30 dllhost.exe *32 Com Surrogates In task Manager


  • This topic is locked
11 replies to this topic

#1 dabassguy1

  • Members
  • 10 posts

Posted 23 March 2014 - 10:18 AM

I have a persistent infection.

Windows 7 Pro 64-bit, Microsoft Security Essentials. Dell Dual Core Pentium, 4 GB RAM.

There are 30 dllhost.exe processes in taskmgr. There is a start item in HKCU that does not seem to be on the hard drive. I can log on as a different user and the dllhost.exe processes do not appear. I can run both RogueKiller and MalwareBytes Anti-Malware under the second login, and they find things to fix, but they do not fix the infection. Under the infected login RogueKiller freezes, and MalwareBytes has been running for hours now.


DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.16521
Run by Bob at 10:56:53 on 2014-03-23
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4009.1387 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_comm_customer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_system_customer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_host.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_user_customer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\msconfig.exe
C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_user_high_customer.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://bing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [GameServer539] "C:\Users\Bob\AppData\Roaming\Media Center Programs\WIN4830.exe"
uRun: [tyc4h08hcv34] "C:\ProgramData\m9dt734hfbjh\clhhnkfrd.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: securedomaonline.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: NameServer = 8.8.8.8
TCP: Interfaces\{B256369A-3B66-408D-80E6-78BC838B2F81} : DHCPNameServer = 8.8.8.8
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://www.google.com
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: GoToAssist Express Customer - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_winlogonx64.dll
x64-Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-3-22 55856]
R2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe [2014-2-25 610888]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-3-22 317440]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-3-22 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-13 111616]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 134944]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-4-4 1255736]
S4 HP DS Service;HP DS Service;C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [2011-10-17 13824]
S4 HP LaserJet Service;HP LaserJet Service;C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [2012-5-2 164864]
S4 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
S4 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S4 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S4 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-3-22 1691848]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
S4 WTS Paradigm Base Camp;WTS Paradigm Base Camp;C:\Program Files (x86)\WTS Paradigm\BaseCamp\BaseCampService.exe [2011-1-31 260608]
.
=============== Created Last 30 ================
.
2014-03-23 12:29:27 -------- d-----w- C:\Users\Bob\AppData\Roaming\Malwarebytes
2014-03-23 05:59:10 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{83DE8785-CB20-4557-BEEE-8D4EF137ADA3}\offreg.dll
2014-03-23 05:57:46 10521840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{83DE8785-CB20-4557-BEEE-8D4EF137ADA3}\mpengine.dll
2014-03-22 16:25:32 10521840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-22 03:56:33 -------- d-----w- C:\ProgramData\Malwarebytes
2014-03-22 03:56:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-03-22 03:56:32 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-22 00:48:14 -------- d-sh--w- C:\$RECYCLE.BIN
2014-03-21 19:54:48 169544 ----a-w- C:\Windows\System32\g2ax_credential_provider64_637.dll
2014-03-21 16:14:54 -------- d-----w- C:\FRST
2014-03-21 15:32:55 -------- d-----w- C:\AdwCleaner
2014-03-21 15:30:45 -------- d-----w- C:\Users\Bob\AppData\Local\CrashDumps
2014-03-21 13:55:26 -------- d-----w- C:\Windows\pss
2014-02-27 08:01:33 -------- d-----w- C:\Windows\Migration
.
==================== Find3M  ====================
.
2014-03-12 17:44:05 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 17:44:05 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:22 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:22 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
.
============= FINISH: 11:01:47.89 ===============
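The symptoms described above (dozens of dllhost.exe COM Surrogates, a per-user Run entry with no real file behind it) and the registry lines FRST later annotates in this thread can be triaged mechanically from the log text. The script below is an added example, not part of DDS, FRST or anything posted by the responders; it runs over constructed lines modelled on this thread's logs, and its dllhost threshold, user-writable path list and random-name heuristic are assumptions.

```python
"""Triage pass over DDS/FRST-style log lines.

Added example for this thread; not part of DDS, FRST or any BleepingComputer
tooling.  The threshold and the random-name heuristic are assumptions.
"""
import re
from collections import Counter

# Constructed sample modelled on the DDS/FRST lines quoted in this thread.
# The SID and the ExampleUpdater line are placeholders.
SAMPLE_LOG = r'''
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\system32\taskmgr.exe
HKU\S-1-5-21-0-0-0-1000\...\Run: [GameServer539] - C:\Users\Bob\AppData\Roaming\Media Center Programs\WIN4830.exe [0 2014-03-22] ()
HKU\S-1-5-21-0-0-0-1000\...\Run: [tyc4h08hcv34] - "C:\ProgramData\m9dt734hfbjh\clhhnkfrd.exe"
HKU\S-1-5-21-0-0-0-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume3\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\wow.dll
HKLM\...\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
'''

# Process-list line in FRST ("(Vendor) C:\path.exe") or DDS ("C:\path.exe -args") form.
PROCESS_RE = re.compile(r'^(?:\([^)]*\)\s+)?(?P<path>[A-Za-z]:\\.*?\.exe)(?:\s.*)?$', re.I)
# Run-key entry: FRST "HKU\...\Run: [name] - path [size date] (vendor)" or DDS 'uRun: [name] "path"'.
RUN_RE = re.compile(r'^(?P<hive>.*?)Run:\s*\[(?P<name>[^\]]+)\]\s*-?\s*"?(?P<path>[^"\[]+?)"?\s*(?:\[.*)?$', re.I)
# CLSID InprocServer32 value: the COM server DLL a host such as dllhost.exe will load.
INPROC_RE = re.compile(r'InprocServer32:\s*\[(?P<name>[^\]]+)\]\s*(?P<path>\S+)', re.I)
# FRST appends "[size date]" after the target path.
SIZE_RE = re.compile(r'\[(\d+) \d{4}-\d\d-\d\d\]')
# Lowercase letter/digit mix of 8+ chars, or 6+ letters without a single vowel.
RANDOM_NAME_RE = re.compile(r'^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}$|^[bcdfghjklmnpqrstvwxz]{6,}$')

DLLHOST_THRESHOLD = 3   # assumption: a handful of COM Surrogates is normal, dozens are not
USER_WRITABLE = ('\\programdata\\', '\\appdata\\', '\\temp\\', '\\users\\public\\')


def looks_random(token):
    """Heuristic only: catches names like m9dt734hfbjh or clhhnkfrd, not real words."""
    return bool(RANDOM_NAME_RE.match(token.lower()))


def count_processes(log_text):
    """Count process-list lines per executable name, e.g. {'dllhost.exe': 30}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            counts[m.group('path').rsplit('\\', 1)[-1].lower()] += 1
    return counts


def run_entry_reasons(name, path, raw_line):
    """Why an autorun entry deserves a look; an empty list means nothing odd."""
    reasons = []
    low = path.lower()
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append('autorun target lives in a user-writable location')
    segments = path.split('\\')[1:]                      # drop the drive letter
    if segments:
        segments[-1] = segments[-1].rsplit('.', 1)[0]   # strip .exe from the basename
    odd = [s for s in segments if looks_random(s)]
    if odd:
        reasons.append('random-looking path components: ' + ', '.join(odd))
    if looks_random(name):
        reasons.append('random-looking value name')
    size = SIZE_RE.search(raw_line)
    if size and size.group(1) == '0':
        reasons.append('size field reports a 0-byte target')
    return reasons


def inproc_reasons(path):
    """A COM server registered under a CLSID should be a DLL on a normal, signed path."""
    reasons = []
    low = path.lower()
    if low.startswith('\\\\?\\globalroot') or '\\device\\harddiskvolume' in low:
        reasons.append('server loaded through a \\\\?\\globalroot device path '
                       '(the pattern FRST tags "ZeroAccess?")')
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append('server DLL sits in a user-writable location')
    return reasons


def triage(log_text):
    """Return a list of findings, each a dict with kind, detail and reasons."""
    findings = []
    counts = count_processes(log_text)
    if counts['dllhost.exe'] > DLLHOST_THRESHOLD:
        findings.append({'kind': 'process_count',
                         'detail': 'dllhost.exe x%d' % counts['dllhost.exe'],
                         'reasons': ['far more COM Surrogate hosts than a desktop normally runs']})
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            name, path = m.group('name'), m.group('path').strip()
            reasons = run_entry_reasons(name, path, line)
            if reasons:
                findings.append({'kind': 'run', 'detail': '[%s] %s' % (name, path), 'reasons': reasons})
            continue
        m = INPROC_RE.search(line)
        if m:
            reasons = inproc_reasons(m.group('path'))
            if reasons:
                findings.append({'kind': 'inproc', 'detail': m.group('path'), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%-14s %s' % (f['kind'], f['detail']))
        for r in f['reasons']:
            print('    - ' + r)
```

Pasting a real DDS or FRST log in place of SAMPLE_LOG lists only the entries that tripped a check, so the benign Run entries and the whitelisted processes drop out of the picture.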
#2 aharonov

  • Malware Response Team
  • 2,441 posts

Posted 23 March 2014 - 01:55 PM

Hi there,

Please run a FRST scan:

Please download Farbar Recovery Scan Tool and save it to your Desktop.
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#3 dabassguy1
  • Topic Starter

  • Members
  • 10 posts

Posted 23 March 2014 - 02:08 PM

Thank you for your prompt attention.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Bob (administrator) on CENTRALPRODMGR on 23-03-2014 15:05:27
Running from C:\Users\Bob\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_system_customer.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_user_customer.exe
(Microsoft Corporation) C:\Windows\system32\taskmgr.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\system32\cmd.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_host.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
(Microsoft Corporation) C:\Windows\syswow64\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_winlogonx64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\...\Run: [GameServer539] - C:\Users\Bob\AppData\Roaming\Media Center Programs\WIN4830.exe [0 2014-03-22] ()
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\...\Run: [tyc4h08hcv34] - "C:\ProgramData\m9dt734hfbjh\clhhnkfrd.exe"
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume3\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\wow.dll ATTENTION! ====> ZeroAccess?
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
URLSearchHook: HKCU - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=mkg028
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR DefaultSearchKeyword: mysearchdial.com
CHR DefaultSearchProvider: Mysearchdial
CHR DefaultNewTabURL: 
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.10.8) - C:\Program Files (x86)\Java\jre7\bin\new_plugin\npdeployJava1.dll (Oracle Corporation)
CHR Plugin: (Java™ Platform SE 7 U1) - C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-11-19]
CHR Extension: (Google Search) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-11-19]
CHR Extension: (Yahoo! Toolbar for Chrome) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\eihhgekonheiliaidomffpplfhecmkag [2013-09-30]
CHR Extension: (Google Wallet) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-10]
CHR Extension: (Gmail) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-11-19]
 
==================== Services (Whitelisted) =================
 
R2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe [610888 2014-02-25] (Citrix Online, a division of Citrix Systems, Inc.)
S4 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S4 WTS Paradigm Base Camp; C:\Program Files (x86)\WTS Paradigm\BaseCamp\BaseCampService.exe [260608 2014-03-13] ()
 
==================== Drivers (Whitelisted) ====================
 
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 qknfd; system32\drivers\qknfd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-23 15:05 - 2014-03-23 15:05 - 00011289 _____ () C:\Users\Bob\Desktop\FRST.txt
2014-03-23 15:00 - 2014-03-23 15:00 - 02157056 _____ (Farbar) C:\Users\Bob\Desktop\FRST64.exe
2014-03-23 11:02 - 2014-03-23 11:03 - 00016652 _____ () C:\Users\Bob\Desktop\attach.txt
2014-03-23 11:02 - 2014-03-23 11:03 - 00014194 _____ () C:\Users\Bob\Desktop\dds.txt
2014-03-23 10:54 - 2014-03-23 10:53 - 00688992 ____R (Swearware) C:\Users\Bob\Desktop\dds.com
2014-03-23 08:29 - 2014-03-23 08:29 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-21 23:56 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-03-21 23:55 - 2014-03-21 23:55 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\ITTech\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-21 22:18 - 2014-03-21 22:18 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-03-21 20:48 - 2014-03-21 20:48 - 00010951 _____ () C:\ComboFix.txt
2014-03-21 15:56 - 2014-03-21 15:56 - 05190052 ____R (Swearware) C:\Users\ITTech\Downloads\ComboFix.exe
2014-03-21 15:54 - 2014-02-25 16:59 - 00169544 _____ (Citrix Online) C:\Windows\system32\g2ax_credential_provider64_637.dll
2014-03-21 15:53 - 2014-03-21 15:53 - 00753704 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\ITTech\Downloads\g2ax_customer_downloader_win32_x86.exe
2014-03-21 15:51 - 2014-03-21 15:51 - 00000000 ____D () C:\Users\ITTech\AppData\Local\Google
2014-03-21 15:48 - 2014-03-21 15:51 - 00002257 _____ () C:\Users\ITTech\Desktop\Google Chrome.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00001415 _____ () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\Virtual Machines
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-03-21 15:47 - 2014-03-21 15:47 - 00000000 ____D () C:\Users\ITTech\AppData\Local\VirtualStore
2014-03-21 15:44 - 2014-03-21 15:44 - 00127392 _____ () C:\Users\ITTech\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-21 15:44 - 2014-03-21 15:44 - 00001511 _____ () C:\Users\ITTech\Desktop\RKreport[0]_DN_03212014_154415.txt
2014-03-21 15:43 - 2014-03-21 15:43 - 00003199 _____ () C:\Users\ITTech\Desktop\RKreport[0]_S_03212014_154317.txt
2014-03-21 15:43 - 2014-03-21 15:43 - 00002685 _____ () C:\Users\ITTech\Desktop\RKreport[0]_D_03212014_154354.txt
2014-03-21 15:41 - 2014-03-21 15:44 - 00000000 ____D () C:\Users\ITTech\Desktop\RK_Quarantine
2014-03-21 15:41 - 2014-03-21 15:41 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Adobe
2014-03-21 15:38 - 2014-03-21 15:48 - 00000000 ____D () C:\Users\ITTech
2014-03-21 15:38 - 2014-03-21 15:38 - 00000020 ___SH () C:\Users\ITTech\ntuser.ini
2014-03-21 15:38 - 2013-11-06 10:40 - 00000000 ____D () C:\Users\ITTech\AppData\Local\SoftThinks
2014-03-21 15:38 - 2012-04-04 16:03 - 00000000 ____D () C:\Users\ITTech\AppData\Local\Microsoft Help
2014-03-21 15:38 - 2012-04-04 13:22 - 00001150 _____ () C:\Users\ITTech\Desktop\My Business Toolkit.lnk
2014-03-21 15:38 - 2009-07-14 00:54 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-03-21 15:38 - 2009-07-14 00:49 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-03-21 15:17 - 2014-03-21 15:16 - 03539584 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Bob\Documents\g2a_rs_installer_jgoodmangoodmanadjusting_com.exe
2014-03-21 15:14 - 2014-03-21 15:14 - 00014950 _____ () C:\Users\Bob\Desktop\hs_err_pid7672.log
2014-03-21 12:35 - 2014-03-21 13:30 - 00041700 _____ () C:\Users\Bob\Documents\Addition.txt
2014-03-21 12:32 - 2014-03-21 12:32 - 00000000 ____D () C:\Users\Bob\Documents\ProcessMonitor
2014-03-21 12:22 - 2011-06-05 17:20 - 03412856 _____ (Sysinternals - www.sysinternals.com) C:\Users\Bob\Documents\procexp.exe
2014-03-21 12:19 - 2014-03-21 13:30 - 00033953 _____ () C:\Users\Bob\Documents\FRST.txt
2014-03-21 12:14 - 2014-03-23 15:05 - 00000000 ____D () C:\FRST
2014-03-21 12:13 - 2014-03-21 12:02 - 02157056 _____ (Farbar) C:\Users\Bob\Documents\FRST64.exe
2014-03-21 11:32 - 2014-03-21 11:49 - 00000000 ____D () C:\AdwCleaner
2014-03-21 11:30 - 2014-03-23 15:05 - 00000000 ____D () C:\Users\Bob\AppData\Local\CrashDumps
2014-03-21 11:29 - 2014-03-21 11:29 - 00003313 _____ () C:\Users\Bob\Desktop\RKreport[0]_S_03212014_112928.txt
2014-03-21 11:29 - 2014-03-21 11:27 - 01950720 _____ () C:\Users\Bob\Documents\adwcleaner.exe
2014-03-21 10:35 - 2014-03-21 10:31 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Bob\Documents\tdsskiller.exe
2014-03-21 10:31 - 2014-03-21 10:42 - 00000000 ____D () C:\Users\Bob\Desktop\RK_Quarantine
2014-03-21 10:25 - 2014-03-21 10:48 - 04486144 _____ () C:\Users\Bob\Documents\RogueKillerX64.exe
2014-03-21 09:55 - 2014-03-21 09:55 - 00000000 ____D () C:\Windows\pss
2014-03-20 15:10 - 2014-03-23 14:21 - 00000072 _____ () C:\Windows\system32\wmehw.tkh
2014-03-20 15:00 - 2014-03-20 15:00 - 00000064 _____ () C:\Windows\system32\yajx.aze
2014-03-20 15:00 - 2014-03-20 15:00 - 00000000 _____ () C:\Windows\system32\uyqlfoj.uts
2014-03-20 14:41 - 2014-03-20 14:41 - 00230894 ____S () C:\Windows\system32\tznmkaj.eis
2014-03-17 02:21 - 2014-03-17 02:21 - 00000000 ____D () C:\Windows\Sun
2014-03-16 16:12 - 2014-03-17 10:47 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2014-03-13 15:00 - 2014-03-14 15:41 - 00000000 ____D () C:\Users\Bob\Desktop\ROOFING RELATED ITEMS
2014-03-13 00:32 - 2014-03-01 02:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-13 00:32 - 2014-03-01 01:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-13 00:32 - 2014-03-01 01:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-13 00:32 - 2014-03-01 00:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-13 00:32 - 2014-03-01 00:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-13 00:32 - 2014-03-01 00:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-13 00:32 - 2014-03-01 00:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-13 00:32 - 2014-03-01 00:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-13 00:32 - 2014-03-01 00:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-13 00:32 - 2014-03-01 00:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-13 00:32 - 2014-03-01 00:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-13 00:32 - 2014-03-01 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-13 00:32 - 2014-03-01 00:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-13 00:32 - 2014-03-01 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-13 00:32 - 2014-03-01 00:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-13 00:32 - 2014-03-01 00:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-13 00:32 - 2014-03-01 00:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-13 00:32 - 2014-02-28 23:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-13 00:32 - 2014-02-28 23:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-13 00:32 - 2014-02-28 23:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-13 00:32 - 2014-02-28 23:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-13 00:32 - 2014-02-28 23:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-13 00:32 - 2014-02-28 23:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-13 00:32 - 2014-02-28 23:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-13 00:32 - 2014-02-28 23:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-13 00:32 - 2014-02-28 23:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-13 00:32 - 2014-02-28 23:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-13 00:32 - 2014-02-28 23:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-13 00:32 - 2014-02-28 23:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-13 00:32 - 2014-02-28 23:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-13 00:32 - 2014-02-28 23:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-13 00:32 - 2014-02-28 23:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-13 00:32 - 2014-02-28 23:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-13 00:32 - 2014-02-28 23:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-13 00:32 - 2014-02-28 22:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-13 00:32 - 2014-02-28 22:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-13 00:32 - 2014-02-28 22:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-13 00:32 - 2014-02-28 22:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-13 00:32 - 2014-02-28 22:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-13 00:32 - 2014-02-28 22:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-13 00:32 - 2014-02-06 21:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-13 00:32 - 2014-02-03 22:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-13 00:32 - 2014-02-03 22:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-13 00:32 - 2014-02-03 22:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-13 00:32 - 2014-02-03 22:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-13 00:32 - 2014-01-28 22:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-13 00:32 - 2014-01-28 22:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-13 00:32 - 2014-01-27 22:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-06 08:38 - 2014-03-21 09:38 - 00000090 _____ () C:\Users\Bob\AppData\Roaming\WB.CFG
2014-02-28 14:34 - 2014-02-28 14:34 - 00016553 _____ () C:\Users\Bob\Documents\Copy of FEBRUARY 2014.xlsx
2014-02-25 17:04 - 2014-02-25 17:04 - 05185084 _____ (Swearware) C:\Users\Bob\Downloads\ComboFix (1).exe
2014-02-25 17:03 - 2014-03-20 16:48 - 05190052 ____R (Swearware) C:\Users\Bob\Desktop\ComboFix.exe
2014-02-25 16:59 - 2014-02-25 16:59 - 00001506 _____ () C:\Users\Bob\Desktop\GoToAssist Customer.lnk
2014-02-25 16:59 - 2014-02-25 16:59 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2014-02-24 12:09 - 2014-02-26 18:49 - 00944976 _____ () C:\Users\Bob\Documents\Window Base Price Book Training.pptx
 
==================== One Month Modified Files and Folders =======
 
2014-03-23 15:05 - 2014-03-23 15:05 - 00011289 _____ () C:\Users\Bob\Desktop\FRST.txt
2014-03-23 15:05 - 2014-03-21 12:14 - 00000000 ____D () C:\FRST
2014-03-23 15:05 - 2014-03-21 11:30 - 00000000 ____D () C:\Users\Bob\AppData\Local\CrashDumps
2014-03-23 15:00 - 2014-03-23 15:00 - 02157056 _____ (Farbar) C:\Users\Bob\Desktop\FRST64.exe
2014-03-23 14:58 - 2012-04-05 16:54 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-23 14:44 - 2012-07-19 12:39 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-23 14:24 - 2014-02-20 16:18 - 00000550 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1393054999-600409691-2559954116-1000.job
2014-03-23 14:21 - 2014-03-20 15:10 - 00000072 _____ () C:\Windows\system32\wmehw.tkh
2014-03-23 14:04 - 2012-03-22 19:40 - 01260204 _____ () C:\Windows\WindowsUpdate.log
2014-03-23 11:16 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-23 11:16 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-23 11:03 - 2014-03-23 11:02 - 00016652 _____ () C:\Users\Bob\Desktop\attach.txt
2014-03-23 11:03 - 2014-03-23 11:02 - 00014194 _____ () C:\Users\Bob\Desktop\dds.txt
2014-03-23 10:53 - 2014-03-23 10:54 - 00688992 ____R (Swearware) C:\Users\Bob\Desktop\dds.com
2014-03-23 10:04 - 2013-05-22 10:07 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-03-23 08:29 - 2014-03-23 08:29 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Malwarebytes
2014-03-23 08:28 - 2012-04-05 16:54 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-22 13:57 - 2009-07-14 01:13 - 00802218 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-22 13:52 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-22 13:52 - 2009-07-14 00:51 - 00049877 _____ () C:\Windows\setupact.log
2014-03-22 12:13 - 2010-11-20 23:47 - 00411466 _____ () C:\Windows\PFRO.log
2014-03-22 12:13 - 2009-07-14 01:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-03-22 12:12 - 2014-02-12 16:36 - 00000000 __SHD () C:\ProgramData\m9dt734hfbjh
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-21 23:55 - 2014-03-21 23:55 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\ITTech\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-21 22:18 - 2014-03-21 22:18 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-03-21 20:48 - 2014-03-21 20:48 - 00010951 _____ () C:\ComboFix.txt
2014-03-21 20:48 - 2012-05-23 09:55 - 00000000 ____D () C:\Qoobox
2014-03-21 20:41 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-03-21 18:45 - 2012-04-05 12:16 - 00000376 _____ () C:\Windows\ODBC.INI
2014-03-21 17:09 - 2012-04-04 13:11 - 00000000 ____D () C:\Users\Bob
2014-03-21 15:56 - 2014-03-21 15:56 - 05190052 ____R (Swearware) C:\Users\ITTech\Downloads\ComboFix.exe
2014-03-21 15:53 - 2014-03-21 15:53 - 00753704 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\ITTech\Downloads\g2ax_customer_downloader_win32_x86.exe
2014-03-21 15:51 - 2014-03-21 15:51 - 00000000 ____D () C:\Users\ITTech\AppData\Local\Google
2014-03-21 15:51 - 2014-03-21 15:48 - 00002257 _____ () C:\Users\ITTech\Desktop\Google Chrome.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00001415 _____ () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\Virtual Machines
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-03-21 15:48 - 2014-03-21 15:38 - 00000000 ____D () C:\Users\ITTech
2014-03-21 15:47 - 2014-03-21 15:47 - 00000000 ____D () C:\Users\ITTech\AppData\Local\VirtualStore
2014-03-21 15:44 - 2014-03-21 15:44 - 00127392 _____ () C:\Users\ITTech\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-21 15:44 - 2014-03-21 15:44 - 00001511 _____ () C:\Users\ITTech\Desktop\RKreport[0]_DN_03212014_154415.txt
2014-03-21 15:44 - 2014-03-21 15:41 - 00000000 ____D () C:\Users\ITTech\Desktop\RK_Quarantine
2014-03-21 15:43 - 2014-03-21 15:43 - 00003199 _____ () C:\Users\ITTech\Desktop\RKreport[0]_S_03212014_154317.txt
2014-03-21 15:43 - 2014-03-21 15:43 - 00002685 _____ () C:\Users\ITTech\Desktop\RKreport[0]_D_03212014_154354.txt
2014-03-21 15:41 - 2014-03-21 15:41 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Adobe
2014-03-21 15:38 - 2014-03-21 15:38 - 00000020 ___SH () C:\Users\ITTech\ntuser.ini
2014-03-21 15:16 - 2014-03-21 15:17 - 03539584 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Bob\Documents\g2a_rs_installer_jgoodmangoodmanadjusting_com.exe
2014-03-21 15:14 - 2014-03-21 15:14 - 00014950 _____ () C:\Users\Bob\Desktop\hs_err_pid7672.log
2014-03-21 13:30 - 2014-03-21 12:35 - 00041700 _____ () C:\Users\Bob\Documents\Addition.txt
2014-03-21 13:30 - 2014-03-21 12:19 - 00033953 _____ () C:\Users\Bob\Documents\FRST.txt
2014-03-21 12:32 - 2014-03-21 12:32 - 00000000 ____D () C:\Users\Bob\Documents\ProcessMonitor
2014-03-21 12:02 - 2014-03-21 12:13 - 02157056 _____ (Farbar) C:\Users\Bob\Documents\FRST64.exe
2014-03-21 11:49 - 2014-03-21 11:32 - 00000000 ____D () C:\AdwCleaner
2014-03-21 11:29 - 2014-03-21 11:29 - 00003313 _____ () C:\Users\Bob\Desktop\RKreport[0]_S_03212014_112928.txt
2014-03-21 11:27 - 2014-03-21 11:29 - 01950720 _____ () C:\Users\Bob\Documents\adwcleaner.exe
2014-03-21 10:48 - 2014-03-21 10:25 - 04486144 _____ () C:\Users\Bob\Documents\RogueKillerX64.exe
2014-03-21 10:42 - 2014-03-21 10:31 - 00000000 ____D () C:\Users\Bob\Desktop\RK_Quarantine
2014-03-21 10:31 - 2014-03-21 10:35 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Bob\Documents\tdsskiller.exe
2014-03-21 09:55 - 2014-03-21 09:55 - 00000000 ____D () C:\Windows\pss
2014-03-21 09:55 - 2012-04-04 13:14 - 00000000 ___RD () C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-21 09:38 - 2014-03-06 08:38 - 00000090 _____ () C:\Users\Bob\AppData\Roaming\WB.CFG
2014-03-21 09:18 - 2012-03-22 18:01 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-20 16:48 - 2014-02-25 17:03 - 05190052 ____R (Swearware) C:\Users\Bob\Desktop\ComboFix.exe
2014-03-20 15:00 - 2014-03-20 15:00 - 00000064 _____ () C:\Windows\system32\yajx.aze
2014-03-20 15:00 - 2014-03-20 15:00 - 00000000 _____ () C:\Windows\system32\uyqlfoj.uts
2014-03-20 14:41 - 2014-03-20 14:41 - 00230894 ____S () C:\Windows\system32\tznmkaj.eis
2014-03-20 14:41 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-03-20 13:58 - 2009-07-07 11:18 - 00000000 ____D () C:\Users\Bob\Desktop\FAX COVER PAGES
2014-03-20 07:39 - 2010-08-20 18:12 - 00000000 ____D () C:\Users\Bob\Desktop\SALES RELATED ITEMS
2014-03-19 03:01 - 2013-08-15 03:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-19 03:00 - 2012-04-04 15:21 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-17 17:50 - 2012-04-05 13:13 - 00002815 _____ () C:\Windows\mapping.ini
2014-03-17 17:50 - 2012-04-05 13:13 - 00000030 _____ () C:\Windows\capture.ini
2014-03-17 10:47 - 2014-03-16 16:12 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2014-03-17 02:21 - 2014-03-17 02:21 - 00000000 ____D () C:\Windows\Sun
2014-03-14 15:41 - 2014-03-13 15:00 - 00000000 ____D () C:\Users\Bob\Desktop\ROOFING RELATED ITEMS
2014-03-13 03:20 - 2009-07-14 00:45 - 00465160 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-13 03:19 - 2013-03-14 03:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-13 03:19 - 2013-03-14 03:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-13 03:03 - 2012-04-04 13:35 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-12 16:32 - 2012-12-05 08:57 - 00000000 ____D () C:\Users\Bob\Desktop\BOBS STUFF
2014-03-12 13:44 - 2012-07-19 12:39 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 13:44 - 2012-07-19 12:39 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 13:44 - 2012-03-22 17:46 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-07 04:00 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-03-06 09:35 - 2012-11-13 14:41 - 00000000 ____D () C:\Users\Bob\AppData\Local\Apps\2.0
2014-03-06 09:33 - 2013-01-07 10:50 - 00000000 ___RD () C:\Users\Bob\Desktop\ADMIN FORMS
2014-03-05 14:17 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-03-01 02:05 - 2014-03-13 00:32 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 01:17 - 2014-03-13 00:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 01:16 - 2014-03-13 00:32 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-01 00:58 - 2014-03-13 00:32 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-01 00:52 - 2014-03-13 00:32 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-01 00:51 - 2014-03-13 00:32 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-01 00:42 - 2014-03-13 00:32 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-01 00:40 - 2014-03-13 00:32 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-01 00:37 - 2014-03-13 00:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-01 00:33 - 2014-03-13 00:32 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-01 00:33 - 2014-03-13 00:32 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-01 00:32 - 2014-03-13 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-01 00:30 - 2014-03-13 00:32 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-01 00:23 - 2014-03-13 00:32 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-01 00:17 - 2014-03-13 00:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-01 00:11 - 2014-03-13 00:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-01 00:02 - 2014-03-13 00:32 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 23:54 - 2014-03-13 00:32 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 23:52 - 2014-03-13 00:32 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 23:51 - 2014-03-13 00:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 23:47 - 2014-03-13 00:32 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 23:43 - 2014-03-13 00:32 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 23:43 - 2014-03-13 00:32 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 23:42 - 2014-03-13 00:32 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 23:40 - 2014-03-13 00:32 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 23:38 - 2014-03-13 00:32 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 23:37 - 2014-03-13 00:32 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 23:35 - 2014-03-13 00:32 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 23:18 - 2014-03-13 00:32 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 23:16 - 2014-03-13 00:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 23:14 - 2014-03-13 00:32 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 23:10 - 2014-03-13 00:32 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 23:03 - 2014-03-13 00:32 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 23:00 - 2014-03-13 00:32 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 22:57 - 2014-03-13 00:32 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 22:38 - 2014-03-13 00:32 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 22:32 - 2014-03-13 00:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 22:27 - 2014-03-13 00:32 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 22:25 - 2014-03-13 00:32 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 22:25 - 2014-03-13 00:32 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-28 14:34 - 2014-02-28 14:34 - 00016553 _____ () C:\Users\Bob\Documents\Copy of FEBRUARY 2014.xlsx
2014-02-28 04:01 - 2011-02-10 10:33 - 00796594 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-02-26 18:49 - 2014-02-24 12:09 - 00944976 _____ () C:\Users\Bob\Documents\Window Base Price Book Training.pptx
2014-02-25 17:04 - 2014-02-25 17:04 - 05185084 _____ (Swearware) C:\Users\Bob\Downloads\ComboFix (1).exe
2014-02-25 16:59 - 2014-03-21 15:54 - 00169544 _____ (Citrix Online) C:\Windows\system32\g2ax_credential_provider64_637.dll
2014-02-25 16:59 - 2014-02-25 16:59 - 00001506 _____ () C:\Users\Bob\Desktop\GoToAssist Customer.lnk
2014-02-25 16:59 - 2014-02-25 16:59 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2014-02-24 14:15 - 2011-02-04 16:32 - 00000000 ____D () C:\Users\Bob\Desktop\JOB PHOTOS
 
ZeroAccess:
C:\Users\Bob\AppData\Local\{54c2e053-120a-f778-1168-84b81a007bb1}
C:\Users\Bob\AppData\Local\{54c2e053-120a-f778-1168-84b81a007bb1}\@
 
Alureon:
C:\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\wow.dll
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 23:24] - [2010-11-20 23:24] - 0513536 ____A (Microsoft Corporation) E8FFC9884F8E47F7C53A477FF6B48736
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-20 00:54
 
==================== End Of Log ============================
 
Addition.txt
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Bob at 2014-03-23 15:05:52
Running from C:\Users\Bob\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Microsoft Security Essentials (Disabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Disabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
 
==================== Installed Programs ======================
 
64 Bit HP CIO Components Installer (Version: 8.2.4 - Hewlett-Packard) Hidden
Accidental Damage Services Agreement (HKLM-x32\...\{EF85FEF4-EB92-4075-A6D2-5F519BB30A2C}) (Version: 2.0.0 - Dell Inc.)
Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader X (10.1.9) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Banctec Service Agreement (HKLM-x32\...\{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}) (Version: 2.0.0 - Dell Inc.)
Bing Bar (HKLM-x32\...\{08234a0d-cf39-4dca-99f0-0c5cb496da81}) (Version: 6.0.2282.0 - Microsoft Corporation)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Complete Care Business Service Agreement (HKLM-x32\...\{0ECFCB07-9BFE-4970-ACA1-D568D982760B}) (Version: 2.0.0 - Dell Inc.)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.50.4.0 - Conexant)
Consumer In-Home Service Agreement (HKLM-x32\...\{F47C37A4-7189-430A-B81D-739FF8A7A554}) (Version: 2.0.0 - Dell Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{92C42EDD-6524-4577-B2EB-6C68C63B6D4A}) (Version:  - Microsoft)
Dell DataSafe Local Backup - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 9.4.64 - Dell Inc.)
Dell DataSafe Local Backup (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 9.4.64 - Dell Inc.)
Dell DataSafe Online (HKLM-x32\...\{7EC66A95-AC2D-4127-940B-0445A526AB2F}) (Version: 2.1.19634 - Dell)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Home Systems Service Agreement (HKLM-x32\...\{AB2FDE4F-6BED-4E9E-B676-3DCCEBB1FBFE}) (Version: 2.0.0 - Dell Inc.)
DirectX 9 Runtime (x32 Version: 1.00.0000 - Sonic Solutions) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 33.0.1750.154 - Google Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.4805.320 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.22.5 - Google Inc.) Hidden
GoToAssist Customer 2.0.0.637 (HKLM-x32\...\GoToAssist Express Customer) (Version: 2.0.0.637 - Citrix Online)
GoToMeeting 6.2.0.1350 (HKCU\...\GoToMeeting) (Version: 6.2.0.1350 - CitrixOnline)
HostExplorer for Windows NT (HKLM-x32\...\HostExplorer) (Version:  - )
HP LaserJet 400 M401 (HKLM-x32\...\{8989F6D9-550C-4178-A8CB-75B82A06621F}) (Version: 5.0.12200.835 - Hewlett-Packard)
HP LaserJet 400 M401 HP Device Toolbox (x32 Version: 29.0.84.0 - Hewlett-Packard Co.) Hidden
HP Product FWUpdater (x32 Version: 4.0.0.7242 - Hewlett-Packard Company) Hidden
HP Unified IO (Version: 2.0.0.404 - HP) Hidden
HP Unified IO (x32 Version: 2.0.0.404 - HP) Hidden
HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
hpbDSService (x32 Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM401DSService (x32 Version: 001.001.05874 - Hewlett-Packard) Hidden
HPDXP (x32 Version: 3.0.26.1 - HP) Hidden
HPLaserJet400-M401_HelpLearnCenter_SI (HKLM-x32\...\{4989DD05-86FB-4CA2-96C5-923DFAD89DA3}) (Version: 1.01.0000 - Hewlett-Packard)
HPLJDXPHelper (x32 Version: 020.021.004 - HP) Hidden
HPLJUTCore (x32 Version: 004.005.0001 - HP) Hidden
HPLJUTM401 (x32 Version: 3.00.0003 - HP) Hidden
hppLaserJetService (x32 Version: 009.027.00856 - Hewlett-Packard) Hidden
hppM401LaserJetService (x32 Version: 001.019.00639 - Hewlett-Packard) Hidden
hpStatusAlerts (x32 Version: 050.037.00142 - Hewlett Packard) Hidden
hpStatusAlertsM401 (x32 Version: 050.034.00131 - Hewlett-Packard) Hidden
iCloud (HKLM\...\{EAFB2AD8-D92B-464C-8D97-B9CB94703C4A}) (Version: 3.0.2.163 - Apple Inc.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2291 - Intel Corporation)
iTunes (HKLM\...\{F73A118B-8271-47E2-8790-0C636B2539C5}) (Version: 11.1.0.126 - Apple Inc.)
Java Auto Updater (x32 Version: 2.1.5.1 - Sun Microsystems, Inc.) Hidden
Java™ 7 Update 1 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417001FF}) (Version: 7.0.10 - Oracle)
Java™ 7 Update 1 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217001FF}) (Version: 7.0.10 - Oracle)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LJDXPHelperUI (x32 Version: 020.021.004 - HP) Hidden
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2000 SR-1 Premium (HKLM-x32\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.9327 - Microsoft Corporation)
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{820B6609-4C97-3A2B-B644-573B06A0F0CC}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
PhotoShowExpress (x32 Version: 2.0.063 - Sonic Solutions) Hidden
QualxServ Service Agreement (HKLM-x32\...\{903679E8-44C8-4C07-9600-05C92654FC50}) (Version: 2.0.0 - Dell Inc.)
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
RBVirtualFolder64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Roxio Activation Module (x32 Version: 1.0 - Roxio) Hidden
Roxio BackOnTrack (x32 Version: 1.3.3 - Roxio) Hidden
Roxio Burn (x32 Version: 1.8 - Roxio) Hidden
Roxio Creator Starter (HKLM-x32\...\{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}) (Version: 12.1.77.0 - Roxio)
Roxio Creator Starter (x32 Version: 1.0.439 - Roxio) Hidden
Roxio Creator Starter (x32 Version: 5.0.0 - Roxio) Hidden
Roxio Express Labeler 3 (x32 Version: 3.2.2 - Roxio) Hidden
Roxio File Backup (Version: 1.3.2 - Roxio) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version:  - Microsoft) Hidden
Sonic CinePlayer Decoder Pack (x32 Version: 4.3.0 - Sonic Solutions) Hidden
The Weather Channel App (HKLM-x32\...\The Weather Channel App) (Version:  - )
Uninstall EyeMax DVR Client (HKLM-x32\...\TibetSystem - Uninstall EyeMax DVR Client) (Version: Version 5.5.4.0 - )
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{DA2F7ECE-6629-4A80-9CDE-EC95261B75E2}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version:  - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)
Update for Microsoft Visio 2010 (KB2878227) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5D357893-40BA-4323-86BA-D97C66CD72F4}) (Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version:  - Microsoft)
WindowExpress (HKLM-x32\...\InstallShield_{EA27125F-5782-4285-8466-BFFC1BFCC3E2}) (Version: 3.5.3025 - WTS Paradigm)
WindowExpress (x32 Version: 3.5.3025 - WTS Paradigm) Hidden
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows XP Mode (HKLM\...\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16423 - Microsoft Corporation)
WTS Paradigm Base Camp (HKLM-x32\...\{85F38E17-C6C2-4846-9CCB-37BF05A7EBB7}) (Version: 1.0.0 - WTS Paradigm)
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version:  - )
Yahoo! Toolbar (HKLM-x32\...\Yahoo! Companion) (Version:  - Yahoo! Inc.)
 
==================== Restore Points  =========================
 
22-03-2014 01:36:33 Scheduled Checkpoint
22-03-2014 16:25:19 Windows Update
 
==================== Hosts content: ==========================
 
2009-07-13 22:34 - 2014-03-21 20:41 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {03919817-8317-4420-A42C-2429AA766AD5} - System32\Tasks\HPLJCustParticipation => C:\Program Files (x86)\HP\HPLJUT\HPLJUTSCH.exe [2012-06-15] (Hewlett Packard)
Task: {0B078FC9-C8DC-4161-B7CE-2578D8622738} - \Digital Sites No Task File
Task: {6078CA8D-665F-4213-8BAB-8EF263872E06} - System32\Tasks\JavaUpdateSched => %COMMONPROGRAMFILES(x86)%\Java\Java Update\jusched.exe
Task: {62CD95FD-ECD4-4DE6-B669-9C4AF562FF29} - System32\Tasks\G2MUpdateTask-S-1-5-21-1393054999-600409691-2559954116-1000 => C:\Users\Bob\AppData\Local\Citrix\GoToMeeting\1298\g2mupdate.exe [2014-02-20] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {80CC9740-1844-4E57-881F-D1C2831BEC6E} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-31] (PC-Doctor, Inc.)
Task: {92D56F8D-703D-4FA2-A907-05FFF822207E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-12] (Adobe Systems Incorporated)
Task: {AFCCB41D-5120-4388-9BA3-BCB27DAAB17C} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {B2E4A629-1C29-4228-A7F8-F3076D5AF2C2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05] (Google Inc.)
Task: {C7754459-E48C-41E5-86F8-060102AA0F88} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {D148C69A-8B54-4150-8816-7900EB448C93} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-04-05] (Google Inc.)
Task: {E627952F-B8A2-4998-ADF9-CBF644344FAE} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-31] (PC-Doctor, Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1393054999-600409691-2559954116-1000.job => C:\Users\Bob\AppData\Local\Citrix\GoToMeeting\1298\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2014-03-15 13:00 - 2014-03-14 20:50 - 00051016 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_elf.dll
2014-03-15 13:00 - 2014-03-14 20:50 - 00716616 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\libglesv2.dll
2014-03-15 13:00 - 2014-03-14 20:50 - 00100168 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\libegl.dll
2014-03-15 13:00 - 2014-03-14 20:50 - 04061000 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll
2014-03-15 13:00 - 2014-03-14 20:50 - 00394568 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll
2014-03-15 13:00 - 2014-03-14 20:50 - 01647432 _____ () C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: HP DS Service => 2
MSCONFIG\Services: HP LaserJet Service => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: NOBU => 2
MSCONFIG\Services: RoxMediaDB12OEM => 3
MSCONFIG\Services: RoxWatch12 => 2
MSCONFIG\Services: SftService => 2
MSCONFIG\Services: stllssvr => 3
MSCONFIG\Services: WTS Paradigm Base Camp => 2
MSCONFIG\Services: YahooAUService => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\Windows\pss\Microsoft Office.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Bob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^flashcl.lnk => C:\Windows\pss\flashcl.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Bob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^flashsec.lnk => C:\Windows\pss\flashsec.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Bob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^flashupdate.lnk => C:\Windows\pss\flashupdate.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: Dell DataSafe Online => C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
MSCONFIG\startupreg: StatusAlerts => "C:\Program Files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
MSCONFIG\startupreg: tyc4h08hcv34 => "C:\ProgramData\m9dt734hfbjh\clhhnkfrd.exe"
MSCONFIG\startupreg: WTSParadigmBaseCamp => C:\Program Files (x86)\WTS Paradigm\BaseCamp\BaseCampTray.exe
 
==================== Faulty Device Manager Devices =============
 
Name: Internet Access Server
Description: Internet Access Server
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: qknfd
Description: qknfd
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: qknfd
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/23/2014 03:05:23 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000e3244
Faulting process id: 0x27c4
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:05:20 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00133244
Faulting process id: 0x1cd8
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:04:53 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000e3244
Faulting process id: 0x1560
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:04:31 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00283244
Faulting process id: 0x1abc
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:03:15 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x001d3244
Faulting process id: 0x1b14
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:01:34 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00073244
Faulting process id: 0xeb8
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:00:56 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00073244
Faulting process id: 0x2420
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:00:50 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000e3244
Faulting process id: 0x2598
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:00:42 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00073244
Faulting process id: 0x14e4
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
Error: (03/23/2014 03:00:14 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore, version: 0.0.0.0, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000b3244
Faulting process id: 0x1e94
Faulting application start time: 0xiexplore0
Faulting application path: iexplore1
Faulting module path: iexplore2
Report Id: iexplore3
 
 
System errors:
=============
Error: (03/22/2014 01:52:25 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
qknfd
 
Error: (03/22/2014 01:52:15 PM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error: 
%%4203
 
Error: (03/22/2014 00:14:22 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
qknfd
 
Error: (03/22/2014 00:14:11 PM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error: 
%%4203
 
Error: (03/21/2014 08:41:29 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (03/21/2014 05:09:25 PM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (03/21/2014 05:09:25 PM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (03/21/2014 05:00:14 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (03/21/2014 04:14:19 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time.  Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
 
Error: (03/21/2014 03:48:06 PM) (Source: UmrdpService) (User: )
Description: Driver EPSON WF-2540 Series required for printer WF-2540 Series(Network) is unknown. Contact the administrator to install the driver before you log in again.
 
 
Microsoft Office Sessions:
=========================
Error: (03/23/2014 03:05:23 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005000e324427c401cf46ca81875a15c:\program files\internet explorer\iexploreunknown157c50eb-b2be-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:05:20 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005001332441cd801cf46cac78231e6c:\program files\internet explorer\iexploreunknown13f50ef0-b2be-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:04:53 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005000e3244156001cf46ca71ca7ef7c:\program files\internet explorer\iexploreunknown03970f76-b2be-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:04:31 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005002832441abc01cf46caae6b8e4bc:\program files\internet explorer\iexploreunknownf688bc96-b2bd-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:03:15 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005001d32441b1401cf46ca81a3bc1fc:\program files\internet explorer\iexploreunknownc946fdb1-b2bd-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:01:34 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c000000500073244eb801cf46ca4794abeec:\program files\internet explorer\iexploreunknown8d08a940-b2bd-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:00:56 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c000000500073244242001cf46ca2c03d74ac:\program files\internet explorer\iexploreunknown76980242-b2bd-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:00:50 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005000e3244259801cf46ca2cb4b351c:\program files\internet explorer\iexploreunknown72859f0f-b2bd-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:00:42 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c00000050007324414e401cf46ca229044dcc:\program files\internet explorer\iexploreunknown6e131913-b2bd-11e3-aad5-d4bed9ccd918
 
Error: (03/23/2014 03:00:14 PM) (Source: Application Error)(User: )
Description: iexplore0.0.0.04a5bc6b7unknown0.0.0.000000000c0000005000b32441e9401cf46c982b388d0c:\program files\internet explorer\iexploreunknown5d3c8c75-b2bd-11e3-aad5-d4bed9ccd918
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-03-22 12:12:27.361
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-22 01:21:33.595
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-21 23:52:15.933
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-21 17:09:25.451
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-21 17:09:25.381
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-21 17:09:25.321
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-21 17:09:25.251
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-21 15:50:15.443
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-20 17:06:59.117
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-20 17:06:59.039
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 67%
Total physical RAM: 4008.64 MB
Available physical RAM: 1307.69 MB
Total Pagefile: 8015.47 MB
Available Pagefile: 4675.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:208.69 GB) (Free:93.56 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 78934D7B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=24 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=209 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================


#4 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 23 March 2014 - 02:50 PM

There is more than one infection running on your system.
  • Start FRST with Administrator privileges.
  • Write the following text into the Search: textbox:
    rpcss.dll
  • Click on the Search File(s) button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


#5 dabassguy1

  • Topic Starter
  • Members
  • 10 posts

Posted 23 March 2014 - 03:06 PM

Search.txt

 

Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Bob at 2014-03-23 16:01:29
Running from C:\Users\Bob\Desktop
Boot Mode: Normal
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 23:24] - [2010-11-20 23:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123
 
C:\Windows\System32\rpcss.dll
[2010-11-20 23:24] - [2010-11-20 23:24] - 0513536 ____A (Microsoft Corporation) E8FFC9884F8E47F7C53A477FF6B48736
 
C:\Windows\ERDNT\cache64\rpcss.dll
[2012-05-23 10:06] - [2010-11-20 23:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123
 
====== End Of Search ======
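The three hits above are the point of the search: the WinSxS and ERDNT copies of rpcss.dll share size and MD5, while the live System32 copy is 1536 bytes larger with a different hash. As an added example (not FRST's code or the helper's), here is a small Python parser for this Search.txt format that flags the disagreeing copy and emits a restore line in the `Replace:` form FRST fixlists use; the sample input is constructed from the values posted above, and the parser assumes FRST's two-line path/metadata layout.

```python
"""Flag a patched system DLL from an FRST "Search File(s)" report (Search.txt).
Added example, not code from FRST or the thread's helper; the sample input is
constructed from the values posted in the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the three copies of rpcss.dll reported above.
SAMPLE_SEARCH = r"""
Running from C:\Users\Bob\Desktop
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 23:24] - [2010-11-20 23:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll
[2010-11-20 23:24] - [2010-11-20 23:24] - 0513536 ____A (Microsoft Corporation) E8FFC9884F8E47F7C53A477FF6B48736

C:\Windows\ERDNT\cache64\rpcss.dll
[2012-05-23 10:06] - [2010-11-20 23:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

====== End Of Search ======
"""

# Metadata line FRST prints under each located path:
# [created] - [modified] - size attributes (company) MD5
META_RE = re.compile(
    r"^\[[\d\- :]+\] - \[(?P<modified>[\d\- :]+)\] - "
    r"(?P<size>\d+) \S+ \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

@dataclass
class FileCopy:
    path: str
    modified: str
    size: int
    company: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

@dataclass
class Finding:
    name: str
    suspect: FileCopy      # the copy whose hash disagrees
    reference: FileCopy    # a consensus copy usable as restore source
    consensus_md5: str

    @property
    def size_delta(self) -> int:
        return self.suspect.size - self.reference.size

def parse_search(text: str) -> List[FileCopy]:
    """Parse Search.txt into one FileCopy per path/metadata line pair."""
    lines = [ln.strip() for ln in text.splitlines()]
    copies: List[FileCopy] = []
    for i in range(len(lines) - 1):
        m = META_RE.match(lines[i + 1])
        # A result is a drive path followed by its metadata line (the "Running from C:\..." header is not).
        if m and ":\\" in lines[i] and not META_RE.match(lines[i]):
            copies.append(FileCopy(lines[i], m["modified"], int(m["size"]),
                                   m["company"], m["md5"].upper()))
    return copies

def pick_reference(good: List[FileCopy]) -> FileCopy:
    """Prefer a consensus copy outside the live system directories (WinSxS, ERDNT)."""
    live = ("\\system32\\", "\\syswow64\\")
    outside = [c for c in good if not any(d in c.path.lower() for d in live)]
    return (outside or good)[0]

def find_outliers(copies: List[FileCopy]) -> List[Finding]:
    """Flag copies whose MD5 disagrees with the majority of same-named copies.

    Caveat: the vote trusts the component-store/backup copies; if most copies
    were patched it would be wrong, so also compare against a known-good hash.
    """
    by_name: Dict[str, List[FileCopy]] = {}
    for c in copies:
        by_name.setdefault(c.name, []).append(c)
    findings: List[Finding] = []
    for name, group in by_name.items():
        consensus, votes = Counter(c.md5 for c in group).most_common(1)[0]
        if votes < 2 or votes == len(group):
            continue  # no majority to trust, or every copy agrees
        reference = pick_reference([c for c in group if c.md5 == consensus])
        findings.extend(Finding(name, c, reference, consensus)
                        for c in group if c.md5 != consensus)
    return findings

def frst_replace_directive(f: Finding) -> str:
    """Fixlist line in the 'Replace: <source> <target>' form FRST accepts."""
    return f"Replace: {f.reference.path} {f.suspect.path}"

if __name__ == "__main__":
    for finding in find_outliers(parse_search(SAMPLE_SEARCH)):
        print(f"{finding.suspect.path}: {finding.suspect.md5} ({finding.size_delta:+d} B) != {finding.consensus_md5}")
        print(frst_replace_directive(finding))
```

The majority vote only says which copy is the odd one out; confirming that the consensus hash is the genuine Microsoft file still needs a known-good reference.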


#6 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:34 PM

Posted 23 March 2014 - 03:52 PM

Ok, now let's try to remove the malware:


Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button. Allow a reboot if required.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2

Start FRST with administrator privileges.

  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#7 dabassguy1

dabassguy1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 23 March 2014 - 05:04 PM

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Bob at 2014-03-23 17:54:12 Run:1
Running from C:\Users\Bob\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
Replace: C:\Windows\ERDNT\cache64\rpcss.dll C:\Windows\System32\rpcss.dll
(Microsoft Corporation) C:\Windows\syswow64\svchost.exe
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\...\Run: [GameServer539] - C:\Users\Bob\AppData\Roaming\Media Center Programs\WIN4830.exe [0 2014-03-22] ()
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\...\Run: [tyc4h08hcv34] - "C:\ProgramData\m9dt734hfbjh\clhhnkfrd.exe"
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume3\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\wow.dll ATTENTION! ====> ZeroAccess?
C:\Users\Bob\AppData\Roaming\Media Center Programs\WIN4830.exe
C:\ProgramData\m9dt734hfbjh
2014-03-20 15:10 - 2014-03-23 14:21 - 00000072 _____ () C:\Windows\system32\wmehw.tkh
2014-03-20 15:00 - 2014-03-20 15:00 - 00000064 _____ () C:\Windows\system32\yajx.aze
2014-03-20 15:00 - 2014-03-20 15:00 - 00000000 _____ () C:\Windows\system32\uyqlfoj.uts
2014-03-20 14:41 - 2014-03-20 14:41 - 00230894 ____S () C:\Windows\system32\tznmkaj.eis
C:\Users\Bob\AppData\Local\Temp\soudwow
C:\Users\Bob\AppData\Local\{54c2e053-120a-f778-1168-84b81a007bb1}
Reboot:
*****************
 
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\ERDNT\cache64\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
[3560] C:\Windows\syswow64\svchost.exe => Process closed successfully.
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\Software\Microsoft\Windows\CurrentVersion\Run\\GameServer539 => Value deleted successfully.
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\Software\Microsoft\Windows\CurrentVersion\Run\\tyc4h08hcv34 => Value deleted successfully.
HKU\S-1-5-21-1393054999-600409691-2559954116-1000\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.
C:\Users\Bob\AppData\Roaming\Media Center Programs\win4830.exe => Moved successfully.
 
"C:\ProgramData\m9dt734hfbjh" directory move:
 
Could not move "C:\ProgramData\m9dt734hfbjh" directory. => Scheduled to move on reboot.
 
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A4CAF430-B108-4D46-997B-7610BB6B9053} => Key deleted successfully.
HKCR\CLSID\{A4CAF430-B108-4D46-997B-7610BB6B9053} => Key not found.
C:\Windows\system32\wmehw.tkh => Moved successfully.
C:\Windows\system32\yajx.aze => Moved successfully.
Could not move "C:\Windows\system32\uyqlfoj.uts" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\tznmkaj.eis" => Scheduled to move on reboot.
 
"C:\Users\Bob\AppData\Local\Temp\soudwow" directory move:
 
C:\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\tmp3F6A.tmp => Moved successfully.
C:\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\tmp4848.tmp => Moved successfully.
C:\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\tmp8AE2.tmp => Moved successfully.
C:\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\wow.dll => Moved successfully.
C:\Users\Bob\AppData\Local\Temp\soudwow\sctqppb\wow.ini => Moved successfully.
Could not move "C:\Users\Bob\AppData\Local\Temp\soudwow" directory. => Scheduled to move on reboot.
 
C:\Users\Bob\AppData\Local\{54c2e053-120a-f778-1168-84b81a007bb1} => Moved successfully.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-03-23 17:59:49)<=
 
C:\ProgramData\m9dt734hfbjh => Is moved successfully.
C:\Windows\system32\uyqlfoj.uts => Is moved successfully.
C:\Windows\system32\tznmkaj.eis => Is moved successfully.
C:\Users\Bob\AppData\Local\Temp\soudwow => Moved successfully.
 
==== End of Fixlog ====
 
FRST.txt
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Bob (administrator) on CENTRALPRODMGR on 23-03-2014 18:02:21
Running from C:\Users\Bob\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_system_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_host.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_user_customer.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\system32\wbem\WMIADAP.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_winlogonx64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bing.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
URLSearchHook: HKCU - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=mkg028
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR DefaultSearchKeyword: mysearchdial.com
CHR DefaultSearchProvider: Mysearchdial
CHR DefaultNewTabURL: 
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.10.8) - C:\Program Files (x86)\Java\jre7\bin\new_plugin\npdeployJava1.dll (Oracle Corporation)
CHR Plugin: (Java™ Platform SE 7 U1) - C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-11-19]
CHR Extension: (Google Search) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-11-19]
CHR Extension: (Yahoo! Toolbar for Chrome) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\eihhgekonheiliaidomffpplfhecmkag [2013-09-30]
CHR Extension: (Google Wallet) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-10]
CHR Extension: (Gmail) - C:\Users\Bob\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-11-19]
 
==================== Services (Whitelisted) =================
 
R2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe [610888 2014-02-25] (Citrix Online, a division of Citrix Systems, Inc.)
S4 HP DS Service; C:\Program Files (x86)\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S4 WTS Paradigm Base Camp; C:\Program Files (x86)\WTS Paradigm\BaseCamp\BaseCampService.exe [260608 2014-03-13] ()
 
==================== Drivers (Whitelisted) ====================
 
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 qknfd; system32\drivers\qknfd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-23 16:01 - 2014-03-23 16:05 - 00000774 _____ () C:\Users\Bob\Desktop\Search.txt
2014-03-23 15:05 - 2014-03-23 18:02 - 00009404 _____ () C:\Users\Bob\Desktop\FRST.txt
2014-03-23 15:05 - 2014-03-23 15:06 - 00041886 _____ () C:\Users\Bob\Desktop\Addition.txt
2014-03-23 15:00 - 2014-03-23 15:00 - 02157056 _____ (Farbar) C:\Users\Bob\Desktop\FRST64.exe
2014-03-23 11:02 - 2014-03-23 11:03 - 00016652 _____ () C:\Users\Bob\Desktop\attach.txt
2014-03-23 11:02 - 2014-03-23 11:03 - 00014194 _____ () C:\Users\Bob\Desktop\dds.txt
2014-03-23 10:54 - 2014-03-23 10:53 - 00688992 ____R (Swearware) C:\Users\Bob\Desktop\dds.com
2014-03-23 08:29 - 2014-03-23 08:29 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-21 23:56 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-03-21 23:55 - 2014-03-21 23:55 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\ITTech\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-21 22:18 - 2014-03-21 22:18 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-03-21 20:48 - 2014-03-21 20:48 - 00010951 _____ () C:\ComboFix.txt
2014-03-21 15:56 - 2014-03-21 15:56 - 05190052 ____R (Swearware) C:\Users\ITTech\Downloads\ComboFix.exe
2014-03-21 15:54 - 2014-02-25 16:59 - 00169544 _____ (Citrix Online) C:\Windows\system32\g2ax_credential_provider64_637.dll
2014-03-21 15:53 - 2014-03-21 15:53 - 00753704 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\ITTech\Downloads\g2ax_customer_downloader_win32_x86.exe
2014-03-21 15:51 - 2014-03-21 15:51 - 00000000 ____D () C:\Users\ITTech\AppData\Local\Google
2014-03-21 15:48 - 2014-03-21 15:51 - 00002257 _____ () C:\Users\ITTech\Desktop\Google Chrome.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00001415 _____ () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\Virtual Machines
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-03-21 15:47 - 2014-03-21 15:47 - 00000000 ____D () C:\Users\ITTech\AppData\Local\VirtualStore
2014-03-21 15:44 - 2014-03-21 15:44 - 00127392 _____ () C:\Users\ITTech\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-21 15:44 - 2014-03-21 15:44 - 00001511 _____ () C:\Users\ITTech\Desktop\RKreport[0]_DN_03212014_154415.txt
2014-03-21 15:43 - 2014-03-21 15:43 - 00003199 _____ () C:\Users\ITTech\Desktop\RKreport[0]_S_03212014_154317.txt
2014-03-21 15:43 - 2014-03-21 15:43 - 00002685 _____ () C:\Users\ITTech\Desktop\RKreport[0]_D_03212014_154354.txt
2014-03-21 15:41 - 2014-03-21 15:44 - 00000000 ____D () C:\Users\ITTech\Desktop\RK_Quarantine
2014-03-21 15:41 - 2014-03-21 15:41 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Adobe
2014-03-21 15:38 - 2014-03-21 15:48 - 00000000 ____D () C:\Users\ITTech
2014-03-21 15:38 - 2014-03-21 15:38 - 00000020 ___SH () C:\Users\ITTech\ntuser.ini
2014-03-21 15:38 - 2013-11-06 10:40 - 00000000 ____D () C:\Users\ITTech\AppData\Local\SoftThinks
2014-03-21 15:38 - 2012-04-04 16:03 - 00000000 ____D () C:\Users\ITTech\AppData\Local\Microsoft Help
2014-03-21 15:38 - 2012-04-04 13:22 - 00001150 _____ () C:\Users\ITTech\Desktop\My Business Toolkit.lnk
2014-03-21 15:38 - 2009-07-14 00:54 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-03-21 15:38 - 2009-07-14 00:49 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-03-21 15:17 - 2014-03-21 15:16 - 03539584 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Bob\Documents\g2a_rs_installer_jgoodmangoodmanadjusting_com.exe
2014-03-21 15:14 - 2014-03-21 15:14 - 00014950 _____ () C:\Users\Bob\Desktop\hs_err_pid7672.log
2014-03-21 12:35 - 2014-03-21 13:30 - 00041700 _____ () C:\Users\Bob\Documents\Addition.txt
2014-03-21 12:32 - 2014-03-21 12:32 - 00000000 ____D () C:\Users\Bob\Documents\ProcessMonitor
2014-03-21 12:22 - 2011-06-05 17:20 - 03412856 _____ (Sysinternals - www.sysinternals.com) C:\Users\Bob\Documents\procexp.exe
2014-03-21 12:19 - 2014-03-21 13:30 - 00033953 _____ () C:\Users\Bob\Documents\FRST.txt
2014-03-21 12:14 - 2014-03-23 18:02 - 00000000 ____D () C:\FRST
2014-03-21 12:13 - 2014-03-21 12:02 - 02157056 _____ (Farbar) C:\Users\Bob\Documents\FRST64.exe
2014-03-21 11:32 - 2014-03-21 11:49 - 00000000 ____D () C:\AdwCleaner
2014-03-21 11:30 - 2014-03-23 17:54 - 00000000 ____D () C:\Users\Bob\AppData\Local\CrashDumps
2014-03-21 11:29 - 2014-03-21 11:29 - 00003313 _____ () C:\Users\Bob\Desktop\RKreport[0]_S_03212014_112928.txt
2014-03-21 11:29 - 2014-03-21 11:27 - 01950720 _____ () C:\Users\Bob\Documents\adwcleaner.exe
2014-03-21 10:35 - 2014-03-21 10:31 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Bob\Documents\tdsskiller.exe
2014-03-21 10:31 - 2014-03-21 10:42 - 00000000 ____D () C:\Users\Bob\Desktop\RK_Quarantine
2014-03-21 10:25 - 2014-03-21 10:48 - 04486144 _____ () C:\Users\Bob\Documents\RogueKillerX64.exe
2014-03-21 09:55 - 2014-03-21 09:55 - 00000000 ____D () C:\Windows\pss
2014-03-17 02:21 - 2014-03-17 02:21 - 00000000 ____D () C:\Windows\Sun
2014-03-16 16:12 - 2014-03-17 10:47 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2014-03-13 15:00 - 2014-03-14 15:41 - 00000000 ____D () C:\Users\Bob\Desktop\ROOFING RELATED ITEMS
2014-03-13 00:32 - 2014-03-01 02:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-13 00:32 - 2014-03-01 01:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-13 00:32 - 2014-03-01 01:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-13 00:32 - 2014-03-01 00:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-13 00:32 - 2014-03-01 00:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-13 00:32 - 2014-03-01 00:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-13 00:32 - 2014-03-01 00:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-13 00:32 - 2014-03-01 00:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-13 00:32 - 2014-03-01 00:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-13 00:32 - 2014-03-01 00:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-13 00:32 - 2014-03-01 00:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-13 00:32 - 2014-03-01 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-13 00:32 - 2014-03-01 00:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-13 00:32 - 2014-03-01 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-13 00:32 - 2014-03-01 00:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-13 00:32 - 2014-03-01 00:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-13 00:32 - 2014-03-01 00:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-13 00:32 - 2014-02-28 23:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-13 00:32 - 2014-02-28 23:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-13 00:32 - 2014-02-28 23:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-13 00:32 - 2014-02-28 23:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-13 00:32 - 2014-02-28 23:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-13 00:32 - 2014-02-28 23:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-13 00:32 - 2014-02-28 23:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-13 00:32 - 2014-02-28 23:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-13 00:32 - 2014-02-28 23:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-13 00:32 - 2014-02-28 23:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-13 00:32 - 2014-02-28 23:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-13 00:32 - 2014-02-28 23:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-13 00:32 - 2014-02-28 23:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-13 00:32 - 2014-02-28 23:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-13 00:32 - 2014-02-28 23:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-13 00:32 - 2014-02-28 23:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-13 00:32 - 2014-02-28 23:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-13 00:32 - 2014-02-28 22:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-13 00:32 - 2014-02-28 22:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-13 00:32 - 2014-02-28 22:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-13 00:32 - 2014-02-28 22:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-13 00:32 - 2014-02-28 22:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-13 00:32 - 2014-02-28 22:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-13 00:32 - 2014-02-06 21:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-13 00:32 - 2014-02-03 22:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-13 00:32 - 2014-02-03 22:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-13 00:32 - 2014-02-03 22:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-13 00:32 - 2014-02-03 22:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-13 00:32 - 2014-01-28 22:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-13 00:32 - 2014-01-28 22:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-13 00:32 - 2014-01-27 22:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-06 08:38 - 2014-03-21 09:38 - 00000090 _____ () C:\Users\Bob\AppData\Roaming\WB.CFG
2014-02-28 14:34 - 2014-02-28 14:34 - 00016553 _____ () C:\Users\Bob\Documents\Copy of FEBRUARY 2014.xlsx
2014-02-25 17:04 - 2014-02-25 17:04 - 05185084 _____ (Swearware) C:\Users\Bob\Downloads\ComboFix (1).exe
2014-02-25 17:03 - 2014-03-20 16:48 - 05190052 ____R (Swearware) C:\Users\Bob\Desktop\ComboFix.exe
2014-02-25 16:59 - 2014-02-25 16:59 - 00001506 _____ () C:\Users\Bob\Desktop\GoToAssist Customer.lnk
2014-02-25 16:59 - 2014-02-25 16:59 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2014-02-24 12:09 - 2014-02-26 18:49 - 00944976 _____ () C:\Users\Bob\Documents\Window Base Price Book Training.pptx
 
==================== One Month Modified Files and Folders =======
 
2014-03-23 18:02 - 2014-03-23 15:05 - 00009404 _____ () C:\Users\Bob\Desktop\FRST.txt
2014-03-23 18:02 - 2014-03-21 12:14 - 00000000 ____D () C:\FRST
2014-03-23 18:02 - 2009-07-14 01:13 - 00802218 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-23 17:59 - 2012-04-05 16:54 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-23 17:58 - 2012-04-05 16:54 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-23 17:56 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-23 17:56 - 2009-07-14 00:51 - 00049933 _____ () C:\Windows\setupact.log
2014-03-23 17:55 - 2010-11-20 23:47 - 00411802 _____ () C:\Windows\PFRO.log
2014-03-23 17:54 - 2014-03-21 11:30 - 00000000 ____D () C:\Users\Bob\AppData\Local\CrashDumps
2014-03-23 17:54 - 2012-03-22 19:40 - 01270183 _____ () C:\Windows\WindowsUpdate.log
2014-03-23 17:44 - 2012-07-19 12:39 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-23 17:24 - 2014-02-20 16:18 - 00000550 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1393054999-600409691-2559954116-1000.job
2014-03-23 16:05 - 2014-03-23 16:01 - 00000774 _____ () C:\Users\Bob\Desktop\Search.txt
2014-03-23 15:06 - 2014-03-23 15:05 - 00041886 _____ () C:\Users\Bob\Desktop\Addition.txt
2014-03-23 15:00 - 2014-03-23 15:00 - 02157056 _____ (Farbar) C:\Users\Bob\Desktop\FRST64.exe
2014-03-23 11:16 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-23 11:16 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-23 11:03 - 2014-03-23 11:02 - 00016652 _____ () C:\Users\Bob\Desktop\attach.txt
2014-03-23 11:03 - 2014-03-23 11:02 - 00014194 _____ () C:\Users\Bob\Desktop\dds.txt
2014-03-23 10:53 - 2014-03-23 10:54 - 00688992 ____R (Swearware) C:\Users\Bob\Desktop\dds.com
2014-03-23 10:04 - 2013-05-22 10:07 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-03-23 08:29 - 2014-03-23 08:29 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Malwarebytes
2014-03-22 12:13 - 2009-07-14 01:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-03-21 23:56 - 2014-03-21 23:56 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-21 23:55 - 2014-03-21 23:55 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\ITTech\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-21 22:18 - 2014-03-21 22:18 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-03-21 20:48 - 2014-03-21 20:48 - 00010951 _____ () C:\ComboFix.txt
2014-03-21 20:48 - 2012-05-23 09:55 - 00000000 ____D () C:\Qoobox
2014-03-21 20:41 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-03-21 18:45 - 2012-04-05 12:16 - 00000376 _____ () C:\Windows\ODBC.INI
2014-03-21 17:09 - 2012-04-04 13:11 - 00000000 ____D () C:\Users\Bob
2014-03-21 15:56 - 2014-03-21 15:56 - 05190052 ____R (Swearware) C:\Users\ITTech\Downloads\ComboFix.exe
2014-03-21 15:53 - 2014-03-21 15:53 - 00753704 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\ITTech\Downloads\g2ax_customer_downloader_win32_x86.exe
2014-03-21 15:51 - 2014-03-21 15:51 - 00000000 ____D () C:\Users\ITTech\AppData\Local\Google
2014-03-21 15:51 - 2014-03-21 15:48 - 00002257 _____ () C:\Users\ITTech\Desktop\Google Chrome.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00001415 _____ () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\Virtual Machines
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-21 15:48 - 2014-03-21 15:48 - 00000000 ___RD () C:\Users\ITTech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-03-21 15:48 - 2014-03-21 15:38 - 00000000 ____D () C:\Users\ITTech
2014-03-21 15:47 - 2014-03-21 15:47 - 00000000 ____D () C:\Users\ITTech\AppData\Local\VirtualStore
2014-03-21 15:44 - 2014-03-21 15:44 - 00127392 _____ () C:\Users\ITTech\AppData\Local\GDIPFONTCACHEV1.DAT
2014-03-21 15:44 - 2014-03-21 15:44 - 00001511 _____ () C:\Users\ITTech\Desktop\RKreport[0]_DN_03212014_154415.txt
2014-03-21 15:44 - 2014-03-21 15:41 - 00000000 ____D () C:\Users\ITTech\Desktop\RK_Quarantine
2014-03-21 15:43 - 2014-03-21 15:43 - 00003199 _____ () C:\Users\ITTech\Desktop\RKreport[0]_S_03212014_154317.txt
2014-03-21 15:43 - 2014-03-21 15:43 - 00002685 _____ () C:\Users\ITTech\Desktop\RKreport[0]_D_03212014_154354.txt
2014-03-21 15:41 - 2014-03-21 15:41 - 00000000 ____D () C:\Users\ITTech\AppData\Roaming\Adobe
2014-03-21 15:38 - 2014-03-21 15:38 - 00000020 ___SH () C:\Users\ITTech\ntuser.ini
2014-03-21 15:16 - 2014-03-21 15:17 - 03539584 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Users\Bob\Documents\g2a_rs_installer_jgoodmangoodmanadjusting_com.exe
2014-03-21 15:14 - 2014-03-21 15:14 - 00014950 _____ () C:\Users\Bob\Desktop\hs_err_pid7672.log
2014-03-21 13:30 - 2014-03-21 12:35 - 00041700 _____ () C:\Users\Bob\Documents\Addition.txt
2014-03-21 13:30 - 2014-03-21 12:19 - 00033953 _____ () C:\Users\Bob\Documents\FRST.txt
2014-03-21 12:32 - 2014-03-21 12:32 - 00000000 ____D () C:\Users\Bob\Documents\ProcessMonitor
2014-03-21 12:02 - 2014-03-21 12:13 - 02157056 _____ (Farbar) C:\Users\Bob\Documents\FRST64.exe
2014-03-21 11:49 - 2014-03-21 11:32 - 00000000 ____D () C:\AdwCleaner
2014-03-21 11:29 - 2014-03-21 11:29 - 00003313 _____ () C:\Users\Bob\Desktop\RKreport[0]_S_03212014_112928.txt
2014-03-21 11:27 - 2014-03-21 11:29 - 01950720 _____ () C:\Users\Bob\Documents\adwcleaner.exe
2014-03-21 10:48 - 2014-03-21 10:25 - 04486144 _____ () C:\Users\Bob\Documents\RogueKillerX64.exe
2014-03-21 10:42 - 2014-03-21 10:31 - 00000000 ____D () C:\Users\Bob\Desktop\RK_Quarantine
2014-03-21 10:31 - 2014-03-21 10:35 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Bob\Documents\tdsskiller.exe
2014-03-21 09:55 - 2014-03-21 09:55 - 00000000 ____D () C:\Windows\pss
2014-03-21 09:55 - 2012-04-04 13:14 - 00000000 ___RD () C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-03-21 09:38 - 2014-03-06 08:38 - 00000090 _____ () C:\Users\Bob\AppData\Roaming\WB.CFG
2014-03-21 09:18 - 2012-03-22 18:01 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-03-20 16:48 - 2014-02-25 17:03 - 05190052 ____R (Swearware) C:\Users\Bob\Desktop\ComboFix.exe
2014-03-20 14:41 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-03-20 13:58 - 2009-07-07 11:18 - 00000000 ____D () C:\Users\Bob\Desktop\FAX COVER PAGES
2014-03-20 07:39 - 2010-08-20 18:12 - 00000000 ____D () C:\Users\Bob\Desktop\SALES RELATED ITEMS
2014-03-19 03:01 - 2013-08-15 03:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-19 03:00 - 2012-04-04 15:21 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-17 17:50 - 2012-04-05 13:13 - 00002815 _____ () C:\Windows\mapping.ini
2014-03-17 17:50 - 2012-04-05 13:13 - 00000030 _____ () C:\Windows\capture.ini
2014-03-17 10:47 - 2014-03-16 16:12 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2014-03-17 02:21 - 2014-03-17 02:21 - 00000000 ____D () C:\Windows\Sun
2014-03-14 15:41 - 2014-03-13 15:00 - 00000000 ____D () C:\Users\Bob\Desktop\ROOFING RELATED ITEMS
2014-03-13 03:20 - 2009-07-14 00:45 - 00465160 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-13 03:19 - 2013-03-14 03:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-13 03:19 - 2013-03-14 03:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-13 03:03 - 2012-04-04 13:35 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-12 16:32 - 2012-12-05 08:57 - 00000000 ____D () C:\Users\Bob\Desktop\BOBS STUFF
2014-03-12 13:44 - 2012-07-19 12:39 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 13:44 - 2012-07-19 12:39 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 13:44 - 2012-03-22 17:46 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-07 04:00 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-03-06 09:35 - 2012-11-13 14:41 - 00000000 ____D () C:\Users\Bob\AppData\Local\Apps\2.0
2014-03-06 09:33 - 2013-01-07 10:50 - 00000000 ___RD () C:\Users\Bob\Desktop\ADMIN FORMS
2014-03-05 14:17 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-03-01 02:05 - 2014-03-13 00:32 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 01:17 - 2014-03-13 00:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 01:16 - 2014-03-13 00:32 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-01 00:58 - 2014-03-13 00:32 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-01 00:52 - 2014-03-13 00:32 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-01 00:51 - 2014-03-13 00:32 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-01 00:42 - 2014-03-13 00:32 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-01 00:40 - 2014-03-13 00:32 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-01 00:37 - 2014-03-13 00:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-01 00:33 - 2014-03-13 00:32 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-01 00:33 - 2014-03-13 00:32 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-01 00:32 - 2014-03-13 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-01 00:30 - 2014-03-13 00:32 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-01 00:23 - 2014-03-13 00:32 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-01 00:17 - 2014-03-13 00:32 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-01 00:11 - 2014-03-13 00:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-01 00:02 - 2014-03-13 00:32 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 23:54 - 2014-03-13 00:32 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 23:52 - 2014-03-13 00:32 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 23:51 - 2014-03-13 00:32 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 23:47 - 2014-03-13 00:32 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 23:43 - 2014-03-13 00:32 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 23:43 - 2014-03-13 00:32 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 23:42 - 2014-03-13 00:32 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 23:40 - 2014-03-13 00:32 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 23:38 - 2014-03-13 00:32 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 23:37 - 2014-03-13 00:32 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 23:35 - 2014-03-13 00:32 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 23:18 - 2014-03-13 00:32 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 23:16 - 2014-03-13 00:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 23:14 - 2014-03-13 00:32 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 23:10 - 2014-03-13 00:32 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 23:03 - 2014-03-13 00:32 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 23:00 - 2014-03-13 00:32 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 22:57 - 2014-03-13 00:32 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 22:38 - 2014-03-13 00:32 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 22:32 - 2014-03-13 00:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 22:27 - 2014-03-13 00:32 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 22:25 - 2014-03-13 00:32 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 22:25 - 2014-03-13 00:32 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-28 14:34 - 2014-02-28 14:34 - 00016553 _____ () C:\Users\Bob\Documents\Copy of FEBRUARY 2014.xlsx
2014-02-28 04:01 - 2011-02-10 10:33 - 00796594 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-02-26 18:49 - 2014-02-24 12:09 - 00944976 _____ () C:\Users\Bob\Documents\Window Base Price Book Training.pptx
2014-02-25 17:04 - 2014-02-25 17:04 - 05185084 _____ (Swearware) C:\Users\Bob\Downloads\ComboFix (1).exe
2014-02-25 16:59 - 2014-03-21 15:54 - 00169544 _____ (Citrix Online) C:\Windows\system32\g2ax_credential_provider64_637.dll
2014-02-25 16:59 - 2014-02-25 16:59 - 00001506 _____ () C:\Users\Bob\Desktop\GoToAssist Customer.lnk
2014-02-25 16:59 - 2014-02-25 16:59 - 00000000 ____D () C:\Users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2014-02-24 14:15 - 2011-02-04 16:32 - 00000000 ____D () C:\Users\Bob\Desktop\JOB PHOTOS
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-20 00:54
 
==================== End Of Log ============================
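Added triage example, not part of the thread or of FRST: the log above hashes a fixed set of system binaries (its "Bamital & volsnap Check"), and later in the thread ESET names the quarantined rpcss.dll as Win64/Patched.H. rpcss.dll implements the DcomLaunch service that starts every COM Surrogate, so a patched copy is exactly where a dllhost.exe swarm with a legitimate-looking parent would come from. The PowerShell below does the two checks a responder wants at this point: list each dllhost.exe with its parent, the CLSID it was asked to host and the DLL that CLSID resolves to, then report Authenticode status and SHA-256 for the same binaries FRST checked. It assumes an elevated Windows PowerShell 3.0+ session (WMF 3.0 on Windows 7); function names and the "Suspicious" heuristic are mine.

```powershell
# Added example (not from the thread). Run elevated, Windows PowerShell 3.0 or later.

function Get-ComSurrogateTriage {
    # One object per dllhost.exe: who started it and which COM class it hosts.
    # A legitimate surrogate is launched by svchost.exe (DcomLaunch) with
    # /Processid:{CLSID}; instances with no CLSID, or a parent other than
    # svchost.exe, are flagged. The flag is a heuristic, not a verdict.
    Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $clsid  = $null
        if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f\-]{36}\})') { $clsid = $Matches[1] }

        # Resolve the CLSID to the in-process server DLL the surrogate loads.
        $server = $null
        if ($clsid) {
            $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (Test-Path $key) { $server = (Get-ItemProperty -Path $key).'(default)' }
        }

        [pscustomobject]@{
            PID        = $_.ProcessId
            ParentName = $(if ($parent) { $parent.Name } else { '<exited>' })
            Image      = $_.ExecutablePath
            CLSID      = $clsid
            HostedDll  = $server
            Suspicious = (-not $clsid) -or ($parent -and $parent.Name -ne 'svchost.exe')
        }
    }
}

function Test-CriticalSystemBinary {
    # Re-checks the binaries FRST hashed above. FRST compares MD5s against its
    # own known-good table, which we do not have, so this reports Authenticode
    # status plus SHA-256 to compare against a clean machine at the same patch level.
    param(
        [string[]]$Path = @(
            "$env:SystemRoot\System32\winlogon.exe",
            "$env:SystemRoot\System32\wininit.exe",
            "$env:SystemRoot\System32\services.exe",
            "$env:SystemRoot\System32\svchost.exe",
            "$env:SystemRoot\System32\userinit.exe",
            "$env:SystemRoot\System32\rpcss.dll",
            "$env:SystemRoot\System32\dllhost.exe",
            "$env:SystemRoot\System32\Drivers\volsnap.sys"
        )
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    foreach ($f in $Path) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $sig   = Get-AuthenticodeSignature -FilePath $f
        $bytes = [System.IO.File]::ReadAllBytes($f)
        $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{
            File      = $f
            # NotSigned is expected for catalog-signed OS files on older PowerShell;
            # HashMismatch never is. Sysinternals sigcheck verifies catalog signatures.
            Signature = $sig.Status
            Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
            SHA256    = $hash
        }
    }
}

Get-ComSurrogateTriage | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Test-CriticalSystemBinary | Format-Table -AutoSize
```

Read the two tables together: a surrogate whose parent is svchost.exe and whose CLSID resolves to a signed Microsoft DLL is normal; thirty of them with no CLSID, or a clean surrogate list sitting on an rpcss.dll whose hash differs from a known-good machine, is the pattern this thread was chasing.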


#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:34 PM

Posted 23 March 2014 - 05:11 PM

Great, this worked well!
You can now re-enable Microsoft Security Essentials in msconfig (MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey) or uninstall it completely and install another antivirus software.

How is your computer running now? What problems and symptoms are still present?


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

#9 dabassguy1

dabassguy1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 23 March 2014 - 05:14 PM

The dllhosts in Task Manager are gone and the redirections have stopped.  I think you got it.  I will uninstall MSE and run the above scan.



#10 dabassguy1

dabassguy1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 23 March 2014 - 10:21 PM

The scan did take a while.


Log.txt


ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=5aef427c25a787479bef68319662049c
# engine=17570
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-03-24 02:51:50
# local_time=2014-03-23 10:51:50 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 21180171 147172960 0 0
# scanned=815320
# found=6
# cleaned=0
# scan_time=16463
sh=519AD7F9C1426643A88EFFD02052540A98D8F3BA ft=1 fh=9ddad97b3dcaa5b3 vn="a variant of Generik.MWNMLKT trojan" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-1393054999-600409691-2559954116-1000\$RRXFDX2.exe"
sh=6665F3F94CDDE37D8DC2982DB1D068C49119EEBF ft=1 fh=cc33d1c5870ba2a5 vn="Win64/Patched.H trojan" ac=I fn="C:\FRST\Quarantine\C\Windows\System32\rpcss.dll.xBAD"
sh=AA14F1BC268D98D06388BE603C92F601B2F12D27 ft=1 fh=ad5e90697b074394 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe"
sh=10EA7B3893F0E9773CDA44926AB414DBFEAE8808 ft=1 fh=a9247b2192b6b140 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe"
sh=822040FE11C6B6E6985D4FEC730AF42B43438265 ft=1 fh=1bfcafed51def25a vn="a variant of Win32/Injector.Autoit.AJH trojan" ac=I fn="C:\Qoobox\Quarantine\C\Users\Bob\AppData\Roaming\driver--grap.exe.vir"
sh=E4998FA852CEA1E07542D0C67489A18771B1539E ft=1 fh=4bb5c36245276abd vn="Win32/Spy.Zbot.AAO trojan" ac=I fn="C:\Qoobox\Quarantine\C\Users\Bob\AppData\Roaming\Izcea\xyok.exe.vir"


#11 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:34 PM

Posted 24 March 2014 - 06:07 AM

It's looking good. No more active malware has been found, just some baddies that have already been moved to quarantine.
You can install a new antivirus software now and then we clean up everything.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:


Java™ 7 Update 1 (64-bit)
Java™ 7 Update 1




Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.
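Added example, not part of the thread: the advice above is to remove every old Java version, and stale ones are easy to miss on a 64-bit machine because the 32-bit and 64-bit runtimes register in different Uninstall hives (the log above lists both "Java™ 7 Update 1 (64-bit)" and "Java™ 7 Update 1"). This PowerShell inventories every registered Java entry from both hives plus the runtime the JavaSoft key currently points at, so you can see what is left after the uninstalls. It assumes Windows PowerShell 3.0+; the function name is mine.

```powershell
# Added example (not from the thread). Windows PowerShell 3.0 or later.

function Get-InstalledJava {
    # Both Uninstall hives: native (x64) and Wow6432Node (x86 on a 64-bit OS).
    $hives = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Arch = 'x64' },
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Arch = 'x86' }
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive.Path)) { continue }   # Wow6432Node is absent on 32-bit Windows
        Get-ChildItem $hive.Path | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'Java*') {
                [pscustomobject]@{
                    Name            = $p.DisplayName
                    Version         = $p.DisplayVersion
                    Architecture    = $hive.Arch
                    InstallLocation = $p.InstallLocation
                    # For MSI installs this is "MsiExec.exe /X{product-code}";
                    # msiexec /x {product-code} /qn removes it silently.
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

# The runtime that java.exe and the browser plugin resolve to by default.
$jre = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jre) { "Current JRE: " + (Get-ItemProperty $jre).CurrentVersion }

Get-InstalledJava | Sort-Object Version | Format-Table -AutoSize
```

Anything older than the current release that is still listed after you uninstall through the Control Panel can be removed with the product code from its UninstallString; run the inventory again afterwards to confirm only one current runtime per architecture remains.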



#12 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:34 PM

Posted 06 April 2014 - 02:03 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



