - 2014-09-05 18:45 - 17291904 _____ (Malwarebytes Corporation ) C:\Users\AnyUser\Desktop\mbam_premium.exe
    2014-09-04 23:15 - 2014-09-04 23:15 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
    2014-09-04 19:23 - 2014-03-14 09:09 - 00000000 ____D () C:\Users\AnyUser\Documents\Outlook Files
    2014-09-04 19:01 - 2014-09-04 19:01 - 00068415 _____ () C:\Users\AnyUser\AppData\Local\guptemlm
    2014-08-29 02:25 - 2014-03-13 19:42 - 00000000 ____D () C:\Users\AnyUser\AppData\Roaming\HpUpdate
    2014-08-28 06:19 - 2009-07-13 23:33 - 00409416 _____ () C:\Windows\system32\FNTCACHE.DAT
    2014-08-27 09:56 - 2014-08-27 09:56 - 00000000 ____D () C:\Program Files\Hewlett-Packard
    2014-08-27 09:56 - 2014-03-03 14:44 - 00000000 ____D () C:\Users\AnyUser\AppData\Local\HP
    2014-08-27 09:55 - 2014-03-03 14:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
    2014-08-27 09:55 - 2014-03-03 14:44 - 00000000 ____D () C:\Program Files\HP
    2014-08-27 09:54 - 2014-03-03 14:45 - 00000000 ____D () C:\ProgramData\HP
    2014-08-27 09:54 - 2009-07-13 23:52 - 00000000 ____D () C:\Windows\twain_32
    2014-08-27 09:16 - 2014-08-27 09:16 - 00000000 ____D () C:\Windows\system32\appmgmt
    2014-08-27 09:04 - 2014-08-27 09:04 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan (1).exe
    2014-08-22 20:46 - 2014-08-27 14:27 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
    2014-08-22 19:42 - 2014-08-27 14:27 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
    2014-08-21 00:13 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
    2014-08-15 06:58 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
    2014-08-15 06:18 - 2013-10-18 11:57 - 00000000 ____D () C:\Windows\system32\MRT
    2014-08-15 06:18 - 2013-09-06 21:06 - 00000000 ____D () C:\ProgramData\Microsoft Help
    2014-08-15 06:14 - 2013-10-18 11:57 - 96303304 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2014-08-11 10:22 - 2014-08-11 10:22 - 00231760 _____ () C:\Users\AnyUser\Downloads\CrucialScan.exe
    2014-08-11 10:18 - 2014-03-13 21:23 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

    Some content of TEMP:
    ====================
    C:\Users\AnyUser\AppData\Local\temp\Quarantine.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2014-09-06 00:25

    ==================== End Of Log ============================
     
  13. Mark O

    FARBAR Additional scan log

    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 07-09-2014
    Ran by AnyUser at 2014-09-08 08:35:16
    Running from C:\Users\AnyUser\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Microsoft Security Essentials (Disabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Microsoft Security Essentials (Disabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Acrobat 9 Standard - English, Français, Deutsch (HKLM\...\{AC76BA86-1033-F400-BA7E-000000000004}{AC76BA86-1033-F400-BA7E-000000000004}) (Version: 9.5.5 - Adobe Systems)
    Adobe Acrobat 9 Standard - English, Français, Deutsch (Version: 9.5.5 - Adobe Systems) Hidden
    Adobe Acrobat 9.5.5 - CPSID_83708 (HKLM\...\{AC76BA86-1033-F400-BA7E-000000000004}_955) (Version: - Adobe Systems Incorporated)
    Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
    AnswerWorks 5.0 English Runtime (HKLM\...\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}) (Version: 5.0.7 - Vantage Software Technologies)
    Apple Application Support (HKLM\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
    Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)
    Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    ArcSoft PhotoStudio 6 (HKLM\...\{9A4D3FF6-FFDD-4E4E-B887-4BF378174F04}) (Version: 6.0.0.138 - ArcSoft)
    Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
    Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
    Conexant 20561 SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.92.10.0 - Conexant)
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{132D27B8-C656-44BD-8C16-73C54EA8A85F}) (Version: - Microsoft)
    Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.103 - Google Inc.)
    Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
    HP Officejet Pro 8610 Basic Device Software (HKLM\...\{B199C367-0F3F-4873-8D8D-7B60D50ED105}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
    HP Officejet Pro 8610 Help (HKLM\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard)
    HP Photosmart Plus B210 series Basic Device Software (HKLM\...\{B4BEEEA3-05E9-4966-AE47-B0F3490564BE}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
    HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
    I.R.I.S. OCR (HKLM\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
    Intel(R) Management Engine Interface (HKLM\...\HECI) (Version: - Intel Corporation)
    Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: - )
    Intel® Active Management Technology (HKLM\...\MESOL) (Version: - Intel Corporation)
    Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version: - )
    iTunes (HKLM\...\{2F21564D-DE05-4C6D-B21E-08B9D313FAB3}) (Version: 11.1.5.5 - Apple Inc.)
    Lenovo Fingerprint Software (HKLM\...\{2D440AF4-7330-43F0-A085-35DE1A90E703}) (Version: 3.3.2.50 - AuthenTec, Inc.)
    Lenovo Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.67.04.05 - )
    Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
    Memeo AutoSync (HKLM\...\{75B7F766-7998-44d8-A202-F1EC76A121BA}) (Version: - Memeo Inc.)
    Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
    Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
    Microsoft Office Access MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Excel MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Groove MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
    Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proof (French) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proof (Spanish) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Proofing (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Shared MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Office Word MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
    Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
    Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    Quicken 2009 (HKLM\...\{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}) (Version: 18.1.3.11 - Intuit)
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (Version: - Microsoft) Hidden
    ThinkPad UltraNav Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.19.7 - )
    Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
    Update for Microsoft Excel 2010 (KB2837600) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4ACD847E-547D-493F-9A86-F73EAE1B5174}) (Version: - Microsoft)
    Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{302A8FE3-EBF5-486C-A431-16A1CD914443}) (Version: - Microsoft)
    Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
    Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2687502) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7DE7DF97-82FE-4B3A-AB8D-1621F9CC464A}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F1A20C69-9FE5-40FD-9CD5-84EABC2EF64A}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{334FB202-28D7-4BA4-8BC9-4FE4AB233EA0}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B0D672F7-883E-4279-8E75-D97A5445AB46}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2878252) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B0DB9F71-E0F7-4FE6-8925-35B860CAC0C4}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{089DBFD7-8211-43B2-AAAE-5BDD8C23E3A8}) (Version: - Microsoft)
    Update for Microsoft Office 2010 (KB2881028) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{794A0574-4E2F-4D58-B2A0-D7460ACDC85C}) (Version: - Microsoft)
    Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
    Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)
    Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)
    Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version: - Microsoft)
    Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version: - Microsoft)
    Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
    Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{7B29D8B8-6A87-496C-A65E-B935E740448A}) (Version: - Microsoft)
    Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{38CF30E4-3348-4BD1-A859-B630C355A56F}) (Version: - Microsoft)
    Update for Microsoft Word 2010 (KB2880529) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B9B89E01-5B6B-4F73-BC34-B2C0D8ACB4CD}) (Version: - Microsoft)
    VirtualCloneDrive (HKLM\...\VirtualCloneDrive) (Version: - Elaborate Bytes)
    Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (07/02/2010 8.6.0.29) (HKLM\...\05FBE63CF9C9B3424152207E7278CD6DA193C56C) (Version: 07/02/2010 8.6.0.29 - AuthenTec Inc.)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


    ==================== Restore Points =========================

    08-08-2014 22:50:03 Windows Update
    12-08-2014 15:29:51 Windows Update
    15-08-2014 11:00:15 Windows Update
    18-08-2014 11:48:39 Windows Update
    18-08-2014 22:27:17 Windows Update
    21-08-2014 04:09:51 Installed HP Update.
    21-08-2014 04:17:09 Windows Update
    24-08-2014 04:37:21 Windows Update
    27-08-2014 14:11:40 Removed HP Update.
    27-08-2014 14:13:54 Removed HP Officejet Pro 8600 Help
    27-08-2014 14:16:14 Removed HP FWUpdateEDO2
    27-08-2014 14:17:47 Removed HP Officejet Pro 8600 Basic Device Software
    28-08-2014 11:00:18 Windows Update
    31-08-2014 11:30:13 Windows Update
    04-09-2014 11:30:22 Windows Update
    06-09-2014 19:44:26 AfterRogueKillerBeforeRootKit

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 21:04 - 2014-09-07 19:55 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
    127.0.0.1 localhost

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {2D051F2C-6385-45B4-A98E-53F73276B964} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-08] (Adobe Systems Incorporated)
    Task: {A7DBAE7B-8F1E-4A1E-A230-8BA1AF77647F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-03-11] (Google Inc.)
    Task: {C605189B-CA6B-4510-BB78-D000C428ABCD} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-04-24] (Synaptics Incorporated)
    Task: {F8AF599A-3024-4875-AB51-F9CCD5B0E222} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-03-11] (Google Inc.)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

    ==================== Loaded Modules (whitelisted) =============

    2011-05-31 06:26 - 2011-05-31 06:26 - 00098304 _____ () C:\Windows\system32\DTS.exe
    2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2010-04-16 16:49 - 2010-04-16 16:49 - 00024288 _____ () C:\Program Files\Memeo\AutoSync\Memeo.Client.DriveDetection.dll
    2010-04-16 16:48 - 2010-04-16 16:48 - 00038112 _____ () C:\Program Files\Memeo\AutoSync\NamedPipes.dll
    2010-02-09 20:20 - 2010-02-09 20:20 - 00491202 _____ () C:\Program Files\Memeo\AutoSync\sqlite3.DLL
    2010-04-16 16:49 - 2010-04-16 16:49 - 00165088 _____ () C:\Program Files\Memeo\AutoSync\providers\Memeo.Server.Providers.FileCopySyncProvider.dll
    2014-09-03 18:24 - 2014-08-29 21:49 - 01098056 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\libglesv2.dll
    2014-09-03 18:24 - 2014-08-29 21:49 - 00174408 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\libegl.dll
    2014-09-03 18:24 - 2014-08-29 21:49 - 08577864 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\pdf.dll
    2014-09-03 18:24 - 2014-08-29 21:49 - 00331592 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\ppGoogleNaClPluginChrome.dll
    2014-09-03 18:24 - 2014-08-29 21:49 - 01660232 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\ffmpegsumo.dll
    2014-09-03 18:24 - 2014-08-29 21:49 - 14669128 _____ () C:\Program Files\Google\Chrome\Application\37.0.2062.103\PepperFlash\pepflashplayer.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)


    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================

    System errors:
    =============

    Microsoft Office Sessions:
    =========================

    CodeIntegrity Errors:
    ===================================
    Date: 2014-09-05 22:37:07.819
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webservices_31bf3856ad364e35_6.2.9200.16384_none_0b27641a00190493\webservices.dll because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.768
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webservices_31bf3856ad364e35_6.2.9200.16384_none_0b27641a00190493\webservices.dll because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.721
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webservices_31bf3856ad364e35_6.2.9200.16384_none_0b27641a00190493\webservices.dll because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.461
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.20569_none_6a381c25963dbf70\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.456
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.20569_none_6a381c25963dbf70\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.451
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.20569_none_6a381c25963dbf70\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.323
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16465_none_69aa7e327d23ba4a\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.318
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16465_none_69aa7e327d23ba4a\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.313
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16465_none_69aa7e327d23ba4a\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.

    Date: 2014-09-05 22:37:07.239
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\SonyBackup0513\Windows\WinSxS\x86_microsoft-windows-webcamexperience_31bf3856ad364e35_6.2.9200.16384_none_6993dc2a7d34dbae\CameraSettingsUIHost.exe because the set of per-page image hashes could not be found on the system.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz
    Percentage of memory in use: 43%
    Total physical RAM: 3032.03 MB
    Available physical RAM: 1710.89 MB
    Total Pagefile: 6062.34 MB
    Available Pagefile: 4271.18 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1899.98 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:232.79 GB) (Free:178.36 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 1503D8EA)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

    ==================== End Of Log ============================
     
  14. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    How is computer doing?

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive an UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Internet Explorer users - Click on this link to open ESET OnlineScan.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the ESET Smart Installer icon on your desktop.
    • Check "YES, I accept the Terms of Use."
    • Click the Start button.
    • Accept any security warnings from your browser.
    • Check "Enable detection of potentially unwanted applications".
    • Click Advanced settings and make sure all 4 boxes are checkmarked (two of them are already checkmarked by default).
      Do NOT checkmark "Use custom proxy settings"
    • Click the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click List Threats
    • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Click the Back button.
    • Click the Finish button.
     
  15. Mark O

    Mark O TS Rookie Topic Starter

    Hey Broni,
    The computer has been working well...and faster. I'm working on the next steps. Meanwhile, I have a couple other questions. If I click on donate, will you get the donation?? Also, I had a USB 1TB drive connected as a syncing backup to some folders. I disconnected it right away and it has been disconnected throughout the cleaning process. When we are done cleaning this machine, can I reconnect the USB drive and just have Security Essentials and MBAM scan it...and feel safe with that? Or do I have to do more for the USB drive?
     
  16. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Glad to hear good news :)

    Yes.
    Yes.
     
  17. Mark O

    Mark O TS Rookie Topic Starter

    I'll look for your response before posting next results.
     
  18. Mark O

    Mark O TS Rookie Topic Starter

    Thanks for your Input!!

    Results of screen317's Security Check version 0.99.87
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Google Chrome 36.0.1985.143
    Google Chrome 37.0.2062.103
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbam.exe
    Malwarebytes Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1%
    ````````````````````End of Log``````````````````````

    Farbar Service Scanner Version: 21-07-2014
    Ran by AnyUser (administrator) on 08-09-2014 at 20:44:58
    Running from "C:\Users\AnyUser\Desktop"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => File is digitally signed
    C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\system32\dhcpcore.dll => File is digitally signed
    C:\Windows\system32\Drivers\afd.sys => File is digitally signed
    C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
    C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\system32\dnsrslvr.dll => File is digitally signed
    C:\Windows\system32\mpssvc.dll => File is digitally signed
    C:\Windows\system32\bfe.dll => File is digitally signed
    C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\system32\SDRSVC.dll => File is digitally signed
    C:\Windows\system32\vssvc.exe => File is digitally signed
    C:\Windows\system32\wscsvc.dll => File is digitally signed
    C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\system32\wuaueng.dll => File is digitally signed
    C:\Windows\system32\qmgr.dll => File is digitally signed
    C:\Windows\system32\es.dll => File is digitally signed
    C:\Windows\system32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\system32\ipnathlp.dll => File is digitally signed
    C:\Windows\system32\iphlpsvc.dll => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed


    **** End of log ****

    Temp File Cleaner ran well.

    ESET did not find any threats.
    Then it did not allow me to follow the instructions re: List Threats...Export...Back; only FINISH was available.

    END
     
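The FSS log posted above reports three things worth being able to re-check by hand: the WinDefend service start type, the "DisableAntiSpyware" policy value, and the signature status of a set of Windows networking, update and firewall files. The script below is an added example, not part of this thread and not code from FSS or FRST; it re-checks those same items with built-in PowerShell cmdlets so the result can be compared against the log. The file list is a subset copied from the FSS "File Check" section; the registry key and service name are the ones the log prints.

```powershell
# Added example: re-check the items FSS reported, using only built-in cmdlets.
# Run from an elevated PowerShell prompt on the machine in question.

# Subset of the files listed under "File Check" in the FSS log above.
$files = @(
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\system32\rpcss.dll",
    "$env:SystemRoot\system32\Drivers\tcpip.sys",
    "$env:SystemRoot\system32\Drivers\afd.sys",
    "$env:SystemRoot\system32\mpssvc.dll",
    "$env:SystemRoot\system32\bfe.dll",
    "$env:SystemRoot\system32\Drivers\mpsdrv.sys",
    "$env:SystemRoot\system32\wuaueng.dll",
    "$env:SystemRoot\system32\cryptsvc.dll",
    "$env:ProgramFiles\Windows Defender\MpSvc.dll"
)

# 1. WinDefend service state and start type.
#    Get-Service on Windows 7 (PowerShell 2.0) has no StartType property,
#    so the WMI Win32_Service class is used; StartMode is Auto/Manual/Disabled.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
if ($svc) {
    "WinDefend: State={0} StartMode={1}" -f $svc.State, $svc.StartMode
} else {
    "WinDefend: service not found"
}

# 2. Defender policy value the log shows as "DisableAntiSpyware"=DWORD:1.
#    Microsoft Security Essentials sets this when it installs, so with MSE
#    present a value of 1 is the expected state rather than a finding.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$item = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($item -eq $null) { "DisableAntiSpyware: not set" }
else { "DisableAntiSpyware: {0}" -f $item.DisableAntiSpyware }

# 3. Authenticode status of each listed file, with the signer subject so a
#    certificate that is not Microsoft's stands out in the output.
foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) { "{0} => MISSING" -f $f; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
    "{0} => {1} {2}" -f $f, $sig.Status, $signer
}
```

One caveat when reading the third section on Windows 7: the PowerShell 2.0 version of Get-AuthenticodeSignature only evaluates a signature embedded in the file and does not consult the Windows catalog store, whereas FSS and FRST do. A file FSS reports as "digitally signed" can therefore show as NotSigned here if it is catalog-signed only; compare against the FSS line (or a catalog-aware tool such as Sysinternals sigcheck) before treating a NotSigned result as suspicious. A Valid status with a non-Microsoft signer, or a file reported MISSING, is the result that actually warrants a closer look.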
  19. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Your computer is clean

    1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. DelFix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    11. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

    12. Please, let me know, how your computer is doing.
     
  20. Mark O

    Mark O TS Rookie Topic Starter

    Hi Broni, before performing the last set of instructions I need to ask about a new occurrence today. We use Outlook with POP forwarding from Ameritech.net (att.net older domain). So the web interface captured all these "MAILER-DAEMON" emails (260 or so; they came every few minutes all day today) in the Trash folder (versus the Spam folder). Our Outlook allowed these into the Inbox (I think I can change the POP settings to not forward Spam). Is this an unrelated event to our infection? We have not seen this before. Other than this, the machine is running quite smoothly now. Here is a text copy of one of them (changed our email name to "myname"):

    From MAILER-DAEMON@yahoo.com Tue Sep 9 13:02:18 2014
    X-Apparently-To: (myname)@ameritech.net via 98.136.215.72; Tue, 09 Sep 2014 20:02:19 +0000
    Return-Path: <>
    Received-SPF: none (domain of nlpi167.prodigy.net does not designate permitted sender hosts)
    X-Originating-IP: [216.109.114.232]
    Authentication-Results: mta1035.sbc.mail.bf1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
    Received: from 207.115.36.39 (EHLO nlpi167.prodigy.net) (207.115.36.39)
    by mta1035.sbc.mail.bf1.yahoo.com with SMTP; Tue, 09 Sep 2014 20:02:19 +0000
    X-Originating-IP: [216.109.114.232]
    Received: from nm11-vm9.access.bullet.mail.bf1.yahoo.com (nm11-vm9.access.bullet.mail.bf1.yahoo.com [216.109.114.232])
    by nlpi167.prodigy.net (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id s89K2Ith022418
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
    for <(myname)@ameritech.net>; Tue, 9 Sep 2014 15:02:19 -0500
    Message-Id: <201409092002.s89K2Ith022418@nlpi167.prodigy.net>
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=bounce; t=1410292938; bh=kh8NCPOgjmSMinW98Dw3D2/J57mBVkGTV468Opg01mI=; h=From:To:Date:Subject:X-Yahoo-Newman-Property; b=lh0GRoV2Mxn8lN7ovsbKMw3y2VJv7793T4vb357nzzpsKmqY+qvVgPTgATRFeF6L9CyUjf96BKwqbMzI/5zAphehbZ683iuDOtKzbY7ntAUnfWCKeiMLD96aopyZtXuIhDUE0Ni8b51b1DWPHHBP8wn25e1vaO+0hY6ZJaNpeLQ=
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=bounce; d=yahoo.com;
    b=UIC6GGhtWBsGirmS8aUQhbuAQKFAYTKzrH9W05M4DrP1Dd2PH7ufEhHZ/4X/nqNX78RyM1yVioieWd1rCk5Wi7NiM88G0Ko4qRihObJALWKsLqFmFMrlUwWe7Vy9yK10Hlf+whoNozOfwLhFQ+rNsNDIyj+irQOQGV1OLdnrEEo=;
    From: MAILER-DAEMON@yahoo.com
    To: (myname)@ameritech.net
    Date: Tue, 09 Sep 2014 20:02:18 -0000
    Subject: Failure Notice
    X-Yahoo-Newman-Property: bmbounce
    Content-Length: 4750
     
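The headers quoted above are a delivery status notification (null `Return-Path: <>`, sender `MAILER-DAEMON`, `Subject: Failure Notice`). Added example, not from the thread: a small Python parser over a constructed copy of those headers (blob and signature bodies dropped, the redacted "(myname)" written as a plain local part) that pulls out the bounce markers, the SPF/DKIM results and the earliest visible relay, which is the check a defender would run before deciding whether a flood of bounces says anything about the local machine.

```python
import email
from email import policy

# Constructed sample: the bounce headers quoted in the post above, trimmed
# (mbox "From " line, X-YMailISG blob and signature bodies omitted) and
# with the redacted "(myname)" written as a plain local part so it parses.
BOUNCE_HEADERS = """\
Return-Path: <>
Received-SPF: none (domain of nlpi167.prodigy.net does not designate permitted sender hosts)
Authentication-Results: mta1035.sbc.mail.bf1.yahoo.com from=yahoo.com; domainkeys=pass (ok); from=yahoo.com; dkim=pass (ok)
Received: from 207.115.36.39 (EHLO nlpi167.prodigy.net) (207.115.36.39)
 by mta1035.sbc.mail.bf1.yahoo.com with SMTP; Tue, 09 Sep 2014 20:02:19 +0000
Received: from nm11-vm9.access.bullet.mail.bf1.yahoo.com (nm11-vm9.access.bullet.mail.bf1.yahoo.com [216.109.114.232])
 by nlpi167.prodigy.net (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id s89K2Ith022418
 for <myname@ameritech.net>; Tue, 9 Sep 2014 15:02:19 -0500
From: MAILER-DAEMON@yahoo.com
To: myname@ameritech.net
Date: Tue, 09 Sep 2014 20:02:18 -0000
Subject: Failure Notice
X-Yahoo-Newman-Property: bmbounce
Content-Length: 4750

"""


def classify_bounce(raw_headers: str) -> dict:
    """Summarise why a message is a bounce and where it entered the mail path."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    return_path = str(msg.get("Return-Path") or "").strip()
    sender = str(msg.get("From") or "").lower()
    auth = str(msg.get("Authentication-Results") or "").lower()
    # Received-SPF starts with the result keyword (none/pass/fail/...).
    spf = str(msg.get("Received-SPF") or "").split(" ", 1)[0].lower()
    # Each relay prepends its own Received header, so the last one listed is
    # the earliest hop we can see; its "from" host is where the bounce began.
    hops = [str(h) for h in (msg.get_all("Received") or [])]
    origin = hops[-1].split()[1] if hops else None
    return {
        # A delivery status notification carries a null reverse-path (<>).
        "is_bounce": return_path == "<>" and "mailer-daemon" in sender,
        "spf": spf,
        "dkim_pass": "dkim=pass" in auth,
        "hops": len(hops),
        "origin": origin,
        "provider_tag": str(msg.get("X-Yahoo-Newman-Property") or ""),
    }


if __name__ == "__main__":
    for key, value in classify_bounce(BOUNCE_HEADERS).items():
        print(f"{key}: {value}")
```

For this sample the earliest visible hop is a Yahoo bullet host, not the poster's own mailer, which is the detail to look at when many such notices arrive at once.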
  21. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Spam is never related to computer infection.
     
  22. Mark O

    Mark O TS Rookie Topic Starter

    OK Broni!! Good to go! We really appreciate all the time and concern you offer us all! I'll follow some of the other topics...now that I'm a fan! Donation coming...
     
  23. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Thank you :)
    Good luck!
     