
multiple persistent infections...currently showing kuluoz.d


  • This topic is locked
15 replies to this topic

#1 skeeterbyte

  • Members
  • 67 posts
  • OFFLINE
  • Local time: 04:31 PM

Posted 26 March 2014 - 11:09 AM

Hi,

Needing more help from the BC crew. Thank goodness for your expertise and accessibility.

I'm working on a friend's computer. It's a Dell Vostro 430 Desktop running Windows 7 Home Premium 64-bit.

Have already removed several items via Malwarebytes, ESET, and JRT. Thought I had it in good shape at day's end yesterday but when I turned it on again this morning, it detected and blocked Kuluoz.d in Microsoft Security Essentials. This appears to be a really persistent Trojan downloader. Will attach the FRST logs for you to review and advise. Thinking the next step would be ComboFix but, as directed, won't try that without your direction. Please let me know what other information you would find helpful to get this one cleaned.

Thanks in advance for your help.

Skeet

FRST log


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by office (administrator) on OFFICE-PC on 26-03-2014 11:53:06
Running from C:\Users\office\Desktop\anita
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corp.) C:\Program Files\Broadcom\BPowMon\BPowMon.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Google Inc.) C:\Users\office\AppData\Local\Google\Update\1.3.22.5\GoogleCrashHandler.exe
(Google Inc.) C:\Users\office\AppData\Local\Google\Update\1.3.22.5\GoogleCrashHandler64.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\Client Server Security Agent\PccNtMon.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2014\QBW32.EXE
() C:\Program Files (x86)\Common Files\Intuit\DataProtect\IBuEngHost.exe
(Trend Micro Inc.) c:\Program Files (x86)\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
(Microsoft Corporation) C:\Windows\system32\wbem\WMIADAP.EXE


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [DBRMTray] - C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [206336 2010-05-20] (Microsoft)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [OfficeScanNT Monitor] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe [1705296 2010-06-25] (Trend Micro Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] - C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3775800 2014-02-27] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Google Update] - C:\Users\office\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-01-17] (Google Inc.)
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [HP Deskjet 3050A J611 series (NET)] - C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe [2676584 2011-06-08] (Hewlett-Packard Co.)
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [cgbsbnmn] - "C:\Users\office\AppData\Local\bjtwhasq.exe"
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Huycermoixxenai] - C:\Users\office\AppData\Roaming\Mayhduep\xiudh.exe
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Zuvat] - C:\Users\office\AppData\Roaming\Cosyhu\hoyso.exe
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [hjdmdhgb] - C:\Users\office\AppData\Local\ceglbaoi.exe [118784 2014-03-25] ()
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Oskygenui] - "C:\Users\office\AppData\Roaming\Qoucet\siorf.exe"
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\MountPoints2: {94544e4c-26f7-11e1-85e3-f04da2daedd0} - E:\LaunchU3.exe -a
Startup: C:\Users\office\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3050A J611 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3050A J611 series (Network).lnk -> C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
URLSearchHook: HKCU - YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {29404C39-F01C-4FCD-BC76-49C4C0E25E64} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=att-ie8
SearchScopes: HKCU - {17D4DE48-0EA7-440D-91C6-FD6B86064BA0} URL =
SearchScopes: HKCU - {29404C39-F01C-4FCD-BC76-49C4C0E25E64} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=att-ie8
SearchScopes: HKCU - {6F746655-4049-44D1-B734-5D1A8025E66D} URL = http://www.flickr.com/search/?q={searchTerms}
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\amd64\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files (x86)\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll (Trend Micro Inc.)
Tcpip\Parameters: [DhcpNameServer] 97.81.22.195 71.92.29.130 24.217.201.67

FireFox:
========
FF ProfilePath: C:\Users\office\AppData\Roaming\Mozilla\Firefox\Profiles\adrx03x5.default
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\office\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\office\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\office\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Extension: Yahoo! Toolbar - C:\Users\office\AppData\Roaming\Mozilla\Firefox\Profiles\adrx03x5.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2013-08-20]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF Extension: Trend Micro NSC Firefox Extension - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension [2010-11-24]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2012-01-04]

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR Plugin: (Chrome PDF Viewer) - C:\Users\office\AppData\Local\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Google Gears 0.5.33.0) - C:\Users\office\AppData\Local\Google\Chrome\Application\33.0.1750.154\gears.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\office\AppData\Local\Google\Chrome\Application\33.0.1750.154\gcswf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.200.2) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U20) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\office\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (Google Wallet) - C:\Users\office\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-05]

==================== Services (Whitelisted) =================

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [398184 2012-12-14] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [682344 2012-12-14] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 ntrtscan; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe [1835912 2010-06-22] (Trend Micro Inc.)
R2 svcGenericHost; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe [45056 2010-07-05] (Trend Micro Inc.)
R3 TMBMServer; c:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe [570632 2009-07-06] (Trend Micro Inc.)
R2 tmlisten; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe [2057096 2010-06-22] (Trend Micro Inc.)
R3 TmPfw; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [595960 2009-07-15] (Trend Micro Inc.)
S3 TmProxy; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [917768 2009-07-15] (Trend Micro Inc.)

==================== Drivers (Whitelisted) ====================

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [24176 2012-12-14] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R2 TmFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [265744 2010-05-11] (Trend Micro Inc.)
R1 tmlwf; C:\Windows\System32\DRIVERS\tmlwf.sys [200720 2009-07-15] (Trend Micro Inc.)
R2 TmPreFilter; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [42000 2010-05-11] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [107536 2009-07-15] (Trend Micro Inc.)
R2 tmwfp; C:\Windows\System32\DRIVERS\tmwfp.sys [339984 2009-07-15] (Trend Micro Inc.)
R2 VSApiNt; c:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys [2007056 2010-05-11] (Trend Micro Inc.)
S1 doothvsu; \??\C:\Windows\system32\drivers\doothvsu.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-26 11:53 - 2014-03-26 11:53 - 00000000 ____D () C:\FRST
2014-03-26 03:44 - 2014-03-26 03:44 - 00002021 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-03-26 03:43 - 2014-03-26 03:43 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-03-26 03:40 - 2014-03-26 11:18 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-26 03:40 - 2014-03-26 03:40 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-26 03:40 - 2014-03-26 03:40 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-26 03:40 - 2014-03-26 03:40 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-26 00:32 - 2014-03-26 00:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-25 18:33 - 2014-03-25 18:33 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-03-25 18:32 - 2014-03-25 18:33 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-03-25 18:32 - 2014-03-25 18:32 - 00118784 _____ () C:\Users\office\AppData\Local\ceglbaoi.exe
2014-03-25 18:32 - 2014-03-25 18:32 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-25 18:31 - 2013-12-18 21:09 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-03-25 18:31 - 2013-12-18 21:04 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-03-25 18:31 - 2013-12-18 21:04 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-03-25 18:31 - 2013-12-18 21:03 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-03-25 18:30 - 2014-03-25 18:31 - 00005385 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-03-24 21:46 - 2014-03-25 21:40 - 00000000 ____D () C:\Users\office\AppData\Roaming\Qourpiyx
2014-03-24 10:15 - 2014-03-24 10:15 - 00006338 _____ () C:\Users\office\AppData\Local\hjjwcifd
2014-03-24 01:36 - 2014-03-25 21:40 - 00000000 ____D () C:\Users\office\AppData\Roaming\Zyarompu
2014-03-23 21:44 - 2014-03-25 18:44 - 00000000 ____D () C:\Users\office\AppData\Roaming\Beuwynym
2014-03-23 17:47 - 2014-03-25 18:24 - 00000000 ____D () C:\Users\office\AppData\Roaming\Foohody
2014-03-23 17:07 - 2014-03-25 10:09 - 00000000 ____D () C:\Users\office\AppData\Roaming\Cosyhu
2014-03-20 13:38 - 2014-03-22 19:12 - 00000000 ____D () C:\Users\office\AppData\Roaming\Avopra
2014-03-19 21:46 - 2014-03-22 19:06 - 00000000 ____D () C:\Users\office\AppData\Roaming\Mayhduep
2014-03-18 17:49 - 2014-03-25 18:44 - 00000000 ____D () C:\Users\office\AppData\Roaming\Qoucet
2014-03-17 14:05 - 2014-03-17 14:05 - 89481216 _____ () C:\Users\office\Desktop\Psbc (Backup Mar 17,2014  02 05 PM).QBB
2014-03-17 13:17 - 2012-01-05 12:43 - 04218880 _____ (Amyuni Technologies http://www.amyuni.com) C:\Windows\SysWOW64\cdintf400.dll
2014-03-17 13:16 - 2014-03-17 13:16 - 00002115 _____ () C:\Users\Public\Desktop\QuickBooks Pro Plus 2014.lnk
2014-03-17 13:03 - 2014-03-17 13:05 - 00000000 ____D () C:\Users\office\AppData\Roaming\Download Manager
2014-03-17 13:03 - 2014-03-17 13:03 - 00001728 _____ () C:\Users\office\Desktop\Setup_QuickBooksPro2014.lnk
2014-03-17 13:03 - 2014-03-17 13:03 - 00000000 ____D () C:\Program Files (x86)\Akamai
2014-03-17 13:00 - 2014-03-18 09:37 - 00000000 ____D () C:\Users\office\AppData\Local\LogMeIn Rescue Applet
2014-03-17 12:56 - 2014-03-17 12:56 - 01527104 _____ (LogMeIn, Inc.) C:\Users\office\Downloads\Support-LogMeInRescue(1).exe
2014-03-17 12:55 - 2014-03-17 12:55 - 01527104 _____ (LogMeIn, Inc.) C:\Users\office\Downloads\Support-LogMeInRescue.exe
2014-03-13 12:40 - 2014-03-13 12:40 - 00012326 _____ () C:\Users\office\AppData\Local\vcsxkjei
2014-03-13 12:39 - 2014-03-13 12:39 - 00068465 _____ () C:\Users\office\AppData\Local\nhhxssbf
2014-03-13 12:38 - 2014-03-13 12:38 - 00000000 _____ () C:\Users\office\AppData\Roaming\SharedSettings.ccs
2014-03-13 05:44 - 2014-03-01 02:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-13 05:44 - 2014-03-01 01:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-13 05:44 - 2014-03-01 01:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-13 05:44 - 2014-03-01 00:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-13 05:44 - 2014-03-01 00:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-13 05:44 - 2014-03-01 00:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-13 05:44 - 2014-03-01 00:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-13 05:44 - 2014-03-01 00:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-13 05:44 - 2014-03-01 00:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-13 05:44 - 2014-03-01 00:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-13 05:44 - 2014-03-01 00:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-13 05:44 - 2014-03-01 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-13 05:44 - 2014-03-01 00:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-13 05:44 - 2014-03-01 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-13 05:44 - 2014-03-01 00:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-13 05:44 - 2014-03-01 00:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-13 05:44 - 2014-03-01 00:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-13 05:44 - 2014-02-28 23:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-13 05:44 - 2014-02-28 23:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-13 05:44 - 2014-02-28 23:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-13 05:44 - 2014-02-28 23:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-13 05:44 - 2014-02-28 23:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-13 05:44 - 2014-02-28 23:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-13 05:44 - 2014-02-28 23:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-13 05:44 - 2014-02-28 23:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-13 05:44 - 2014-02-28 23:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-13 05:44 - 2014-02-28 23:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-13 05:44 - 2014-02-28 23:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-13 05:44 - 2014-02-28 23:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-13 05:44 - 2014-02-28 23:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-13 05:44 - 2014-02-28 23:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-13 05:44 - 2014-02-28 23:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-13 05:44 - 2014-02-28 23:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-13 05:44 - 2014-02-28 23:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-13 05:44 - 2014-02-28 22:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-13 05:44 - 2014-02-28 22:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-13 05:44 - 2014-02-28 22:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-13 05:44 - 2014-02-28 22:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-13 05:44 - 2014-02-28 22:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-13 05:44 - 2014-02-28 22:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-13 05:44 - 2014-02-06 21:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-13 05:44 - 2014-02-03 22:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-13 05:44 - 2014-02-03 22:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-13 05:44 - 2014-02-03 22:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-13 05:44 - 2014-02-03 22:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-13 05:44 - 2014-01-28 22:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-13 05:44 - 2014-01-28 22:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-13 05:44 - 2014-01-27 22:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-02-25 04:03 - 2014-02-26 04:01 - 00804196 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI

==================== One Month Modified Files and Folders =======

2014-03-26 11:53 - 2014-03-26 11:53 - 00000000 ____D () C:\FRST
2014-03-26 11:53 - 2012-09-19 00:04 - 00000000 ____D () C:\Users\office\Desktop\anita
2014-03-26 11:52 - 2012-08-13 18:31 - 00013590 _____ () C:\Windows\setupact.log
2014-03-26 11:44 - 2011-01-17 19:34 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260063689-3954163193-2516078245-1000UA.job
2014-03-26 11:42 - 2014-02-18 19:58 - 00000568 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2260063689-3954163193-2516078245-1000.job
2014-03-26 11:25 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-26 11:25 - 2009-07-14 00:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-26 11:24 - 2009-07-14 01:10 - 01672029 _____ () C:\Windows\WindowsUpdate.log
2014-03-26 11:19 - 2010-11-24 03:16 - 00000031 _____ () C:\tmuninst.ini
2014-03-26 11:18 - 2014-03-26 03:40 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-26 11:18 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-26 11:17 - 2010-11-24 04:49 - 00840576 _____ () C:\Windows\PFRO.log
2014-03-26 03:46 - 2011-03-09 20:44 - 00000000 ____D () C:\Users\office\AppData\Local\Adobe
2014-03-26 03:44 - 2014-03-26 03:44 - 00002021 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-03-26 03:43 - 2014-03-26 03:43 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-03-26 03:43 - 2011-03-09 20:42 - 00000000 ____D () C:\ProgramData\Adobe
2014-03-26 03:40 - 2014-03-26 03:40 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-26 03:40 - 2014-03-26 03:40 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-26 03:40 - 2014-03-26 03:40 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-26 03:01 - 2012-01-04 18:35 - 00000258 _____ () C:\Windows\Tasks\HP Photo Creations Messager.job
2014-03-26 00:32 - 2014-03-26 00:32 - 00000000 ____D () C:\Windows\ERUNT
2014-03-25 21:40 - 2014-03-24 21:46 - 00000000 ____D () C:\Users\office\AppData\Roaming\Qourpiyx
2014-03-25 21:40 - 2014-03-24 01:36 - 00000000 ____D () C:\Users\office\AppData\Roaming\Zyarompu
2014-03-25 18:44 - 2014-03-23 21:44 - 00000000 ____D () C:\Users\office\AppData\Roaming\Beuwynym
2014-03-25 18:44 - 2014-03-18 17:49 - 00000000 ____D () C:\Users\office\AppData\Roaming\Qoucet
2014-03-25 18:38 - 2012-03-12 10:07 - 00000000 ____D () C:\ProgramData\ATTYToolbar
2014-03-25 18:33 - 2014-03-25 18:33 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-03-25 18:33 - 2014-03-25 18:32 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-03-25 18:33 - 2013-09-24 12:16 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-25 18:32 - 2014-03-25 18:32 - 00118784 _____ () C:\Users\office\AppData\Local\ceglbaoi.exe
2014-03-25 18:32 - 2014-03-25 18:32 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-25 18:31 - 2014-03-25 18:30 - 00005385 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-03-25 18:31 - 2013-09-24 12:01 - 00000000 ____D () C:\Program Files (x86)\Java
2014-03-25 18:24 - 2014-03-23 17:47 - 00000000 ____D () C:\Users\office\AppData\Roaming\Foohody
2014-03-25 17:45 - 2012-08-13 23:20 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-03-25 17:15 - 2009-07-14 01:13 - 00812074 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-25 13:15 - 2011-03-07 21:30 - 00000000 ____D () C:\Users\office\Documents\QuickBooks
2014-03-25 12:30 - 2012-03-21 15:23 - 03253760 ___SH () C:\Users\office\Downloads\Thumbs.db
2014-03-25 10:09 - 2014-03-23 17:07 - 00000000 ____D () C:\Users\office\AppData\Roaming\Cosyhu
2014-03-25 07:39 - 2011-12-13 11:19 - 00000000 ____D () C:\Users\office\AppData\Local\CrashDumps
2014-03-24 16:44 - 2011-01-17 19:34 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260063689-3954163193-2516078245-1000Core.job
2014-03-24 12:45 - 2011-03-07 21:52 - 00000090 _____ () C:\Windows\QBChanUtil_Trigger.ini
2014-03-24 12:43 - 2012-03-12 10:07 - 00000000 ____D () C:\ProgramData\Yahoo! Companion
2014-03-24 10:15 - 2014-03-24 10:15 - 00006338 _____ () C:\Users\office\AppData\Local\hjjwcifd
2014-03-22 19:12 - 2014-03-20 13:38 - 00000000 ____D () C:\Users\office\AppData\Roaming\Avopra
2014-03-22 19:06 - 2014-03-19 21:46 - 00000000 ____D () C:\Users\office\AppData\Roaming\Mayhduep
2014-03-19 03:04 - 2013-08-14 03:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-19 03:04 - 2011-03-08 11:36 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-19 03:02 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-03-18 09:37 - 2014-03-17 13:00 - 00000000 ____D () C:\Users\office\AppData\Local\LogMeIn Rescue Applet
2014-03-17 14:05 - 2014-03-17 14:05 - 89481216 _____ () C:\Users\office\Desktop\Psbc (Backup Mar 17,2014  02 05 PM).QBB
2014-03-17 13:38 - 2011-03-07 21:53 - 00000000 ____D () C:\Users\office\AppData\Local\Intuit
2014-03-17 13:19 - 2011-03-07 21:50 - 00000000 ____D () C:\Windows\Intuit
2014-03-17 13:16 - 2014-03-17 13:16 - 00002115 _____ () C:\Users\Public\Desktop\QuickBooks Pro Plus 2014.lnk
2014-03-17 13:15 - 2011-03-07 21:52 - 00000000 ____D () C:\ProgramData\Nuance
2014-03-17 13:15 - 2011-03-07 21:52 - 00000000 ____D () C:\ProgramData\Intuit
2014-03-17 13:14 - 2011-03-07 21:52 - 00000000 ____D () C:\Users\Public\Documents\Intuit
2014-03-17 13:14 - 2011-03-07 21:52 - 00000000 ____D () C:\Program Files (x86)\Intuit
2014-03-17 13:05 - 2014-03-17 13:03 - 00000000 ____D () C:\Users\office\AppData\Roaming\Download Manager
2014-03-17 13:03 - 2014-03-17 13:03 - 00001728 _____ () C:\Users\office\Desktop\Setup_QuickBooksPro2014.lnk
2014-03-17 13:03 - 2014-03-17 13:03 - 00000000 ____D () C:\Program Files (x86)\Akamai
2014-03-17 12:56 - 2014-03-17 12:56 - 01527104 _____ (LogMeIn, Inc.) C:\Users\office\Downloads\Support-LogMeInRescue(1).exe
2014-03-17 12:55 - 2014-03-17 12:55 - 01527104 _____ (LogMeIn, Inc.) C:\Users\office\Downloads\Support-LogMeInRescue.exe
2014-03-16 17:47 - 2011-01-17 19:39 - 00002378 _____ () C:\Users\office\Desktop\Google Chrome.lnk
2014-03-16 17:22 - 2009-07-14 00:45 - 00422896 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-16 17:21 - 2012-07-10 11:16 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-16 17:21 - 2012-07-10 11:16 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-13 17:49 - 2011-01-17 19:26 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-13 12:40 - 2014-03-13 12:40 - 00012326 _____ () C:\Users\office\AppData\Local\vcsxkjei
2014-03-13 12:39 - 2014-03-13 12:39 - 00068465 _____ () C:\Users\office\AppData\Local\nhhxssbf
2014-03-13 12:38 - 2014-03-13 12:38 - 00000000 _____ () C:\Users\office\AppData\Roaming\SharedSettings.ccs
2014-03-10 12:22 - 2014-02-18 19:58 - 00003598 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-2260063689-3954163193-2516078245-1000
2014-03-01 02:05 - 2014-03-13 05:44 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 01:17 - 2014-03-13 05:44 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 01:16 - 2014-03-13 05:44 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-01 00:58 - 2014-03-13 05:44 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-01 00:52 - 2014-03-13 05:44 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-01 00:51 - 2014-03-13 05:44 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-01 00:42 - 2014-03-13 05:44 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-01 00:40 - 2014-03-13 05:44 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-01 00:37 - 2014-03-13 05:44 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-01 00:33 - 2014-03-13 05:44 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-01 00:33 - 2014-03-13 05:44 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-01 00:32 - 2014-03-13 05:44 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-01 00:30 - 2014-03-13 05:44 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-01 00:23 - 2014-03-13 05:44 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-01 00:17 - 2014-03-13 05:44 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-01 00:11 - 2014-03-13 05:44 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-01 00:02 - 2014-03-13 05:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 23:54 - 2014-03-13 05:44 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 23:52 - 2014-03-13 05:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 23:51 - 2014-03-13 05:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 23:47 - 2014-03-13 05:44 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 23:43 - 2014-03-13 05:44 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 23:43 - 2014-03-13 05:44 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 23:42 - 2014-03-13 05:44 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 23:40 - 2014-03-13 05:44 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 23:38 - 2014-03-13 05:44 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 23:37 - 2014-03-13 05:44 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 23:35 - 2014-03-13 05:44 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 23:18 - 2014-03-13 05:44 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 23:16 - 2014-03-13 05:44 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 23:14 - 2014-03-13 05:44 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 23:10 - 2014-03-13 05:44 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 23:03 - 2014-03-13 05:44 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 23:00 - 2014-03-13 05:44 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 22:57 - 2014-03-13 05:44 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 22:38 - 2014-03-13 05:44 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 22:32 - 2014-03-13 05:44 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 22:27 - 2014-03-13 05:44 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 22:25 - 2014-03-13 05:44 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 22:25 - 2014-03-13 05:44 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-26 04:01 - 2014-02-25 04:03 - 00804196 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI

Some content of TEMP:
====================
C:\Users\office\AppData\Local\Temp\Abspdf.exe
C:\Users\office\AppData\Local\Temp\acfpdfu.dll
C:\Users\office\AppData\Local\Temp\acfpdfuamd64.dll
C:\Users\office\AppData\Local\Temp\acfpdfui.dll
C:\Users\office\AppData\Local\Temp\acfpdfuia64.dll
C:\Users\office\AppData\Local\Temp\acfpdfuiamd64.dll
C:\Users\office\AppData\Local\Temp\acfpdfuiia64.dll
C:\Users\office\AppData\Local\Temp\cdintf.dll
C:\Users\office\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\office\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
C:\Users\office\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\office\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
C:\Users\office\AppData\Local\Temp\ose00000.exe
C:\Users\office\AppData\Local\Temp\PDFPRT400.exe
C:\Users\office\AppData\Local\Temp\xmllite.dll


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-24 10:01

==================== End Of Log ============================

Addition log generated by FRST

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by office at 2014-03-26 11:53:38
Running from C:\Users\office\Desktop\anita
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
FW: Trend Micro Personal Firewall (Enabled) {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

==================== Installed Programs ======================

Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
att.net Toolbar (HKLM-x32\...\Yahoo! Companion) (Version:  - att.net)
Bing Bar (HKLM-x32\...\{3365E735-48A6-4194-9988-CE59AC5AE503}) (Version: 7.3.132.0 - Microsoft Corporation)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Management Programs (HKLM\...\{5DB87A63-9420-48CC-9F9A-B8801D38D6B5}) (Version: 12.35.01 - Broadcom Corporation)
Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.0.3) (Version: 5.0.0.3 - Coupons.com Incorporated) <==== ATTENTION
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{92C42EDD-6524-4577-B2EB-6C68C63B6D4A}) (Version:  - Microsoft)
Dell Backup and Recovery Manager (HKLM\...\{975DFE7C-8E56-45BC-A329-401E6B1F8102}) (Version: 1.3 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
GIMP 2.6.11 (HKLM-x32\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
Google Chrome (HKCU\...\Google Chrome) (Version: 33.0.1750.154 - Google Inc.)
GoToMeeting 6.2.0.1350 (HKCU\...\GoToMeeting) (Version: 6.2.0.1350 - CitrixOnline)
HP Deskjet 3050A J611 series Basic Device Software (HKLM\...\{FB555BCF-9202-4886-9203-88C9A210D727}) (Version: 25.0.571.0 - Hewlett-Packard Co.)
HP Deskjet 3050A J611 series Help (HKLM-x32\...\{97DDCAB8-B770-4089-A10F-67568069D78A}) (Version: 140.0.2.2 - Hewlett Packard)
HP Deskjet 3050A J611 series Product Improvement Study (HKLM\...\{710D4D91-1924-4A6B-8659-9CDE02DC7207}) (Version: 25.0.571.0 - Hewlett-Packard Co.)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.5192 - HP Photo Creations)
HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
Java 7 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.510 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 1.70.0.1100 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.70.0.1100 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Standard 2010 (HKLM-x32\...\Office14.STANDARD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Standard 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.40303 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.40308 - Microsoft Corporation) Hidden
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
PuTTY version 0.62 (HKLM-x32\...\PuTTY_is1) (Version: 0.62 - Simon Tatham)
QuickBooks (x32 Version: 21.0.4014.904 - Intuit Inc.) Hidden
QuickBooks (x32 Version: 24.0.4005.2403 - Intuit Inc.) Hidden
QuickBooks Pro 2011 (HKLM-x32\...\{11E0AC7D-6822-4F67-865F-EE1C13D28C38}) (Version: 21.0.4014.904 - Intuit Inc.)
QuickBooks Pro 2014 (HKLM-x32\...\{4A21D17E-2FE8-42CD-88B7-ACF8E8860834}) (Version: 24.0.4004.2403 - Intuit Inc.)
QuickBooks Runtime Redistributable (HKLM\...\{F2A4F809-2DE6-4D27-888B-4D2BB8DAF20E}) (Version: 1.00.0000 - Intuit Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5919 - Realtek Semiconductor Corp.)
Roxio Creator Audio (x32 Version: 3.7.0 - Roxio) Hidden
Roxio Creator Copy (x32 Version: 3.7.0 - Roxio) Hidden
Roxio Creator Data (x32 Version: 3.7.0 - Roxio) Hidden
Roxio Creator DE 10.3 (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
Roxio Creator DE 10.3 (x32 Version: 3.7.0 - Roxio) Hidden
Roxio Creator Tools (x32 Version: 3.7.0 - Roxio) Hidden
Roxio Express Labeler 3 (x32 Version: 3.2.2 - Roxio) Hidden
Roxio Update Manager (x32 Version: 6.0.0 - Roxio) Hidden
Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version:  - Microsoft) Hidden
Trend Micro Client/Server Security Agent (HKLM-x32\...\{BED0B8A2-2986-49F8-90D6-FA008D37A3D2}) (Version: 3.0.3152 - Trend Micro)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.STANDARD_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.STANDARD_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.STANDARD_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.STANDARD_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.STANDARD_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.STANDARD_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.STANDARD_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.STANDARD_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.STANDARD_{DA2F7ECE-6629-4A80-9CDE-EC95261B75E2}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version:  - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.STANDARD_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM-x32\...\{90140000-0012-0000-0000-0000000FF1CE}_Office14.STANDARD_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version:  - Microsoft)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
WinSCP 5.1 (HKLM-x32\...\winscp3_is1) (Version: 5.1 - Martin Prikryl)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version:  - )

==================== Restore Points  =========================

25-03-2014 21:43:49 Removed LogMeIn
25-03-2014 22:29:38 Installed Java 7 Update 51
25-03-2014 22:41:59 Windows Update

==================== Hosts content: ==========================

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {518DE8CA-ED57-4448-B1D1-DCC85ACC1F95} - System32\Tasks\HPCustParticipation HP Deskjet 3050A J611 series => C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2011-06-08] (Hewlett-Packard Co.)
Task: {74C59D5A-CFD2-45BE-ABB5-ADD9604D5DC2} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-26] (Adobe Systems Incorporated)
Task: {B32DB812-206D-4ED8-A68D-A6D91D4EC2A5} - System32\Tasks\HP Photo Creations Messager => C:\ProgramData\HP Photo Creations\MessageCheck.exe [2011-02-15] ()
Task: {BD86FDFB-89DA-414A-82CF-E740161B211E} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2260063689-3954163193-2516078245-1000Core => C:\Users\office\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17] (Google Inc.)
Task: {CB8328D0-0297-4050-A200-03E60255C855} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2260063689-3954163193-2516078245-1000UA => C:\Users\office\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17] (Google Inc.)
Task: {D62704E2-2715-41AB-9EB1-518FF69E6E7B} - System32\Tasks\G2MUpdateTask-S-1-5-21-2260063689-3954163193-2516078245-1000 => C:\Users\office\AppData\Local\Citrix\GoToMeeting\1350\g2mupdate.exe [2014-03-10] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {F9552672-13CF-4526-8F2A-54AD6BE4F8E8} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {FF3B7786-A6E7-4EF7-8761-09B132E73FEA} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2260063689-3954163193-2516078245-1000.job => C:\Users\office\AppData\Local\Citrix\GoToMeeting\1350\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260063689-3954163193-2516078245-1000Core.job => C:\Users\office\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2260063689-3954163193-2516078245-1000UA.job => C:\Users\office\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HP Photo Creations Messager.job => C:\ProgramData\HP Photo Creations\MessageCheck.exe

==================== Loaded Modules (whitelisted) =============

2011-06-08 17:57 - 2011-06-08 17:57 - 02812776 _____ () C:\Windows\system32\HPScanTRDrv_DJ3050A_J611.dll
2010-06-25 14:41 - 2010-06-25 14:41 - 00094544 _____ () c:\Program Files (x86)\Trend Micro\Client Server Security Agent\zlibwapi.dll
2013-11-27 19:06 - 2014-03-22 19:11 - 00082744 _____ () C:\Program Files (x86)\Common Files\Intuit\DataProtect\IBuEngHost.exe
2013-11-27 19:05 - 2014-03-22 19:11 - 00066360 _____ () C:\Program Files (x86)\Common Files\Intuit\DataProtect\IBuEng_x64Vista.dll
2013-11-27 19:05 - 2014-03-22 19:11 - 00084280 _____ () C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.XmlSerializers.dll
2011-07-09 00:51 - 2014-03-17 18:22 - 00198992 _____ () C:\Program Files (x86)\Common Files\Intuit\DataProtect\NCalc.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00623432 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\boost_regex-vc100-mt-1_47.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00021320 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\QBCompressor.dll
2013-12-02 14:27 - 2013-12-02 14:27 - 00059904 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\zlib1.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00149320 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\QBMAPILibrary.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00247112 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\boost_serialization-vc100-mt-1_47.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00623944 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\FtuEngine.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00581960 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\BackupLib.dll
2014-02-27 17:59 - 2014-02-27 17:59 - 00142664 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\QBProActiveCore.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00778056 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\FeaturesBridge.dll
2014-02-27 17:58 - 2014-02-27 17:58 - 00043848 _____ () C:\Program Files (x86)\Intuit\QuickBooks 2014\mbpopup.dll
2014-02-13 04:32 - 2014-02-13 04:32 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\bfd5296be62268bc7a31a424f0d1ad5f\IsdiInterop.ni.dll
2010-11-24 03:05 - 2010-03-03 22:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============

Name: Microsoft Virtual WiFi Miniport Adapter
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (03/26/2014 11:20:48 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (03/26/2014 11:19:27 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (03/26/2014 03:49:22 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Display Driver Service service has reported an invalid current state 32.

Error: (03/26/2014 03:21:30 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (03/26/2014 03:21:28 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (03/26/2014 03:21:26 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (03/26/2014 03:21:25 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 61%
Total physical RAM: 3959.11 MB
Available physical RAM: 1538.63 MB
Total Pagefile: 7916.41 MB
Available Pagefile: 5201.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:455.94 GB) (Free:400.31 GB) NTFS
Drive e: (STORE N GO) (Removable) (Total:7.45 GB) (Free:7.43 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 259D4594)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=456 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)

Partition: GPT Partition Type.

==================== End Of Log ============================


#2 TB-Psychotic (Malware Response Team)

Posted 26 March 2014 - 11:10 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 skeeterbyte (Topic Starter)

Posted 26 March 2014 - 11:27 AM

Hi Marius,

Thanks for your help.

Here's the content of the ark.txt file generated by GMER:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-26 12:24:07
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.05.0 465.76GB
Running: v82slfxv.exe; Driver: C:\Users\office\AppData\Local\Temp\pwdiapod.sys


---- Threads - GMER 2.1 ----

Thread  C:\Windows\SysWOW64\svchost.exe [1420:5420]  000000000088891c
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5520]  000000000088853b
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5960]  00000000008850d3
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4872]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:712]   0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4308]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:3436]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2852]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5332]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2492]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5532]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:3276]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5340]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:6088]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:1192]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5008]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2144]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4292]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:5512]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4756]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:1384]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4736]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2664]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:1260]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4628]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4664]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2176]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:3880]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2680]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2428]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:3232]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:3272]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:496]   0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:2612]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4204]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:1504]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4792]  0000000000885126
Thread  C:\Windows\SysWOW64\svchost.exe [1420:4444]  0000000000885126

---- EOF - GMER 2.1 ----



#4 TB-Psychotic (Malware Response Team)

Posted 27 March 2014 - 03:45 AM

Add/remove programs

Click on start-->control panel.

Vista/7: Open Programs and Features
XP: Open add/remove programs

Search for and remove the following programs

Coupon Printer for Window

Close the window.

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.


#5 skeeterbyte (Topic Starter)

Posted 27 March 2014 - 10:15 AM

Hi Marius,

Thought I'd go ahead and send you the fixlog you directed while the Malwarebytes scan is running. I will post the Malwarebytes log separately when it finishes.

Here's the content of the fixlog.txt that FRST generated:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by office at 2014-03-27 10:50:18 Run:1
Running from C:\Users\office\Desktop\anita
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [cgbsbnmn] - "C:\Users\office\AppData\Local\bjtwhasq.exe"
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Huycermoixxenai] - C:\Users\office\AppData\Roaming\Mayhduep\xiudh.exe
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Zuvat] - C:\Users\office\AppData\Roaming\Cosyhu\hoyso.exe
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [hjdmdhgb] - C:\Users\office\AppData\Local\ceglbaoi.exe [118784 2014-03-25] ()
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Oskygenui] - "C:\Users\office\AppData\Roaming\Qoucet\siorf.exe"
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {17D4DE48-0EA7-440D-91C6-FD6B86064BA0} URL =
Toolbar: HKLM-x32 - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)

S1 doothvsu; \??\C:\Windows\system32\drivers\doothvsu.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]

C:\Windows\system32\drivers\doothvsu.sys
C:\Windows\system32\DRIVERS\lmimirr.sys
2014-03-25 18:32 - 2014-03-25 18:32 - 00118784 _____ () C:\Users\office\AppData\Local\ceglbaoi.exe
2014-03-24 21:46 - 2014-03-25 21:40 - 00000000 ____D () C:\Users\office\AppData\Roaming\Qourpiyx
2014-03-24 10:15 - 2014-03-24 10:15 - 00006338 _____ () C:\Users\office\AppData\Local\hjjwcifd
2014-03-24 01:36 - 2014-03-25 21:40 - 00000000 ____D () C:\Users\office\AppData\Roaming\Zyarompu
2014-03-23 21:44 - 2014-03-25 18:44 - 00000000 ____D () C:\Users\office\AppData\Roaming\Beuwynym
2014-03-23 17:47 - 2014-03-25 18:24 - 00000000 ____D () C:\Users\office\AppData\Roaming\Foohody
2014-03-23 17:07 - 2014-03-25 10:09 - 00000000 ____D () C:\Users\office\AppData\Roaming\Cosyhu
2014-03-20 13:38 - 2014-03-22 19:12 - 00000000 ____D () C:\Users\office\AppData\Roaming\Avopra
2014-03-19 21:46 - 2014-03-22 19:06 - 00000000 ____D () C:\Users\office\AppData\Roaming\Mayhduep
2014-03-18 17:49 - 2014-03-25 18:44 - 00000000 ____D () C:\Users\office\AppData\Roaming\Qoucet
2014-03-13 12:40 - 2014-03-13 12:40 - 00012326 _____ () C:\Users\office\AppData\Local\vcsxkjei
2014-03-13 12:39 - 2014-03-13 12:39 - 00068465 _____ () C:\Users\office\AppData\Local\nhhxssbf
2014-03-25 18:24 - 2014-03-23 17:47 - 00000000 ____D () C:\Users\office\AppData\Roaming\Foohody
2014-03-25 10:09 - 2014-03-23 17:07 - 00000000 ____D () C:\Users\office\AppData\Roaming\Cosyhu

Reboot:
*****************

HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\Software\Microsoft\Windows\CurrentVersion\Run\\cgbsbnmn => Value deleted successfully.
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Huycermoixxenai => Value deleted successfully.
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Zuvat => Value deleted successfully.
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\Software\Microsoft\Windows\CurrentVersion\Run\\hjdmdhgb => Value deleted successfully.
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Oskygenui => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{17D4DE48-0EA7-440D-91C6-FD6B86064BA0} => Key deleted successfully.
HKCR\CLSID\{17D4DE48-0EA7-440D-91C6-FD6B86064BA0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Key not found.
doothvsu => Service deleted successfully.
lmimirr => Service deleted successfully.
"C:\Windows\system32\drivers\doothvsu.sys" => File/Directory not found.
"C:\Windows\system32\DRIVERS\lmimirr.sys" => File/Directory not found.
C:\Users\office\AppData\Local\ceglbaoi.exe => Moved successfully.
C:\Users\office\AppData\Roaming\Qourpiyx => Moved successfully.
C:\Users\office\AppData\Local\hjjwcifd => Moved successfully.
C:\Users\office\AppData\Roaming\Zyarompu => Moved successfully.
C:\Users\office\AppData\Roaming\Beuwynym => Moved successfully.
C:\Users\office\AppData\Roaming\Foohody => Moved successfully.
C:\Users\office\AppData\Roaming\Cosyhu => Moved successfully.
C:\Users\office\AppData\Roaming\Avopra => Moved successfully.
C:\Users\office\AppData\Roaming\Mayhduep => Moved successfully.
C:\Users\office\AppData\Roaming\Qoucet => Moved successfully.
C:\Users\office\AppData\Local\vcsxkjei => Moved successfully.
C:\Users\office\AppData\Local\nhhxssbf => Moved successfully.
"C:\Users\office\AppData\Roaming\Foohody" => File/Directory not found.
"C:\Users\office\AppData\Roaming\Cosyhu" => File/Directory not found.


The system needed a reboot.

==== End of Fixlog ====
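
The fixlist in the post above is, in effect, a triage list: five HKU Run values pointing at executables under the user's own AppData tree with no publisher information, plus two driver services whose image files were already gone (the fixlog reports them as "File/Directory not found"). What follows is an added example, not FRST's code and not anything posted in this thread: a small Python triage of FRST-style "Run:" and service lines that flags autoruns living in user-writable locations with no publisher annotation, and service entries carrying FRST's trailing "[X]" marker, which the fixlog above shows corresponds to a missing image file. The input lines are copied from the fixlist, plus two benign-looking entries constructed here (the "Example Vendor" path and the GoogleUpdate line are placeholders, not taken from this machine's logs) so the rules have something to pass. The rules themselves are this example's own heuristics, not FRST's.

```python
"""Triage FRST-style autorun and service lines (added example, not FRST's code).

Rules (this example's own heuristics):
  * a Run value whose target lives in a user-writable profile directory AND
    carries no publisher annotation is marked 'review';
  * a service line ending in FRST's "[X]" marker (image file not found on
    disk) is marked 'review': an orphaned driver entry is a leftover of
    something that was removed or never existed on disk;
  * everything else is 'ok', meaning "nothing fired", not "clean".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the five Run values and two service lines are copied from
# the FRST fixlist in the post above; the ExampleUpdater and GoogleUpdate lines
# are constructed here (placeholder vendor/path) so the rules have benign input
# to pass. FRST.txt writes " => " between value and target, fixlists " - ".
SAMPLE_FRST_LINES = r"""
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [cgbsbnmn] - "C:\Users\office\AppData\Local\bjtwhasq.exe"
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Huycermoixxenai] - C:\Users\office\AppData\Roaming\Mayhduep\xiudh.exe
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Zuvat] - C:\Users\office\AppData\Roaming\Cosyhu\hoyso.exe
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [hjdmdhgb] - C:\Users\office\AppData\Local\ceglbaoi.exe [118784 2014-03-25] ()
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [Oskygenui] - "C:\Users\office\AppData\Roaming\Qoucet\siorf.exe"
HKLM-x32\...\Run: [ExampleUpdater] => C:\Program Files (x86)\Example Vendor\updater.exe [12345 2014-01-01] (Example Vendor)
HKU\S-1-5-21-2260063689-3954163193-2516078245-1000\...\Run: [GoogleUpdate] => C:\Users\office\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
S1 doothvsu; \??\C:\Windows\system32\drivers\doothvsu.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
"""

# "HKU\<SID>\...\Run: [ValueName] - target"  or  "... => target"
RUN_RE = re.compile(r'^HK[A-Z]+\S*\\Run: \[(?P<name>[^\]]*)\] (?:=>|-) (?P<rest>.*)$')
# "S1 name; image" with an optional trailing "[X]" (FRST: image file missing)
SVC_RE = re.compile(r'^(?P<state>[SRU]\d) (?P<name>[^;]+); (?P<image>.+?)(?P<missing> \[X\])?$')
# Trailing FRST annotations "[size date]" and "(publisher)". The path group is
# non-greedy and the annotations are anchored at end of line, so a "(x86)" in
# the middle of a path is not mistaken for a publisher.
ANNOT_RE = re.compile(r'^(?P<path>.*?)(?:\s+\[[^\]]*\])?(?:\s+\((?P<pub>[^)]*)\))?\s*$')
# Locations a standard user can write to (heuristic list, this example's own).
USER_WRITABLE_RE = re.compile(
    r'\\(?:Users\\[^\\]+\\AppData\\(?:Local|Roaming)|ProgramData|Temp)\\', re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # 'run' or 'service'
    name: str            # Run value name or service name
    target: str          # executable / driver image path
    publisher: str       # text inside the trailing "(...)", '' if absent
    flags: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        f = set(self.flags)
        if 'image file missing on disk' in f:
            return 'review'
        if {'user-writable location', 'no publisher info'} <= f:
            return 'review'
        return 'ok'


def split_target(rest: str):
    """Separate the target path from FRST's trailing annotations."""
    rest = rest.strip()
    if rest.startswith('"'):                  # quoted path: take it verbatim
        end = rest.find('"', 1)
        path, tail = rest[1:end], rest[end + 1:]
    else:
        path, tail = None, rest
    m = ANNOT_RE.match(tail)
    if path is None:
        path = m.group('path')
    publisher = (m.group('pub') or '').strip()
    return path.strip(), publisher


def triage(text: str):
    """Parse FRST-style lines and attach flags; unknown line shapes are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path, publisher = split_target(m.group('rest'))
            flags = []
            if USER_WRITABLE_RE.search(path):
                flags.append('user-writable location')
            if not publisher:
                flags.append('no publisher info')
            findings.append(Finding('run', m.group('name'), path, publisher, flags))
        elif m := SVC_RE.match(line):
            image = m.group('image')
            if image.startswith('\\??\\'):     # NT object-manager prefix, not part of the path
                image = image[4:]
            flags = []
            if USER_WRITABLE_RE.search(image):
                flags.append('user-writable location')
            if m.group('missing'):
                flags.append('image file missing on disk')
            findings.append(Finding('service', m.group('name'), image, '', flags))
    return findings


def report(findings) -> str:
    """One row per finding: verdict, kind, name, target and the flags that fired."""
    rows = []
    for f in findings:
        note = f"  ({', '.join(f.flags)})" if f.flags else ''
        rows.append(f"{f.verdict:6} {f.kind:7} [{f.name}] {f.target}{note}")
    return '\n'.join(rows)


if __name__ == '__main__':
    print(report(triage(SAMPLE_FRST_LINES)))
```

Run as-is and it prints one row per entry: the five fixlist values and both orphaned drivers come out as "review", the two constructed entries as "ok". A "review" verdict is a prompt to look, not an instruction to delete, and "ok" only means no rule fired: the publisher check reads FRST's annotation, so an unsigned in-house tool would be flagged too, and a signed binary in AppData (the GoogleUpdate line) passes on that basis alone. The quoting and annotation handling matter more than the rules: a fixlist that cuts a path at the first "(" would mangle every "Program Files (x86)" entry.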



#6 skeeterbyte (Topic Starter)

Posted 27 March 2014 - 11:08 AM

And here's the content of the Malwarebytes log from the scan that just finished (FYI, it didn't find any malicious items):

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2014.03.27.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
office :: OFFICE-PC [administrator]

Protection: Enabled

3/27/2014 11:02:47 AM
mbam-log-2014-03-27 (11-02-47).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 405996
Time elapsed: 59 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#7 TB-Psychotic (Malware Response Team)

Posted 27 March 2014 - 11:41 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#8 skeeterbyte (Topic Starter)

Posted 27 March 2014 - 12:40 PM

Results of the ESET scan:

C:\FRST\Quarantine\C\Users\office\AppData\Local\ceglbaoi.exe.xBAD    a variant of Win32/Kryptik.BYEJ trojan



#9 TB-Psychotic (Malware Response Team)

Posted 28 March 2014 - 04:15 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with AdwCleaner

Please download AdwCleaner to your desktop.

  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.



#10 skeeterbyte (Topic Starter)

Posted 28 March 2014 - 09:42 AM

Hi Marius,

Question before we get to the logs....so one of these three tools will address the trojan found but not removed by ESET?

Here are the logs:

AdwCleaner

# AdwCleaner v3.022 - Report created 28/03/2014 at 10:21:38
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : office - OFFICE-PC
# Running from : C:\Users\office\Desktop\anita\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\office\AppData\Roaming\Mozilla\Firefox\Profiles\adrx03x5.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{21D9997E-5D2A-4737-BCBA-C958C0590295}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{58E64AEE-516A-4DFC-AC38-31C50E8AF0F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6BDA50D2-5597-4C68-A842-9B857FCCDA49}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6CA3D0AB-F807-462C-BA7F-E27F07F91E32}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8997561D-CF0B-42C7-AAE6-78801B3ADC7F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{92580E8C-88F5-4551-9D9E-8147E7EE2C32}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8AF87C1-0B1E-494B-AAF0-CECC3FFEDF99}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC4DAE-7794-4E16-9A98-F6001303DCD0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAB77009-B974-48DF-8229-E70CFAA11C69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EBAA6283-B61F-4DDD-9659-56635433A307}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFB0C189-5077-4340-9838-AF7B8E792A54}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F9D45087-1CF1-452E-9649-FDFDAC578E03}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C7E7FB02-C4FD-446E-8F5B-463A049935BF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AF08E71-3657-462F-898C-F7E791948F94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{56965DCF-718F-4148-BECF-5A2B466F4556}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7225F6C9-CF64-4D6D-AE8A-169779FD7B4D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{004EB151-885B-4A9E-A22D-CA98DD998D75}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{041278C7-DF92-486D-AE85-921BDFC75A43}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0F1794F2-900B-4C81-8146-9234E5CC5BE2}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1116A14B-F6A3-4FD9-A00E-FF8CF270EE48}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{21D9997E-5D2A-4737-BCBA-C958C0590295}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{36A7148B-639E-423C-90BB-30B6E1A40BD7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{56965DCF-718F-4148-BECF-5A2B466F4556}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{58E64AEE-516A-4DFC-AC38-31C50E8AF0F1}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{61DAB0AD-AD23-4E40-84AC-7C6CE64D4EB3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{65D8E17B-312E-4E12-913B-A841A8631143}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6BDA50D2-5597-4C68-A842-9B857FCCDA49}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6CA3D0AB-F807-462C-BA7F-E27F07F91E32}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6F99D2AE-5C90-43C2-A2FE-81DBE512E2FC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{860AF5D1-0735-409D-8E5F-E3E99356D7E9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8997561D-CF0B-42C7-AAE6-78801B3ADC7F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{92580E8C-88F5-4551-9D9E-8147E7EE2C32}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A0636D37-97D0-4DC4-95A6-93AABA07437F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D244EAC5-A0F5-4859-A1F8-18ABC0AC3A00}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D8AF87C1-0B1E-494B-AAF0-CECC3FFEDF99}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DAFC4DAE-7794-4E16-9A98-F6001303DCD0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAB77009-B974-48DF-8229-E70CFAA11C69}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EBAA6283-B61F-4DDD-9659-56635433A307}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EFB0C189-5077-4340-9838-AF7B8E792A54}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F9D45087-1CF1-452E-9649-FDFDAC578E03}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FF2EBC1C-6579-41DB-91DD-945A1C8DB2D2}
Key Deleted : HKCU\Software\AppDataLow\Software\CouponAlert_2p
Key Deleted : HKCU\Software\AppDataLow\Software\iWon

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\office\AppData\Roaming\Mozilla\Firefox\Profiles\adrx03x5.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Users\office\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [6234 octets] - [28/03/2014 10:13:53]
AdwCleaner[S0].txt - [6161 octets] - [28/03/2014 10:21:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6221 octets] ##########

And the one from JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 7 Home Premium x64
Ran by office on Fri 03/28/2014 at 10:24:53.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/28/2014 at 10:30:01.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And, last, the one from Security Check:

 Results of screen317's Security Check version 0.99.81  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Disabled!  
Microsoft Security Essentials   
  (On Access scanning disabled!)
 Error obtaining update status for antivirus!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100  
 Out of date Malwarebytes Anti-Malware installed!
 JavaFX 2.1.1    
 Java 7 Update 51  
 Adobe Flash Player 12.0.0.77  
 Adobe Reader XI  
 Mozilla Firefox 27.0.1 Firefox out of Date!  
 Google Chrome 33.0.1750.146  
 Google Chrome 33.0.1750.154  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials msseces.exe
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Trend Micro OfficeScan Client pccntmon.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````


Edited by skeeterbyte, 28 March 2014 - 10:46 AM.


#11 TB-Psychotic (Malware Response Team)

Posted 28 March 2014 - 10:58 AM

This trojan is already deleted:

C:\FRST\Quarantine\C\Users\office\AppData\Local\ceglbaoi.exe.xBAD    a variant of Win32/Kryptik.BYEJ trojan

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#12 skeeterbyte

skeeterbyte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:04:31 PM

Posted 28 March 2014 - 11:03 AM

Ooppsss.....sorry I missed the reference to it being quarantined.

Here's the FSS log:

Farbar Service Scanner Version: 25-02-2014
Ran by office (administrator) on 28-03-2014 at 12:00:52
Running from "E:\psbcCathy"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
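The FSS log above carries the findings a responder looks for after an infection like this one: a firewall policy forced to 0, Windows Defender switched off by policy, and a service whose start type was changed away from its default. As an added example (not part of the thread, and not a Farbar tool), here is a small Python checker that parses such a log and flags those conditions; the sample input is constructed from the lines pasted above, and the table of protection-weakening registry values is an assumption limited to the two values this log shows.

```python
"""Flag protection-weakening findings in a Farbar Service Scanner (FSS) log.

Added example, not a Farbar tool: parses the text of FSS.txt and reports
disabled-by-policy registry values, services that are stopped or whose
start type differs from the default, and system files whose MD5 check
did not come back as legit.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "policy", "service" or "file"
    subject: str   # registry value, service name or file path
    detail: str


# Registry values that switch a Windows protection off when they hold the
# value shown. Assumption: limited to the two values seen in the log above;
# extend the table for other FSS "Disabled Policy" sections.
WEAKENING_POLICIES = {
    ("EnableFirewall", 0): "Windows Firewall disabled by policy",
    ("DisableAntiSpyware", 1): "Windows Defender disabled by policy",
}

_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
_NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
_START_TYPE_RE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.$"
)
_FILE_CHECK_RE = re.compile(r"^([A-Za-z]:\\.+?) => (.+)$")


def analyze_fss_log(text: str) -> list:
    """Return the list of Findings for one FSS log, in log order."""
    findings = []
    current_key = None  # registry key the following "name"=DWORD lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            detail = WEAKENING_POLICIES.get((name, value))
            if detail:
                findings.append(Finding("policy", f"{current_key}\\{name}", detail))
            continue
        m = _NOT_RUNNING_RE.match(line)
        if m:
            findings.append(Finding("service", m.group(1), "service is not running"))
            continue
        m = _START_TYPE_RE.match(line)
        if m:
            service, actual, default = m.groups()
            if actual != default:
                findings.append(Finding("service", service,
                                        f"start type {actual}, expected {default}"))
            continue
        m = _FILE_CHECK_RE.match(line)
        if m and m.group(2) != "MD5 is legit":
            findings.append(Finding("file", m.group(1), m.group(2)))
    return findings


# Constructed sample: excerpts of the FSS.txt pasted in this thread.
SAMPLE_FSS_LOG = r"""
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
"""

if __name__ == "__main__":
    for finding in analyze_fss_log(SAMPLE_FSS_LOG):
        print(f"[{finding.category}] {finding.subject}: {finding.detail}")
```

Run against the sample it reports four findings (the firewall policy, the stopped WinDefend service, its Demand start type, and the Defender policy) and nothing for the file check, which matches the helper's verdict in the thread: the remaining problems are configuration the malware left behind, not a surviving infection.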



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:31 PM

Posted 28 March 2014 - 11:18 AM

Your system is clean now! :)

Mozilla Firefox out of date

Your Firefox browser is outdated. Please follow these instructions to update it:

  • Get the actual firefox from here.
  • Run setup and follow the instructions on your monitor.
  • Report any problems you have with the update.

Also, please update your Malwarebytes Anti-Malware.

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix, deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



#14 skeeterbyte

skeeterbyte
  • Topic Starter

  • Members
  • 67 posts
  • OFFLINE
  • Local time:04:31 PM

Posted 28 March 2014 - 11:24 AM

Thank you so much Marius. Appreciate all your help. I've downloaded the delfix and will run that momentarily.

Then address things that are out of date.

Thanks again,

Skeet



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:31 PM

Posted 31 March 2014 - 02:34 AM

You're welcome! :)





