
Malware or Trojan problem... I need help removing :)


  • This topic is locked
42 replies to this topic

#1 jwlanky

jwlanky

  • Members
  • 39 posts

Posted 29 March 2014 - 11:55 AM

Hi

I was redirected here following this post,

My PC has an infection stopping all antivirus software and I can't download anything from the web.

I have run DDS and the logs are below.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.16521  BrowserJavaVersion: 10.51.2
Run by sharon at 16:46:56 on 2014-03-29
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3001.1085 [GMT 0:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\gearsec.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Users\sharon\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\sharon\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\ProgramData\NT Kernel\NTKernel.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.3.23.9\GoogleCrashHandler.exe
C:\Users\sharon\AppData\Local\Temp\desktopbg.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\sharon\AppData\Roaming\Spotify\spotify.exe
C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\vssvc.exe
C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.safesearch.net/?utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=a13f2ee8-eea1-4e6b-899b-613602ebc4fd
uSearchAssistant = hxxp://www.google.com
uWinlogon: Shell = explorer.exe,"c:\programdata\nt kernel\NTKernel.exe"
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [MusicManager] "c:\users\sharon\appdata\local\programs\google\musicmanager\MusicManager.exe"
uRun: [Spotify Web Helper] "c:\users\sharon\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\sharon\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\sharon\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\sharon\appdata\roaming\micros~1\windows\startm~1\programs\startup\start.lnk - c:\users\sharon\hipyt\30650.vbs
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{2E99E44F-978D-4DBB-8154-CE32B8196CE5} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{96C7D249-F526-41DC-82E4-565A3A932752} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{B0F7FD02-E21D-4219-9790-E0C6B09289A4} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sharon\appdata\roaming\mozilla\firefox\profiles\mvwx6lc2.default\
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-4-21 15672]
R1 MpKsle6591aed;MpKsle6591aed;c:\programdata\microsoft\microsoft antimalware\definition updates\{dc89b9a3-23a2-43ee-b62b-2c8aed714c9c}\MpKsle6591aed.sys [2014-3-29 39464]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [2005-11-30 58952]
R2 Live Updater Service;Live Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2013-11-20 255376]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2012-3-23 87040]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-13 229888]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 104768]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ascservice.exe --> c:\program files\iobit\advanced systemcare 5\ASCService.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\imfsrv.exe --> c:\program files\iobit\iobit malware fighter\IMFsrv.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-6 36608]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2013-9-11 12400]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-3-13 108032]
S3 KiesAllShare;SAMSUNG KiesAllShare Service;c:\program files\samsung\kies\wiselinkpro\wiselinkpro.exe --> c:\program files\samsung\kies\wiselinkpro\WiselinkPro.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-3-23 40776]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-1-27 7087616]
S3 NisSrv;Microsoft Network Inspection;"c:\program files\microsoft security client\nissrv.exe" --> c:\program files\microsoft security client\NisSrv.exe [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-10-24 14848]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2010-6-15 58880]
S3 Sony PC Companion;Sony PC Companion;c:\program files\sony\sony pc companion\PCCService.exe [2012-5-16 155824]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-10-24 49664]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-29 1343400]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2014-03-29 16:46:36 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dc89b9a3-23a2-43ee-b62b-2c8aed714c9c}\MpKsle6591aed.sys
2014-03-29 07:59:58 -------- d-----w- C:\FRST
2014-03-23 19:40:03 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-03-23 19:31:04 -------- d-----w- C:\$RECYCLE.BIN
2014-03-23 19:18:07 98816 ----a-w- c:\windows\sed.exe
2014-03-23 19:18:07 256000 ----a-w- c:\windows\PEV.exe
2014-03-23 19:18:07 208896 ----a-w- c:\windows\MBR.exe
2014-03-23 19:03:48 -------- d-----w- C:\AdwCleaner
2014-03-23 18:38:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2014-03-23 18:37:08 -------- d-sh--w- c:\windows\system32\NT Kernel
2014-03-23 18:27:23 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-23 10:47:43 7969936 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dc89b9a3-23a2-43ee-b62b-2c8aed714c9c}\mpengine.dll
2014-03-22 22:30:25 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2014-03-22 22:29:56 -------- d-----w- c:\windows\system32\xlive
2014-03-22 22:29:55 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2014-03-22 21:41:13 -------- d-----w- c:\users\sharon\appdata\local\Rockstar Games
2014-03-22 21:38:58 -------- d-----w- c:\program files\Rockstar Games
2014-03-22 21:01:31 -------- d-----w- c:\users\sharon\appdata\local\CrashRpt
2014-03-22 16:19:26 -------- d-----w- c:\programdata\Oracle
2014-03-22 11:24:00 -------- d-----w- c:\users\sharon\appdata\local\Deployment
2014-03-22 11:24:00 -------- d-----w- c:\users\sharon\appdata\local\Apps
2014-03-22 09:55:46 7969936 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-03-21 22:26:32 -------- d-sh--w- c:\programdata\NT Kernel
2014-03-21 00:38:59 765968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1789cec3-e902-4085-9f79-b5f53b30d962}\gapaengine.dll
2014-03-15 12:02:50 -------- d-----w- c:\program files\SearchProtect
2014-03-13 18:10:12 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-03-13 18:10:12 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-03-13 18:10:11 185344 ----a-w- c:\windows\system32\wwansvc.dll
2014-03-13 18:10:10 381440 ----a-w- c:\windows\system32\wer.dll
2014-03-09 09:55:37 -------- d-----w- c:\users\sharon\appdata\local\Sonos,_Inc
2014-03-09 09:52:37 -------- d-----w- c:\program files\iPod
2014-03-09 09:52:34 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-09 09:52:34 -------- d-----w- c:\program files\iTunes
2014-03-09 09:45:37 -------- d-----w- c:\program files\Sonos
2014-03-09 09:44:53 -------- d-----w- c:\programdata\Sonos,_Inc
2014-03-09 09:40:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2014-03-09 09:40:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2014-03-09 09:40:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2014-03-09 09:40:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2014-03-09 09:40:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2014-03-08 14:46:30 -------- d-----w- c:\users\sharon\appdata\roaming\.minecraft
2014-03-08 11:05:05 -------- d-----w- c:\users\sharon\appdata\roaming\Open Download Manager
2014-03-07 21:06:58 -------- d-----w- c:\users\sharon\appdata\local\SoftPlanet
2014-03-07 20:52:14 -------- d-----w- c:\users\sharon\appdata\roaming\1H1Q
2014-03-07 20:52:05 -------- d-----w- c:\program files\Minecraft
2014-03-06 20:46:47 -------- d-----w- c:\users\sharon\appdata\roaming\PC-Gizmos
2014-03-02 12:16:31 -------- d-----w- c:\users\sharon\appdata\roaming\uTorrent
.
==================== Find3M  ====================
.
2014-03-12 17:13:10 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 17:13:10 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-01 04:11:20 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-03-01 04:10:48 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52:43 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-01 03:38:23 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37:35 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-01 03:31:30 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14:15 4244480 ----a-w- c:\windows\system32\jscript9.dll
2014-03-01 03:00:08 1964032 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- c:\windows\system32\wininet.dll
2014-02-04 02:04:11 509440 ----a-w- c:\windows\system32\qedit.dll
2014-01-28 12:42:08 11980672 ----a-w- c:\windows\system32\XCast.ocx
2014-01-19 07:32:23 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-01-17 16:24:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-01-17 16:24:12 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-01-06 19:23:36 4558848 ----a-w- c:\windows\system32\GPhotos.scr
.
============= FINISH: 16:47:09.92 ===============
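The two entries in the Pseudo HJT section above that a responder would go to first are the Winlogon Shell value (anything appended after explorer.exe runs at every logon) and the Startup-folder shortcut whose target is a .vbs script in an odd folder under the user profile. As an added example, not DDS's own code and not posted by anyone in this thread, the following Python script applies those same checks mechanically to DDS-style lines. The sample lines are constructed from the shapes seen in the log; the `[Updater]` Run entry pointing at desktopbg.exe is invented to exercise the temp-folder rule (the log above lists desktopbg.exe only as a running process, not as a Run key).

```python
"""Triage DDS 'Pseudo HJT Report' lines for logon/startup persistence.

Added example for the thread above; not part of DDS, RogueKiller or any
BleepingComputer tool. Rules: the Winlogon Shell value must be exactly
explorer.exe, and nothing that runs at logon should be a script or live
in a temp directory.
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1"}
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

# Constructed sample, modelled on the DDS log in this thread. Raw strings keep
# the backslashes intact ("\nt kernel" would otherwise contain a newline).
SAMPLE_LINES = [
    r'uWinlogon: Shell = explorer.exe,"c:\programdata\nt kernel\NTKernel.exe"',
    r'uRun: [MusicManager] "c:\users\sharon\appdata\local\programs\google\musicmanager\MusicManager.exe"',
    r'mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime',
    # Constructed for this example: a Run key pointing into the user's temp folder.
    r'mRun: [Updater] c:\users\sharon\appdata\local\temp\desktopbg.exe',
    r'StartupFolder: c:\users\sharon\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\sharon\appdata\roaming\dropbox\bin\Dropbox.exe',
    r'StartupFolder: c:\users\sharon\appdata\roaming\micros~1\windows\startm~1\programs\startup\start.lnk - c:\users\sharon\hipyt\30650.vbs',
]


@dataclass(frozen=True)
class Finding:
    severity: str  # only "HIGH" is produced by the rules below
    source: str    # which kind of DDS line produced the finding
    target: str    # the program or script path that would run at logon
    reason: str


def split_shell_value(value: str) -> list:
    """Split a Winlogon Shell value on commas, keeping quoted paths whole."""
    parts = re.findall(r'"[^"]*"|[^,]+', value)
    return [p.strip().strip('"') for p in parts if p.strip()]


def first_path(command: str) -> str:
    """Return the executable path from a Run-style command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def target_reasons(path: str) -> list:
    """Reasons a logon-time target is suspicious; empty list means none."""
    reasons = []
    ext = ntpath.splitext(path)[1].lower()
    if ext in SCRIPT_EXTS:
        reasons.append(f"{ext} script executed at logon")
    if TEMP_DIR_RE.search(path):
        reasons.append("program runs from a temp directory")
    return reasons


def triage(lines) -> list:
    """Apply the rules to DDS-style lines and return the findings in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"^[um]Winlogon:\s*Shell\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            for entry in split_shell_value(m.group(1)):
                if entry.lower() != "explorer.exe":
                    findings.append(Finding("HIGH", "Winlogon Shell", entry,
                                            "extra program appended to the Shell value"))
            continue
        m = re.match(r"^StartupFolder:\s*(.*?)\s+-\s+(.*)$", line, re.IGNORECASE)
        if m:
            target = first_path(m.group(2))
            for reason in target_reasons(target):
                findings.append(Finding("HIGH", "Startup folder", target, reason))
            continue
        m = re.match(r"^[um]Run:\s*\[[^\]]*\]\s*(.*)$", line, re.IGNORECASE)
        if m:
            target = first_path(m.group(1))
            for reason in target_reasons(target):
                findings.append(Finding("HIGH", "Run key", target, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.source}: {f.target} ({f.reason})")
```

Run against the sample it reports exactly the three entries a responder would act on (the NTKernel.exe Shell hijack, the temp-folder Run entry, and the .vbs startup shortcut) and stays silent on Dropbox, Music Manager and QuickTime. The rules deliberately key on where and what runs rather than on file names, so a renamed dropper in the same locations is still caught.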


#2 jwlanky

jwlanky
  • Topic Starter

  • Members
  • 39 posts

Posted 30 March 2014 - 01:56 PM

Is anyone able to assist please?



#3 jwlanky

jwlanky
  • Topic Starter

  • Members
  • 39 posts

Posted 01 April 2014 - 12:55 PM

Hi, am I beyond help? I'm really stuck on this.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 April 2014 - 08:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#5 jwlanky

jwlanky
  • Topic Starter

  • Members
  • 39 posts

Posted 02 April 2014 - 02:44 PM

Hi, thanks for your assistance.

First off, RogueKiller would not start when copied onto the desktop (ran as admin), so I had to run it off USB. It found files which were deleted. The report is below. Following that I tried to install MBAM, but I get part way through the installation and then 'Error5:Access Denied'.

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : sharon [Admin rights]
Mode : Remove -- Date : 04/02/2014 20:38:34
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] NTKernel.exe -- C:\ProgramData\NT Kernel\NTKernel.exe [-] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 5 ¤¤¤
[SHELL][SUSP PATH] HKCU\[...]\Winlogon : shell (explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe" [x]) -> DELETED
[SHELL][SUSP PATH] HKUS\[...]\Winlogon : shell (explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe" [x]) -> [0x2] The system cannot find the file specified. 
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Scheduled tasks : 0 ¤¤¤
 
¤¤¤ Startup Entries : 1 ¤¤¤
[sharon][ROGUE ST] start.lnk : C:\Users\sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk @C:\Users\sharon\hipyt\30650.vbs [-][-] -> DELETED
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743609AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743549A1)
[Address] EAT @explorer.exe (BeginPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74380731)
[Address] EAT @explorer.exe (BufferedPaintClear) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74356395)
[Address] EAT @explorer.exe (BufferedPaintInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435940E)
[Address] EAT @explorer.exe (BufferedPaintRenderAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743608ED)
[Address] EAT @explorer.exe (BufferedPaintSetAlpha) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7436E6B3)
[Address] EAT @explorer.exe (BufferedPaintStopAllAnimations) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7436D395)
[Address] EAT @explorer.exe (BufferedPaintUnInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743594AB)
[Address] EAT @explorer.exe (CloseThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74356A18)
[Address] EAT @explorer.exe (DrawThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74353982)
[Address] EAT @explorer.exe (DrawThemeBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7436D9DA)
[Address] EAT @explorer.exe (DrawThemeEdge) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74373B52)
[Address] EAT @explorer.exe (DrawThemeIcon) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743835E7)
[Address] EAT @explorer.exe (DrawThemeParentBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743553E5)
[Address] EAT @explorer.exe (DrawThemeParentBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743551BF)
[Address] EAT @explorer.exe (DrawThemeText) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74354EA1)
[Address] EAT @explorer.exe (DrawThemeTextEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743563E6)
[Address] EAT @explorer.exe (EnableThemeDialogTexture) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435FCAF)
[Address] EAT @explorer.exe (EnableTheming) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382FEB)
[Address] EAT @explorer.exe (EndBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74353F9A)
[Address] EAT @explorer.exe (EndBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74353F9A)
[Address] EAT @explorer.exe (EndPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743806CC)
[Address] EAT @explorer.exe (GetBufferedPaintBits) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74354BAF)
[Address] EAT @explorer.exe (GetBufferedPaintDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743604BC)
[Address] EAT @explorer.exe (GetBufferedPaintTargetDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74360473)
[Address] EAT @explorer.exe (GetBufferedPaintTargetRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382E7F)
[Address] EAT @explorer.exe (GetCurrentThemeName) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743605DD)
[Address] EAT @explorer.exe (GetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74360FB1)
[Address] EAT @explorer.exe (GetThemeBackgroundContentRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435CD2E)
[Address] EAT @explorer.exe (GetThemeBackgroundExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435F8BF)
[Address] EAT @explorer.exe (GetThemeBackgroundRegion) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7436165D)
[Address] EAT @explorer.exe (GetThemeBitmap) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435BF93)
[Address] EAT @explorer.exe (GetThemeBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74357C1F)
[Address] EAT @explorer.exe (GetThemeColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435616C)
[Address] EAT @explorer.exe (GetThemeDocumentationProperty) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382932)
[Address] EAT @explorer.exe (GetThemeEnumValue) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435616C)
[Address] EAT @explorer.exe (GetThemeFilename) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382412)
[Address] EAT @explorer.exe (GetThemeFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435FF21)
[Address] EAT @explorer.exe (GetThemeInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435616C)
[Address] EAT @explorer.exe (GetThemeIntList) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743823B1)
[Address] EAT @explorer.exe (GetThemeMargins) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743586E9)
[Address] EAT @explorer.exe (GetThemeMetric) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743606E2)
[Address] EAT @explorer.exe (GetThemePartSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435CDB1)
[Address] EAT @explorer.exe (GetThemePosition) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382350)
[Address] EAT @explorer.exe (GetThemePropertyOrigin) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74373FBB)
[Address] EAT @explorer.exe (GetThemeRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74363611)
[Address] EAT @explorer.exe (GetThemeStream) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743639D9)
[Address] EAT @explorer.exe (GetThemeString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743822E4)
[Address] EAT @explorer.exe (GetThemeSysBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74383172)
[Address] EAT @explorer.exe (GetThemeSysColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74373274)
[Address] EAT @explorer.exe (GetThemeSysColorBrush) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7438301E)
[Address] EAT @explorer.exe (GetThemeSysFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743829C4)
[Address] EAT @explorer.exe (GetThemeSysInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382BD3)
[Address] EAT @explorer.exe (GetThemeSysSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7438320B)
[Address] EAT @explorer.exe (GetThemeSysString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74382B3F)
[Address] EAT @explorer.exe (GetThemeTextExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74352D57)
[Address] EAT @explorer.exe (GetThemeTextMetrics) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435F992)
[Address] EAT @explorer.exe (GetThemeTransitionDuration) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74361081)
[Address] EAT @explorer.exe (GetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435DF46)
[Address] EAT @explorer.exe (HitTestThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74363CE3)
[Address] EAT @explorer.exe (IsAppThemed) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435F869)
[Address] EAT @explorer.exe (IsCompositionActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74352E9A)
[Address] EAT @explorer.exe (IsThemeActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435F785)
[Address] EAT @explorer.exe (IsThemeBackgroundPartiallyTransparent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743560AB)
[Address] EAT @explorer.exe (IsThemeDialogTextureEnabled) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7438312B)
[Address] EAT @explorer.exe (IsThemePartDefined) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743585B4)
[Address] EAT @explorer.exe (OpenThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x743573D2)
[Address] EAT @explorer.exe (OpenThemeDataEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74373D43)
[Address] EAT @explorer.exe (SetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74383296)
[Address] EAT @explorer.exe (SetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74360134)
[Address] EAT @explorer.exe (SetWindowThemeAttribute) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7436CFE6)
[Address] EAT @explorer.exe (ThemeInitApiHook) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7435B176)
[Address] EAT @explorer.exe (UpdatePanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7438068D)
[Address] EAT @explorer.exe (DllGetClassObject) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EECF9D)
[Address] EAT @explorer.exe (IEnumString_Next_WIC_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE000)
[Address] EAT @explorer.exe (IEnumString_Reset_WIC_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE029)
[Address] EAT @explorer.exe (IPropertyBag2_Write_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE049)
[Address] EAT @explorer.exe (IWICBitmapClipper_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDD2A)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_DoesSupportAnimation_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEA9A)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_DoesSupportLossless_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEABD)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_DoesSupportMultiframe_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEAE0)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetContainerFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE9D3)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetDeviceManufacturer_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE9F6)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetDeviceModels_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEA1F)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetFileExtensions_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEA71)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetMimeTypes_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEA48)
[Address] EAT @explorer.exe (IWICBitmapDecoder_CopyPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED845)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetColorContexts_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE9AA)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetDecoderInfo_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED822)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetFrameCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED9A2)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetFrame_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED868)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetMetadataQueryReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED8DA)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetPreview_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC74)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE9D3)
[Address] EAT @explorer.exe (IWICBitmapEncoder_Commit_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC05)
[Address] EAT @explorer.exe (IWICBitmapEncoder_CreateNewFrame_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDB87)
[Address] EAT @explorer.exe (IWICBitmapEncoder_GetEncoderInfo_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDB5E)
[Address] EAT @explorer.exe (IWICBitmapEncoder_GetMetadataQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED9A2)
[Address] EAT @explorer.exe (IWICBitmapEncoder_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDB32)
[Address] EAT @explorer.exe (IWICBitmapEncoder_SetPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDBDC)
[Address] EAT @explorer.exe (IWICBitmapEncoder_SetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDBB3)
[Address] EAT @explorer.exe (IWICBitmapFlipRotator_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDD2A)
[Address] EAT @explorer.exe (IWICBitmapFrameDecode_GetColorContexts_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED88E)
[Address] EAT @explorer.exe (IWICBitmapFrameDecode_GetMetadataQueryReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED8DA)
[Address] EAT @explorer.exe (IWICBitmapFrameDecode_GetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED8B7)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_Commit_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED9C5)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_GetMetadataQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEB03)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDFB7)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetColorContexts_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDB06)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetResolution_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDA17)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetSize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED9E5)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDADD)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_WriteSource_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDA71)
[Address] EAT @explorer.exe (IWICBitmapLock_GetDataPointer_STA_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED7FC)
[Address] EAT @explorer.exe (IWICBitmapLock_GetStride_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC25)
[Address] EAT @explorer.exe (IWICBitmapScaler_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDCFE)
[Address] EAT @explorer.exe (IWICBitmapSource_CopyPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED822)
[Address] EAT @explorer.exe (IWICBitmapSource_CopyPixels_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC48)
[Address] EAT @explorer.exe (IWICBitmapSource_GetPixelFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC25)
[Address] EAT @explorer.exe (IWICBitmapSource_GetResolution_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED7FC)
[Address] EAT @explorer.exe (IWICBitmapSource_GetSize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED91D)
[Address] EAT @explorer.exe (IWICBitmap_Lock_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE981)
[Address] EAT @explorer.exe (IWICBitmap_SetPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC74)
[Address] EAT @explorer.exe (IWICBitmap_SetResolution_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC97)
[Address] EAT @explorer.exe (IWICColorContext_InitializeFromMemory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEB75)
[Address] EAT @explorer.exe (IWICComponentFactory_CreateMetadataWriterFromReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED7AA)
[Address] EAT @explorer.exe (IWICComponentFactory_CreateQueryWriterFromBlockWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED7D3)
[Address] EAT @explorer.exe (IWICComponentInfo_GetAuthor_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE958)
[Address] EAT @explorer.exe (IWICComponentInfo_GetCLSID_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC25)
[Address] EAT @explorer.exe (IWICComponentInfo_GetFriendlyName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE9AA)
[Address] EAT @explorer.exe (IWICComponentInfo_GetSpecVersion_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED88E)
[Address] EAT @explorer.exe (IWICComponentInfo_GetVersion_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE981)
[Address] EAT @explorer.exe (IWICFastMetadataEncoder_Commit_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED8FD)
[Address] EAT @explorer.exe (IWICFastMetadataEncoder_GetMetadataQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC25)
[Address] EAT @explorer.exe (IWICFormatConverter_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDCC7)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapClipper_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED557)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFlipRotator_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED580)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromHBITMAP_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED6BA)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromHICON_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED6E6)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromMemory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED656)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromSource_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED62D)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapScaler_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED52E)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmap_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED68B)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateComponentInfo_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED4D9)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateDecoderFromFileHandle_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED4A1)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateDecoderFromFilename_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED466)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateDecoderFromStream_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED42E)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateEncoder_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED5D2)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateFastMetadataEncoderFromDecoder_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED70C)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateFastMetadataEncoderFromFrameDecode_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED732)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateFormatConverter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED505)
[Address] EAT @explorer.exe (IWICImagingFactory_CreatePalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDADD)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateQueryWriterFromReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED781)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED758)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateStream_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED5A9)
[Address] EAT @explorer.exe (IWICMetadataBlockReader_GetCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDC25)
[Address] EAT @explorer.exe (IWICMetadataBlockReader_GetReaderByIndex_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED7FC)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetContainerFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDFB7)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetEnumerator_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED822)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetLocation_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE049)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetMetadataByName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED7FC)
[Address] EAT @explorer.exe (IWICMetadataQueryWriter_RemoveMetadataByName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED8DA)
[Address] EAT @explorer.exe (IWICMetadataQueryWriter_SetMetadataByName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDFDA)
[Address] EAT @explorer.exe (IWICPalette_GetColorCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED96C)
[Address] EAT @explorer.exe (IWICPalette_GetColors_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED88E)
[Address] EAT @explorer.exe (IWICPalette_GetType_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED845)
[Address] EAT @explorer.exe (IWICPalette_HasAlpha_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED9A2)
[Address] EAT @explorer.exe (IWICPalette_InitializeCustom_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEB75)
[Address] EAT @explorer.exe (IWICPalette_InitializeFromBitmap_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED943)
[Address] EAT @explorer.exe (IWICPalette_InitializeFromPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED822)
[Address] EAT @explorer.exe (IWICPalette_InitializePredefined_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED91D)
[Address] EAT @explorer.exe (IWICPixelFormatInfo_GetBitsPerPixel_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEB03)
[Address] EAT @explorer.exe (IWICPixelFormatInfo_GetChannelCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDD50)
[Address] EAT @explorer.exe (IWICPixelFormatInfo_GetChannelMask_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEB26)
[Address] EAT @explorer.exe (IWICStream_InitializeFromIStream_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDD50)
[Address] EAT @explorer.exe (IWICStream_InitializeFromMemory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDD73)
[Address] EAT @explorer.exe (WICConvertBitmapSource) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDDB8)
[Address] EAT @explorer.exe (WICCreateBitmapFromSection) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDF8D)
[Address] EAT @explorer.exe (WICCreateBitmapFromSectionEx) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDE8C)
[Address] EAT @explorer.exe (WICCreateColorContext_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEEB52)
[Address] EAT @explorer.exe (WICCreateImagingFactory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED02B)
[Address] EAT @explorer.exe (WICGetMetadataContentSize) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE61D)
[Address] EAT @explorer.exe (WICMapGuidToShortName) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED0EC)
[Address] EAT @explorer.exe (WICMapSchemaToName) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED2E0)
[Address] EAT @explorer.exe (WICMapShortNameToGuid) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EED217)
[Address] EAT @explorer.exe (WICMatchMetadataContent) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE072)
[Address] EAT @explorer.exe (WICSerializeMetadataContent) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEE1B4)
[Address] EAT @explorer.exe (WICSetEncoderFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x73EEDD99)
[Address] EAT @explorer.exe (DllCanUnloadNow) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71762B3B)
[Address] EAT @explorer.exe (DllGetClassObject) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177188E)
[Address] EAT @explorer.exe (DllGetVersion) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71762982)
[Address] EAT @explorer.exe (DllRegisterServer) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717F7DC5)
[Address] EAT @explorer.exe (DllUnregisterServer) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717F818F)
[Address] EAT @explorer.exe (Migrate10CachedPackagesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FC744)
[Address] EAT @explorer.exe (Migrate10CachedPackagesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FE1AC)
[Address] EAT @explorer.exe (MsiAdvertiseProductA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180257F)
[Address] EAT @explorer.exe (MsiAdvertiseProductExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718027D7)
[Address] EAT @explorer.exe (MsiAdvertiseProductExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FD6C1)
[Address] EAT @explorer.exe (MsiAdvertiseProductW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FD46F)
[Address] EAT @explorer.exe (MsiAdvertiseScriptA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71808A3F)
[Address] EAT @explorer.exe (MsiAdvertiseScriptW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180B641)
[Address] EAT @explorer.exe (MsiApplyMultiplePatchesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71815903)
[Address] EAT @explorer.exe (MsiApplyMultiplePatchesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71811057)
[Address] EAT @explorer.exe (MsiApplyPatchA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71802D5D)
[Address] EAT @explorer.exe (MsiApplyPatchW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FD943)
[Address] EAT @explorer.exe (MsiBeginTransactionA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71819441)
[Address] EAT @explorer.exe (MsiBeginTransactionW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718139D4)
[Address] EAT @explorer.exe (MsiCloseAllHandles) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718200C3)
[Address] EAT @explorer.exe (MsiCloseHandle) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820015)
[Address] EAT @explorer.exe (MsiCollectUserInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71801C3A)
[Address] EAT @explorer.exe (MsiCollectUserInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FD16F)
[Address] EAT @explorer.exe (MsiConfigureFeatureA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71801D5A)
[Address] EAT @explorer.exe (MsiConfigureFeatureFromDescriptorA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180D70A)
[Address] EAT @explorer.exe (MsiConfigureFeatureFromDescriptorW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180E41B)
[Address] EAT @explorer.exe (MsiConfigureFeatureW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FD2B7)
[Address] EAT @explorer.exe (MsiConfigureProductA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F256)
[Address] EAT @explorer.exe (MsiConfigureProductExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180DACA)
[Address] EAT @explorer.exe (MsiConfigureProductExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180E891)
[Address] EAT @explorer.exe (MsiConfigureProductW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F581)
[Address] EAT @explorer.exe (MsiCreateAndVerifyInstallerDirectory) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177B2E1)
[Address] EAT @explorer.exe (MsiCreateRecord) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821514)
[Address] EAT @explorer.exe (MsiCreateTransformSummaryInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718255D1)
[Address] EAT @explorer.exe (MsiCreateTransformSummaryInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718248EF)
[Address] EAT @explorer.exe (MsiDatabaseApplyTransformA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718248A9)
[Address] EAT @explorer.exe (MsiDatabaseApplyTransformW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821397)
[Address] EAT @explorer.exe (MsiDatabaseCommit) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820DEB)
[Address] EAT @explorer.exe (MsiDatabaseExportA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71824792)
[Address] EAT @explorer.exe (MsiDatabaseExportW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821008)
[Address] EAT @explorer.exe (MsiDatabaseGenerateTransformA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182485D)
[Address] EAT @explorer.exe (MsiDatabaseGenerateTransformW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821270)
[Address] EAT @explorer.exe (MsiDatabaseGetPrimaryKeysA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718245FD)
[Address] EAT @explorer.exe (MsiDatabaseGetPrimaryKeysW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823C54)
[Address] EAT @explorer.exe (MsiDatabaseImportA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182472E)
[Address] EAT @explorer.exe (MsiDatabaseImportW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820F1E)
[Address] EAT @explorer.exe (MsiDatabaseIsTablePersistentA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71824643)
[Address] EAT @explorer.exe (MsiDatabaseIsTablePersistentW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820C8F)
[Address] EAT @explorer.exe (MsiDatabaseMergeA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71824817)
[Address] EAT @explorer.exe (MsiDatabaseMergeW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821111)
[Address] EAT @explorer.exe (MsiDatabaseOpenViewA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718245B7)
[Address] EAT @explorer.exe (MsiDatabaseOpenViewW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718202B7)
[Address] EAT @explorer.exe (MsiDecomposeDescriptorA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180DA7B)
[Address] EAT @explorer.exe (MsiDecomposeDescriptorW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71756286)
[Address] EAT @explorer.exe (MsiDeleteUserDataA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180A367)
[Address] EAT @explorer.exe (MsiDeleteUserDataW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718069EB)
[Address] EAT @explorer.exe (MsiDetermineApplicablePatchesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181D4C5)
[Address] EAT @explorer.exe (MsiDetermineApplicablePatchesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181C559)
[Address] EAT @explorer.exe (MsiDeterminePatchSequenceA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181D9D9)
[Address] EAT @explorer.exe (MsiDeterminePatchSequenceW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181C9E1)
[Address] EAT @explorer.exe (MsiDoActionA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182613D)
[Address] EAT @explorer.exe (MsiDoActionW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822D61)
[Address] EAT @explorer.exe (MsiEnableLogA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180189B)
[Address] EAT @explorer.exe (MsiEnableLogW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FFBE9)
[Address] EAT @explorer.exe (MsiEnableUIPreview) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718239CD)
[Address] EAT @explorer.exe (MsiEndTransaction) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71813E11)
[Address] EAT @explorer.exe (MsiEnumClientsA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177EC96)
[Address] EAT @explorer.exe (MsiEnumClientsExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71815D6E)
[Address] EAT @explorer.exe (MsiEnumClientsExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718113A7)
[Address] EAT @explorer.exe (MsiEnumClientsW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71763647)
[Address] EAT @explorer.exe (MsiEnumComponentCostsA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827847)
[Address] EAT @explorer.exe (MsiEnumComponentCostsW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827A95)
[Address] EAT @explorer.exe (MsiEnumComponentQualifiersA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180CD6D)
[Address] EAT @explorer.exe (MsiEnumComponentQualifiersW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7176384D)
[Address] EAT @explorer.exe (MsiEnumComponentsA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718091B9)
[Address] EAT @explorer.exe (MsiEnumComponentsExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71815B08)
[Address] EAT @explorer.exe (MsiEnumComponentsExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181121D)
[Address] EAT @explorer.exe (MsiEnumComponentsW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180BA57)
[Address] EAT @explorer.exe (MsiEnumFeaturesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71809C04)
[Address] EAT @explorer.exe (MsiEnumFeaturesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180C259)
[Address] EAT @explorer.exe (MsiEnumPatchesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718197EB)
[Address] EAT @explorer.exe (MsiEnumPatchesExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71814897)
[Address] EAT @explorer.exe (MsiEnumPatchesExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71810E79)
[Address] EAT @explorer.exe (MsiEnumPatchesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181468E)
[Address] EAT @explorer.exe (MsiEnumProductsA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71809175)
[Address] EAT @explorer.exe (MsiEnumProductsExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71816313)
[Address] EAT @explorer.exe (MsiEnumProductsExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71811729)
[Address] EAT @explorer.exe (MsiEnumProductsW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7176559D)
[Address] EAT @explorer.exe (MsiEnumRelatedProductsA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71809109)
[Address] EAT @explorer.exe (MsiEnumRelatedProductsW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180B9EB)
[Address] EAT @explorer.exe (MsiEvaluateConditionA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718261C6)
[Address] EAT @explorer.exe (MsiEvaluateConditionW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718230C1)
[Address] EAT @explorer.exe (MsiExtractPatchXMLDataA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71814FAE)
[Address] EAT @explorer.exe (MsiExtractPatchXMLDataW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71814C22)
[Address] EAT @explorer.exe (MsiFormatRecordA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822A73)
[Address] EAT @explorer.exe (MsiFormatRecordW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822BF9)
[Address] EAT @explorer.exe (MsiGetActiveDatabase) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822639)
[Address] EAT @explorer.exe (MsiGetComponentPathA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180EEBD)
[Address] EAT @explorer.exe (MsiGetComponentPathExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71816053)
[Address] EAT @explorer.exe (MsiGetComponentPathExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71811559)
[Address] EAT @explorer.exe (MsiGetComponentPathW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717562DD)
[Address] EAT @explorer.exe (MsiGetComponentStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718271E3)
[Address] EAT @explorer.exe (MsiGetComponentStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718272DC)
[Address] EAT @explorer.exe (MsiGetDatabaseState) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820ED9)
[Address] EAT @explorer.exe (MsiGetFeatureCostA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718275FD)
[Address] EAT @explorer.exe (MsiGetFeatureCostW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827702)
[Address] EAT @explorer.exe (MsiGetFeatureInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71800D1A)
[Address] EAT @explorer.exe (MsiGetFeatureInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FF5EE)
[Address] EAT @explorer.exe (MsiGetFeatureStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826CD5)
[Address] EAT @explorer.exe (MsiGetFeatureStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826DC3)
[Address] EAT @explorer.exe (MsiGetFeatureUsageA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180A111)
[Address] EAT @explorer.exe (MsiGetFeatureUsageW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180C9BD)
[Address] EAT @explorer.exe (MsiGetFeatureValidStatesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827CC5)
[Address] EAT @explorer.exe (MsiGetFeatureValidStatesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718236EC)
[Address] EAT @explorer.exe (MsiGetFileHashA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71801214)
[Address] EAT @explorer.exe (MsiGetFileHashW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FCA49)
[Address] EAT @explorer.exe (MsiGetFileSignatureInformationA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180128C)
[Address] EAT @explorer.exe (MsiGetFileSignatureInformationW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FCA9F)
[Address] EAT @explorer.exe (MsiGetFileVersionA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71800EF8)
[Address] EAT @explorer.exe (MsiGetFileVersionW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71803D2F)
[Address] EAT @explorer.exe (MsiGetLanguage) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822727)
[Address] EAT @explorer.exe (MsiGetLastErrorRecord) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821D69)
[Address] EAT @explorer.exe (MsiGetMode) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182279F)
[Address] EAT @explorer.exe (MsiGetPatchFileListA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181D25D)
[Address] EAT @explorer.exe (MsiGetPatchFileListW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71818B6E)
[Address] EAT @explorer.exe (MsiGetPatchInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180A24F)
[Address] EAT @explorer.exe (MsiGetPatchInfoExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718155E9)
[Address] EAT @explorer.exe (MsiGetPatchInfoExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71815177)
[Address] EAT @explorer.exe (MsiGetPatchInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180CAFB)
[Address] EAT @explorer.exe (MsiGetProductCodeA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177EADC)
[Address] EAT @explorer.exe (MsiGetProductCodeFromPackageCodeA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180ED5F)
[Address] EAT @explorer.exe (MsiGetProductCodeFromPackageCodeW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F353)
[Address] EAT @explorer.exe (MsiGetProductCodeW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177EE6C)
[Address] EAT @explorer.exe (MsiGetProductInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180D362)
[Address] EAT @explorer.exe (MsiGetProductInfoExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718165DE)
[Address] EAT @explorer.exe (MsiGetProductInfoExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718118FF)
[Address] EAT @explorer.exe (MsiGetProductInfoFromScriptA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71800880)
[Address] EAT @explorer.exe (MsiGetProductInfoFromScriptW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FF132)
[Address] EAT @explorer.exe (MsiGetProductInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71764273)
[Address] EAT @explorer.exe (MsiGetProductPropertyA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71800B90)
[Address] EAT @explorer.exe (MsiGetProductPropertyW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FF48B)
[Address] EAT @explorer.exe (MsiGetPropertyA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182596D)
[Address] EAT @explorer.exe (MsiGetPropertyW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71825BA3)
[Address] EAT @explorer.exe (MsiGetShortcutTargetA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71802A58)
[Address] EAT @explorer.exe (MsiGetShortcutTargetW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71804689)
[Address] EAT @explorer.exe (MsiGetSourcePathA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826209)
[Address] EAT @explorer.exe (MsiGetSourcePathW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182640D)
[Address] EAT @explorer.exe (MsiGetSummaryInformationA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718258BD)
[Address] EAT @explorer.exe (MsiGetSummaryInformationW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71824293)
[Address] EAT @explorer.exe (MsiGetTargetPathA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718265F5)
[Address] EAT @explorer.exe (MsiGetTargetPathW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718267F9)
[Address] EAT @explorer.exe (MsiGetUserInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718091FE)
[Address] EAT @explorer.exe (MsiGetUserInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177E466)
[Address] EAT @explorer.exe (MsiInstallMissingComponentA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718022C7)
[Address] EAT @explorer.exe (MsiInstallMissingComponentW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718043D9)
[Address] EAT @explorer.exe (MsiInstallMissingFileA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71802067)
[Address] EAT @explorer.exe (MsiInstallMissingFileW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71804179)
[Address] EAT @explorer.exe (MsiInstallProductA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180197E)
[Address] EAT @explorer.exe (MsiInstallProductW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FCE4B)
[Address] EAT @explorer.exe (MsiInvalidateFeatureCache) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717BD1D3)
[Address] EAT @explorer.exe (MsiIsProductElevatedA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71803306)
[Address] EAT @explorer.exe (MsiIsProductElevatedW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71804A5D)
[Address] EAT @explorer.exe (MsiJoinTransaction) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71813FEB)
[Address] EAT @explorer.exe (MsiLoadStringA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180141F)
[Address] EAT @explorer.exe (MsiLoadStringW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7176AE09)
[Address] EAT @explorer.exe (MsiLocateComponentA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F19F)
[Address] EAT @explorer.exe (MsiLocateComponentW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F4CA)
[Address] EAT @explorer.exe (MsiMessageBoxA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718016DA)
[Address] EAT @explorer.exe (MsiMessageBoxExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71801528)
[Address] EAT @explorer.exe (MsiMessageBoxExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FCCB1)
[Address] EAT @explorer.exe (MsiMessageBoxW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FCE24)
[Address] EAT @explorer.exe (MsiNotifySidChangeA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180A306)
[Address] EAT @explorer.exe (MsiNotifySidChangeW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180501B)
[Address] EAT @explorer.exe (MsiOpenDatabaseA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71824691)
[Address] EAT @explorer.exe (MsiOpenDatabaseW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823D8D)
[Address] EAT @explorer.exe (MsiOpenPackageA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FEDC0)
[Address] EAT @explorer.exe (MsiOpenPackageExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FC63E)
[Address] EAT @explorer.exe (MsiOpenPackageExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FC8E9)
[Address] EAT @explorer.exe (MsiOpenPackageW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FF7AB)
[Address] EAT @explorer.exe (MsiOpenProductA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71808BF2)
[Address] EAT @explorer.exe (MsiOpenProductW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180B857)
[Address] EAT @explorer.exe (MsiPreviewBillboardA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827D4E)
[Address] EAT @explorer.exe (MsiPreviewBillboardW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823AEA)
[Address] EAT @explorer.exe (MsiPreviewDialogA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827D0B)
[Address] EAT @explorer.exe (MsiPreviewDialogW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823A96)
[Address] EAT @explorer.exe (MsiProcessAdvertiseScriptA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180CBB2)
[Address] EAT @explorer.exe (MsiProcessAdvertiseScriptW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180DF39)
[Address] EAT @explorer.exe (MsiProcessMessage) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822F51)
[Address] EAT @explorer.exe (MsiProvideAssemblyA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180FD5D)
[Address] EAT @explorer.exe (MsiProvideAssemblyW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71810765)
[Address] EAT @explorer.exe (MsiProvideComponentA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F7B9)
[Address] EAT @explorer.exe (MsiProvideComponentFromDescriptorA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180FAB3)
[Address] EAT @explorer.exe (MsiProvideComponentFromDescriptorW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71764F84)
[Address] EAT @explorer.exe (MsiProvideComponentW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181030C)
[Address] EAT @explorer.exe (MsiProvideQualifiedComponentA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177C385)
[Address] EAT @explorer.exe (MsiProvideQualifiedComponentExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7177D411)
[Address] EAT @explorer.exe (MsiProvideQualifiedComponentExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71758A47)
[Address] EAT @explorer.exe (MsiProvideQualifiedComponentW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71758C86)
[Address] EAT @explorer.exe (MsiQueryComponentStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181687C)
[Address] EAT @explorer.exe (MsiQueryComponentStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71811AE1)
[Address] EAT @explorer.exe (MsiQueryFeatureStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F6F1)
[Address] EAT @explorer.exe (MsiQueryFeatureStateExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71816A94)
[Address] EAT @explorer.exe (MsiQueryFeatureStateExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71811CD9)
[Address] EAT @explorer.exe (MsiQueryFeatureStateFromDescriptorA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180FC02)
[Address] EAT @explorer.exe (MsiQueryFeatureStateFromDescriptorW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181057D)
[Address] EAT @explorer.exe (MsiQueryFeatureStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7175617D)
[Address] EAT @explorer.exe (MsiQueryProductStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180D45D)
[Address] EAT @explorer.exe (MsiQueryProductStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717649FE)
[Address] EAT @explorer.exe (MsiRecordClearData) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821D27)
[Address] EAT @explorer.exe (MsiRecordDataSize) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718216E5)
[Address] EAT @explorer.exe (MsiRecordGetFieldCount) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821916)
[Address] EAT @explorer.exe (MsiRecordGetInteger) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718218B5)
[Address] EAT @explorer.exe (MsiRecordGetStringA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823F1D)
[Address] EAT @explorer.exe (MsiRecordGetStringW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718240CC)
[Address] EAT @explorer.exe (MsiRecordIsNull) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718215F5)
[Address] EAT @explorer.exe (MsiRecordReadStream) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821B6D)
[Address] EAT @explorer.exe (MsiRecordSetInteger) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718217C2)
[Address] EAT @explorer.exe (MsiRecordSetStreamA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71825877)
[Address] EAT @explorer.exe (MsiRecordSetStreamW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821A03)
[Address] EAT @explorer.exe (MsiRecordSetStringA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182561D)
[Address] EAT @explorer.exe (MsiRecordSetStringW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182572E)
[Address] EAT @explorer.exe (MsiReinstallFeatureA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71801EDE)
[Address] EAT @explorer.exe (MsiReinstallFeatureFromDescriptorA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180D8C2)
[Address] EAT @explorer.exe (MsiReinstallFeatureFromDescriptorW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180E657)
[Address] EAT @explorer.exe (MsiReinstallFeatureW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71768C24)
[Address] EAT @explorer.exe (MsiReinstallProductA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71801AFE)
[Address] EAT @explorer.exe (MsiReinstallProductW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FCFF1)
[Address] EAT @explorer.exe (MsiRemovePatchesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71819606)
[Address] EAT @explorer.exe (MsiRemovePatchesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71813702)
[Address] EAT @explorer.exe (MsiSequenceA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826180)
[Address] EAT @explorer.exe (MsiSequenceW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822E4B)
[Address] EAT @explorer.exe (MsiSetComponentStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718273EB)
[Address] EAT @explorer.exe (MsiSetComponentStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718274E5)
[Address] EAT @explorer.exe (MsiSetExternalUIA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FC72F)
[Address] EAT @explorer.exe (MsiSetExternalUIRecord) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181336B)
[Address] EAT @explorer.exe (MsiSetExternalUIW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71764E86)
[Address] EAT @explorer.exe (MsiSetFeatureAttributesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71827001)
[Address] EAT @explorer.exe (MsiSetFeatureAttributesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718270B4)
[Address] EAT @explorer.exe (MsiSetFeatureStateA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826E2D)
[Address] EAT @explorer.exe (MsiSetFeatureStateW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826EDF)
[Address] EAT @explorer.exe (MsiSetInstallLevel) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823424)
[Address] EAT @explorer.exe (MsiSetInternalUI) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71764FE6)
[Address] EAT @explorer.exe (MsiSetMode) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718228BB)
[Address] EAT @explorer.exe (MsiSetOfflineContextW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71828485)
[Address] EAT @explorer.exe (MsiSetPropertyA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71825DC1)
[Address] EAT @explorer.exe (MsiSetPropertyW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71825F85)
[Address] EAT @explorer.exe (MsiSetTargetPathA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718269DD)
[Address] EAT @explorer.exe (MsiSetTargetPathW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71826B61)
[Address] EAT @explorer.exe (MsiSourceListAddMediaDiskA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71817136)
[Address] EAT @explorer.exe (MsiSourceListAddMediaDiskW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71812165)
[Address] EAT @explorer.exe (MsiSourceListAddSourceA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71803037)
[Address] EAT @explorer.exe (MsiSourceListAddSourceExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71816F13)
[Address] EAT @explorer.exe (MsiSourceListAddSourceExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71811F43)
[Address] EAT @explorer.exe (MsiSourceListAddSourceW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FDC51)
[Address] EAT @explorer.exe (MsiSourceListClearAllA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71802EF0)
[Address] EAT @explorer.exe (MsiSourceListClearAllExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71817875)
[Address] EAT @explorer.exe (MsiSourceListClearAllExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181281B)
[Address] EAT @explorer.exe (MsiSourceListClearAllW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FDAEB)
[Address] EAT @explorer.exe (MsiSourceListClearMediaDiskA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181764A)
[Address] EAT @explorer.exe (MsiSourceListClearMediaDiskW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181260D)
[Address] EAT @explorer.exe (MsiSourceListClearSourceA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71817436)
[Address] EAT @explorer.exe (MsiSourceListClearSourceW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71812405)
[Address] EAT @explorer.exe (MsiSourceListEnumMediaDisksA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7181834E)
[Address] EAT @explorer.exe (MsiSourceListEnumMediaDisksW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718131B5)
[Address] EAT @explorer.exe (MsiSourceListEnumSourcesA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71817C4B)
[Address] EAT @explorer.exe (MsiSourceListEnumSourcesW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71812C07)
[Address] EAT @explorer.exe (MsiSourceListForceResolutionA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718031B8)
[Address] EAT @explorer.exe (MsiSourceListForceResolutionExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71817A6C)
[Address] EAT @explorer.exe (MsiSourceListForceResolutionExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71812A09)
[Address] EAT @explorer.exe (MsiSourceListForceResolutionW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FDDDB)
[Address] EAT @explorer.exe (MsiSourceListGetInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71817E30)
[Address] EAT @explorer.exe (MsiSourceListGetInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71812DB5)
[Address] EAT @explorer.exe (MsiSourceListSetInfoA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718180F8)
[Address] EAT @explorer.exe (MsiSourceListSetInfoW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71812FAB)
[Address] EAT @explorer.exe (MsiSummaryInfoGetPropertyA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718221B9)
[Address] EAT @explorer.exe (MsiSummaryInfoGetPropertyCount) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821E3D)
[Address] EAT @explorer.exe (MsiSummaryInfoGetPropertyW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182238B)
[Address] EAT @explorer.exe (MsiSummaryInfoPersist) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71822551)
[Address] EAT @explorer.exe (MsiSummaryInfoSetPropertyA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71825906)
[Address] EAT @explorer.exe (MsiSummaryInfoSetPropertyW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71821F2B)
[Address] EAT @explorer.exe (MsiUseFeatureA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71810D83)
[Address] EAT @explorer.exe (MsiUseFeatureExA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7180F9E8)
[Address] EAT @explorer.exe (MsiUseFeatureExW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71764D3A)
[Address] EAT @explorer.exe (MsiUseFeatureW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71810DA0)
[Address] EAT @explorer.exe (MsiVerifyDiskSpace) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71823863)
[Address] EAT @explorer.exe (MsiVerifyPackageA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718007AA)
[Address] EAT @explorer.exe (MsiVerifyPackageW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x717FF097)
[Address] EAT @explorer.exe (MsiViewClose) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820BAF)
[Address] EAT @explorer.exe (MsiViewExecute) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182070F)
[Address] EAT @explorer.exe (MsiViewFetch) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820833)
[Address] EAT @explorer.exe (MsiViewGetColumnInfo) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71820A91)
[Address] EAT @explorer.exe (MsiViewGetErrorA) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718203F1)
[Address] EAT @explorer.exe (MsiViewGetErrorW) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x718205CE)
[Address] EAT @explorer.exe (MsiViewModify) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x7182093F)
[Address] EAT @explorer.exe (QueryInstanceCount) : netshell.dll -> HOOKED (C:\Windows\system32\msi.dll @ 0x71762B2A)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS545050B9A300 +++++
--- User ---
[MBR] 36b88865972feda1ee590184471c3d9a
[BSP] 21c8b6e54963a428807465ad0928d5eb : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 10000 MB
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20482048 | Size: 324775 MB
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 685621248 | Size: 142162 MB
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) USB Device +++++
--- User ---
[MBR] 55389136f085ab345737bafe078fd1e1
[BSP] cc1335b4044fe0137cc1ae93838fafce : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 41 | Size: 3987 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )
 
Finished : << RKreport[0]_D_04022014_203834.txt >>
RKreport[0]_S_04022014_203827.txt
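
The "MBR Check" block above prints an MD5 of the first sector of each disk, identifies the boot code, and decodes the partition table. The Python script below is an added example for this thread, not code from RogueKiller or from anyone in the discussion. It does the same decoding on a raw 512-byte sector: it verifies the 0x55AA boot signature, unpacks the four 16-byte partition entries (status byte, type ID, LBA start, sector count), converts sizes to MB in the same unit the report uses (2048 sectors of 512 bytes per MB), hashes the sector and its boot-code region, and runs the sanity checks a responder would make before trusting the table (exactly one active entry, valid status bytes, no overlapping entries). The sample sector is constructed to reproduce the PhysicalDrive0 layout from the log (offsets 2048, 20482048 and 685621248 sectors; sizes 10000, 324775 and 142162 MB); its boot code is zero-filled, so its hashes are not the ones in the report. The `read_mbr` helper and the `\\.\PhysicalDrive0` path are assumptions about how the live sector would be obtained on Windows (the open must run as Administrator).

```python
"""Decode a raw MBR sector the way a scanner's "MBR Check" does.

Added example for this thread; not code from RogueKiller or from the forum.
The sample sector is constructed to match the PhysicalDrive0 table reported
above; its boot-code region is zero-filled, so the hashes differ from the log.
"""
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446                            # partition table starts here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"                    # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"                    # bytes 510..511
BOOT_CODE_END = 440                        # bytes 440..445 hold the disk signature and two nulls
SECTORS_PER_MB = (1024 * 1024) // SECTOR   # 2048, the unit of the report's "Size" column
PART_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x27: "Hidden NTFS (WinRE/OEM recovery)"}


def build_entry(active, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields are left zero (LBA-only layout)."""
    status = 0x80 if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte sector from up to four entries plus the boot signature."""
    table = b"".join(entries) + b"\0" * (ENTRY_SIZE * (4 - len(entries)))
    sector = boot_code + b"\0" * (PT_OFFSET - len(boot_code)) + table + SIGNATURE
    assert len(sector) == SECTOR
    return sector


def has_boot_signature(sector):
    """True only for a full 512-byte sector ending in 0x55AA."""
    return len(sector) == SECTOR and sector[510:512] == SIGNATURE


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts, in table order."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue                       # unused slot
        parts.append({"index": i, "status": status, "active": status == 0x80,
                      "type": ptype, "type_name": PART_TYPES.get(ptype, "unknown"),
                      "offset": lba, "sectors": count, "size_mb": count // SECTORS_PER_MB})
    return parts


def mbr_hashes(sector):
    """MD5 of the whole sector (like the [MBR] line) and of the boot-code region.

    The boot-code hash is the value to compare against a known-good Windows 7
    MBR when looking for a bootkit; the partition table is excluded so that a
    legitimate repartition does not change it.
    """
    return {"mbr": hashlib.md5(sector).hexdigest(),
            "boot_code": hashlib.md5(sector[:BOOT_CODE_END]).hexdigest()}


def check_table(parts):
    """Sanity checks before trusting the table: one bootable entry, sane flags, no overlaps."""
    findings = []
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: malformed status byte 0x{p['status']:02X}")
        if p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero-length partition")
    ordered = sorted(parts, key=lambda p: p["offset"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["offset"] + prev["sectors"] > cur["offset"]:
            findings.append(f"entries {prev['index']} and {cur['index']} overlap")
    return findings


def report(sector):
    """Render the sector in the same shape as the log's MBR Check block."""
    hashes = mbr_hashes(sector)
    parts = parse_mbr(sector)
    lines = [f"[MBR] {hashes['mbr']}", f"[BOOT] {hashes['boot_code']}", "Partition table:"]
    for p in parts:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        lines.append(f"{p['index']} - [{flag}] {p['type_name']} (0x{p['type']:02X}) "
                     f"Offset (sectors): {p['offset']} | Size: {p['size_mb']} MB")
    findings = check_table(parts)
    lines += [f"CHECK: {f}" for f in findings] or ["CHECK: table consistent"]
    return "\n".join(lines)


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Assumed live-read path: first sector of a physical disk (Windows, run as Administrator)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed sample reproducing the PhysicalDrive0 layout in the report above.
SAMPLE_MBR = build_mbr([
    build_entry(False, 0x27, 2048, 10000 * SECTORS_PER_MB),
    build_entry(True, 0x07, 20482048, 324775 * SECTORS_PER_MB),
    build_entry(False, 0x07, 685621248, 142162 * SECTORS_PER_MB),
])

if __name__ == "__main__":
    print(report(SAMPLE_MBR))
```

The three sample entries are contiguous: 2048 + 10000 MB ends exactly at sector 20482048, and that partition ends exactly at 685621248, which is why the overlap check passes on the reported layout. A scanner flags the table when two entries claim the same sectors, when more than one entry is marked active, or when the boot-code hash no longer matches the stock Windows loader; the second disk in the log (the USB stick) only failed the raw-read ("LL2") path, which is a driver limitation rather than a table problem.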


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 April 2014 - 07:04 AM

Please run the other two tools (AdwCleaner and Farbar Recovery Scan) and post the logs for my review.

#7 jwlanky

jwlanky
  • Topic Starter

  • Members
  • 39 posts

Posted 05 April 2014 - 10:01 AM

adw report...

 

# AdwCleaner v3.023 - Report created 05/04/2014 at 15:53:28
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : sharon - SHARON-PC
# Running from : E:\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\Program Files\Vuze_Remote
Folder Deleted : C:\Program Files\Vuze
Folder Deleted : C:\Users\sharon\AppData\Local\CrashRpt
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\7557c731e1aee16cf66ed529a32ca378
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16521
 
 
-\\ Mozilla Firefox v
 
[ File : C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\mvwx6lc2.default\prefs.js ]
 
 
[ File : C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\xwztjv0d.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\sharon\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [12296 octets] - [23/03/2014 20:03:51]
AdwCleaner[R1].txt - [1315 octets] - [05/04/2014 15:51:14]
AdwCleaner[S0].txt - [10880 octets] - [23/03/2014 20:06:13]
AdwCleaner[S1].txt - [1254 octets] - [05/04/2014 15:53:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1314 octets] ##########

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by sharon (administrator) on SHARON-PC on 05-04-2014 15:58:18
Running from E:\
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
() c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(GEAR Software) C:\Windows\system32\gearsec.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
() C:\Program Files\CDBurnerXP\NMSAccessU.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Skype Technologies) C:\Program Files\Skype\Updater\Updater.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apoint.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\Reader_sl.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Users\sharon\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
(Spotify Ltd) C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Dropbox, Inc.) C:\Users\sharon\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\Apntex.exe
(Alps Electric Co., Ltd.) C:\Program Files\Apoint2K\HidFind.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\ProgramData\NT Kernel\NTKernel.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [192512 2009-01-30] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\...\Run: [MusicManager] - C:\Users\sharon\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7382528 2014-03-03] (Google Inc.)
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\...\Run: [Spotify Web Helper] - C:\Users\sharon\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1171968 2014-02-11] (Spotify Ltd)
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe" [320000 2014-03-21] (Intel Corporation) <==== ATTENTION 
Startup: C:\Users\sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\sharon\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x07CE23F4CE37CB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\xwztjv0d.default
FF NetworkProxy: "no_proxies_on", "*.local"
FF DefaultSearchEngine: SafeSearch
FF SearchEngineOrder.1: SafeSearch
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @soe.sony.com/installer,version=1.0.3 - C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\mvwx6lc2.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll No File
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\sharon\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\sharon\AppData\Local\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Extension: No Name - C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\xwztjv0d.default\Extensions\staged [2014-02-18]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [2010-03-19]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-07-26]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [2010-09-03]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2010-11-21]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-20]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [2011-03-01]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-07-20]
FF StartMenuInternet: FIREFOX.EXE - C:\Users\sharon\AppData\Local\Mozilla Firefox\firefox.exe
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/ig
CHR DefaultSearchKeyword: igoogle.co.uk
CHR DefaultSearchProvider: igoogle.co.uk
CHR DefaultNewTabURL: 
CHR Extension: (Tank Riders) - C:\Users\sharon\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdmmodjlfegeieihcdcgcalkgmhgmiae [2014-03-20]
CHR Extension: (Google Mail Checker) - C:\Users\sharon\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2014-02-09]
CHR Extension: (Google Wallet) - C:\Users\sharon\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-02]
CHR StartMenuInternet: Google Chrome - C:\Users\sharon\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
R2 gearsec; C:\Windows\system32\gearsec.exe [58952 2005-11-30] (GEAR Software)
R2 Live Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [255376 2012-04-05] (Acer Incorporated)
R2 NMSAccess; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2010-03-04] ()
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [87040 2012-03-23] ()
S3 Sony PC Companion; C:\Program Files\Sony\Sony PC Companion\PCCService.exe [155824 2013-02-04] (Avanquest Software)
S2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe [X]
S2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [X]
S3 KiesAllShare; C:\Program Files\Samsung\Kies\WiselinkPro\WiselinkPro.exe [X]
R2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [X]
S3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
S3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2010-06-14] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-03-23] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7087616 2011-01-19] (Intel Corporation)
S3 RT-USB; C:\Windows\System32\drivers\RT-USB.SYS [58880 2009-05-22] (Ross-Tech LLC)
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [15672 2010-11-26] ()
S3 StarOpen; C:\Windows\system32\Drivers\StarOpen.sys [7168 2009-11-12] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\Users\sharon\AppData\Local\Temp\catchme.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 FileMonitor; \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\win7_x86\FileMonitor.sys [X]
S3 flash; \??\C:\Users\sharon\AppData\Local\Temp\Rar$EX09.250\BIOS_Acer_1.34_Windows\Winflash32\flash.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 RegFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\regfilter.sys [X]
S3 UrlFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\UrlFilter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-05 15:50 - 2014-04-05 15:50 - 00028242 _____ () C:\Users\sharon\Desktop\RKreport[0]_D_04052014_155045.txt
2014-04-05 15:50 - 2014-04-05 15:50 - 00028158 _____ () C:\Users\sharon\Desktop\RKreport[0]_S_04052014_155007.txt
2014-04-02 20:40 - 2014-04-02 20:40 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-02 20:38 - 2014-04-02 20:38 - 00064171 _____ () C:\Users\sharon\Desktop\RKreport[0]_D_04022014_203834.txt
2014-04-02 20:38 - 2014-04-02 20:38 - 00064072 _____ () C:\Users\sharon\Desktop\RKreport[0]_S_04022014_203827.txt
2014-04-02 20:33 - 2014-04-02 20:31 - 03972608 _____ () C:\Users\sharon\Desktop\RogueKiller.exe
2014-04-02 20:32 - 2014-04-05 15:50 - 00000000 ____D () C:\Users\sharon\Desktop\RK_Quarantine
2014-03-30 10:14 - 2014-03-30 10:15 - 09556599 _____ (XB36Hazard) C:\Users\sharon\Documents\gta5 mods.exe
2014-03-29 17:46 - 2014-03-29 17:47 - 00017416 _____ () C:\Users\sharon\Desktop\dds.txt
2014-03-29 17:46 - 2014-03-29 17:47 - 00012277 _____ () C:\Users\sharon\Desktop\attach.txt
2014-03-29 17:46 - 2014-03-29 17:44 - 00688992 ____R (Swearware) C:\Users\sharon\Desktop\dds.com
2014-03-29 09:35 - 2014-04-02 20:31 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\sharon\Desktop\mb3-setup-1878.1878-3.5.1.2522.exe
2014-03-29 09:08 - 2014-03-29 09:08 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4b26d52da25.job
2014-03-29 08:59 - 2014-04-05 15:58 - 00000000 ____D () C:\FRST
2014-03-28 19:55 - 2014-03-28 19:49 - 00987448 _____ () C:\Users\sharon\Desktop\SecurityCheck (1).exe
2014-03-24 16:49 - 2014-03-24 16:49 - 00001296 _____ () C:\Users\sharon\Desktop\Horizon.lnk
2014-03-24 16:44 - 2014-04-02 16:27 - 00000000 ____D () C:\Users\sharon\Desktop\GTAV Backups
2014-03-23 20:40 - 2014-03-23 20:40 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-23 20:38 - 2014-03-23 20:38 - 00022182 _____ () C:\ComboFix.txt
2014-03-23 20:18 - 2011-06-26 07:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-03-23 20:18 - 2010-11-07 18:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-03-23 20:18 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-03-23 20:18 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-03-23 20:18 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-03-23 20:18 - 2000-08-31 01:00 - 00098816 _____ () C:\Windows\sed.exe
2014-03-23 20:18 - 2000-08-31 01:00 - 00080412 _____ () C:\Windows\grep.exe
2014-03-23 20:18 - 2000-08-31 01:00 - 00068096 _____ () C:\Windows\zip.exe
2014-03-23 20:13 - 2014-03-23 20:38 - 00000000 ____D () C:\Qoobox
2014-03-23 20:13 - 2014-03-23 20:36 - 00000000 ____D () C:\Windows\erdnt
2014-03-23 20:03 - 2014-04-05 15:53 - 00000000 ____D () C:\AdwCleaner
2014-03-23 19:38 - 2014-03-23 19:38 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware2
2014-03-23 19:37 - 2014-03-23 19:37 - 00000000 __SHD () C:\Windows\system32\NT Kernel
2014-03-23 19:28 - 2014-03-23 19:27 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-03-23 19:27 - 2014-03-23 19:27 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-03-23 19:27 - 2014-03-23 19:27 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-03-23 19:27 - 2014-03-23 19:27 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-03-23 19:26 - 2014-03-23 19:26 - 00921000 _____ (Oracle Corporation) C:\Users\sharon\Downloads\chromeinstall-7u51 (1).exe
2014-03-23 19:10 - 2014-03-23 19:10 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\sharon\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-23 10:20 - 2014-03-23 10:20 - 00000656 _____ () C:\Users\sharon\Documents\Vigero.GTAVV
2014-03-23 10:19 - 2014-03-23 10:19 - 00000656 _____ () C:\Users\sharon\Documents\Sabre Turbo.GTAVV
2014-03-22 23:30 - 2007-04-04 19:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2014-03-22 23:29 - 2014-03-22 23:30 - 00000000 ____D () C:\Program Files\Microsoft Games for Windows - LIVE
2014-03-22 23:29 - 2014-03-22 23:29 - 00000000 ____D () C:\Windows\system32\xlive
2014-03-22 22:41 - 2014-03-22 22:41 - 00000000 ____D () C:\Users\sharon\AppData\Local\Rockstar Games
2014-03-22 22:38 - 2014-03-22 22:38 - 00000000 ____D () C:\Program Files\Rockstar Games
2014-03-22 17:19 - 2014-03-23 19:28 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-22 14:54 - 2014-03-22 14:54 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-03-22 12:24 - 2014-03-23 19:25 - 00000000 ____D () C:\Users\sharon\AppData\Local\Deployment
2014-03-22 12:24 - 2014-03-22 12:24 - 00000000 ____D () C:\Users\sharon\AppData\Local\Apps\2.0
2014-03-21 23:26 - 2014-03-21 23:26 - 00000000 __SHD () C:\ProgramData\NT Kernel
2014-03-17 21:12 - 2011-11-23 18:06 - 01197341 _____ () C:\Users\sharon\Desktop\dd.exe
2014-03-16 13:16 - 2014-03-16 13:16 - 00188416 _____ () C:\Users\sharon\Documents\MW2
2014-03-16 13:11 - 2014-03-16 13:11 - 00061440 _____ () C:\Users\sharon\Documents\ContentCache.pkg
2014-03-16 13:06 - 2014-03-16 13:06 - 00909312 _____ () C:\Users\sharon\Documents\savegameMW2
2014-03-16 13:06 - 2014-03-16 13:06 - 00000000 ____D () C:\Users\sharon\Documents\00000001
2014-03-16 13:05 - 2014-03-16 13:05 - 00000000 ____D () C:\Users\sharon\Documents\MW2 SAVE GAME
2014-03-16 13:01 - 2014-03-16 13:01 - 00909312 _____ () C:\Users\sharon\Documents\savegame MW2
2014-03-13 19:11 - 2014-03-01 05:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-13 19:11 - 2014-03-01 05:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-13 19:11 - 2014-03-01 05:10 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-13 19:11 - 2014-03-01 04:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-13 19:11 - 2014-03-01 04:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-13 19:11 - 2014-03-01 04:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-13 19:11 - 2014-03-01 04:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-13 19:11 - 2014-03-01 04:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-13 19:11 - 2014-03-01 04:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-13 19:11 - 2014-03-01 04:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-13 19:11 - 2014-03-01 04:38 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-13 19:11 - 2014-03-01 04:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-13 19:11 - 2014-03-01 04:31 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-13 19:11 - 2014-03-01 04:25 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-13 19:11 - 2014-03-01 04:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-13 19:11 - 2014-03-01 04:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-13 19:11 - 2014-03-01 04:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-13 19:11 - 2014-03-01 04:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-13 19:11 - 2014-03-01 03:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-13 19:11 - 2014-03-01 03:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-13 19:11 - 2014-03-01 03:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-13 19:11 - 2014-03-01 03:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-13 19:11 - 2014-02-04 03:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-13 19:10 - 2014-02-07 02:07 - 02349056 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-13 19:10 - 2014-02-04 03:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-13 19:10 - 2014-01-29 03:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-13 19:10 - 2014-01-28 03:07 - 00185344 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-11 19:49 - 2014-03-11 19:50 - 13026816 _____ () C:\Users\sharon\Documents\common (10) (11) (1) (1).rpf
2014-03-10 20:56 - 2014-04-05 15:57 - 00593920 _____ () C:\Users\sharon\AppData\Roaming\msconfig.ini
2014-03-09 10:55 - 2014-03-09 10:55 - 00000000 ____D () C:\Users\sharon\AppData\Local\Sonos,_Inc
2014-03-09 10:53 - 2014-03-09 10:53 - 00001794 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-09 10:52 - 2014-03-09 10:53 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-09 10:52 - 2014-03-09 10:53 - 00000000 ____D () C:\Program Files\iTunes
2014-03-09 10:52 - 2014-03-09 10:52 - 00000000 ____D () C:\Program Files\iPod
2014-03-09 10:45 - 2014-03-09 10:45 - 00001952 _____ () C:\Users\Public\Desktop\Sonos.lnk
2014-03-09 10:45 - 2014-03-09 10:45 - 00000000 ____D () C:\Program Files\Sonos
2014-03-09 10:44 - 2014-03-29 09:04 - 00000000 ____D () C:\ProgramData\Sonos,_Inc
2014-03-09 10:40 - 2014-03-09 10:40 - 00001856 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-03-09 10:38 - 2014-03-09 10:40 - 00000000 ____D () C:\Program Files\QuickTime
2014-03-08 18:12 - 2014-03-08 18:14 - 00000000 ____D () C:\Users\sharon\Desktop\world
2014-03-08 16:18 - 2014-03-08 16:18 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Minecraft
2014-03-08 15:46 - 2014-03-22 23:55 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\.minecraft
2014-03-08 12:05 - 2014-03-09 10:49 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Open Download Manager
2014-03-08 12:05 - 2014-03-08 12:05 - 00001070 _____ () C:\Users\Mcx1-SHARON-PC\Desktop\OpenDownloaderManager.lnk
2014-03-08 11:37 - 2014-03-06 16:50 - 00000056 _____ () C:\Users\sharon\Desktop\Read Me!.url
2014-03-08 10:39 - 2014-03-08 10:39 - 00000656 _____ () C:\Users\sharon\Documents\Rumpo.GTAVV
2014-03-08 09:16 - 2014-03-08 09:16 - 03621916 _____ () C:\Users\sharon\Documents\Minecraft_Gift_Cods_Gnrtor_Updated_Version.rar
2014-03-07 23:01 - 2014-03-30 10:12 - 00058880 ___SH () C:\Users\sharon\Documents\Thumbs.db
2014-03-07 23:00 - 2014-03-07 23:00 - 00008906 _____ () C:\Users\sharon\Documents\profile.htm
2014-03-07 22:07 - 2014-03-09 10:52 - 00000258 __RSH () C:\Users\sharon\ntuser.pol
2014-03-07 22:07 - 2014-03-08 12:25 - 00000000 ____D () C:\Users\sharon\Documents\Add-in Express
2014-03-07 22:06 - 2014-03-07 22:06 - 00000000 ____D () C:\Users\sharon\AppData\Local\SoftPlanet
2014-03-07 21:52 - 2014-03-07 22:07 - 00000000 ____D () C:\Program Files\Minecraft
2014-03-07 21:52 - 2014-03-07 21:52 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\1H1Q
2014-03-07 18:59 - 2014-03-07 18:59 - 04964352 _____ () C:\Users\sharon\Documents\my custum theme
2014-03-06 21:46 - 2014-03-06 21:47 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\PC-Gizmos
2014-03-06 17:06 - 2014-03-06 17:06 - 00000656 _____ () C:\Users\sharon\Documents\Comet.GTAVV
 
==================== One Month Modified Files and Folders =======
 
2014-04-05 15:58 - 2014-03-29 08:59 - 00000000 ____D () C:\FRST
2014-04-05 15:58 - 2012-05-09 18:50 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Dropbox
2014-04-05 15:57 - 2014-03-10 20:56 - 00593920 _____ () C:\Users\sharon\AppData\Roaming\msconfig.ini
2014-04-05 15:56 - 2013-11-20 20:35 - 00006834 _____ () C:\Windows\setupact.log
2014-04-05 15:55 - 2010-01-26 04:20 - 01669105 _____ () C:\Windows\WindowsUpdate.log
2014-04-05 15:53 - 2014-03-23 20:03 - 00000000 ____D () C:\AdwCleaner
2014-04-05 15:50 - 2014-04-05 15:50 - 00028242 _____ () C:\Users\sharon\Desktop\RKreport[0]_D_04052014_155045.txt
2014-04-05 15:50 - 2014-04-05 15:50 - 00028158 _____ () C:\Users\sharon\Desktop\RKreport[0]_S_04052014_155007.txt
2014-04-05 15:50 - 2014-04-02 20:32 - 00000000 ____D () C:\Users\sharon\Desktop\RK_Quarantine
2014-04-05 15:47 - 2010-01-25 20:44 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-05 14:29 - 2009-07-14 05:34 - 00014832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-05 14:29 - 2009-07-14 05:34 - 00014832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-03 16:19 - 2014-01-27 17:10 - 10187665 _____ (XB36Hazard) C:\Users\sharon\Desktop\save editor.exe
2014-04-02 20:40 - 2014-04-02 20:40 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-02 20:38 - 2014-04-02 20:38 - 00064171 _____ () C:\Users\sharon\Desktop\RKreport[0]_D_04022014_203834.txt
2014-04-02 20:38 - 2014-04-02 20:38 - 00064072 _____ () C:\Users\sharon\Desktop\RKreport[0]_S_04022014_203827.txt
2014-04-02 20:31 - 2014-04-02 20:33 - 03972608 _____ () C:\Users\sharon\Desktop\RogueKiller.exe
2014-04-02 20:31 - 2014-03-29 09:35 - 17523384 _____ (Malwarebytes Corporation ) C:\Users\sharon\Desktop\mb3-setup-1878.1878-3.5.1.2522.exe
2014-04-02 16:27 - 2014-03-24 16:44 - 00000000 ____D () C:\Users\sharon\Desktop\GTAV Backups
2014-03-30 10:15 - 2014-03-30 10:14 - 09556599 _____ (XB36Hazard) C:\Users\sharon\Documents\gta5 mods.exe
2014-03-30 10:12 - 2014-03-07 23:01 - 00058880 ___SH () C:\Users\sharon\Documents\Thumbs.db
2014-03-30 09:06 - 2010-02-23 17:30 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Spotify
2014-03-29 17:47 - 2014-03-29 17:46 - 00017416 _____ () C:\Users\sharon\Desktop\dds.txt
2014-03-29 17:47 - 2014-03-29 17:46 - 00012277 _____ () C:\Users\sharon\Desktop\attach.txt
2014-03-29 17:44 - 2014-03-29 17:46 - 00688992 ____R (Swearware) C:\Users\sharon\Desktop\dds.com
2014-03-29 17:24 - 2010-02-23 17:30 - 00000000 ____D () C:\Users\sharon\AppData\Local\Spotify
2014-03-29 09:08 - 2014-03-29 09:08 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4b26d52da25.job
2014-03-29 09:04 - 2014-03-09 10:44 - 00000000 ____D () C:\ProgramData\Sonos,_Inc
2014-03-28 19:49 - 2014-03-28 19:55 - 00987448 _____ () C:\Users\sharon\Desktop\SecurityCheck (1).exe
2014-03-25 12:59 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-03-24 16:49 - 2014-03-24 16:49 - 00001296 _____ () C:\Users\sharon\Desktop\Horizon.lnk
2014-03-23 20:40 - 2014-03-23 20:40 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-23 20:38 - 2014-03-23 20:38 - 00022182 _____ () C:\ComboFix.txt
2014-03-23 20:38 - 2014-03-23 20:13 - 00000000 ____D () C:\Qoobox
2014-03-23 20:38 - 2009-07-14 03:37 - 00000000 __RHD () C:\Users\Default
2014-03-23 20:38 - 2009-07-14 03:37 - 00000000 ___RD () C:\Users\Public
2014-03-23 20:36 - 2014-03-23 20:13 - 00000000 ____D () C:\Windows\erdnt
2014-03-23 20:31 - 2009-07-14 03:04 - 00000215 _____ () C:\Windows\system.ini
2014-03-23 20:30 - 2013-11-20 20:35 - 00148020 _____ () C:\Windows\PFRO.log
2014-03-23 19:38 - 2014-03-23 19:38 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware2
2014-03-23 19:37 - 2014-03-23 19:37 - 00000000 __SHD () C:\Windows\system32\NT Kernel
2014-03-23 19:28 - 2014-03-22 17:19 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-23 19:27 - 2014-03-23 19:28 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-03-23 19:27 - 2014-03-23 19:27 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-03-23 19:27 - 2014-03-23 19:27 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-03-23 19:27 - 2014-03-23 19:27 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-03-23 19:26 - 2014-03-23 19:26 - 00921000 _____ (Oracle Corporation) C:\Users\sharon\Downloads\chromeinstall-7u51 (1).exe
2014-03-23 19:26 - 2011-03-24 08:16 - 00000000 ____D () C:\Users\sharon\AppData\Local\Mozilla Firefox
2014-03-23 19:26 - 2010-03-10 10:25 - 00000000 ___RD () C:\Program Files\Skype
2014-03-23 19:25 - 2014-03-22 12:24 - 00000000 ____D () C:\Users\sharon\AppData\Local\Deployment
2014-03-23 19:10 - 2014-03-23 19:10 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\sharon\Downloads\mbam-setup-1.75.0.1300.exe
2014-03-23 18:58 - 2010-03-10 10:25 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Skype
2014-03-23 11:13 - 2013-11-21 21:47 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-23 11:01 - 2011-03-13 12:11 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2189304170-2197824444-2469615566-1001UA.job
2014-03-23 10:55 - 2010-03-26 21:07 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-23 10:20 - 2014-03-23 10:20 - 00000656 _____ () C:\Users\sharon\Documents\Vigero.GTAVV
2014-03-23 10:19 - 2014-03-23 10:19 - 00000656 _____ () C:\Users\sharon\Documents\Sabre Turbo.GTAVV
2014-03-23 00:01 - 2011-03-13 12:11 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2189304170-2197824444-2469615566-1001Core.job
2014-03-22 23:55 - 2014-03-08 15:46 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\.minecraft
2014-03-22 23:37 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-22 23:30 - 2014-03-22 23:29 - 00000000 ____D () C:\Program Files\Microsoft Games for Windows - LIVE
2014-03-22 23:29 - 2014-03-22 23:29 - 00000000 ____D () C:\Windows\system32\xlive
2014-03-22 22:41 - 2014-03-22 22:41 - 00000000 ____D () C:\Users\sharon\AppData\Local\Rockstar Games
2014-03-22 22:38 - 2014-03-22 22:38 - 00000000 ____D () C:\Program Files\Rockstar Games
2014-03-22 14:54 - 2014-03-22 14:54 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-03-22 12:24 - 2014-03-22 12:24 - 00000000 ____D () C:\Users\sharon\AppData\Local\Apps\2.0
2014-03-21 23:27 - 2014-01-31 22:15 - 00000000 __SHD () C:\ProgramData\{$1284-9213-2940-1289$}
2014-03-21 23:26 - 2014-03-21 23:26 - 00000000 __SHD () C:\ProgramData\NT Kernel
2014-03-19 08:14 - 2013-09-02 03:28 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-19 08:10 - 2010-01-25 21:50 - 87350280 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-16 13:16 - 2014-03-16 13:16 - 00188416 _____ () C:\Users\sharon\Documents\MW2
2014-03-16 13:11 - 2014-03-16 13:11 - 00061440 _____ () C:\Users\sharon\Documents\ContentCache.pkg
2014-03-16 13:06 - 2014-03-16 13:06 - 00909312 _____ () C:\Users\sharon\Documents\savegameMW2
2014-03-16 13:06 - 2014-03-16 13:06 - 00000000 ____D () C:\Users\sharon\Documents\00000001
2014-03-16 13:05 - 2014-03-16 13:05 - 00000000 ____D () C:\Users\sharon\Documents\MW2 SAVE GAME
2014-03-16 13:01 - 2014-03-16 13:01 - 00909312 _____ () C:\Users\sharon\Documents\savegame MW2
2014-03-15 09:32 - 2014-01-31 22:14 - 00000000 _RSHD () C:\Users\sharon\hipyt
2014-03-14 04:19 - 2009-07-14 05:33 - 00431896 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-14 04:17 - 2010-01-25 21:49 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 18:13 - 2012-05-16 18:44 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-12 18:13 - 2011-07-05 07:22 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 19:50 - 2014-03-11 19:49 - 13026816 _____ () C:\Users\sharon\Documents\common (10) (11) (1) (1).rpf
2014-03-09 10:55 - 2014-03-09 10:55 - 00000000 ____D () C:\Users\sharon\AppData\Local\Sonos,_Inc
2014-03-09 10:53 - 2014-03-09 10:53 - 00001794 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-03-09 10:53 - 2014-03-09 10:52 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-09 10:53 - 2014-03-09 10:52 - 00000000 ____D () C:\Program Files\iTunes
2014-03-09 10:52 - 2014-03-09 10:52 - 00000000 ____D () C:\Program Files\iPod
2014-03-09 10:52 - 2014-03-07 22:07 - 00000258 __RSH () C:\Users\sharon\ntuser.pol
2014-03-09 10:52 - 2014-03-02 13:16 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\uTorrent
2014-03-09 10:52 - 2010-01-25 21:25 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-03-09 10:52 - 2010-01-25 20:39 - 00000000 ____D () C:\Users\sharon
2014-03-09 10:49 - 2014-03-08 12:05 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Open Download Manager
2014-03-09 10:45 - 2014-03-09 10:45 - 00001952 _____ () C:\Users\Public\Desktop\Sonos.lnk
2014-03-09 10:45 - 2014-03-09 10:45 - 00000000 ____D () C:\Program Files\Sonos
2014-03-09 10:44 - 2010-07-21 07:30 - 00000000 ____D () C:\Users\sharon\AppData\Local\Downloaded Installations
2014-03-09 10:40 - 2014-03-09 10:40 - 00001856 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-03-09 10:40 - 2014-03-09 10:38 - 00000000 ____D () C:\Program Files\QuickTime
2014-03-08 18:14 - 2014-03-08 18:12 - 00000000 ____D () C:\Users\sharon\Desktop\world
2014-03-08 16:18 - 2014-03-08 16:18 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Minecraft
2014-03-08 12:25 - 2014-03-07 22:07 - 00000000 ____D () C:\Users\sharon\Documents\Add-in Express
2014-03-08 12:05 - 2014-03-08 12:05 - 00001070 _____ () C:\Users\Mcx1-SHARON-PC\Desktop\OpenDownloaderManager.lnk
2014-03-08 10:39 - 2014-03-08 10:39 - 00000656 _____ () C:\Users\sharon\Documents\Rumpo.GTAVV
2014-03-08 09:16 - 2014-03-08 09:16 - 03621916 _____ () C:\Users\sharon\Documents\Minecraft_Gift_Cods_Gnrtor_Updated_Version.rar
2014-03-07 23:00 - 2014-03-07 23:00 - 00008906 _____ () C:\Users\sharon\Documents\profile.htm
2014-03-07 22:07 - 2014-03-07 21:52 - 00000000 ____D () C:\Program Files\Minecraft
2014-03-07 22:06 - 2014-03-07 22:06 - 00000000 ____D () C:\Users\sharon\AppData\Local\SoftPlanet
2014-03-07 21:52 - 2014-03-07 21:52 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\1H1Q
2014-03-07 18:59 - 2014-03-07 18:59 - 04964352 _____ () C:\Users\sharon\Documents\my custum theme
2014-03-07 18:46 - 2014-02-19 11:19 - 00606208 _____ () C:\Users\sharon\Documents\SGTA50002
2014-03-06 21:47 - 2014-03-06 21:46 - 00000000 ____D () C:\Users\sharon\AppData\Roaming\PC-Gizmos
2014-03-06 17:06 - 2014-03-06 17:06 - 00000656 _____ () C:\Users\sharon\Documents\Comet.GTAVV
2014-03-06 16:50 - 2014-03-08 11:37 - 00000056 _____ () C:\Users\sharon\Desktop\Read Me!.url
 
Files to move or delete:
====================
C:\Users\sharon\AppData\Roaming\msconfig.ini
 
 
Some content of TEMP:
====================
C:\Users\sharon\AppData\Local\Temp\123j12n3jn.exe
C:\Users\sharon\AppData\Local\Temp\desktopbg.exe
C:\Users\sharon\AppData\Local\Temp\ntdll_dump.dll
C:\Users\sharon\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-20 09:15
 
==================== End Of Log ============================


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:57 PM

Posted 05 April 2014 - 12:40 PM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe" [320000 2014-03-21] (Intel Corporation) <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safesearch.net/?utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=a13f2ee8-eea1-4e6b-899b-613602ebc4fd
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {4B51C980-C6B0-11E1-9136-AED16088709B} URL = http://www.safesearch.net/search?q={searchTerms}&utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=a13f2ee8-eea1-4e6b-899b-613602ebc4fd
SearchScopes: HKCU - URL http://search.conduit.com/Results.aspx?ctid=CT3320418&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP94FD4216-E302-47AD-BC4A-153E8FFC6EA1&q={searchTerms}&SSPV=
SearchScopes: HKCU - SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKCU - 9943B906913A4EE7BB7596AADED29C7C URL = http://feed.helperbar.com/?publisher=YahooTR&dpid=YahooTR&co=GB&userid=412c4195-48e3-19b2-bc65-466fb1635f20&searchtype=ds&p={searchTerms}&fr=linkury-tb&installDate=26/01/2014&type=hp2000
SearchScopes: HKCU - {4B51C980-C6B0-11E1-9136-AED16088709B} URL = http://www.safesearch.net/search?q={searchTerms}&utm_medium=ie&utm_campaign=135185766287&utm_source=sm&utm_content=1&utm_term=a13f2ee8-eea1-4e6b-899b-613602ebc4fd
FF DefaultSearchEngine: SafeSearch
FF SearchEngineOrder.1: SafeSearch
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin HKCU: @soe.sony.com/installer,version=1.0.3 - C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\mvwx6lc2.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll No File
S2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe [X]
S2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [X]
S3 KiesAllShare; C:\Program Files\Samsung\Kies\WiselinkPro\WiselinkPro.exe [X]
R2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [X]
S3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [X]
S3 catchme; \??\C:\Users\sharon\AppData\Local\Temp\catchme.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 FileMonitor; \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\win7_x86\FileMonitor.sys [X]
S3 flash; \??\C:\Users\sharon\AppData\Local\Temp\Rar$EX09.250\BIOS_Acer_1.34_Windows\Winflash32\flash.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 RegFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\regfilter.sys [X]
S3 UrlFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\UrlFilter.sys [X]
C:\Users\sharon\AppData\Local\Temp\123j12n3jn.exe
C:\Users\sharon\AppData\Local\Temp\desktopbg.exe
C:\Users\sharon\AppData\Local\Temp\ntdll_dump.dll

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
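
The fixlist above makes three kinds of judgement about FRST output: a Winlogon Shell value that starts an extra executable alongside explorer.exe, service and driver registrations whose binary is gone (the [X] marker), and search scopes or start pages that point at non-default providers. The Python below is an added example, not code from nasdaq or from Farbar's tool; it applies those three checks to FRST log lines and renders the hits in fixlist form. The sample lines are constructed from the log quoted in this thread, and the allow-list of search hosts is an assumption to adjust for the machine being cleaned.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines into fixlist candidates.

Added example for this thread; not nasdaq's or Farbar's code. It automates
the three judgements behind the fixlist above: a hijacked Winlogon Shell,
service/driver registrations whose binary is gone, and browser search
settings pointing at non-default providers.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the search providers this machine is allowed to use. Tune per
# environment; anything else in a SearchScopes or Start Page line is flagged.
ALLOWED_SEARCH_HOSTS = {"google.com", "google.co.uk", "bing.com", "yahoo.com"}

# Constructed sample, modelled on the FRST output quoted in this thread.
SAMPLE_LOG = r"""
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe" [320000 2014-03-21] (Intel Corporation) <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safesearch.net/?utm_medium=ie
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {4B51C980-C6B0-11E1-9136-AED16088709B} URL = http://www.safesearch.net/search?q={searchTerms}
SearchScopes: HKCU - URL http://search.conduit.com/Results.aspx?ctid=CT3320418&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
R2 gearsec; C:\Windows\system32\gearsec.exe [58952 2005-11-30] (GEAR Software)
S2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [X]
S3 catchme; \??\C:\Users\sharon\AppData\Local\Temp\catchme.sys [X]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
"""

# "<hive>\...\Winlogon: [Shell] <value> [<size> <date>] (<company>)"
RE_SHELL = re.compile(r"^HK\S+\\Winlogon: \[Shell\] (.+?) \[\d+ ")
# "<start type> <name>; <image path> [X]"  -- [X] means the file is missing
RE_SERVICE = re.compile(r"^([RSU]\d) (.+?); (.+?) \[X\]\s*$")
RE_URL = re.compile(r"https?://\S+")


@dataclass
class Finding:
    kind: str    # winlogon_shell | orphaned_service | browser_hijack
    line: str    # the FRST line, verbatim, ready to paste into fixlist.txt
    detail: str


def search_host_allowed(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_SEARCH_HOSTS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_SHELL.match(line)
        if m:
            # Winlogon\Shell names the desktop shell; the only legitimate value is
            # exactly "explorer.exe". Appending ',"<path>"' makes Windows start that
            # program at every logon of the user, a persistence point that survives
            # removal of Run keys. The "(Intel Corporation)" that FRST prints is the
            # file's own version resource, so it is not evidence of a trusted binary.
            value = m.group(1).strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding("winlogon_shell", line, f"shell = {value}"))
            continue
        m = RE_SERVICE.match(line)
        if m:
            # A registration whose ImagePath no longer exists cannot be loaded, but
            # a leftover entry (for example catchme.sys in %TEMP%) would be honoured
            # again if a file reappeared at that path, so it goes in the fixlist.
            findings.append(Finding("orphaned_service", line, f"{m.group(2)} -> {m.group(3)}"))
            continue
        if line.startswith("SearchScopes:") or "Start Page =" in line:
            u = RE_URL.search(line)
            if u and not search_host_allowed(u.group(0)):
                findings.append(Finding("browser_hijack", line, urlsplit(u.group(0)).hostname or ""))
    return findings


def build_fixlist(log_text: str) -> str:
    """Render findings in fixlist form: 'start', one verbatim line each, 'end'."""
    return "\n".join(["start", *(f.line for f in triage(log_text)), "end"]) + "\n"


if __name__ == "__main__":
    print(build_fixlist(SAMPLE_LOG))
```

The script only proposes lines; a helper still has to read them, because a service marked [X] can be an uninstaller's leftover rather than malware, and a Start Page that merely looks unfamiliar may be one the user chose. Against the constructed sample it flags the NTKernel.exe shell value, the two [X] registrations, and the three safesearch.net and conduit.com entries, while the bing.com scope and the "DefaultScope value is missing" line pass.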

#9 jwlanky

jwlanky
  • Topic Starter

  • Members
  • 39 posts
  • Local time:01:57 AM

Posted 05 April 2014 - 01:52 PM

Computer doesn't seem any different. I can't start antivirus or download anything.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by sharon at 2014-04-05 19:48:24 Run:1
Running from E:\
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
 
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\NT Kernel\NTKernel.exe" [320000 2014-03-21] (Intel Corporation) <==== ATTENTION
SearchScopes: HKLM - DefaultScope value is missing.
FF DefaultSearchEngine: SafeSearch
FF SearchEngineOrder.1: SafeSearch
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin HKCU: @soe.sony.com/installer,version=1.0.3 - C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\mvwx6lc2.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll No File
S2 AdvancedSystemCareService5; C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe [X]
S2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [X]
S3 KiesAllShare; C:\Program Files\Samsung\Kies\WiselinkPro\WiselinkPro.exe [X]
R2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [X]
S3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [X]
S3 catchme; \??\C:\Users\sharon\AppData\Local\Temp\catchme.sys [X]
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
S3 FileMonitor; \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\win7_x86\FileMonitor.sys [X]
S3 flash; \??\C:\Users\sharon\AppData\Local\Temp\Rar$EX09.250\BIOS_Acer_1.34_Windows\Winflash32\flash.sys [X]
S3 pccsmcfd; system32\DRIVERS\pccsmcfd.sys [X]
S3 RegFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\regfilter.sys [X]
S3 UrlFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\win7_x86\UrlFilter.sys [X]
C:\Users\sharon\AppData\Local\Temp\123j12n3jn.exe
C:\Users\sharon\AppData\Local\Temp\desktopbg.exe
C:\Users\sharon\AppData\Local\Temp\ntdll_dump.dll
 
end
*****************
 
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4B51C980-C6B0-11E1-9136-AED16088709B} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{4B51C980-C6B0-11E1-9136-AED16088709B} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\9943B906913A4EE7BB7596AADED29C7C => Key deleted successfully.
HKCR\Wow6432Node\CLSID\9943B906913A4EE7BB7596AADED29C7C => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4B51C980-C6B0-11E1-9136-AED16088709B} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{4B51C980-C6B0-11E1-9136-AED16088709B} => Key not found.
Firefox DefaultSearchEngine deleted successfully.
Firefox SearchEngineOrder.1 deleted successfully.
HKLM\Software\MozillaPlugins\FF Plugin: @microsoft.com/GENUINE - disabled No File => Key not found.
FF Plugin: @microsoft.com/GENUINE - disabled No File not found.
HKCU\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3 => Key deleted successfully.
C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\mvwx6lc2.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll not found.
AdvancedSystemCareService5 => Service deleted successfully.
IMFservice => Service deleted successfully.
KiesAllShare => Service deleted successfully.
MsMpSvc => Unable to stop service
MsMpSvc => Unable to delete service
NisSrv => Unable to delete service
catchme => Service deleted successfully.
dgderdrv => Service deleted successfully.
FileMonitor => Service deleted successfully.
flash => Service deleted successfully.
pccsmcfd => Service deleted successfully.
RegFilter => Service deleted successfully.
UrlFilter => Service deleted successfully.
C:\Users\sharon\AppData\Local\Temp\123j12n3jn.exe => Moved successfully.
C:\Users\sharon\AppData\Local\Temp\desktopbg.exe => Moved successfully.
C:\Users\sharon\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
 
==== End of Fixlog ====
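A quick way to read a Fixlog like the one above is to sort its result lines by outcome, so the entries FRST could not act on stand out (here the two Microsoft Security Client services, MsMpSvc and NisSrv). The script below is an added example and is not part of the thread or of the FRST tool; the sample input is a constructed subset of the result lines from the Fixlog posted above, and the outcome phrases it matches ("successfully", "Unable to", "not found") are the ones visible in that log.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the result lines from the Fixlog posted above.
FIXLOG_RESULTS = r"""
HKU\S-1-5-21-2189304170-2197824444-2469615566-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCR\Wow6432Node\CLSID\{4B51C980-C6B0-11E1-9136-AED16088709B} => Key not found.
Firefox DefaultSearchEngine deleted successfully.
AdvancedSystemCareService5 => Service deleted successfully.
MsMpSvc => Unable to stop service
MsMpSvc => Unable to delete service
NisSrv => Unable to delete service
catchme => Service deleted successfully.
C:\Users\sharon\AppData\Local\Temp\123j12n3jn.exe => Moved successfully.
C:\Users\sharon\AppData\Roaming\Mozilla\Firefox\Profiles\mvwx6lc2.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll not found.
"""

# Outcome phrases seen in the log, checked in this order so "Unable to" wins
# over anything else on the same line.
OUTCOMES = (
    ("failed", re.compile(r"\bUnable to\b")),
    ("absent", re.compile(r"\bnot found\.?$")),
    ("fixed", re.compile(r"\bsuccessfully\.?$")),
)


def parse_fixlog_line(line):
    """Return (target, outcome) for one result line, or None for blank lines."""
    line = line.strip()
    if not line:
        return None
    outcome = next((name for name, rx in OUTCOMES if rx.search(line)), "unknown")
    if " => " in line:
        target = line.split(" => ", 1)[0]
    else:
        # Lines without "=>" (Firefox prefs, missing files) end in the verdict itself.
        target = re.sub(r" (?:deleted successfully|not found)\.?$", "", line)
    return target, outcome


def classify_fixlog(text):
    """Group every result line by outcome: fixed / failed / absent / unknown."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_fixlog_line(line)
        if parsed:
            target, outcome = parsed
            groups[outcome].append(target)
    return dict(groups)


def outstanding(text):
    """Unique targets FRST could not act on, in log order: the items to follow up."""
    seen = []
    for target in classify_fixlog(text).get("failed", []):
        if target not in seen:
            seen.append(target)
    return seen


if __name__ == "__main__":
    for outcome, targets in classify_fixlog(FIXLOG_RESULTS).items():
        print(f"{outcome}: {len(targets)}")
    print("still needs attention:", outstanding(FIXLOG_RESULTS))
```

"Moved successfully" means FRST quarantined the file rather than deleting it outright, so a false positive can be restored; "not found" entries are harmless (the item was already gone), while "Unable to" entries are the ones a helper follows up on in the next step.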


#10 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 06 April 2014 - 07:37 AM

Let's check deeper.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#11 jwlanky (Topic Starter)

Posted 06 April 2014 - 11:21 AM

Here you go and thanks!

 

Farbar Service Scanner Version: 25-02-2014
Ran by sharon (administrator) on 06-04-2014 at 17:18:49
Running from "E:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2013-10-09 18:56] - [2013-09-14 01:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913
 
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-09 18:56] - [2013-09-08 03:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3
 
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-09-01 20:31] - [2013-07-09 05:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9
 
C:\Program Files\Windows Defender\MpSvc.dll
[2013-09-01 20:28] - [2013-05-27 05:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47
 
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****


#12 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 06 April 2014 - 12:55 PM


Do you only have Windows Defender on this computer?
It's disabled by a Policy rule.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Make sure you have the latest version of this tool.
Delete all the others.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===
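The three things nasdaq picks out of the FSS log above (the WinDefend service left at a non-default start type, the DisableAntiSpyware policy value, and the system files FSS could not match against its known-good MD5 list) can be pulled out of FSS.txt mechanically. The script below is an added example, not part of the thread or of Farbar Service Scanner; the sample input is a constructed subset of the FSS.txt posted above, and the finding names ("service_stopped", "policy", "file_unverified" and so on) are this example's own labels, not FSS terminology.

```python
import re

# Constructed sample: a subset of the FSS.txt posted above.
FSS_LOG = r"""
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2013-10-09 18:56] - [2013-09-14 01:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913

C:\Windows\system32\Drivers\tcpip.sys
[2013-10-09 18:56] - [2013-09-08 03:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3

C:\Windows\system32\svchost.exe => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\."
)
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
# FSS prints "[created] - [modified] - size attrs (company) MD5" for files it
# could not match against its known-good hash list.
FILE_DETAILS = re.compile(r"^\[.*\] - \[.*\] - (\d+) \w+ \((.*)\) ([0-9A-F]{32})$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_fss(text):
    """Return a list of findings (dicts) from FSS.txt, in the order they appear."""
    findings = []
    current_key = None      # last [HKEY_...] line seen in a policy section
    pending_file = None     # path whose details line has not been read yet
    in_file_check = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "File Check:":
            in_file_check = True
            continue
        m = NOT_RUNNING.match(line)
        if m:
            findings.append({"type": "service_stopped", "service": m.group(1)})
            continue
        m = START_TYPE.match(line)
        if m and m.group(2) != m.group(3):
            findings.append({"type": "service_start_type", "service": m.group(1),
                             "current": m.group(2), "default": m.group(3)})
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            findings.append({"type": "policy", "key": current_key,
                             "name": m.group(1), "value": int(m.group(2))})
            continue
        if in_file_check:
            if line.endswith("=> MD5 is legit"):
                pending_file = None          # verified, nothing to report
            elif WIN_PATH.match(line):
                pending_file = line          # unverified file, details follow
            else:
                m = FILE_DETAILS.match(line)
                if m and pending_file:
                    findings.append({"type": "file_unverified", "path": pending_file,
                                     "size": int(m.group(1)), "company": m.group(2),
                                     "md5": m.group(3)})
                    pending_file = None
    return findings


if __name__ == "__main__":
    for finding in parse_fss(FSS_LOG):
        print(finding)
```

A file that FSS lists with its details rather than "MD5 is legit" is not proof of tampering; it only means the hash is not in the tool's list, which also happens when a Windows Update is newer than the tool. The hash is there so it can be compared against a trusted source before any conclusion is drawn, whereas the policy value and the changed service start type are settings a user would not normally change and are the direct reason the security software on this machine will not start.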

#13 jwlanky (Topic Starter)

Posted 06 April 2014 - 01:14 PM

Hi, the PC won't let me run the programme. I have even tried to change the file name, but it tells me I don't have the necessary permission (I ran as admin as well). Arrgh!



#14 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 07 April 2014 - 07:01 AM

The following steps involve registry editing. Please create a new restore point before proceeding!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://windows.microsoft.com/en-gb/windows7/create-a-restore-point
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

Download this program to your desktop.
Tweaking.com - Windows Repair
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/


Extract and launch the Repair_Windows.exe file

Click on the Start Repairs tab, then click on Start.

Check mark the following options only:

  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Repair Internet Explorer
  • Repair MDAC & MS Jet
  • Remove Policies Set By Infections
  • Remove Temp Files
  • Repair Proxy Settings
  • Unhide Non System Files
  • Repair Windows Updates

  • Check mark the Restart System When Finished option
  • Click the Start button
  • The system should restart after the repair


#15 jwlanky (Topic Starter)

Posted 08 April 2014 - 01:09 AM

Hi

That appears to have improved the PC so much that I have run Malwarebytes successfully. It picked up quite a few issues, including a trojan backdoor.

Should I remove or do you wish to see any logs?





