
Rkill uncovers a missing service iphlpsvc,,,,how do i restore it?


  • This topic is locked
25 replies to this topic

#1 Rom2

Rom2

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 08 September 2013 - 04:34 PM

I think that the module was deleted by the ZeroAccess rootkit Trojan along with MpsSvc.

I have been working to get rid of the rootkit for 3 days, using many of the tools that you guys recommend and others as well. I think everything is OK now, but a rerun of RKill shows that the service is still missing.

Here is the log:


Attached Files




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:39 AM

Posted 08 September 2013 - 04:53 PM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again, I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Regards,
Georgi




#3 Rom2

Rom2
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:39 AM

Posted 08 September 2013 - 05:40 PM

Here it is:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-09-2013
Ran by Nancy K (administrator) on NANCYK-PC on 08-09-2013 18:24:11
Running from C:\Users\Nancy K\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
(Dell, Inc.) C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
() C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
() C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe
(Dropbox, Inc.) C:\Users\Nancy K\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(McAfee, Inc.) C:\Program Files\mcafee.com\agent\mcagent.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Broadcom Corporation.) c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
(Broadcom Corporation.) c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil64_11_8_800_94_ActiveX.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2247976 2010-07-15] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6486120 2010-09-03] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] - C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2120808 2010-09-03] (Realtek Semiconductor)
HKLM\...\Run: [NVHotkey] - rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
HKLM\...\Run: [IntelWireless] - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [Stage Remote] - C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [IntelliPoint] - C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [559616 2011-10-09] (Dell)
HKCU\...\Run: [Spybot-S&D Cleaning] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [3642312 2013-05-16] (Safer-Networking Ltd.)
HKCU\...\Run: [Pando Media Booster] - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe [4287536 2013-08-24] ()
HKLM-x32\...\Run: [NUSB3MON] - c:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1532992 2013-03-13] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2835443 2012-02-01] ()
HKLM-x32\...\Run: [SDTray] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Nancy K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Nancy K\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Nancy K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {4AE4E477-1F14-483A-93B1-9B0675B355F4} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 - DefaultScope {4AE4E477-1F14-483A-93B1-9B0675B355F4} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {4AE4E477-1F14-483A-93B1-9B0675B355F4} URL =
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120624180601.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120624180601.dll (McAfee, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: TopArcadeHits Games - {A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} - C:\Users\Nancy K\AppData\Local\TopArcadeHits\Toparcadehits.dll No File
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553570000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/", "hxxp://xfinity.comcast.net/?cid=insDate10252012"
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Nancy K\AppData\Local\Google\Chrome\Application\29.0.1547.62\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Nancy K\AppData\Local\Google\Chrome\Application\29.0.1547.62\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Nancy K\AppData\Local\Google\Chrome\Application\29.0.1547.62\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\Nancy K\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.0.61118.0\npctrl.dll No File
CHR Plugin: (McAfee SecurityCenter) - c:\progra~2\mcafee\msc\npmcsn~1.dll ()
CHR Extension: () - C:\Users\NANCYK~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdgdlcjhlbaphcjmagicjhhgfnkiihp\1.0.0_0
CHR Extension: (ARO 2013) - C:\Users\NANCYK~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\jddgoigfhpjafhnbgndmoeaokikjfomp\10.19.2.505_0
CHR Extension: (Google Analytics Debugger) - C:\Users\NANCYK~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\jnkmfdileelhofjcijamephohjechhna\2.6_0
CHR Extension: (529andYou) - C:\Users\NANCYK~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nekcpognkifhchlmgddjajmaiplidfhn\1.3.4.0_0
CHR Extension: (Google Wallet Service) - C:\Users\NANCYK~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.9_0
CHR Extension: (Read Your AOL Mail) - C:\Users\NANCYK~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\phgdojkomekmnemlclopfjlmbamhnafp\2.1.0.0_0
CHR HKLM-x32\...\Chrome\Extension: [abfmigjiaapipflmopkaaooigcjjdojh] - C:\Program Files (x86)\LyricsContainer\128.crx
CHR HKLM-x32\...\Chrome\Extension: [jddgoigfhpjafhnbgndmoeaokikjfomp] - C:\Users\Nancy K\AppData\Local\CRE\jddgoigfhpjafhnbgndmoeaokikjfomp.crx
==================== Services (Whitelisted) =================
S2 CLKMSVC10_9EC60124; c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [254448 2010-09-28] (CyberLink)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [109352 2013-09-07] (SurfRight B.V.)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [227232 2010-09-03] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 McNASvc; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [383608 2012-11-16] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [241456 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [182752 2013-02-19] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
S4 RemoteAccess; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2013-05-15] (Safer-Networking Ltd.)
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{5b51cb62-908d-be00-c32a-623c87aba4a2}\   \...\???\{5b51cb62-908d-be00-c32a-623c87aba4a2}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
==================== Drivers (Whitelisted) ====================
S3 BVRPMPR5; C:\Windows\SysWow64\drivers\BVRPMPR5.SYS [44224 2006-09-05] (BVRP Software)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-02-19] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179280 2013-02-19] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309840 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515968 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771536 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106552 2013-02-19] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [340216 2013-02-19] (McAfee, Inc.)
R1 SDHookDriver; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [63776 2013-05-16] ()
R1 SDHookDriver; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [63776 2013-05-16] ()
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13784 2009-11-02] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 BVRPMPR5; \??\C:\Windows\system32\drivers\BVRPMPR5.SYS [x]
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
U3 mfeavfk01; No ImagePath
S3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [x]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
S3 MREMPR5; \??\C:\PROGRA~2\COMMON~1\Motive\MREMPR5.SYS [x]
S3 MRENDIS5; \??\C:\PROGRA~2\COMMON~1\Motive\MRENDIS5.SYS [x]
S3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [x]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
S0 SMR322; System32\drivers\SMR322.SYS [x]
========================== Drivers MD5 =======================
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys B98F8C6E31CD07B2E6F71F7F648E38C0
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nusb3hub.sys 285ACEC1B13A15BA520AAE06BACB9CFF
C:\Windows\System32\DRIVERS\nusb3xhc.sys F6D625FF7B56BB6EA063F0D3A5BBC996
C:\Windows\System32\drivers\nvhda64v.sys E20ABD5B229760158F753CA90B97E090
C:\Windows\System32\DRIVERS\nvlddmkm.sys 011F0596D167D073E6813AE88E7947A9
C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\point64.sys 4F0878FD62D5F7444C5F1C4C66D9D293
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\System32\Drivers\PxHlpa64.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\qicflt.sys 0928BD20273625622722FE1DE5BBDE57
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys E61608AA35E98999AF9AAEEEA6114B0A
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rfcomm.sys 3DD798846E2C28102B922C56E71B7932
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\Rt64win7.sys EE082E06A82FF630351D1E0EBBD3D8D0
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\system32\drivers\sdbus.sys 111E0EBC0AD79CB0FA014B907B231CF0
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys E6BAF67CB6C590E3A57D35004AB28CDA
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys E6BAF67CB6C590E3A57D35004AB28CDA
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
C:\Windows\System32\DRIVERS\stdcfltn.sys 92E7F6666633D2DD91D527503DAA7BE0
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\SynTP.sys 36F506C894E1EA59C65FAF6398BDF49A
C:\Windows\System32\drivers\tcpip.sys DB74544B75566C974815E79A62433F29
C:\Windows\System32\DRIVERS\tcpip.sys DB74544B75566C974815E79A62433F29
C:\Windows\System32\drivers\tcpipreg.sys 1B16D0BD9841794A6E0CDE0CEF744ABC
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys 4CE278FC9671BA81A138D70823FCAA09
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\TurboB.sys 825E7A1F48FB8BCFBA27C178AAB4E275
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\Drivers\usbaapl64.sys C9E9D59C0099A9FF51697E9306A44240
C:\Windows\System32\DRIVERS\usbccgp.sys 6F1A3157A1C89435352CEB543CDB359C
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbehci.sys C025055FE7B87701EB042095DF1A2D7B
C:\Windows\System32\DRIVERS\usbhub.sys 287C6C9410B111B68B52CA298F7B8C24
C:\Windows\system32\drivers\usbohci.sys 9840FC418B4CBD632D3D0A667A725C31
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS FED648B01349A3C8395A5169DB5FB7D6
C:\Windows\system32\drivers\usbuhci.sys 62069A34518BCF9C1FD9E74B3F6DB7CD
C:\Windows\System32\Drivers\usbvideo.sys 454800C2BC7F3927CE030141EE4F4C50
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifimp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys 442783E2CB0DA19873B7A63833FF4CB4
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wimfltr.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWow64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys FE88B288356E7B47B74B13372ADD906D
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F
C:\Windows\System32\DRIVERS\WUDFRd.sys DDA4CAF29D8C0A297F886BFE561E6659
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
==================== One Month Modified Files and Folders =======
2013-08-16 10:01 - 2013-08-16 10:01 - 00000000 _____ C:\Windows\setuperr.log
2013-08-15 22:02 - 2013-08-15 22:00 - 00000288 _____ C:\Users\Nancy K\Downloads\RootkitRemover20130815220034.txt
2013-08-15 21:49 - 2013-08-15 21:49 - 00002898 _____ C:\Windows\System32\Tasks\{53BBC8B5-CBFF-44B9-9898-05E167B43221}
2013-08-13 19:26 - 2013-08-13 19:26 - 00000000 ____D C:\Users\NANCYK~1\AppData\Local\Citrix
2013-08-12 16:40 - 2013-08-12 16:40 - 00000165 _____ C:\ProgramData\ievndgksnuceobdtjpe.reg
2013-08-11 20:29 - 2011-11-23 14:32 - 00153600 ___SH C:\Users\Nancy K\Downloads\Thumbs.db
2013-08-11 16:58 - 2011-12-29 09:55 - 00000000 ____D C:\Users\Nancy K\Downloads\Celebrating Vermont Craftsmanship - Welcome to the 28th Annual Weston Craft Show in Weston, Vermont_files
2013-08-11 16:38 - 2013-08-11 16:38 - 12710739 _____ C:\Users\Nancy K\Downloads\stinger64-epo.zip
2013-08-11 16:37 - 2011-06-16 16:29 - 00000000 ____D C:\Users\Nancy K\Documents\Outlook Files
2013-08-11 16:36 - 2013-08-11 16:36 - 00551408 _____ (McAfee, Inc.) C:\Users\Nancy K\Downloads\rootkitremover.exe
2013-08-11 16:26 - 2011-01-26 19:19 - 00000000 ____D C:\Users\Nancy K\AppData\Roaming\Skype
2013-08-11 16:26 - 2011-01-21 07:53 - 00000000 ___DC C:\Users\NANCYK~1\AppData\Local\MigWiz
2013-08-11 16:24 - 2013-08-11 16:24 - 00002776 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2013-08-11 16:24 - 2013-08-11 16:24 - 00000824 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-08-11 16:24 - 2013-08-11 16:24 - 00000000 ____D C:\Program Files\CCleaner
2013-08-11 15:46 - 2013-08-11 15:46 - 00000000 ____D C:\Users\Nancy K\AppData\Roaming\SpeedyPC Software
Files to move or delete:
====================
C:\ProgramData\ievndgksnuceobdtjpe.reg
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-09-03 16:54
==================== End Of Log ============================




#4 B-boy/StyLe/
Malware Response Team, Bulgaria

Posted 09 September 2013 - 05:19 AM

Hi,

Now please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Next let's try to fix the broken services.

Please download the following files and save them to your desktop:

iphlpsvc.reg
RemoteAccess.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry; click YES.

Now reboot the computer.

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility. If you are using User Account Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and post a fresh log from Rkill.


Regards,

Georgi


Edited by B-boy/StyLe/, 09 September 2013 - 05:20 AM.



#5 Rom2
Topic Starter

Posted 09 September 2013 - 08:07 AM

Things look good. Will attach the rkill.txt.



#6 Rom2
Topic Starter

Posted 09 September 2013 - 08:28 AM

Getting an IasToricon error on reboot....otherwise things look good.

Hope my thanks does not jinx things....thanks Georgi



#7 B-boy/StyLe/
Malware Response Team, Bulgaria

Posted 09 September 2013 - 08:51 AM

Hi,

You forgot to attach this log:

    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Regards,

Georgi



#8 Rom2
Topic Starter

Posted 09 September 2013 - 01:13 PM

Sorry...was on the road....here it is




#9 B-boy/StyLe/
Malware Response Team, Bulgaria

Posted 10 September 2013 - 03:09 AM

Hi,

Nice work! :)
Let's check for leftovers.
Most of them should take no more than 5 minutes each.
Eset could take up to an hour or two depending on the size of your hard drive and the speed of your computer.
You can run these scans at night when you are not there and the computer is idle.

Also we need to repair some of the Windows services like Windows Update, Windows Firewall, Security Center etc. which were probably broken by the rootkit.
And then I'll give you my final recommendations:



STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 2




  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 3



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 4




  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 5



Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 6



Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.




STEP 7
 

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. OTL should now start. Change the following settings:
    - Click on the Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  5. Copy and Paste the following code into the Custom Scans/Fixes textbox.
  6. Don't copy the word "quote"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\*.*
    %USERPROFILE%\AppData\Roaming\Microsoft\*.
    %windir%\AppPatch\*.*
    %windir%\AppPatch\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.exe
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    imapi.sys
    fastfat.sys
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    CREXVX.OCX
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    /md5stop

  7. Push the Run Scan button.
  8. Two reports will open; attach the logs to your next reply.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Regards,

Georgi



#10 Rom2
Topic Starter

Posted 10 September 2013 - 01:19 PM

here come the logs.....

Attached Files

  • OTL.Txt (437.01KB)


#11 Rom2
Topic Starter

Posted 10 September 2013 - 01:28 PM

Here comes extra 2; it will be followed by extra 1 and extras.



#12 Rom2
Topic Starter

Posted 10 September 2013 - 01:35 PM

Hi ...I can't seem to get the other 2 parts of the busted-up extras to upload.

I will wait for your instructions and recommendations.
Here are the pastebin links:

http://pastebin.com/is1UD5Yc
http://pastebin.com/dGVyyp1K
http://pastebin.com/UwKwDzGt
http://pastebin.com/rWZ3W5M
http://pastebin.com/ixGu84Eu
http://pastebin.com/ubtcUTms

Many thanks....

#13 B-boy/StyLe/
Malware Response Team, Bulgaria

Posted 10 September 2013 - 06:11 PM

Hi,

Since I am not very familiar with the McAfee products, please tell me if this is a complete antivirus package with real-time protection or only a free tool that automatically checks and reports if your PC is protected (often bundled as optional software when you download Adobe Reader or Java, for example).

About the Extras.txt log: if it is too big then you can upload it here => http://www.filedropper.com/ and post back the link to the log in your next reply.

Also do you know what this is?

C:\ProgramData\ievndgksnuceobdtjpe.reg

If not, please don't run/merge the file but instead right-click on it and select Edit and then copy/paste the content of the text file in your next reply.

Also some of the links you posted are invalid:

http://pastebin.com/rWZ3W5M
http://pastebin.com/ubtcUTms

Can you please re-upload these logs?

We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    SafeBootMin:64bit: 06664113.sys - Driver
    SafeBootMin: 06664113.sys - Driver
    SafeBootNet:64bit: 06664113.sys - Driver
    SafeBootNet: 06664113.sys - Driver
    [2012/03/30 07:04:59 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{14DEED65-90B4-44D8-8675-E20086E7DECE}
    [2012/09/03 17:56:16 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{168CB87A-78E7-43B3-9A00-73B8526388D0}
    [2011/12/28 09:11:10 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{24EF8E2D-098D-4BF0-84C2-401109FF0281}
    [2011/06/30 18:25:06 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{52527259-78E2-4A8E-B3DD-70905564C470}
    [2013/05/04 18:16:44 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{6732E9B2-F786-41DA-9A98-06DCB9503F56}
    [2011/04/20 10:44:25 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{6B8655EA-C8DD-4610-A86A-8F3230628D75}
    [2013/01/27 13:52:13 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{8A5135C3-FEBF-42B1-87C9-BC8865B7C0BF}
    [2011/12/28 09:11:10 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{8E056458-9431-4C57-B4B9-A1E5C12EFE63}
    [2012/04/10 10:48:00 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{95910016-FAD5-4242-BF95-F0826C6A9B81}
    [2012/04/06 15:17:42 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{989F1622-89F2-460F-90B5-25481D56BDFB}
    [2011/10/29 20:14:19 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{A5D91EF3-63B6-4D4B-AF98-2D4E5276FA4D}
    [2011/10/29 20:15:04 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{D163157A-0CD1-4F4E-830A-6D853003AED2}
    [2011/05/20 18:04:31 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{D45C68CB-C8BE-4A60-869B-B4F22A746748}
    [2012/04/05 09:56:45 | 000,000,000 | ---D | M] -- C:\Users\Nancy K\AppData\Local\{F503BCA0-8272-4191-A372-18071EEB73D8}
    [2012/01/29 16:02:01 | 000,000,040 | ---- | M] ()(C:\Windows\SysNative\?Õ) -- C:\Windows\SysNative\꫰Õ
    [2012/01/29 16:02:01 | 000,000,040 | ---- | C] ()(C:\Windows\SysNative\?Õ) -- C:\Windows\SysNative\꫰Õ
    :files
    type C:\ComboFix.txt >> test.txt /c
    dir /s /a "C:\Windows\system32\config\systemprofile\AppData\Local\Google" /c
    dir /s /a "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google" /c
    :commands
    [emptytemp]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.

And finally can you please try with this version of RogueKillerx64.exe and let me know about the results?

It seems that I gave you the link to the wrong version of RogueKiller in my previous instructions. I am sorry about that!

Regards,

Georgi

Edited by B-boy/StyLe/, 10 September 2013 - 06:16 PM.

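Georgi's advice above, to open an unknown .reg file and read it rather than merging it, can be turned into a check. As an added example (not from the thread, and not from any of the tools it uses), this Python script parses a .reg export and flags Winlogon Shell/Userinit values that differ from the Windows 7 defaults; the suspicious sample is the content Rom2 posts for C:\ProgramData\ievndgksnuceobdtjpe.reg in his next reply, while the benign sample and its ExampleApp key are constructed.

```python
r"""Added example, not part of the thread: inspect a .reg export without
merging it and flag changes to the Winlogon logon values. A rewritten
"Shell" means something other than Explorer starts at every logon."""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Default logon values on Windows 7 (Userinit legitimately keeps its trailing comma).
EXPECTED_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Constructed sample 1: the .reg content quoted on this page. It points the
# shell at a batch file under C:\ProgramData (PROGRA~3 is its short name).
SUSPICIOUS_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\ievndgksnuceobdtjpe.bat"
'''

# Constructed sample 2: a harmless export that touches only an application key.
BENIGN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
@="default"
"Setting"="C:\\Program Files\\ExampleApp"
'''

# One value line: "name"=data or @=data (default value); names may contain escaped quotes.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(raw):
    """Undo .reg string escaping (a backslash escapes backslashes and quotes)."""
    return re.sub(r'\\(.)', r'\1', raw)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg file's contents.

    String data is unescaped; dword:/hex:/'-' (delete) data is kept verbatim.
    Regedit exports are UTF-16LE, so read files from disk with encoding="utf-16".
    """
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue  # continuation lines of multi-line hex data are out of scope here
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        entries[current][name] = data
    return entries


def audit_winlogon(entries):
    """Return [(value_name, data)] for Winlogon values that differ from the defaults."""
    findings = []
    for key, values in entries.items():
        if key.lower() != WINLOGON_KEY.lower():
            continue
        for name, expected in EXPECTED_WINLOGON.items():
            data = values.get(name)
            if data is not None and data.lower() != expected.lower():
                findings.append((name, data))
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_REG), ("benign", BENIGN_REG)):
        findings = audit_winlogon(parse_reg(text))
        print(f"{label}: {findings if findings else 'no Winlogon changes'}")
```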


#14 Rom2
Topic Starter

Posted 10 September 2013 - 07:55 PM

McAfee is a full service AV real time protection system.....not a freebie....alas in addition to the yearly fee they want you to pay for rootkit removal! What am I paying for?

Ievnkds....reg is a reg update:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\ievndgksnuceobdtjpe.bat"

New pastebin links: F6Ud215x MP26PR3G

OTL log:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SafeBootMin 06664113.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\06664113.sys\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SafeBootNet 06664113.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\06664113.sys\ deleted successfully.
C:\Users\Nancy K\AppData\Local\{14DEED65-90B4-44D8-8675-E20086E7DECE} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{168CB87A-78E7-43B3-9A00-73B8526388D0} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{24EF8E2D-098D-4BF0-84C2-401109FF0281} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{52527259-78E2-4A8E-B3DD-70905564C470} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{6732E9B2-F786-41DA-9A98-06DCB9503F56}\{D45C68CB-C8BE-4A60-869B-B4F22A746748} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{6732E9B2-F786-41DA-9A98-06DCB9503F56} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{6B8655EA-C8DD-4610-A86A-8F3230628D75} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{8A5135C3-FEBF-42B1-87C9-BC8865B7C0BF} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{8E056458-9431-4C57-B4B9-A1E5C12EFE63} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{95910016-FAD5-4242-BF95-F0826C6A9B81} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{989F1622-89F2-460F-90B5-25481D56BDFB} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{A5D91EF3-63B6-4D4B-AF98-2D4E5276FA4D} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{D163157A-0CD1-4F4E-830A-6D853003AED2} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{D45C68CB-C8BE-4A60-869B-B4F22A746748} folder moved successfully.
C:\Users\Nancy K\AppData\Local\{F503BCA0-8272-4191-A372-18071EEB73D8} folder moved successfully.
C:\Windows\SysNative\꫰Õ moved successfully.
File C:\Windows\SysNative\꫰Õ not found.
========== FILES ==========
< type C:\ComboFix.txt >> test.txt /c >
ComboFix 13-09-06.01 - Nancy K 09/07/2013 17:27:53.3.8 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6076.5130 [GMT -4:00]
Running from: c:\users\Nancy K\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Spybot - Search and Destroy *Enabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2013-08-07 to 2013-09-07 )))))))))))))))))))))))))))))))
.
.
2013-09-07 22:05 . 2013-09-07 22:05 -------- d-----w- c:\users\Hubris\AppData\Local\temp
2013-09-07 22:05 . 2013-09-07 22:05 -------- d-----w- c:\users\eoin\AppData\Local\temp
2013-09-07 22:05 . 2013-09-07 22:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-24 18:00 . 2013-08-24 18:00 -------- d-----w- c:\users\Nancy K\AppData\Roaming\NVIDIA
2013-08-24 18:00 . 2013-09-07 21:18 -------- d-----w- c:\users\Nancy K\AppData\Local\PMB Files
2013-08-24 17:59 . 2013-08-24 18:00 -------- d-----w- c:\programdata\PMB Files
2013-08-23 18:08 . 2013-09-07 22:01 -------- d-----w- c:\users\Nancy K\AppData\Local\CrashDumps
2013-08-22 17:33 . 2013-08-22 17:33 -------- d-----w- c:\program files (x86)\WordBiz
2013-08-22 17:24 . 2013-07-09 05:03 3913664 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-08-22 17:24 . 2013-07-09 06:03 5550528 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-22 17:24 . 2013-07-09 05:03 3968960 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-08-22 17:24 . 2013-07-09 05:54 1732032 ----a-w- c:\windows\system32\ntdll.dll
2013-08-22 17:24 . 2013-07-09 05:53 243712 ----a-w- c:\windows\system32\wow64.dll
2013-08-22 17:24 . 2013-07-09 04:53 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll
2013-08-22 17:24 . 2013-07-09 02:49 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2013-08-22 17:24 . 2013-07-09 04:52 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2013-08-22 17:24 . 2013-07-09 02:49 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2013-08-22 17:24 . 2013-07-09 02:49 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2013-08-22 17:24 . 2013-07-09 02:49 2048 ----a-w- c:\windows\SysWow64\user.exe
2013-08-21 23:41 . 2013-07-26 05:12 855552 ----a-w- c:\windows\system32\jscript.dll
2013-08-21 23:27 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-08-21 23:27 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-08-21 23:27 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-08-21 23:27 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-08-21 23:27 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-21 23:27 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-21 23:27 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-08-21 23:27 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-08-21 23:21 . 2013-07-19 01:58 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-21 23:21 . 2013-07-19 01:41 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-08-21 23:21 . 2013-07-25 09:25 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-21 23:21 . 2013-07-25 08:57 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-08-21 23:21 . 2013-07-09 05:51 1217024 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-21 23:21 . 2013-07-09 04:52 663552 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2013-08-21 23:21 . 2013-06-15 04:32 39936 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-21 23:21 . 2013-07-06 06:03 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-21 19:00 . 2013-08-21 19:00 -------- d-----w- c:\users\Nancy K\AppData\Roaming\Malwarebytes
2013-08-21 18:50 . 2013-08-21 18:50 -------- d-----w- c:\programdata\Malwarebytes
2013-08-21 18:50 . 2013-08-21 19:01 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-08-21 18:50 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-21 15:06 . 2013-08-21 17:13 -------- d-----w- c:\users\Nancy K\AppData\Local\NPE
2013-08-21 15:06 . 2013-08-21 15:06 -------- d-----w- c:\programdata\Norton
2013-08-19 21:14 . 2013-08-19 21:14 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-08-19 21:14 . 2013-08-19 21:14 -------- d-----w- c:\program files\iTunes
2013-08-19 21:14 . 2013-08-19 21:14 -------- d-----w- c:\program files\iPod
2013-08-18 21:41 . 2013-08-18 21:41 -------- d-----w- c:\programdata\Citrix
2013-08-16 22:18 . 2013-08-20 17:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-08-16 22:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-08-16 22:18 . 2013-08-20 20:04 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-08-16 21:43 . 2013-08-16 21:43 -------- d-----w- c:\users\Nancy K\AppData\Local\CRE
2013-08-16 21:43 . 2013-08-16 21:44 -------- d-----w- c:\program files (x86)\Conduit
2013-08-16 21:42 . 2013-08-16 21:42 -------- d-----w- c:\users\Nancy K\AppData\Local\Programs
2013-08-13 23:26 . 2013-08-13 23:26 -------- d-----w- c:\users\Nancy K\AppData\Local\Citrix
2013-08-12 20:40 . 2013-08-12 20:40 165 ----a-w- c:\programdata\ievndgksnuceobdtjpe.reg
2013-08-11 20:24 . 2013-08-11 20:24 -------- d-----w- c:\program files\CCleaner
2013-08-11 19:46 . 2013-08-18 11:29 -------- d-----w- c:\users\Nancy K\AppData\Roaming\DriverCure
2013-08-11 19:46 . 2013-08-11 19:46 -------- d-----w- c:\users\Nancy K\AppData\Roaming\SpeedyPC Software
2013-08-11 19:45 . 2013-08-16 22:37 -------- d-----w- c:\programdata\SpeedyPC Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-20 18:29 . 2012-03-30 15:26 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-20 18:29 . 2011-05-18 21:26 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-09 04:45 . 2013-08-22 17:24 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA}]
c:\users\Nancy K\AppData\Local\TopArcadeHits\Toparcadehits.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 130736 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 130736 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 130736 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2013-05-16 3642312]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2013-08-24 4287536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1532992]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-08-16 152392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-09 559616]
.
c:\users\Nancy K\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Nancy K\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-1-8 228448]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-3 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R0 SMR322;Symantec SMR Utility Service 3.2.2;c:\windows\System32\drivers\SMR322.SYS;c:\windows\SYSNATIVE\drivers\SMR322.SYS [x]
R1 SDHookDriver;Hook Test Driver;c:\program files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys;c:\program files (x86)\Spybot - Search & Destroy 2\SDHookDrv64.sys [x]
R2 ?etadpug;Google Update Service (gupdate);c:\program files (x86)\Google\Desktop\Install\{5b51cb62-908d-be00-c32a-623c87aba4a2}\ \...\???\{5b51cb62-908d-be00-c32a-623c87aba4a2}\GoogleUpdate.exe <;c:\program files (x86)\Google\Desktop\Install\{5b51cb62-908d-be00-c32a-623c87aba4a2}\ \...\???\{5b51cb62-908d-be00-c32a-623c87aba4a2}\GoogleUpdate.exe < [x]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/14 06:01;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [x]
R2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 qicflt;upper Device Filter Driver;c:\windows\system32\DRIVERS\qicflt.sys;c:\windows\SYSNATIVE\DRIVERS\qicflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [x]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys;c:\windows\SYSNATIVE\DRIVERS\Accelern.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:29]
.
2013-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-30 21:24]
.
2013-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-30 21:24]
.
2013-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-738033969-1467119907-4213131906-1000Core.job
- c:\users\Nancy K\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-16 20:45]
.
2013-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-738033969-1467119907-4213131906-1000UA.job
- c:\users\Nancy K\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-16 20:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 164016 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 164016 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 164016 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-17 14:45 164016 ----a-w- c:\users\Nancy K\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-09-03 6486120]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-09-03 2120808]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-08-12 283240]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"Stage Remote"="c:\program files (x86)\Dell\Stage Remote\StageRemote.exe" [2011-06-27 2022976]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:21320
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
Binary file temp00 matches
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-07 18:07:42
ComboFix-quarantined-files.txt 2013-09-07 22:07
ComboFix2.txt 2013-09-06 21:38
ComboFix3.txt 2013-08-21 21:04
.
Pre-Run: 482,889,990,144 bytes free
Post-Run: 482,710,773,760 bytes free
.
- - End Of File - - CBECCF8565E49F2163A1472F4720C96D
C:\Users\Nancy K\Desktop\cmd.bat deleted successfully.
C:\Users\Nancy K\Desktop\cmd.txt deleted successfully.
< dir /s /a "C:\Windows\system32\config\systemprofile\AppData\Local\Google" /c >
Volume in drive C is OS
Volume Serial Number is A4A8-BA66
C:\Users\Nancy K\Desktop\cmd.bat deleted successfully.
C:\Users\Nancy K\Desktop\cmd.txt deleted successfully.
< dir /s /a "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google" /c >
Volume in drive C is OS
Volume Serial Number is A4A8-BA66
C:\Users\Nancy K\Desktop\cmd.bat deleted successfully.
C:\Users\Nancy K\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: eoin
->Temp folder emptied: 0 bytes

User: Hubris
->Temp folder emptied: 0 bytes

User: Nancy K
->Temp folder emptied: 14771945 bytes
->Temporary Internet Files folder emptied: 378039325 bytes
->Java cache emptied: 8163432 bytes
->Google Chrome cache emptied: 464114719 bytes
->Apple Safari cache emptied: 167538688 bytes
->Flash cache emptied: 51616 bytes

User: Public
->Temp folder emptied: 0 bytes

User: SpryAssets
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10364 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42303946 bytes
RecycleBin emptied: 918016 bytes

Total Files Cleaned = 1,026.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 09102013_202643

Files\Folders moved on Reboot...
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UW6NH5P7\postmessageRelay[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UN2XOG7L\300x250_tribal_unsure[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UN2XOG7L\adTag[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UN2XOG7L\MP26PR3G[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T1M97CDS\fastbutton[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T1M97CDS\localStorage[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T1M97CDS\tcode3[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T1M97CDS\tcodewads_at[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJXOF27F\728x90_tribal_unsure[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJXOF27F\cs[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJXOF27F\cs[2].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QJXOF27F\st[1] moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MEFRTYNQ\like[3].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MEFRTYNQ\rkill-uncovers-a-missing-service-iphlpsvchow-do-i-restore-it[2].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MEFRTYNQ\suite[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MEFRTYNQ\suite[2].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CBOLYGXP\728x90[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CBOLYGXP\adTag[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AWGVG5EJ\300x250_us[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AWGVG5EJ\like[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AWGVG5EJ\um[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AWGVG5EJ\xd_arbiter[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9112JKAX\newmail[1].mp3 moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9112JKAX\pd[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6CBP27JI\ai[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6CBP27JI\ai[2].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1RAR4EMX\weatherRefresh[2].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1DO8PZIK\pd[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1DO8PZIK\xd_arbiter[1].htm moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\7A7E08C8-3FF5-45F2-873D-A84D669DC82F.dat moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Nancy K\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File\Folder C:\Windows\temp\mcafee_eNATHaIHnrtYdVV not found!
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


Here is the Rogue report:
RogueKiller V8.6.10 _x64_ [Sep 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Nancy K [Admin rights]
Mode : Scan -- Date : 09/10/2013 20:48:21
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5b51cb62-908d-be00-c32a-623c87aba4a2}\ \...\???ﯹ๛\{5b51cb62-908d-be00-c32a-623c87aba4a2}\GoogleUpdate.exe" < [x]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 6 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-738033969-1467119907-4213131906-1000UA.job : C:\Users\Nancy K\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-738033969-1467119907-4213131906-1000Core.job : C:\Users\Nancy K\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-738033969-1467119907-4213131906-1000Core : C:\Users\Nancy K\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-738033969-1467119907-4213131906-1000UA : C:\Users\Nancy K\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V2][SUSP PATH] IHSelfDeleteTASK : CMD - /C DEL C:\Users\NANCYK~1\AppData\Local\Temp\IHU8B63.tmp.exe [x][x] -> FOUND
[V2][SUSP PATH] IHUninstallTrackingTASK : CMD - /C DEL C:\Users\NANCYK~1\AppData\Local\Temp\IHU4ECB.tmp.exe [x][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HM640JJ +++++
--- User ---
[MBR] 2505843aa939947e2bfae47555ac832e
[BSP] fd634e9fab3a83954d641575909685a5 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 595440 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09102013_204821.txt >>




Rogue seems to want me to delete the identified keys and service....should I?

#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 September 2013 - 05:33 PM

Hi,

I am sorry for the delay (but it seems that we are in different time zones). :)

Getting an IAStorIcon error on reboot....otherwise things look good

This is related to your Intel drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

You can decide for yourself if you want to remove the program from the startup list.

In the Start Menu Search Box type msconfig and then press enter on your keyboard.

Click on the Startup tab and deselect all the software you want to disable.

McAfee is a full service AV real time protection system.....not a freebie....alas in addition to the yearly fee they want you to pay for rootkit removal! What am I paying for?

Ok, thank you for the clarification. It seems that you are right:

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

The main reason I asked you this was because there is a free version of McAfee Security Scan Plus which is used only to inform you about infections but cannot clean them and does not have real-time protection, and I was going to recommend that you install a full-featured antivirus program (but this is not needed anymore).

Ievnkds....reg is a reg update:

Reg update of what?

Also please double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Rogue seems to want me to delete the identified keys and service....should I?

I don't believe that the ZeroAccess service is still there because ControlSet001 always points to the ControlSet that is currently loaded and we don't need to update them. However, to be sure all is ok we can let RogueKiller get rid of it (if the entry still exists):

Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click the Registry tab and locate these:

[SERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{5b51cb62-908d-be00-c32a-623c87aba4a2}\ \...\???ﯹ๛\{5b51cb62-908d-be00-c32a-623c87aba4a2}\GoogleUpdate.exe" < [x]) -> FOUND

[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND

Place a checkmark on them, leave the others unchecked.

Now click on the Scheduled tasks

Place a checkmark next to each of these items:

[V2][SUSP PATH] IHSelfDeleteTASK : CMD - /C DEL C:\Users\NANCYK~1\AppData\Local\Temp\IHU8B63.tmp.exe [x][x] -> FOUND
[V2][SUSP PATH] IHUninstallTrackingTASK : CMD - /C DEL C:\Users\NANCYK~1\AppData\Local\Temp\IHU4ECB.tmp.exe [x][x] -> FOUND

Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop called.
Post the newest log in your next reply.

Regards,

Georgi
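
As an added example (not code from the thread, from RogueKiller or from any other tool used in it), here is a read-only Windows PowerShell check that does by script what the user was asked to look for in the RogueKiller Registry tab: it resolves which ControlSet00N is actually loaded from HKLM\SYSTEM\Select, then lists service keys whose names or ImagePath values look like the ???etadpug and ". e" entries above (non-printable characters, a leading dot or space, a "<" or an all-spaces path component). The function names and the heuristics are my own; the "?" marks in the logs stand for characters the log tools could not render.

```powershell
# Added example, not from the thread or any tool in it: a read-only hunt for
# service keys that resemble the ZeroAccess entries in the RogueKiller and
# ComboFix logs above. Run from an elevated Windows PowerShell prompt.

function Get-CurrentControlSetName {
    # HKLM\SYSTEM\Select\Current holds the N of the ControlSet00N that
    # CurrentControlSet links to; it is usually 001 but not guaranteed to be.
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name 'Current'
    return ('ControlSet{0:D3}' -f [int]$select.Current)
}

function Test-SuspiciousServiceName {
    param([string]$Name)
    # Legitimate service names are printable ASCII and do not start with a
    # dot or whitespace; "???etadpug" and ". e" in the logs fail these tests
    # (the "?" marks are characters the log tools could not render).
    return ($Name -match '[^\x20-\x7E]') -or ($Name -match '^[\s.]')
}

function Test-SuspiciousImagePath {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    # The ???etadpug ImagePath ends in "<", contains non-ASCII components and
    # a component made only of spaces ("\ \"); flag any of the three.
    return ($Path -match '<') -or
           ($Path -match '[^\x20-\x7E]') -or
           ($Path -match '\\ +\\')
}

function Find-SuspiciousServices {
    param([string]$ControlSet = (Get-CurrentControlSetName))

    # Names the Service Control Manager is willing to report (Win32 services
    # plus kernel and file-system drivers). A key hidden from the registry
    # API itself, which is what RogueKiller's "[Hidden from API]" tag means,
    # will not show up in this enumeration either; that case still needs an
    # anti-rootkit tool.
    $known = @{}
    Get-Service -ErrorAction SilentlyContinue |
        ForEach-Object { $known[$_.Name] = $true }
    Get-WmiObject -Class Win32_SystemDriver -ErrorAction SilentlyContinue |
        ForEach-Object { $known[$_.Name] = $true }

    $findings = @()
    $servicesKey = "HKLM:\SYSTEM\$ControlSet\Services"
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        $reasons = @()

        if (Test-SuspiciousServiceName -Name $name) { $reasons += 'odd service name' }
        if (Test-SuspiciousImagePath -Path $image)  { $reasons += 'odd ImagePath' }
        # A key that declares a service Type but that neither the SCM nor WMI
        # reports is worth a second look (heuristic; expect a few benign hits
        # from half-uninstalled products).
        if (($null -ne $props.Type) -and $image -and -not $known.ContainsKey($name)) {
            $reasons += 'in registry, not reported by SCM'
        }

        if ($reasons.Count -gt 0) {
            $findings += New-Object PSObject -Property @{
                ControlSet = $ControlSet
                Service    = $name
                ImagePath  = $image
                Reasons    = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

# Report only; nothing is deleted. Removing a confirmed hit is left to
# RogueKiller, as in the thread, so that its log records what was taken out.
Find-SuspiciousServices |
    Select-Object ControlSet, Service, ImagePath, Reasons |
    Format-Table -AutoSize -Wrap
```

Compare the output against the RogueKiller "Registry Entries" section before deleting anything; a hit on the "not reported by SCM" rule alone is a prompt to look, not proof of infection.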
