ZeroAccess Rootkit threat on my computer-Ran ComboFix myself (sorry)


This topic is locked
21 replies to this topic

#1 ontheriver

ontheriver

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 07 April 2014 - 06:17 PM


I discovered I have the ZeroAccess virus that does not allow me to download files from the internet.

"filename" has a virus and has been deleted - is the message I kept getting.

Went online to malwaretips.com and started going through the seven steps they advised to correct the problem.

First step was downloading and running ComboFix.

It started running and seemed to be deleting a lot of files and didn't really get past this part.

One box popped up and said Volsnap.sys was infected and that it was trying to resolve the issue and would continue, which it seemed to do.

Another box popped up and said it couldn't find NIRKMD.exe and told me to check if the spelling was right.

I just hit the OK button in that box.

It then started popping up with boxes that inferred that I didn't have the correct version of ComboFix from bleepingcomputer.com, but when I double checked the website I downloaded it from, it was correct.

I then started looking through your website and found all the warnings about running it myself.

I have not rerun it and will await your reply.

ComboFix did not get to the point where it created a System Restore point and had not started scanning for infected files or going through the 50 stages.

Any suggestions you can offer will be greatly appreciated.

I am running Windows 7 (64 bit) and Internet Explorer 11.

I have not rebooted the computer yet... afraid to.

Thanks


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:17 PM

Posted 08 April 2014 - 08:09 AM

Hello ontheriver

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
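The FRST.txt log requested above prints every autostart Run entry in its "Registry (Whitelisted)" section and appends "<===== ATTENTION" to entries it does not trust. As an added example, not code from this thread or from FRST itself, here is a small Python triage pass over such lines that flags ZeroAccess markers, entries whose target is missing ([X]), and rundll32 loading a DLL from a user-writable AppData path; the sample lines are constructed in the FRST format, three of them copied from the log posted later in this thread.

```python
import re

# Constructed sample of "Registry (Whitelisted)" Run entries in FRST.txt format.
# The mphcd, chcshc and Google Update* lines reproduce entries from the log in
# this thread; the other lines are benign context.
SAMPLE_RUN_LINES = r"""
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [mphcd] - "C:\Windows\System32\rundll32.exe" "C:\Users\Bev\AppData\Roaming\mphcd.dll",Number_Coerce <===== ATTENTION
HKLM\...\Run: [chcshc] - "C:\Windows\System32\rundll32.exe" "C:\Users\Bev\AppData\Roaming\chcshc.dll",SystemExit <===== ATTENTION
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1464320 2014-04-01] (Adobe Systems Incorporated)
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [Google Update*] - [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
"""

# One FRST Run/RunOnce line: "<hive>\...\Run: [<name>] - <command and metadata>"
RUN_LINE = re.compile(
    r"^(?P<hive>HK[^:]*?)\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] - (?P<rest>.*)$"
)
# rundll32 followed by a DLL argument, in the quoted form FRST prints
RUNDLL32_DLL = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# A DLL under a user profile or a Temp folder is not where vendor autostarts live
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)


def triage_run_line(line):
    """Return a finding dict for one FRST Run line, or None if nothing stands out."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    reasons = []
    if "ZeroAccess" in rest:
        reasons.append("ZeroAccess marker")
    if "<===== ATTENTION" in rest:
        reasons.append("FRST ATTENTION marker")
    if rest.startswith("[X]"):
        reasons.append("target missing ([X])")
    dll = RUNDLL32_DLL.search(rest)
    if dll and USER_WRITABLE.search(dll.group("dll")):
        reasons.append("rundll32 loads DLL from user profile")
    if not reasons:
        return None
    return {"hive": m.group("hive"), "name": m.group("name"), "value": rest, "reasons": reasons}


def triage_run_lines(text):
    """Triage every Run line in an FRST log excerpt; benign entries are dropped."""
    findings = []
    for line in text.splitlines():
        finding = triage_run_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_run_lines(SAMPLE_RUN_LINES):
        print(f"{f['hive']} [{f['name']}]: {', '.join(f['reasons'])}")
```

Entries that only carry the ATTENTION marker still deserve a look; the rundll32-from-AppData pattern is the one that stands out even on a log from a newer FRST build that phrases its markers differently.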

#3 ontheriver

ontheriver
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 08 April 2014 - 08:39 AM

Hi Gringo,
Thanks SO much for your help!
I have followed your instructions and have copied FRST.txt below and also copied Addition.txt as I did not see an attachment option.
Hope we can get to the bottom of this. Would be more than happy to make a donation.
Thanks again!
on the river

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014 (ATTENTION: ====> FRST version is 26 days old and could be outdated)
Ran by Bev (administrator) on NAHANNI on 08-04-2014 09:29:59
Running from C:\Users\Bev\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Adobe Systems) C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\ProgramData\DatacardService\HWDeviceService64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Microsoft Corporation) C:\Windows\system32\UI0Detect.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corp.) C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Ask) C:\Program Files (x86)\Ask.com\Updater\Updater.exe
(SweetIM Technologies Ltd.) C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\PeerManager.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
() C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
() C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
(Microsoft Corporation) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files (x86)\Connection Manager\Connection Manager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6486120 2011-07-15] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] - c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2833920 2013-09-24] (Microsoft Corporation)
HKLM\...\Run: [mphcd] - "C:\Windows\System32\rundll32.exe" "C:\Users\Bev\AppData\Roaming\mphcd.dll",Number_Coerce <===== ATTENTION
HKLM\...\Run: [chcshc] - "C:\Windows\System32\rundll32.exe" "C:\Users\Bev\AppData\Roaming\chcshc.dll",SystemExit <===== ATTENTION
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-13] (Intel Corporation)
HKLM-x32\...\Run: [Bing Bar] - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe [243544 2010-04-13] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1464320 2014-04-01] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] - [X]
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [2061824 2013-11-04] (Ask)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [549376 2014-03-24] (Apple Inc.)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [1083392 2014-04-08] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [SweetIM] - C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe [115032 2012-10-04] (SweetIM Technologies Ltd.)
HKLM-x32\...\Run: [Sweetpacks Communicator] - C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe [231768 2012-08-15] (SweetIM Technologies Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM-x32\...\Run: [RIM PeerManager] - C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe [4265472 2013-04-26] (Research In Motion Limited)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2014-03-25] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\.DEFAULT\...\Run: [Exetender] - C:\Program Files (x86)\Free Ride Games\GPlayer.exe [5378048 2014-04-08] (Exent Technologies Ltd.)
HKU\.DEFAULT\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [3248128 2013-12-10] (Hewlett-Packard Company)
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [HPAdvisorDock] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [2218496 2013-10-28] ()
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [LightScribe Control Panel] - C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [3248128 2013-12-10] (Hewlett-Packard Company)
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [Exetender] - C:\Program Files (x86)\Free Ride Games\GPlayer.exe [5378048 2014-04-08] (Exent Technologies Ltd.)
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [Google Update*] - [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [Mobile Partner] - C:\Program Files (x86)\Connection Manager\Connection Manager.exe [105824 2012-01-10] ()
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: F - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {2afd11f0-c3a0-11e2-b971-001e101f2c0e} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {36fe7a7c-a21b-11e2-9bca-002682da9366} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {36fe7a80-a21b-11e2-9bca-002682da9366} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {38557950-c0dc-11e2-a874-806e6f6e6963} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\start.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {6f129112-8e7b-11e3-b41a-026080720701} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {7c9b726c-16e9-11e3-8f04-026070610801} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {cc90cd86-c973-11e2-ae9e-0290e95a0801} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {dee16153-1acc-11e0-849f-ddfbf15e6274} - F:\AutoLaunch.exe
Startup: C:\Users\Bev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
URLSearchHook: HKCU - SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelper.dll (SweetIM Technologies Ltd.)
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {57ECDA8D-0DE8-4553-B1F8-A98F129CEA5C} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {AFB77025-1591-4D7A-B4E4-416A4954958B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM - {C7AFBF27-9762-445E-82D7-C6B4EF94367C} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&crg=3.36010003&st=12&q={searchTerms}&barid={15B7A7EB-24D3-4596-A667-3F41D2A2C6B5}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {57ECDA8D-0DE8-4553-B1F8-A98F129CEA5C} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {AFB77025-1591-4D7A-B4E4-416A4954958B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 - {C7AFBF27-9762-445E-82D7-C6B4EF94367C} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&crg=3.36010003&st=12&q={searchTerms}&barid={15B7A7EB-24D3-4596-A667-3F41D2A2C6B5}
SearchScopes: HKCU - {57ECDA8D-0DE8-4553-B1F8-A98F129CEA5C} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKCU - {995C261B-764A-43C6-9834-BFDF338F5E97} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000027&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=U3&apn_dtid=OSJ000YYCA&apn_uid=8237AD09-24D4-453F-8E84-6D1C75DAA31E&apn_sauid=5C081580-AE6A-4B38-B238-9B8A391FDBA1
SearchScopes: HKCU - {AFB77025-1591-4D7A-B4E4-416A4954958B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - {C7AFBF27-9762-445E-82D7-C6B4EF94367C} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&crg=3.36010003&st=12&q={searchTerms}&barid={15B7A7EB-24D3-4596-A667-3F41D2A2C6B5}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-x32: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll (Microsoft Corporation)
BHO-x32: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: SweetPacks Browser Helper - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
DPF: HKLM-x32 {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files%20(x86)/Big%20City%20Adventure/Images/stg_drm.ocx
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455}
DPF: HKLM-x32 {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files%20(x86)/Big%20City%20Adventure/Images/armhelper.ocx
DPF: HKLM-x32 {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files (x86)\TurboTax 2010\ic2010pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - C:\Program Files (x86)\TurboTax 2011\ic2011pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - C:\Program Files (x86)\TurboTax 2012\ic2012pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - C:\Program Files (x86)\TurboTax 2013\ic2013pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - No File
Tcpip\..\Interfaces\{078BFB36-6370-499A-9638-C40EC5629B84}: [NameServer]207.219.69.11 216.218.29.11
Tcpip\..\Interfaces\{09B28B97-F679-4377-8FC5-5F2DCA1535BF}: [NameServer]216.218.29.11 207.219.69.11
Tcpip\..\Interfaces\{5B120D70-8ED0-4C33-AA23-B54093DAC287}: [NameServer]216.218.29.11 207.219.69.11
Tcpip\..\Interfaces\{92926713-6469-47D9-80D0-3F0754AF8FAA}: [NameServer]207.219.69.11 216.218.29.11
Tcpip\..\Interfaces\{97E9B8DD-4C23-47DF-827F-61CCAA157075}: [NameServer]207.219.69.11 216.218.29.11
Tcpip\..\Interfaces\{CADDB13A-34F0-4C7D-9B30-9341B022A6F6}: [NameServer]216.218.29.11 207.219.69.11

==================== Services (Whitelisted) =================

R2 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [584704 2013-07-05] (Adobe Systems)
S2 BlackBerry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [1097728 2013-07-07] (Research In Motion Limited)
S2 Connection Manager. RunOuc; C:\Program Files (x86)\Connection Manager\UpdateDog\ouc.exe [655712 2011-08-23] ()
R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [853504 2013-07-11] ()
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3311104 2013-07-12] (Symantec Corporation)
U4 RemoteAccess; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S2 RIM MDNS; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [901632 2013-07-12] (Apple Inc.)
R2 RIM Tunnel Service; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [1747456 2013-07-12] (Research In Motion Limited)
U2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] ()

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 rimvndis; C:\Windows\System32\Drivers\rimvndis6_AMD64.sys [17920 2013-04-26] (Research in Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2013-02-12] (Microsoft Corporation)
R2 X5XSEx; C:\Program Files (x86)\Free Ride Games\X5XSEx.Sys [55400 2010-11-22] (Exent Technologies Ltd.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-08 09:29 - 2014-04-08 09:30 - 00022240 _____ () C:\Users\Bev\Desktop\FRST.txt
2014-04-08 09:29 - 2014-04-08 09:29 - 00000000 ____D () C:\FRST
2014-04-08 09:27 - 2014-04-08 09:27 - 02157056 _____ (Farbar) C:\Users\Bev\Desktop\FRST64.exe
2014-04-07 19:08 - 2014-04-07 19:08 - 00024562 _____ () C:\Users\Bev\Desktop\dds.txt
2014-04-07 19:08 - 2014-04-07 19:08 - 00014157 _____ () C:\Users\Bev\Desktop\attach.txt
2014-04-07 19:04 - 2014-04-07 19:04 - 00688992 ____R (Swearware) C:\Users\Bev\Desktop\dds.com
2014-04-07 16:53 - 2014-04-07 17:03 - 00000000 ___SD () C:\ComboFix
2014-04-07 16:52 - 2014-04-07 16:54 - 00000000 ____D () C:\Windows\erdnt
2014-04-07 16:52 - 2014-04-07 16:53 - 00000000 ___SD () C:\32788R22FWJFW
2014-04-07 16:52 - 2014-04-07 16:52 - 00000000 ____D () C:\Qoobox
2014-04-07 16:44 - 2014-04-07 16:44 - 04009167 _____ () C:\Users\Bev\Desktop\ServicesRepair.exe
2014-04-07 16:44 - 2014-04-07 16:44 - 01426178 _____ () C:\Users\Bev\Desktop\adwcleaner.exe
2014-04-07 16:43 - 2014-04-07 16:43 - 10971424 _____ (SurfRight B.V.) C:\Users\Bev\Desktop\HitmanPro_x64.exe
2014-04-07 16:38 - 2014-04-07 16:38 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Bev\Desktop\mbam-setup-2.0.1.1004.exe
2014-04-07 16:35 - 2014-04-07 16:35 - 03972608 _____ () C:\Users\Bev\Desktop\RogueKiller.exe
2014-03-24 08:14 - 2014-03-24 08:14 - 00002181 _____ () C:\Users\Bev\Desktop\HP Support Assistant.lnk
2014-03-24 08:10 - 2014-03-24 08:10 - 00000000 ____D () C:\ProgramData\{18165758-115C-4DC0-9EC2-FF89F725767F}
2014-03-23 12:29 - 2014-03-23 12:29 - 00000000 ____D () C:\ProgramData\Recovery
2014-03-18 21:47 - 2014-03-20 13:11 - 00000000 ____D () C:\9aa1d5aa3a18d030809890
2014-03-18 20:31 - 2014-04-02 08:01 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-03-18 20:31 - 2014-03-18 20:31 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-18 20:31 - 2014-03-18 20:31 - 00000000 ____D () C:\Program Files\iTunes
2014-03-18 20:31 - 2014-03-18 20:31 - 00000000 ____D () C:\Program Files\iPod
2014-03-18 20:27 - 2014-03-18 20:27 - 00001805 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-03-18 20:27 - 2014-03-18 20:27 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-12 08:59 - 2014-03-14 10:00 - 00623616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-12 08:59 - 2014-03-01 02:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-12 08:59 - 2014-03-01 01:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-12 08:59 - 2014-03-01 01:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-12 08:59 - 2014-03-01 00:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-12 08:59 - 2014-03-01 00:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-12 08:59 - 2014-03-01 00:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-12 08:59 - 2014-03-01 00:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-12 08:59 - 2014-03-01 00:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-12 08:59 - 2014-03-01 00:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-12 08:59 - 2014-03-01 00:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-12 08:59 - 2014-03-01 00:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-12 08:59 - 2014-03-01 00:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-12 08:59 - 2014-03-01 00:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-12 08:59 - 2014-03-01 00:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-12 08:59 - 2014-03-01 00:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-12 08:59 - 2014-03-01 00:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-12 08:59 - 2014-02-28 23:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-12 08:59 - 2014-02-28 23:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-12 08:59 - 2014-02-28 23:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-12 08:59 - 2014-02-28 23:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-12 08:59 - 2014-02-28 23:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-12 08:59 - 2014-02-28 23:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-12 08:59 - 2014-02-28 23:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-12 08:59 - 2014-02-28 23:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-12 08:59 - 2014-02-28 23:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-12 08:59 - 2014-02-28 23:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-12 08:59 - 2014-02-28 23:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-12 08:59 - 2014-02-28 23:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-12 08:59 - 2014-02-28 23:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-12 08:59 - 2014-02-28 23:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-12 08:59 - 2014-02-28 23:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-12 08:59 - 2014-02-28 23:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-12 08:59 - 2014-02-28 23:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-12 08:59 - 2014-02-28 22:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-12 08:59 - 2014-02-28 22:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-12 08:59 - 2014-02-28 22:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-12 08:59 - 2014-02-28 22:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-12 08:59 - 2014-02-28 22:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-12 08:59 - 2014-02-28 22:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-12 08:59 - 2014-02-06 21:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-12 08:59 - 2014-01-28 22:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-12 08:59 - 2014-01-28 22:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-12 08:59 - 2014-01-27 22:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-12 08:58 - 2014-02-03 22:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-12 08:58 - 2014-02-03 22:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-12 08:58 - 2014-02-03 22:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-03-12 08:58 - 2014-02-03 22:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll

==================== One Month Modified Files and Folders =======

2014-04-08 09:30 - 2014-04-08 09:29 - 00022240 _____ () C:\Users\Bev\Desktop\FRST.txt
2014-04-08 09:29 - 2014-04-08 09:29 - 00000000 ____D () C:\FRST
2014-04-08 09:27 - 2014-04-08 09:27 - 02157056 _____ (Farbar) C:\Users\Bev\Desktop\FRST64.exe
2014-04-08 09:27 - 2012-07-14 11:11 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-08 09:24 - 2013-09-03 21:05 - 00000003 _____ () C:\ProgramData\cebajfcb28.nls
2014-04-08 09:18 - 2011-01-07 18:26 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-08 08:40 - 2012-08-19 20:05 - 00000000 ____D () C:\Program Files (x86)\Free Ride Games
2014-04-08 06:07 - 2011-01-07 15:54 - 00003914 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2066A404-CB7E-46B3-8A3D-DDCB714C8FCC}
2014-04-08 03:00 - 2010-09-19 17:49 - 01982898 _____ () C:\Windows\WindowsUpdate.log
2014-04-07 22:18 - 2011-01-07 18:26 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-07 21:31 - 2011-12-18 01:17 - 00000000 ____D () C:\Program Files (x86)\Big City Adventure - Vancouver
2014-04-07 21:30 - 2012-01-12 23:33 - 00000000 ____D () C:\Program Files (x86)\Big City Adventure - Sydney Australia
2014-04-07 19:08 - 2014-04-07 19:08 - 00024562 _____ () C:\Users\Bev\Desktop\dds.txt
2014-04-07 19:08 - 2014-04-07 19:08 - 00014157 _____ () C:\Users\Bev\Desktop\attach.txt
2014-04-07 19:04 - 2014-04-07 19:04 - 00688992 ____R (Swearware) C:\Users\Bev\Desktop\dds.com
2014-04-07 18:41 - 2009-07-14 00:45 - 00022432 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-07 18:41 - 2009-07-14 00:45 - 00022432 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-07 17:03 - 2014-04-07 16:53 - 00000000 ___SD () C:\ComboFix
2014-04-07 16:54 - 2014-04-07 16:52 - 00000000 ____D () C:\Windows\erdnt
2014-04-07 16:53 - 2014-04-07 16:52 - 00000000 ___SD () C:\32788R22FWJFW
2014-04-07 16:53 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-07 16:52 - 2014-04-07 16:52 - 00000000 ____D () C:\Qoobox
2014-04-07 16:52 - 2011-01-22 10:57 - 00000000 ____D () C:\Users\Bev\AppData\Local\CrashDumps
2014-04-07 16:52 - 2009-07-14 01:08 - 00032612 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-07 16:44 - 2014-04-07 16:44 - 04009167 _____ () C:\Users\Bev\Desktop\ServicesRepair.exe
2014-04-07 16:44 - 2014-04-07 16:44 - 01426178 _____ () C:\Users\Bev\Desktop\adwcleaner.exe
2014-04-07 16:43 - 2014-04-07 16:43 - 10971424 _____ (SurfRight B.V.) C:\Users\Bev\Desktop\HitmanPro_x64.exe
2014-04-07 16:38 - 2014-04-07 16:38 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Bev\Desktop\mbam-setup-2.0.1.1004.exe
2014-04-07 16:35 - 2014-04-07 16:35 - 03972608 _____ () C:\Users\Bev\Desktop\RogueKiller.exe
2014-04-07 15:37 - 2009-07-14 01:13 - 00787190 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-07 15:24 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\Registration
2014-04-07 15:23 - 2013-09-24 11:48 - 00015398 _____ () C:\Windows\setupact.log
2014-04-07 10:07 - 2012-03-30 09:59 - 00000000 ____D () C:\Users\Bev\AppData\Roaming\SoftGrid Client
2014-04-06 16:05 - 2011-01-14 19:26 - 00000000 ____D () C:\Users\Bev\Documents\Bev
2014-04-06 15:28 - 2014-02-09 11:11 - 00000000 ____D () C:\Users\Bev\Documents\Alaska Trip
2014-04-06 12:10 - 2011-04-23 20:20 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForBev.job
2014-04-05 10:35 - 2011-04-23 20:20 - 00003174 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForBev
2014-04-05 10:35 - 2011-01-08 13:34 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-04-05 10:34 - 2011-11-05 10:01 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-04-02 08:01 - 2014-03-18 20:31 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-04-02 07:54 - 2011-09-13 00:09 - 04036608 _____ (Microsoft Corporation) C:\Windows\system32\sppsvc.exe
2014-04-01 21:11 - 2013-05-15 09:23 - 00000000 ____D () C:\Users\Bev\Documents\Telus
2014-04-01 21:10 - 2011-03-28 13:48 - 00116736 ___SH () C:\Users\Bev\Documents\Thumbs.db
2014-04-01 21:09 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\Legal
2014-04-01 21:01 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\Mom
2014-04-01 20:51 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\Mark
2014-04-01 20:10 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\John
2014-04-01 20:08 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\House Purchase
2014-04-01 19:59 - 2012-04-09 18:06 - 00000000 ____D () C:\Users\Bev\Documents\Gardening
2014-04-01 19:59 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\Galiano
2014-04-01 19:54 - 2011-01-14 21:50 - 00000000 ____D () C:\Users\Bev\Documents\Creativity
2014-04-01 19:39 - 2011-01-14 19:26 - 00000000 ____D () C:\Users\Bev\Documents\ALLIE
2014-04-01 18:49 - 2013-12-01 13:36 - 00000000 ____D () C:\Users\Bev\Desktop\Turbotax
2014-04-01 18:49 - 2013-05-19 20:36 - 00000000 ____D () C:\Users\Bev\Documents\BlackBerry
2014-04-01 18:33 - 2011-01-07 19:07 - 00000000 ____D () C:\BigFishGamesCache
2014-04-01 18:27 - 2011-01-07 15:24 - 00000000 ____D () C:\Users\Bev
2014-03-31 22:13 - 2011-01-07 18:26 - 00003888 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-03-31 22:13 - 2011-01-07 18:26 - 00003636 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-03-24 08:14 - 2014-03-24 08:14 - 00002181 _____ () C:\Users\Bev\Desktop\HP Support Assistant.lnk
2014-03-24 08:14 - 2010-07-15 15:16 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-03-24 08:14 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\Help
2014-03-24 08:11 - 2010-07-15 15:14 - 00000000 ____D () C:\Program Files (x86)\Hewlett-Packard
2014-03-24 08:10 - 2014-03-24 08:10 - 00000000 ____D () C:\ProgramData\{18165758-115C-4DC0-9EC2-FF89F725767F}
2014-03-24 08:09 - 2010-07-15 16:24 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-03-24 08:08 - 2009-09-06 20:40 - 00000000 ____D () C:\SwSetup
2014-03-23 12:29 - 2014-03-23 12:29 - 00000000 ____D () C:\ProgramData\Recovery
2014-03-20 13:11 - 2014-03-18 21:47 - 00000000 ____D () C:\9aa1d5aa3a18d030809890
2014-03-18 21:48 - 2013-10-15 10:17 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-18 21:48 - 2011-02-15 11:42 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-18 20:31 - 2014-03-18 20:31 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-18 20:31 - 2014-03-18 20:31 - 00000000 ____D () C:\Program Files\iTunes
2014-03-18 20:31 - 2014-03-18 20:31 - 00000000 ____D () C:\Program Files\iPod
2014-03-18 20:29 - 2011-01-07 18:19 - 00000000 ____D () C:\ProgramData\Apple
2014-03-18 20:27 - 2014-03-18 20:27 - 00001805 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-03-18 20:27 - 2014-03-18 20:27 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-03-14 10:00 - 2014-03-12 08:59 - 00623616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-14 10:00 - 2009-07-14 00:45 - 00373568 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-12 20:28 - 2014-02-27 10:46 - 00000000 ____D () C:\Program Files (x86)\TurboTax 2013
2014-03-12 09:27 - 2012-07-14 11:11 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 09:27 - 2012-07-10 20:50 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 09:27 - 2011-10-04 21:51 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-11 21:01 - 2011-01-07 17:26 - 00000000 ____D () C:\Users\Bev\AppData\Roaming\Skype
ZeroAccess:
C:\Users\Bev\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install

Files to move or delete:
====================
C:\Users\Bev\zpwelm.exe


Some content of TEMP:
====================
C:\Users\Bev\AppData\Local\Temp\sp64126.exe
C:\Users\Bev\AppData\Local\Temp\UninstallHPSA.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe
[2009-07-13 19:19] - [2013-07-05 14:51] - 0532992 ____N (Microsoft Corporation) CFE8A352DF78401A497BDE9A09627254

C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


LastRegBack: 2014-03-30 12:53

==================== End Of Log ============================


Addition.txt follows:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Bev at 2014-04-08 09:30:22
Running from C:\Users\Bev\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Norton Internet Security (Disabled - Out of date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Out of date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

==================== Installed Programs ======================

Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 1.5.0.7220 - Adobe Systems Inc.) Hidden
Adobe Bridge 1.0 (x32 Version: 001.000.000 - Adobe Systems) Hidden
Adobe Common File Installer (x32 Version: 1.00.0000 - Adobe System Incorporated) Hidden
Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Help Center 1.0 (x32 Version: 001.000.000 - Adobe Systems) Hidden
Adobe Photoshop CS2 (HKLM-x32\...\Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}) (Version: 9.0 - Adobe Systems, Inc.)
Adobe Photoshop CS2 (x32 Version: 9.0 - Adobe Systems, Inc.) Hidden
Adobe Reader X (10.1.6) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.6 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM-x32\...\{9ECF7817-DB11-4FBA-9DF1-296A578D513A}) (Version: 11.5.7.609 - Adobe Systems, Inc)
Adobe Stock Photos 1.0 (x32 Version: 001.000.000 - Adobe Systems) Hidden
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Ask Toolbar (HKLM-x32\...\{86D4B82A-ABED-442A-BE86-96357B70F4FE}) (Version: 1.15.1.0 - Ask.com) <==== ATTENTION
Ask Toolbar Updater (HKCU\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.1.22229 - Ask.com) <==== ATTENTION
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Big City Adventure (HKLM-x32\...\Big City Adventure) (Version: - Spintop Media, Inc)
Big City Adventure: Sydney, Australia (HKLM-x32\...\BFG-Big City Adventure - Sydney Australia) (Version: - )
Big City Adventure: Vancouver (HKLM-x32\...\BFG-Big City Adventure - Vancouver) (Version: - )
Big Fish Games: Game Manager (HKLM-x32\...\BFGC) (Version: 3.0.1.60 - )
Bing Bar (HKLM-x32\...\{08234a0d-cf39-4dca-99f0-0c5cb496da81}) (Version: 5.0.1438.0 - Microsoft Corporation)
Bing Bar Platform (x32 Version: 5.0.1438.0 - Microsoft Corporation) Hidden
BlackBerry Link (HKLM-x32\...\BlackBerry_10_Desktop) (Version: 1.1.0.37 - Research In Motion Ltd.)
BlackBerry Link (x32 Version: 1.1.0.37 - Research In Motion Ltd.) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom 802.11 Wireless LAN Adapter (HKLM\...\Broadcom 802.11 Wireless LAN Adapter) (Version: 5.60.350.6 - Broadcom Corporation)
Build-a-lot 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Canon MOV Decoder (HKLM-x32\...\Canon MOV Decoder) (Version: 1.5.0.7 - Canon Inc.)
Canon MOV Encoder (HKLM-x32\...\Canon MOV Encoder) (Version: 1.3.1.3 - Canon Inc.)
Canon MovieEdit Task for ZoomBrowser EX (HKLM-x32\...\MovieEditTask) (Version: 3.4.1.9 - Canon Inc.)
Canon Utilities CameraWindow (HKLM-x32\...\CameraWindowLauncher) (Version: 7.4.0.7 - Canon Inc.)
Canon Utilities CameraWindow DC 8 (HKLM-x32\...\CameraWindowDC8) (Version: 8.1.0.11 - Canon Inc.)
Canon Utilities MyCamera (HKLM-x32\...\MyCamera) (Version: 7.3.0.5 - Canon Inc.)
Canon Utilities ZoomBrowser EX (HKLM-x32\...\ZoomBrowser EX) (Version: 6.5.1.15 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM-x32\...\ZoomBrowser EX Memory Card Utility) (Version: 1.3.0.4 - Canon Inc.)
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
CinemaNow Media Manager (HKLM-x32\...\{6C122441-1861-4CD7-B1C5-A163A6984E12}) (Version: 1.9.1.105 - CinemaNow, Inc.)
Connection Manager (HKLM-x32\...\Connection Manager) (Version: 23.002.08.09.464 - Huawei Technologies Co.,Ltd)
CyberLink DVD Suite (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 7.0.3003 - CyberLink Corp.)
CyberLink DVD Suite (x32 Version: 7.0.3003 - CyberLink Corp.) Hidden
CyberLink MediaShow (HKLM-x32\...\InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}) (Version: 5.0.1616 - CyberLink Corp.)
CyberLink MediaShow (x32 Version: 5.0.1616 - CyberLink Corp.) Hidden
CyberLink PowerDVD 9 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.1.4217 - CyberLink Corp.)
CyberLink PowerDVD 9 (x32 Version: 9.0.1.4217 - CyberLink Corp.) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.0.2511 - CyberLink Corp.)
CyberLink YouCam (x32 Version: 3.0.2511 - CyberLink Corp.) Hidden
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.95 - WildTangent) Hidden
Dora's Carnival Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
Driver Detective (HKLM-x32\...\{3839C2FF-2CD0-4601-91A8-B1E40A9BE8A8}) (Version: 7 - PC Drivers HeadQuarters)
DriverSmith (HKLM\...\DriverSmith_is1) (Version: - driversmith.com)
Energy Star Digital Logo (HKLM-x32\...\{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}) (Version: 1.0.1 - Hewlett-Packard)
Escape Rosecliff Island (x32 Version: 2.2.0.95 - WildTangent) Hidden
ESU for Microsoft Windows 7 (HKLM-x32\...\{3877C901-7B90-4727-A639-B6ED2DD59D43}) (Version: 1.0.0 - Hewlett-Packard)
FATE (x32 Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Nitro (x32 Version: 2.2.0.95 - WildTangent) Hidden
Free Ride Games Player (HKLM-x32\...\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}) (Version: - Exent Technologies Ltd)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.23.9 - Google Inc.) Hidden
Haunted Hotel (HKLM-x32\...\BFG-Haunted Hotel) (Version: - )
Heroes of Hellas 2 - Olympia (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
Hidden Expedition ®: Titanic (HKLM-x32\...\BFG-Hidden Expedition - Titanic) (Version: - )
HP Advisor (HKLM-x32\...\{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}) (Version: 3.4.10262.3295 - Hewlett-Packard)
HP Customer Experience Enhancements (x32 Version: 6.0.1.8 - Hewlett-Packard) Hidden
HP Documentation (HKLM-x32\...\{69ABD67D-5C2E-4724-B519-695DEF3EC23B}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.1.3 - WildTangent)
HP MediaSmart CinemaNow 2.0 (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.3611 - HP Photo Creations Powered by RocketLife)
HP Power Manager (HKLM-x32\...\{D8BCE5B9-67CF-4F3F-93AE-3ACC754C72EB}) (Version: 1.4.7 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{00A42832-B21A-4296-B5F4-D296D0BC4A3E}) (Version: 2.6.3 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{72D90DB3-A16A-4545-B555-868471101833}) (Version: 8.1.4186.3400 - Hewlett-Packard)
HP Software Framework (HKLM-x32\...\{28FE073B-1230-4BF6-830C-7434FD0C0069}) (Version: 4.1.13.1 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}) (Version: 7.4.45.4 - Hewlett-Packard Company)
HP Wireless Assistant (HKLM\...\{B5FC1E1B-E70D-45F1-8E40-A3C30698B323}) (Version: 4.0.9.0 - Hewlett-Packard Company)
IB Updater Service (HKLM-x32\...\WNLT) (Version: 3.0.5.4 - ) <==== ATTENTION
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2131 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.2.1001 - Intel Corporation)
Internet Explorer Toolbar 4.6 by SweetPacks (HKLM-x32\...\{C3E85EE9-5892-4142-B537-BCEB3DAC4C3D}) (Version: 4.6.0004 - SweetIM Technologies Ltd.) <==== ATTENTION
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Java Auto Updater (x32 Version: 2.0.7.2 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 20 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)
Java™ 6 Update 37 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216035FF}) (Version: 6.0.370 - Oracle)
Jewel Craft (HKLM-x32\...\exent_496850) (Version: - )
Jewel Quest 3 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Jewel Quest Solitaire 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2907 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.2907 - CyberLink Corp.) Hidden
LightScribe System Software (HKLM-x32\...\{46BA053F-57B3-4153-BDB6-D37EEC8B12D7}) (Version: 1.18.15.1 - LightScribe)
Magic Academy (HKLM-x32\...\BFG-Magic Academy) (Version: - )
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Choice Guard (x32 Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Default Manager (x32 Version: 2.1.55.0 - Microsoft Corporation) Hidden
Microsoft IntelliPoint 8.0 (HKLM\...\{563F041C-DFDB-437B-A1E8-E141E0906076}) (Version: 8.0.225.0 - Microsoft)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.5614.0 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Search Enhancement Pack (x32 Version: 2.0.271.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.10411.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0 - Microsoft Corp.) Hidden
Millionaire Manor: The Hidden Object Show (HKLM-x32\...\BFG-Millionaire Manor - The Hidden Object Show) (Version: - )
MSVCRT (x32 Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery Case Files: Huntsville ™ (HKLM-x32\...\BFG-Mystery Case Files - Huntsville) (Version: - )
Mystery Case Files: Madame Fate ® (HKLM-x32\...\BFG-Mystery Case Files - Madame Fate) (Version: - )
Mystery Case Files: Prime Suspects ™ (HKLM-x32\...\BFG-Mystery Case Files - Prime Suspects) (Version: - )
Mystery Case Files: Ravenhearst ® (HKLM-x32\...\BFG-Mystery Case Files - Ravenhearst) (Version: - )
Mystery Legends: Sleepy Hollow (HKLM-x32\...\BFG-Mystery Legends - Sleepy Hollow) (Version: - )
Mystery Legends: The Phantom of the Opera (HKLM-x32\...\BFG-Mystery Legends - The Phantom of the Opera) (Version: - )
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.17869 - Symantec Corporation)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
PhotoNow! (HKLM-x32\...\InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.6904 - CyberLink Corp.)
PhotoNow! (x32 Version: 1.1.6904 - CyberLink Corp.) Hidden
Plants vs. Zombies (x32 Version: 2.2.0.95 - WildTangent) Hidden
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.4204 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.4204 - CyberLink Corp.) Hidden
PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.3003 - CyberLink Corp.)
PowerDirector (x32 Version: 8.0.3003 - CyberLink Corp.) Hidden
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.21.531.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6196 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30105 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.3023 - CyberLink Corp.) Hidden
Roads of Rome (HKLM-x32\...\exent_706250) (Version: - )
Roxio CinemaNow 2.0 (x32 Version: 1.0.278 - Hewlett-Packard) Hidden
RtVOsd (HKLM\...\{091A0130-A82F-4A6D-9C61-3BBBB3289030}) (Version: 1.0.6 - Realtek Semiconductor Corp.)
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.6.8442 - Skype Technologies S.A.)
Skype™ 5.5 (HKLM-x32\...\{AA59DDE4-B672-4621-A016-4C248204957A}) (Version: 5.5.124 - Skype Technologies S.A.)
SweetIM for Messenger 3.7 (HKLM-x32\...\{A0C9DF2B-89B5-4483-8983-18A68200F1B4}) (Version: 3.7.0007 - SweetIM Technologies Ltd.) <==== ATTENTION
SweetPacks bundle uninstaller (HKLM-x32\...\{953AA732-9AFB-49C9-84A4-7F96CA0A08DA}) (Version: 1.0.0001 - SweetIM Technologies Ltd.) <==== ATTENTION
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.29.0 - Synaptics Incorporated)
The Treasures of Montezuma (HKLM-x32\...\exent_466550) (Version: - )
TurboTax 2010 (HKLM-x32\...\{24AE6B5B-3D5A-488C-9224-1BEE11F75DD9}) (Version: 1.00.0000 - Intuit Canada)
TurboTax 2011 (HKLM-x32\...\{12CAA28E-56CA-4C3D-B3F2-7311540DD410}) (Version: 1.00.0000 - Intuit Canada)
TurboTax 2012 (HKLM-x32\...\{726DDC29-79B3-41B4-BDBF-97DF25BF1EA8}) (Version: 1.00.0000 - Intuit Canada)
TurboTax 2013 (HKLM-x32\...\{1E0FF98D-4AE4-46CC-B624-E771ABD5EA11}) (Version: 1.00.0000 - Intuit Canada)
Unlikely Suspects (HKLM-x32\...\exent_708650) (Version: - )
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
Update Manager for SweetPacks 1.1 (HKLM-x32\...\{EA8FA6BE-29BE-4AF2-9352-841F83215EB0}) (Version: 1.1.0008 - SweetIM Technologies Ltd.) <==== ATTENTION
Virtual Families (x32 Version: 2.2.0.95 - WildTangent) Hidden
Virtual Villagers - The Secret City (x32 Version: 2.2.0.95 - WildTangent) Hidden
VLC media player 2.0.3 (HKLM-x32\...\VLC media player) (Version: 2.0.3 - VideoLAN)
Wheel of Fortune 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
WildTangent Games App (HP Games) (HKLM-x32\...\{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp) (Version: 4.0.10.17 - WildTangent)
Windows Live Call (x32 Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Communications Platform (x32 Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Sync (HKLM-x32\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (x32 Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Restore Points =========================

13-03-2014 01:45:13 Windows Update
19-03-2014 01:47:35 Windows Update
24-03-2014 12:10:49 Installed HP Support Assistant
24-03-2014 12:13:05 Windows Modules Installer
24-03-2014 12:13:46 Windows Modules Installer
31-03-2014 18:43:29 Scheduled Checkpoint
08-04-2014 04:00:00 Scheduled Checkpoint

==================== Hosts content: ==========================

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {01E9AC1C-1924-4CA3-BAEF-6426666A4918} - System32\Tasks\{E9F58117-F32B-4B03-95B8-2505CC25B196} => Iexplore.exe http://ui.skype.com/ui/0/5.10.0.116/en/abandoninstall?page=tsMain
Task: {1883BA92-01B0-479B-ACCF-BA96F08C20A6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-05] (Google Inc.)
Task: {43CAAF06-A378-47DD-8EB7-3422CBBEEB5F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2014-02-10] (Hewlett-Packard)
Task: {4D6F8BC2-798B-4DDE-BE2C-480590DABF7A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {5E647749-D86F-46FB-9BC9-7CB1ADC2A2F8} - System32\Tasks\{9C184B76-4E31-4E91-820A-E243DC13D84A} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2011-10-13] (Skype Technologies S.A.)
Task: {61CB7526-64AB-4E32-A026-5E869D171DF0} - System32\Tasks\HPCeeScheduleForBev => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {67022E2C-5C99-4488-ADA6-D74E7DB61AD0} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-14] (Adobe Systems Incorporated)
Task: {6A2549F0-BF72-4440-8777-3DC1C8D7A31B} - System32\Tasks\{61D7AB73-7993-4DF9-8FF5-BA0EF99EEE7E} => Iexplore.exe http://ui.skype.com/ui/0/5.10.0.116/en/abandoninstall?page=tsMain
Task: {7CAD9B6E-C6F8-475D-A1E1-89DF03EF0462} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe [2013-07-07] () <==== ATTENTION
Task: {7E36BD87-D1CA-44E2-B25A-6EBB53BA41E6} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {8D54C309-4E6A-41CD-8F3E-3FF80A1EA35A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {ACC02312-4C45-42CD-BF58-9B6125BFF31A} - System32\Tasks\ServicePlan => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-05-25] ()
Task: {AF309B33-423F-48F6-9E07-7176ED6AD38A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-05] (Google Inc.)
Task: {B276AF02-AB42-40AD-9D5F-3053D1EBC10C} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => c:\Program Files\Microsoft IntelliPoint\IPoint.exe [2013-09-24] (Microsoft Corporation)
Task: {C98C7F55-F2E4-4D7E-996B-7D1AD437494F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2013-12-12] (Hewlett-Packard Company)
Task: {EE0DC0F3-127D-47D5-87EF-BBBE9AD183BF} - System32\Tasks\RecoveryCDWin7 => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-05-25] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForBev.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2011-03-14 11:27 - 2013-07-11 20:56 - 00853504 _____ () C:\ProgramData\DatacardService\HWDeviceService64.exe
2013-04-26 09:47 - 2013-04-26 09:47 - 00661008 _____ () C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
2013-04-10 16:24 - 2012-01-10 06:48 - 00105824 _____ () C:\Program Files (x86)\Connection Manager\Connection Manager.exe
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-02-14 15:25 - 2014-02-14 15:25 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\29335dc88d799664dcd97362bcb687e9\IsdiInterop.ni.dll
2010-09-19 17:52 - 2010-04-13 12:52 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2010-05-19 13:05 - 2010-05-19 13:05 - 02121728 _____ () C:\Program Files (x86)\Common Files\LightScribe\QtCore4.dll
2010-05-19 13:05 - 2010-05-19 13:05 - 07745536 _____ () C:\Program Files (x86)\Common Files\LightScribe\QtGui4.dll
2010-05-19 13:05 - 2010-05-19 13:05 - 00135168 _____ () C:\Program Files (x86)\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00061440 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00131072 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00040960 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingServer.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00005632 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingInterface.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00018944 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingMessages.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00036864 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingClients.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00007680 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\RemotingClient.dll
2010-02-09 21:58 - 2010-02-09 21:58 - 00028672 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
2013-04-10 16:24 - 2012-01-16 02:28 - 00518144 _____ () C:\Program Files (x86)\Connection Manager\core.dll
2013-04-10 16:24 - 2012-01-18 03:48 - 00280576 _____ () C:\Program Files (x86)\Connection Manager\sdk.dll
2013-04-10 16:24 - 2009-01-10 06:32 - 00011362 _____ () C:\Program Files (x86)\Connection Manager\mingwm10.dll
2013-04-10 16:24 - 2009-06-22 14:42 - 00043008 _____ () C:\Program Files (x86)\Connection Manager\libgcc_s_dw2-1.dll
2013-04-10 16:24 - 2010-05-14 05:57 - 02415104 _____ () C:\Program Files (x86)\Connection Manager\QtCore4.dll
2013-04-10 16:24 - 2010-02-10 10:43 - 09515520 _____ () C:\Program Files (x86)\Connection Manager\QtGui4.dll
2013-04-10 16:24 - 2012-01-18 03:48 - 00399360 _____ () C:\Program Files (x86)\Connection Manager\Proxy.DLL
2013-04-10 16:24 - 2011-09-26 21:16 - 00627712 _____ () C:\Program Files (x86)\Connection Manager\Common.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00157184 _____ () C:\Program Files (x86)\Connection Manager\Trace.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00583168 _____ () C:\Program Files (x86)\Connection Manager\PluginContainer.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00646144 _____ () C:\Program Files (x86)\Connection Manager\AtCodec.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00715776 _____ () C:\Program Files (x86)\Connection Manager\DeviceSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00195584 _____ () C:\Program Files (x86)\Connection Manager\XCodec.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00239616 _____ () C:\Program Files (x86)\Connection Manager\NetSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00154624 _____ () C:\Program Files (x86)\Connection Manager\OSDialup.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00154624 _____ () C:\Program Files (x86)\Connection Manager\DataServicePlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00176128 _____ () C:\Program Files (x86)\Connection Manager\CallSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00672768 _____ () C:\Program Files (x86)\Connection Manager\AddrBookSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00219648 _____ () C:\Program Files (x86)\Connection Manager\SmsSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00142336 _____ () C:\Program Files (x86)\Connection Manager\USSDSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00157184 _____ () C:\Program Files (x86)\Connection Manager\STKSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00725504 _____ () C:\Program Files (x86)\Connection Manager\DeviceAppPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00065536 _____ () C:\Program Files (x86)\Connection Manager\OSPowerMgr.dll
2013-04-10 16:24 - 2011-09-21 22:39 - 00114688 _____ () C:\Program Files (x86)\Connection Manager\Win7Support.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 01123840 _____ () C:\Program Files (x86)\Connection Manager\AddrBookPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00694272 _____ () C:\Program Files (x86)\Connection Manager\SmsAppPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00187392 _____ () C:\Program Files (x86)\Connection Manager\CallAppPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00569344 _____ () C:\Program Files (x86)\Connection Manager\CallLogSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00158720 _____ () C:\Program Files (x86)\Connection Manager\NetConnectSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00235008 _____ () C:\Program Files (x86)\Connection Manager\DialUpPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00102400 _____ () C:\Program Files (x86)\Connection Manager\OSAdapt.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00196096 _____ () C:\Program Files (x86)\Connection Manager\NDISPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00131584 _____ () C:\Program Files (x86)\Connection Manager\OSNDIS.dll
2013-04-10 16:24 - 2011-09-21 22:39 - 01101824 _____ () C:\Program Files (x86)\Connection Manager\NDISAPI.dll
2013-04-10 16:24 - 2012-01-19 22:02 - 00700928 _____ () C:\Program Files (x86)\Connection Manager\NetInfoSrvPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00062976 _____ () C:\Program Files (x86)\Connection Manager\OSCall.dll
2013-04-10 16:24 - 2011-09-21 22:39 - 00224256 _____ () C:\Program Files (x86)\Connection Manager\tdpcvoice.dll
2013-04-10 16:24 - 2012-02-10 04:52 - 00563712 _____ () C:\Program Files (x86)\Connection Manager\DeviceMgrUIPlugin.dll
2013-04-10 16:24 - 2010-02-10 10:06 - 00398336 _____ () C:\Program Files (x86)\Connection Manager\QtXml4.dll
2013-04-10 16:24 - 2011-09-26 21:16 - 00168960 _____ () C:\Program Files (x86)\Connection Manager\ATR2SMgr.dll
2013-04-10 16:24 - 2012-01-05 02:33 - 00264704 _____ () C:\Program Files (x86)\Connection Manager\XFramePlugin.dll
2013-04-10 16:24 - 2012-02-10 03:49 - 00316416 _____ () C:\Program Files (x86)\Connection Manager\StatusBarMgrPlugin.dll
2013-04-10 16:24 - 2012-02-20 00:04 - 00345088 _____ () C:\Program Files (x86)\Connection Manager\NetConnectPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:17 - 00570368 _____ () C:\Program Files (x86)\Connection Manager\DialupUIPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:17 - 00097792 _____ () C:\Program Files (x86)\Connection Manager\NotifyServicePlugin.dll
2013-04-10 16:24 - 2011-09-26 21:18 - 00117248 _____ () C:\Program Files (x86)\Connection Manager\LayoutPlugin.dll
2013-04-10 16:24 - 2012-02-10 04:26 - 00212992 _____ () C:\Program Files (x86)\Connection Manager\NetInfoRecordUIPlugin.dll
2013-04-10 16:24 - 2012-02-20 00:04 - 00791552 _____ () C:\Program Files (x86)\Connection Manager\MiniFramePlugin.dll
2013-04-10 16:24 - 2011-09-26 21:18 - 00325120 _____ () C:\Program Files (x86)\Connection Manager\MenuMgrPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:19 - 00300032 _____ () C:\Program Files (x86)\Connection Manager\DiagnosisPlugin.dll
2013-04-10 16:24 - 2012-02-17 04:56 - 00494080 _____ () C:\Program Files (x86)\Connection Manager\NetInfoUIExPlugin.dll
2013-04-10 16:24 - 2011-12-20 04:31 - 00834560 _____ () C:\Program Files (x86)\Connection Manager\SMSUIPlugin.dll
2013-04-10 16:24 - 2011-09-26 21:18 - 00801280 _____ () C:\Program Files (x86)\Connection Manager\AddrBookUIPlugin.dll
2013-04-10 16:24 - 2011-08-23 04:27 - 00693760 _____ () C:\Program Files (x86)\Connection Manager\LiveUpdateInterface.DLL
2013-04-10 16:24 - 2010-02-10 10:10 - 01148416 _____ () C:\Program Files (x86)\Connection Manager\QtNetwork4.dll
2013-04-10 16:24 - 2011-09-21 22:37 - 00082944 _____ () C:\Program Files (x86)\Connection Manager\plugins\imageformats\qgif4.dll
2013-04-10 16:24 - 2011-09-21 22:37 - 00081920 _____ () C:\Program Files (x86)\Connection Manager\plugins\imageformats\qico4.dll
2013-04-10 16:24 - 2011-09-21 22:37 - 00192000 _____ () C:\Program Files (x86)\Connection Manager\plugins\imageformats\qjpeg4.dll
2013-04-10 16:24 - 2011-09-21 22:37 - 00350720 _____ () C:\Program Files (x86)\Connection Manager\plugins\imageformats\qmng4.dll
2013-04-10 16:24 - 2011-09-21 22:37 - 00370176 _____ () C:\Program Files (x86)\Connection Manager\plugins\imageformats\qtiff4.dll
2013-04-10 16:24 - 2011-09-26 21:18 - 00218112 _____ () C:\Program Files (x86)\Connection Manager\ToolBarMgrPlugin.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\Temp:090FB735
AlternateDataStreams: C:\ProgramData\Temp:0AC32449
AlternateDataStreams: C:\ProgramData\Temp:114BD271
AlternateDataStreams: C:\ProgramData\Temp:260575F1
AlternateDataStreams: C:\ProgramData\Temp:270A3983
AlternateDataStreams: C:\ProgramData\Temp:279FF250
AlternateDataStreams: C:\ProgramData\Temp:4673E9EA
AlternateDataStreams: C:\ProgramData\Temp:5C6EBC69
AlternateDataStreams: C:\ProgramData\Temp:78E0DF72
AlternateDataStreams: C:\ProgramData\Temp:82529191
AlternateDataStreams: C:\ProgramData\Temp:9ACB70D7
AlternateDataStreams: C:\ProgramData\Temp:A7DA2BCD
AlternateDataStreams: C:\ProgramData\Temp:C6D0ABC3
AlternateDataStreams: C:\ProgramData\Temp:D31BE97C
AlternateDataStreams: C:\ProgramData\Temp:ED873558
AlternateDataStreams: C:\ProgramData\Temp:FC70A22A

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\44656272.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\44656272.sys => ""="Driver"

==================== Disabled items from MSCONFIG ==============


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/08/2014 00:32:47 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Invalid Xml syntax.

Error: (04/08/2014 00:31:40 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (04/08/2014 00:30:17 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Multiple requestedPrivileges elements are not allowed in manifest.

Error: (04/07/2014 05:03:42 PM) (Source: Application Hang) (User: )
Description: The program ComboFix.exe version 14.4.6.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 17a0

Start Time: 01cf52a35c5c9c74

Termination Time: 16

Application Path: C:\Users\Bev\Desktop\ComboFix.exe

Report Id:

Error: (04/07/2014 04:52:11 PM) (Source: Application Error) (User: )
Description: Faulting application name: HPMSGSVC.exe, version: 2.6.3.0, time stamp: 0x4f2791fa
Faulting module name: HPMSGSVC.exe, version: 2.6.3.0, time stamp: 0x4f2791fa
Exception code: 0xc0000005
Fault offset: 0x0000399f
Faulting process id: 0x10e8
Faulting application start time: 0xHPMSGSVC.exe0
Faulting application path: HPMSGSVC.exe1
Faulting module path: HPMSGSVC.exe2
Report Id: HPMSGSVC.exe3

Error: (04/07/2014 03:35:20 PM) (Source: CVHSVC) (User: )
Description: Information only.
(Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (04/07/2014 03:27:07 PM) (Source: CVHSVC) (User: )
Description: Information only.
(Stream product id=0x0066): Streaming Failed

Error: (04/07/2014 03:26:37 PM) (Source: CVHSVC) (User: )
Description: Information only.
Too many failures while downloading ranges: 2

Error: (04/07/2014 07:52:30 AM) (Source: RIM MDNS) (User: )
Description: 660: ERROR: read_msg errno 0 (The operation completed successfully.)

Error: (04/07/2014 07:52:30 AM) (Source: RIM MDNS) (User: )
Description: ERROR: mDNSPlatformReadTCP - recv: 10053


System errors:
=============
Error: (04/07/2014 04:57:10 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
%%1056

Error: (04/07/2014 04:54:09 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error:
%%1056

Error: (04/07/2014 04:54:09 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
%%1056

Error: (04/07/2014 04:53:09 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Application Experience service, but this action failed with the following error:
%%1056

Error: (04/07/2014 04:52:14 PM) (Source: Service Control Manager) (User: )
Description: The Application Virtualization Client service terminated unexpectedly. It has done this 1 time(s).

Error: (04/07/2014 04:52:13 PM) (Source: Service Control Manager) (User: )
Description: The GamesAppService service terminated unexpectedly. It has done this 1 time(s).

Error: (04/07/2014 04:52:13 PM) (Source: Service Control Manager) (User: )
Description: The Client Virtualization Handler service terminated unexpectedly. It has done this 1 time(s).

Error: (04/07/2014 04:52:13 PM) (Source: Service Control Manager) (User: )
Description: The Application Virtualization Service Agent service terminated unexpectedly. It has done this 1 time(s).

Error: (04/07/2014 04:52:13 PM) (Source: Service Control Manager) (User: )
Description: The SeaPort service terminated unexpectedly. It has done this 1 time(s).

Error: (04/07/2014 04:52:13 PM) (Source: Service Control Manager) (User: )
Description: The RIM MDNS service terminated unexpectedly. It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (04/08/2014 00:32:47 AM) (Source: SideBySide)(User: )
Description: c:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dllc:\program files (x86)\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll2

Error: (04/08/2014 00:31:40 AM) (Source: SideBySide)(User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllc:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (04/08/2014 00:30:17 AM) (Source: SideBySide)(User: )
Description: C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exeC:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe2

Error: (04/07/2014 05:03:42 PM) (Source: Application Hang)(User: )
Description: ComboFix.exe14.4.6.117a001cf52a35c5c9c7416C:\Users\Bev\Desktop\ComboFix.exe

Error: (04/07/2014 04:52:11 PM) (Source: Application Error)(User: )
Description: HPMSGSVC.exe2.6.3.04f2791faHPMSGSVC.exe2.6.3.04f2791fac00000050000399f10e801cf5298025f842aC:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exeC:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe7d05e4f6-be96-11e3-a957-0220ba650701

Error: (04/07/2014 03:35:20 PM) (Source: CVHSVC)(User: )
Description: (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

Error: (04/07/2014 03:27:07 PM) (Source: CVHSVC)(User: )
Description: (Stream product id=0x0066): Streaming Failed

Error: (04/07/2014 03:26:37 PM) (Source: CVHSVC)(User: )
Description: Too many failures while downloading ranges: 2

Error: (04/07/2014 07:52:30 AM) (Source: RIM MDNS)(User: )
Description: 660: ERROR: read_msg errno 0 (The operation completed successfully.)

Error: (04/07/2014 07:52:30 AM) (Source: RIM MDNS)(User: )
Description: ERROR: mDNSPlatformReadTCP - recv: 10053


==================== Memory info ===========================

Percentage of memory in use: 48%
Total physical RAM: 3893.86 MB
Available physical RAM: 2012.91 MB
Total Pagefile: 7785.9 MB
Available Pagefile: 5762.43 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:449.45 GB) (Free:368.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:16.02 GB) (Free:2.31 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HUAWEI) (CDROM) (Total:0.04 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 1D505CB8)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=449 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=16 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

==================== End Of Log ============================

#4 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 April 2014 - 10:55 AM

Hello ontheriver



I need you to download this script I have made for you (attached file: fixlist.txt, 1.58KB).

It needs to be saved next to the "Farbar Recovery Scan Tool" (FRST) program (if asked to overwrite the existing one, please allow).

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 ontheriver
  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 08 April 2014 - 11:06 AM

Hi Gringo,
Here is fixlog.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Bev at 2014-04-08 12:04:51 Run:1
Running from C:\Users\Bev\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
(SweetIM Technologies Ltd.) C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\Run: [Google Update*] - [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: F - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {2afd11f0-c3a0-11e2-b971-001e101f2c0e} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {36fe7a7c-a21b-11e2-9bca-002682da9366} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {36fe7a80-a21b-11e2-9bca-002682da9366} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {38557950-c0dc-11e2-a874-806e6f6e6963} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\start.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {6f129112-8e7b-11e3-b41a-026080720701} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {7c9b726c-16e9-11e3-8f04-026070610801} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {cc90cd86-c973-11e2-ae9e-0290e95a0801} - F:\AutoRun.exe
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\...\MountPoints2: {dee16153-1acc-11e0-849f-ddfbf15e6274} - F:\AutoLaunch.exe
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteJunctionsInDirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Windows\system64
cmd: Dir /b /a:l "C:\Program Files" /s

*****************

[4356] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe => Process closed successfully.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-2675935227-3191869917-3245838043-1000 => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2afd11f0-c3a0-11e2-b971-001e101f2c0e} => Key deleted successfully.
HKCR\CLSID\{2afd11f0-c3a0-11e2-b971-001e101f2c0e} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36fe7a7c-a21b-11e2-9bca-002682da9366} => Key deleted successfully.
HKCR\CLSID\{36fe7a7c-a21b-11e2-9bca-002682da9366} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{36fe7a80-a21b-11e2-9bca-002682da9366} => Key deleted successfully.
HKCR\CLSID\{36fe7a80-a21b-11e2-9bca-002682da9366} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{38557950-c0dc-11e2-a874-806e6f6e6963} => Key deleted successfully.
HKCR\CLSID\{38557950-c0dc-11e2-a874-806e6f6e6963} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f129112-8e7b-11e3-b41a-026080720701} => Key deleted successfully.
HKCR\CLSID\{6f129112-8e7b-11e3-b41a-026080720701} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7c9b726c-16e9-11e3-8f04-026070610801} => Key deleted successfully.
HKCR\CLSID\{7c9b726c-16e9-11e3-8f04-026070610801} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cc90cd86-c973-11e2-ae9e-0290e95a0801} => Key deleted successfully.
HKCR\CLSID\{cc90cd86-c973-11e2-ae9e-0290e95a0801} => Key not found.
HKU\S-1-5-21-2675935227-3191869917-3245838043-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{dee16153-1acc-11e0-849f-ddfbf15e6274} => Key deleted successfully.
HKCR\CLSID\{dee16153-1acc-11e0-849f-ddfbf15e6274} => Key not found.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Not Found
"C:\Windows\system64" => Not Found

========= Dir /b /a:l "C:\Program Files" /s =========

File Not Found

========= End of CMD: =========


==== End of Fixlog ====

#6 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 April 2014 - 07:36 AM

Hello ontheriver

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo

#7 ontheriver

ontheriver
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male

Posted 09 April 2014 - 08:49 AM

Hi Gringo,

Before I ran AdwCleaner and Junkware Removal Tool, it was the first time that I was able to download programs without first renaming Windows Defender... so the download process seemed to be working before running these two. After running them, I went online and tried to download a file that I was unable to get prior to starting this process and was now able to download it also. SO... main problem seems to be corrected.

Other than that, the only other things that have been happening (before contacting you) are annoying pop-up boxes that say the following at startup:
There was a problem starting C:\Users\Bev\Appdata\Roaming\chcshc.dll
and also C:\Users\Bev\Appdata\Roaming\mphcd.dll
Specified modules could not be found.

I was hoping that these boxes, that pop up when booting might have been related to the virus but they still come up.
I have also been getting a pop up box that says I am not running a valid version of Windows, but it is the version that was included with the computer when I bought it at BestBuy and never used to come up.
These things are probably unrelated to our current problem, so don't feel the need to answer unless you are familiar with them and can tell me an easy fix for them.

I noticed in one of the logs that a folder called BigFishGames was deleted. I hadn't played any of those games for quite some time but last time I tried they didn't work. Is that where the virus came from or was it just infected by the virus? Can I now uninstall those game programs?

Last but not least, do you have a suggestion for a good antivirus program? Firewall?

Not sure if we are done yet, but thanks for all your efforts... greatly appreciated!!


Here is the AdwCleaner log, followed by the Junkware log:

# AdwCleaner v3.023 - Report created 09/04/2014 at 08:57:49
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Bev - NAHANNI
# Running from : C:\Users\Bev\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Free Ride Games
Folder Deleted : C:\ProgramData\SweetIM
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\Free Ride Games
Folder Deleted : C:\Program Files (x86)\SweetIM
Folder Deleted : C:\Windows\installer\{86d4b82a-abed-442a-be86-96357b70f4fe}
Folder Deleted : C:\Windows\Installer\{A0C9DF2B-89B5-4483-8983-18A68200F1B4}
Folder Deleted : C:\Windows\SysWOW64\ARFC
Folder Deleted : C:\Windows\SysWOW64\jmdp
Folder Deleted : C:\Windows\SysWOW64\WNLT
Folder Deleted : C:\Users\Bev\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Bev\AppData\LocalLow\SweetIM
Folder Deleted : C:\Users\Bev\AppData\Roaming\iWin
Folder Deleted : C:\Users\Bev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Windows\Downloaded Program Files\popcaploader.inf
File Deleted : C:\Windows\System32\dmwu.exe
File Deleted : C:\Windows\System32\ImhxxpComm.dll
File Deleted : C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils
Key Deleted : HKLM\SOFTWARE\Classes\MediaPlayer.GraphicsUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator
Key Deleted : HKLM\SOFTWARE\Classes\MgMediaPlayer.GifAnimator.1
Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
Key Deleted : HKLM\SOFTWARE\Classes\sim-packages
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\SWEETIE.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook
Key Deleted : HKLM\SOFTWARE\Classes\sweetim_urlsearchhook.toolbarurlsearchhook.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.sweetie.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetpacksupdatemanager_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SweetIM.exe
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SweetIM]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Sweetpacks Communicator]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgHelperApp.exe]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs [C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82AC53B4-164C-4B07-A016-437A8388B81A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4A0CB15-8465-4F58-A7E5-73084EA2A064}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A439801C-961D-452C-AB42-7848E9CBD289}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4EBB1E2-21F3-4786-8CF4-16EC5925867F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4D3B167E-5FD8-4276-8FD7-9DF19C1E4D19}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35D-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EEE6C35D-6118-11DC-9C72-001320C79847}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EEE6C358-6118-11DC-9C72-001320C79847}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EEE6C359-6118-11DC-9C72-001320C79847}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EEE6C35A-6118-11DC-9C72-001320C79847}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\wnlt
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B7BDADB-EC8C-4C54-B5DD-CE45A016D3A7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{953AA732-9AFB-49C9-84A4-7F96CA0A08DA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0C9DF2B-89B5-4483-8983-18A68200F1B4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c3e85ee9-5892-4142-b537-bceb3dac4c3d}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ea8fa6be-29be-4af2-9352-841f83215eb0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wnlt
Key Deleted : [x64] HKLM\SOFTWARE\wnlt
Key Deleted : HKLM\Software\Classes\Installer\Features\237AA359BFA99C94484AF769ACA080AD
Key Deleted : HKLM\Software\Classes\Installer\Features\9EE58E3C298524145B73CBBED3CAC4D3
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Features\B2FD9C0A5B9838449838816A28001F4B
Key Deleted : HKLM\Software\Classes\Installer\Features\EB6AF8AEEB922FA4392548F13812E50B
Key Deleted : HKLM\Software\Classes\Installer\Products\237AA359BFA99C94484AF769ACA080AD
Key Deleted : HKLM\Software\Classes\Installer\Products\9EE58E3C298524145B73CBBED3CAC4D3
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\B2FD9C0A5B9838449838816A28001F4B
Key Deleted : HKLM\Software\Classes\Installer\Products\EB6AF8AEEB922FA4392548F13812E50B

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521


*************************

AdwCleaner[R0].txt - [12028 octets] - [09/04/2014 08:55:00]
AdwCleaner[S0].txt - [11908 octets] - [09/04/2014 08:57:49]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [11969 octets] ##########



JUNKWARE LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Bev on Wed 04/09/2014 at 9:08:22.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2675935227-3191869917-3245838043-1000\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\installer\upgradecodes\f928123a039649549966d4c29d35b1c9
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Free Ride Games
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{995C261B-764A-43C6-9834-BFDF338F5E97}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C7AFBF27-9762-445E-82D7-C6B4EF94367C}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{C7AFBF27-9762-445E-82D7-C6B4EF94367C}
Successfully deleted: [Registry Key] "hkey_current_user\software\microsoft\internet explorer\low rights\elevationpolicy\{a5aa24ea-11b8-4113-95ae-9ed71deaf12a}"



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\big fish games"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/09/2014 at 9:14:13.33
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 April 2014 - 09:26 PM


Hello ontheriver

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:
In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?
Gringo
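
Gringo's instructions above end with a request for the ComboFix report. As an added example (not part of this thread, and not ComboFix's or BleepingComputer's code), here is a Python script that triages a report in the format ComboFix prints: it pulls out the "is infected!!" system files, failed deletions, disinfected/restored pairs, ZeroAccess-style artifacts (an `@` file or `U\<hex>.@` files under a GUID-named folder), and UAC policy values found set to 0. The sample report is constructed and modelled on the log format in this thread; the winsxs component directory in it is a placeholder.

```python
"""Triage a ComboFix report: added example, not ComboFix's own code; the report
format is inferred from the logs posted in this thread."""
import re
from dataclasses import dataclass, field

# Section banners look like "(((((((   Other Deletions   )))))))".
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")
# "path . . . is infected!!"   and   "path . . . . Failed to delete"
STATUS_RE = re.compile(r"^(?P<path>.+?)(?: \.)+ (?P<status>is infected!!|Failed to delete)$")
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<path>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+) \(0x[0-9A-Fa-f]+\)$')
# ZeroAccess/Sirefef keeps its components in a GUID-named folder holding an "@"
# file and a "U" subfolder of "<8 hex digits>.@" files.
ZEROACCESS_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\(?:@|U\\[0-9a-f]{8}\.@)$", re.I)
# UAC policy values that should not be 0 on a healthy Windows 7 system.
UAC_POLICY_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}

# Constructed sample modelled on the ComboFix log format in this thread (not a real report).
SAMPLE_REPORT = r"""
(((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))
.
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\@
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\00000001.@
c:\users\user\zpwelm.exe
c:\windows\SysWow64\out.txt . . . . Failed to delete
.
c:\windows\SysWow64\svchost.exe . . . is infected!!
.
c:\windows\System32\dllhost.exe . . . is infected!!
.
Infected copy of c:\windows\System32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\winsxs\PLACEHOLDER_COMPONENT_DIR\msiexec.exe
.
(((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""


@dataclass
class Triage:
    infected: list = field(default_factory=list)          # system files ComboFix found patched
    failed_deletes: list = field(default_factory=list)
    disinfected: list = field(default_factory=list)       # (infected path, restored-from path)
    zeroaccess_artifacts: list = field(default_factory=list)
    deleted: list = field(default_factory=list)           # other removed files and folders
    uac_disabled: list = field(default_factory=list)      # UAC policy names found set to 0


def triage(report: str) -> Triage:
    """Walk the report once, tracking the current section and registry key."""
    result, section, current_key, pending = Triage(), None, "", None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section = m["name"]
        elif m := REG_KEY_RE.match(line):
            current_key = m["key"].lower()
        elif m := REG_VALUE_RE.match(line):
            # Only the UAC policy key matters here; values under other keys are skipped.
            if (current_key.endswith(r"\policies\system")
                    and m["name"] in UAC_POLICY_VALUES and int(m["value"]) == 0):
                result.uac_disabled.append(m["name"])
        elif section != "Other Deletions":
            continue
        elif m := STATUS_RE.match(line):
            bucket = result.infected if m["status"] == "is infected!!" else result.failed_deletes
            bucket.append(m["path"])
        elif m := DISINFECTED_RE.match(line):
            pending = m["path"]  # its "Restored copy from" line follows
        elif (m := RESTORED_RE.match(line)) and pending:
            result.disinfected.append((pending, m["path"]))
            pending = None
        elif ZEROACCESS_RE.search(line):
            result.zeroaccess_artifacts.append(line)
        else:
            result.deleted.append(line)
    return result


if __name__ == "__main__":
    for name, items in vars(triage(SAMPLE_REPORT)).items():
        print(f"{name}: {items}")
```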

#9 ontheriver

ontheriver
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male

Posted 11 April 2014 - 02:46 PM

Hi Gringo:

Sorry for the delay... I somehow missed your last reply.

I have run Combofix and the log is below.

There didn't seem to be any problems while running it. A few system files came up as being infected, but the entire process seemed to complete with only one reboot at the end.

It took about 1.25 hours to complete.

The only thing that I noticed happening with my computer was not being able to download files from the internet. That is now working. I also noticed that my games from BigFishGames were not working, but I didn't associate it with a virus and didn't really care or try to fix it. I have not tried to run these as I noticed that the folder was deleted through this process. There may have been other things happening, but I sometimes just chalk it up to computer glitches and carry on.


ComboFix 14-04-09.02 - Bev 04/11/2014  14:26:13.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3894.2371 [GMT -4:00]
Running from: c:\users\Bev\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Google\Desktop\Install
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\@
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\00000001.@
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\00000002.@
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\80000000.@
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\80000001.@
c:\program files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\800000cb.@
c:\users\Bev\AppData\Local\Google\Desktop\Install
c:\users\Bev\AppData\Local\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\2E2F~1\28F0~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\@
c:\users\Bev\zpwelm.exe
c:\users\Public\Desktop\Internet Security 2013.lnk
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\SysWow64\out.txt . . . . Failed to delete
.
c:\windows\SysWow64\svchost.exe . . . is infected!!
.
c:\windows\notepad.exe . . . is infected!!
.
c:\windows\ehome\ehsched.exe . . . is infected!!
.
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe . . . is infected!!
.
c:\windows\System32\dllhost.exe . . . is infected!!
.
Infected copy of c:\windows\System32\msiexec.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7600.16385_none_a57666739fcae94c\msiexec.exe
.
c:\windows\SysWOW64\dllhost.exe . . . is infected!!
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-11 to 2014-04-11  )))))))))))))))))))))))))))))))
.
.
2014-04-11 19:27 . 2014-04-11 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2014-04-11 19:27 . 2014-04-11 19:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-10 12:08 . 2014-04-10 12:08 -------- d-sh--w- c:\users\Bev\AppData\Local\EmieUserList
2014-04-10 12:08 . 2014-04-10 12:08 -------- d-sh--w- c:\users\Bev\AppData\Local\EmieSiteList
2014-04-09 13:08 . 2014-04-09 13:08 -------- d-----w- c:\windows\ERUNT
2014-04-09 12:54 . 2014-04-09 12:57 -------- d-----w- C:\AdwCleaner
2014-04-08 13:29 . 2014-04-08 16:04 -------- d-----w- C:\FRST
2014-03-24 12:10 . 2014-03-24 12:10 -------- d-----w- c:\programdata\{18165758-115C-4DC0-9EC2-FF89F725767F}
2014-03-23 16:29 . 2014-03-23 16:29 -------- d-----w- c:\programdata\Recovery
2014-03-19 01:47 . 2014-03-20 17:11 -------- d-----w- C:\9aa1d5aa3a18d030809890
2014-03-19 00:31 . 2014-04-02 12:01 -------- d-----w- c:\program files (x86)\iTunes
2014-03-19 00:31 . 2014-03-19 00:31 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-03-19 00:31 . 2014-03-19 00:31 -------- d-----w- c:\program files\iTunes
2014-03-19 00:31 . 2014-03-19 00:31 -------- d-----w- c:\program files\iPod
2014-03-19 00:27 . 2014-03-19 00:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-03-19 00:27 . 2014-03-19 00:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-03-19 00:27 . 2014-03-19 00:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-03-19 00:27 . 2014-03-19 00:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-03-19 00:27 . 2014-03-19 00:27 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-03-19 00:27 . 2014-03-19 00:27 -------- d-----w- c:\program files (x86)\QuickTime
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-11 19:29 . 2011-09-13 04:09 639488 ----a-w- c:\windows\system32\msiexec.exe
2014-04-10 02:05 . 2011-02-15 15:42 90655440 ----a-w- c:\windows\system32\MRT.exe
2014-04-09 13:02 . 2011-09-13 04:09 4036608 ----a-w- c:\windows\system32\sppsvc.exe
2014-03-12 13:27 . 2012-07-11 00:50 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-12 13:27 . 2011-10-05 01:51 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-04 09:17 . 2014-04-08 21:43 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2014-02-07 01:23 . 2014-03-12 12:59 3156480 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:32 . 2014-03-12 12:58 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:32 . 2014-03-12 12:58 624128 ----a-w- c:\windows\system32\qedit.dll
2014-02-04 02:04 . 2014-03-12 12:58 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-12 12:58 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-01-29 02:32 . 2014-03-12 12:59 484864 ----a-w- c:\windows\system32\wer.dll
2014-01-29 02:06 . 2014-03-12 12:59 381440 ----a-w- c:\windows\SysWow64\wer.dll
2014-01-28 02:32 . 2014-03-12 12:59 228864 ----a-w- c:\windows\system32\wwansvc.dll
2014-01-17 20:24 . 2014-01-17 20:24 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2014-01-17 20:24 . 2014-01-17 20:24 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2013-10-29 2218496]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2013-12-10 3248128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"Bing Bar"="c:\program files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe" [2010-04-14 243544]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-04-01 1464320]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-03-24 549376]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2014-04-08 1083392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-01-17 267792]
"RIM PeerManager"="c:\program files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe" [2013-04-26 4265472]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2013-12-10 3248128]
.
c:\users\Bev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 625664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Connection Manager. RunOuc;Connection Manager. OUC;c:\program files (x86)\Connection Manager\UpdateDog\ouc.exe;c:\program files (x86)\Connection Manager\UpdateDog\ouc.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
R2 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]
R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R2 X5XSEx;X5XSEx;c:\program files (x86)\Free Ride Games\X5XSEx.Sys;c:\program files (x86)\Free Ride Games\X5XSEx.Sys [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2013-07-22 03:44 958464 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 14:26]
.
2014-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-07 18:51]
.
2014-04-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-01-07 18:51]
.
2014-04-09 c:\windows\Tasks\HPCeeScheduleForBev.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 08:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-07-15 6486120]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2013-07-07 520192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2013-09-24 2833920]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{078BFB36-6370-499A-9638-C40EC5629B84}: NameServer = 207.219.69.11 216.218.29.11
TCP: Interfaces\{09B28B97-F679-4377-8FC5-5F2DCA1535BF}: NameServer = 216.218.29.11 207.219.69.11
TCP: Interfaces\{5B120D70-8ED0-4C33-AA23-B54093DAC287}: NameServer = 216.218.29.11 207.219.69.11
TCP: Interfaces\{92926713-6469-47D9-80D0-3F0754AF8FAA}: NameServer = 207.219.69.11 216.218.29.11
TCP: Interfaces\{97E9B8DD-4C23-47DF-827F-61CCAA157075}: NameServer = 207.219.69.11 216.218.29.11
TCP: Interfaces\{CADDB13A-34F0-4C7D-9B30-9341B022A6F6}: NameServer = 216.218.29.11 207.219.69.11
Handler: intu-tt2011 - {B3B5DAD9-E96D-45b4-B636-B6CF2F773DE1} - c:\program files (x86)\TurboTax 2011\ic2011pp.dll
Handler: intu-tt2012 - {02F985EF-502B-4597-993F-6BF9E004C138} - c:\program files (x86)\TurboTax 2012\ic2012pp.dll
Handler: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - c:\program files (x86)\TurboTax 2013\ic2013pp.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-Exetender - c:\program files (x86)\Free Ride Games\GPlayer.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKU-Default-Run-Exetender - c:\program files (x86)\Free Ride Games\GPlayer.exe
SafeBoot-44656272.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-mphcd - c:\users\Bev\AppData\Roaming\mphcd.dll
HKLM-Run-chcshc - c:\users\Bev\AppData\Roaming\chcshc.dll
AddRemove-{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE} - c:\program files (x86)\InstallShield Installation Information\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programdata\Connection Manager\OnlineUpdate\ouc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
c:\programdata\DatacardService\DCSHelper.exe
c:\program files (x86)\Connection Manager\Connection Manager.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
.
**************************************************************************
.
Completion time: 2014-04-11  15:37:54 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-11 19:37
.
Pre-Run: 392,255,340,544 bytes free
Post-Run: 392,836,358,144 bytes free
.
- - End Of File - - DA9E4724A322BFFC2A66101BAFEE4EC5
 



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:17 PM

Posted 11 April 2014 - 08:08 PM


Let's double-check the file and make sure it is clean.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\windows\SysWow64\svchost.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If VirusTotal is too busy, you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html




Also do it with this file, please:

c:\windows\notepad.exe








Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free. However, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> Donate <-- Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 ontheriver

ontheriver
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 12 April 2014 - 10:52 AM

Hi Gringo,

Here are the results of checking the above two files at VirusTotal.

Thanks again.

 

 

SHA256: e2da9aebdd5ad23c9749200c32537176d9da2b519a69ac88ccd71f7c987ffaf5
File name: svchost.exe
Detection ratio: 39 / 51
Analysis date: 2014-04-12 15:34:27 UTC

Antivirus              Result                                        Update
AVG                    Win32/Expiro                                  20140412
Ad-Aware               Win32.Expiro.BF                               20140412
AhnLab-V3              Win32/Expiro4.Gen                             20140412
AntiVir                W32/Expiro.caj                                20140412
Antiy-AVL              Virus/Win32.Expiro.ao                         20140412
Avast                  Win32:Xpirat                                  20140412
BitDefender            Win32.Expiro.BF                               20140412
Bkav                   W32.ExpiroVM.PE                               20140412
CAT-QuickHeal          W32.Expiro.AX                                 20140412
Commtouch              W32/Expiro.AP                                 20140412
Comodo                 Virus.Win32.Expiro.isn                        20140412
DrWeb                  Win32.Expiro.56                               20140412
ESET-NOD32             Win32/Expiro.NBF                              20140412
Emsisoft               Win32.Expiro.BF (B)                           20140412
F-Prot                 W32/Expiro.AP                                 20140412
F-Secure               Win32.Expiro.BF                               20140412
Fortinet               W32/Expiro.fam                                20140412
GData                  Win32.Expiro.BF                               20140412
Ikarus                 Virus.Win32.Expiro                            20140412
K7AntiVirus            Virus ( 0040f4dc1 )                           20140411
K7GW                   Virus ( 0040f4dc1 )                           20140411
Kaspersky              Virus.Win32.Expiro.ai                         20140412
McAfee                 W32/Expiro.gen.o                              20140412
McAfee-GW-Edition      Heuristic.LooksLike.Win32.Suspicious.J!89     20140412
MicroWorld-eScan       Win32.Expiro.BF                               20140412
Microsoft              Virus:Win32/Expiro.BP                         20140412
NANO-Antivirus         Virus.Win32.Expiro.bxhdrv                     20140412
Norman                 Expiro.YG                                     20140412
Panda                  W32/Expiro.gen                                20140412
Qihoo-360              Virus.Win32.Expiro.F                          20140412
Sophos                 W32/Expiro-H                                  20140412
Symantec               W32.Xpiro.D                                   20140412
TotalDefense           Win32/Expiro.T                                20140412
TrendMicro             PE_EXPIRO.JX                                  20140412
TrendMicro-HouseCall   PE_EXPIRO.JX                                  20140412
VBA32                  Virus.Expiro.302                              20140411
VIPRE                  Virus.Win32.Expiro.gen.a (v)                  20140412
ViRobot                Win32.Expiro.O                                20140412
nProtect               Win32.Expiro.BF                               20140411
AegisLab               -                                             20140412
Agnitum                -                                             20140411
Baidu-International    -                                             20140412
ByteHero               -                                             20140412
CMC                    -                                             20140411
ClamAV                 -                                             20140412
Jiangmin               -                                             20140412
Kingsoft               -                                             20140412
Malwarebytes           -                                             20140412
Rising                 -                                             20140412
SUPERAntiSpyware       -                                             20140412
TheHacker              -                                             20140411

 

 

 

SHA256: c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102
File name: notepad.exe
Detection ratio: 0 / 51
Analysis date: 2014-04-12 15:43:39 UTC

Probably harmless! There are strong indicators suggesting that this file is safe to use.


#12 ontheriver

ontheriver
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 12 April 2014 - 10:57 AM

I am reposting the results of the svchost.exe file that I just scanned with virustotal.

The formatting didn't seem to come in the first time, and may not this time either.

It was the file that actually found 38 problems. Hope this works.

Let me know if I am doing something wrong in the copy/paste.

 

 

 

 

SHA256: e2da9aebdd5ad23c9749200c32537176d9da2b519a69ac88ccd71f7c987ffaf5
File name: svchost.exe
Detection ratio: 38 / 51
Analysis date: 2014-04-12 15:48:20 UTC

Antivirus              Result                                        Update
AVG                    Win32/Expiro                                  20140412
Ad-Aware               Win32.Expiro.BF                               20140412
AhnLab-V3              Win32/Expiro4.Gen                             20140412
AntiVir                W32/Expiro.caj                                20140412
Avast                  Win32:Xpirat                                  20140412
BitDefender            Win32.Expiro.BF                               20140412
Bkav                   W32.ExpiroVM.PE                               20140412
CAT-QuickHeal          W32.Expiro.AX                                 20140412
Commtouch              W32/Expiro.AP                                 20140412
Comodo                 Virus.Win32.Expiro.isn                        20140412
DrWeb                  Win32.Expiro.56                               20140412
ESET-NOD32             Win32/Expiro.NBF                              20140412
Emsisoft               Win32.Expiro.BF (B)                           20140412
F-Prot                 W32/Expiro.AP                                 20140412
F-Secure               Win32.Expiro.BF                               20140412
Fortinet               W32/Expiro.fam                                20140412
GData                  Win32.Expiro.BF                               20140412
Ikarus                 Virus.Win32.Expiro                            20140412
K7AntiVirus            Virus ( 0040f4dc1 )                           20140411
K7GW                   Virus ( 0040f4dc1 )                           20140411
Kaspersky              Virus.Win32.Expiro.ai                         20140412
McAfee                 W32/Expiro.gen.o                              20140412
McAfee-GW-Edition      Heuristic.LooksLike.Win32.Suspicious.J!89     20140412
MicroWorld-eScan       Win32.Expiro.BF                               20140412
Microsoft              Virus:Win32/Expiro.BP                         20140412
NANO-Antivirus         Virus.Win32.Expiro.bxhdrv                     20140412
Norman                 Expiro.YG                                     20140412
Panda                  W32/Expiro.gen                                20140412
Qihoo-360              Virus.Win32.Expiro.F                          20140412
Sophos                 W32/Expiro-H                                  20140412
Symantec               W32.Xpiro.D                                   20140412
TotalDefense           Win32/Expiro.T                                20140412
TrendMicro             PE_EXPIRO.JX                                  20140412
TrendMicro-HouseCall   PE_EXPIRO.JX                                  20140412
VBA32                  Virus.Expiro.302                              20140411
VIPRE                  Virus.Win32.Expiro.gen.a (v)                  20140412
ViRobot                Win32.Expiro.O                                20140412
nProtect               Win32.Expiro.BF                               20140411
AegisLab               -                                             20140412
Agnitum                -                                             20140411
Antiy-AVL              -                                             20140412
Baidu-International    -                                             20140412
ByteHero               -                                             20140412
CMC                    -                                             20140411
ClamAV                 -                                             20140412
Jiangmin               -                                             20140412
Kingsoft               -                                             20140412
Malwarebytes           -                                             20140412
Rising                 -                                             20140412
SUPERAntiSpyware       -                                             20140412
TheHacker              -                                             20140411


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:17 PM

Posted 12 April 2014 - 05:41 PM

Hello

That virus is very bad if it is true.

Let's see just how bad it is.



Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Click on the Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start.
  • When asked, allow the add-on to be installed.
    • Click Start.
  • Make sure that the option Remove found threats is unticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the virus definitions to be downloaded.
  • Wait for the scan to finish.
When the scan is complete:
  • If no threats were found:
    • Put a checkmark in "Uninstall application on close".
    • Close the program.
    • Report to me that nothing was found.
  • If threats were found:
    • Click on "List of threats found".
    • Click on "Export to text file" and save it as ESET SCAN to the desktop.
    • Click on Back.
    • Put a checkmark in "Uninstall application on close".
    • Click on Finish.
    • Close the program.
    • Copy and paste the report here.
Gringo

#14 ontheriver

ontheriver
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:17 PM

Posted 12 April 2014 - 09:06 PM

Certainly doesn't look good. Over 500 files infected.

Here is the result of the ESET scan:

 

C:\08aaeeb998672e60ee\Setup.exe Win32/Expiro.NBF virus
C:\08aaeeb998672e60ee\SetupUtility.exe Win32/Expiro.NBF virus
C:\80569b90a50e1a22e3\Setup.exe Win32/Expiro.NBF virus
C:\80569b90a50e1a22e3\SetupUtility.exe Win32/Expiro.NBF virus
C:\80cd875fea5b77a12f\mrtstub.exe Win64/Expiro.A virus
C:\9aa1d5aa3a18d030809890\mrtstub.exe Win64/Expiro.A virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\precache.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\SaUpdate.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\UpdateTask.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Ask.com\Updater\Updater.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\cmhelper.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\DoDlg.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\GameLauncher.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\GPlayer.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\GPlrLanc.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\Report.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Free Ride Games\Uninstall.exe.vir Win32/Expiro.NBF virus
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe.vir a variant of Win32/SweetIM.F potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SweetIM\Messenger\mgUpdateSupport.dll.vir a variant of Win32/SweetIM.F potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Bev\AppData\LocalLow\AskToolbar\setup.exe.vir a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\AdwCleaner\Quarantine\C\Windows\System32\dmwu.exe.vir Win64/Expiro.A virus
C:\AdwCleaner\Quarantine\C\Windows\SysWOW64\ARFC\wrtc.exe.vir Win32/SweetIM.E potentially unwanted application
C:\AdwCleaner\Quarantine\C\Windows\SysWOW64\jmdp\lmrn.dll.vir Win32/SweetIM.G potentially unwanted application
C:\AdwCleaner\Quarantine\C\Windows\SysWOW64\jmdp\stij.exe.vir Win32/SweetIM.G potentially unwanted application
C:\AdwCleaner\Quarantine\C\Windows\SysWOW64\WNLT\Installation\SKSetup.exe.vir Win32/SweetIM.G potentially unwanted application
C:\b0ea6f3d1392f9e3a2\mrtstub.exe Win64/Expiro.A virus
C:\fe09cd79c7e7291cb4098b0204af71\mrtstub.exe Win64/Expiro.A virus
C:\HP\Bin\animatedlogo.exe Win32/Expiro.NBF virus
C:\HP\Bin\cmd.exe Win64/Expiro.A virus
C:\HP\Bin\EndProcess.exe Win32/Expiro.NBF virus
C:\HP\Bin\HPLocale.exe Win32/Expiro.NBF virus
C:\HP\Bin\HPQSI.exe Win32/Expiro.NBF virus
C:\HP\Bin\HPUtilSL.exe Win32/Expiro.NBF virus
C:\HP\Bin\Locale.exe Win32/Expiro.NBF virus
C:\HP\Bin\Sleep.exe Win32/Expiro.NBF virus
C:\HP\Bin\UIni.exe Win32/Expiro.NBF virus
C:\HP\Bin\WizInstaller.exe Win64/Expiro.A virus
C:\HP\HPQWare\BingBar\x64\WizInstaller.exe Win64/Expiro.A virus
C:\HP\HPQWare\BingBar\x86\WizInstaller.exe Win32/Expiro.NBF virus
C:\HP\HPQWare\Skype\x64\WizInstaller.exe Win64/Expiro.A virus
C:\HP\HPQWare\Skype\x86\WizInstaller.exe Win32/Expiro.NBF virus
C:\HP\HPQWare\WT_OemOrigin\UIni.exe Win32/Expiro.NBF virus
C:\HP\HPQWare\WT_OemOrigin\x64\WizInstaller.exe Win64/Expiro.A virus
C:\HP\HPQWare\WT_OemOrigin\x86\WizInstaller.exe Win32/Expiro.NBF virus
C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\DW20.EXE Win32/Expiro.NBF virus
C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\DWTRIG20.EXE Win32/Expiro.NBF virus
C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE\OFFICE11\OFFCLN.EXE Win32/Expiro.NBF virus
C:\Program Files\Bonjour\mDNSResponder.exe Win64/Expiro.A virus
C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwls64.exe Win64/Expiro.A virus
C:\Program Files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe Win32/Expiro.NBF virus
C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Win64/Expiro.A virus
C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE Win64/Expiro.A virus
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Win64/Expiro.A virus
C:\Program Files\Common Files\Microsoft Shared\Windows Live\SIGNINOPTIONS.EXE Win64/Expiro.A virus
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE Win64/Expiro.A virus
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE Win64/Expiro.A virus
C:\Program Files\DriverSmith\DPInst.exe Win64/Expiro.A virus
C:\Program Files\DriverSmith\driverlib.dll Win32/DriverBoss.B potentially unwanted application
C:\Program Files\DVD Maker\DVDMaker.exe Win64/Expiro.A virus
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe Win32/Expiro.NBF virus
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WAMobCtr.exe Win64/Expiro.A virus
C:\Program Files\Hewlett-Packard\Shared\WizInstaller.exe Win64/Expiro.A virus
C:\Program Files\Internet Explorer\ieinstal.exe Win64/Expiro.A virus
C:\Program Files\Internet Explorer\ielowutil.exe Win64/Expiro.A virus
C:\Program Files\Internet Explorer\iexplore.exe Win64/Expiro.A virus
C:\Program Files\iPod\bin\iPodService.exe Win64/Expiro.A virus
C:\Program Files\Java\jre6\bin\java.exe Win64/Expiro.A virus
C:\Program Files\Java\jre6\bin\javaw.exe Win64/Expiro.A virus
C:\Program Files\Java\jre6\bin\javaws.exe Win64/Expiro.A virus
C:\Program Files\Java\jre6\bin\unpack200.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Chess\Chess.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Hearts\Hearts.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\btwizard.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\dpgupdateinstall.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\DPLaunch.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\ipoint.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\mousinfo.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\qs.exe Win64/Expiro.A virus
C:\Program Files\Microsoft IntelliPoint\Components\Commands\DPGMgy\magnify.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Silverlight\sllauncher.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Silverlight\5.1.10411.0\agcp.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Silverlight\5.1.10411.0\coregen.exe Win64/Expiro.A virus
C:\Program Files\Microsoft Silverlight\5.1.10411.0\Silverlight.Configuration.exe Win64/Expiro.A virus
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe Win64/Expiro.A virus
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe Win64/Expiro.A virus
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Win64/Expiro.A virus
C:\Program Files\Synaptics\SynTP\SynMood.exe Win32/Expiro.NBF virus
C:\Program Files\Synaptics\SynTP\SynZMetr.exe Win32/Expiro.NBF virus
C:\Program Files\Windows Defender\MpCmdRun.exe Win64/Expiro.A virus
C:\Program Files\Windows Defender\MSASCui.exe Win64/Expiro.A virus
C:\Program Files\Windows Mail\wab.exe Win64/Expiro.A virus
C:\Program Files\Windows Mail\wabmig.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\setup_wm.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmlaunch.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmpconfig.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\WMPDMC.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmpenc.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmplayer.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmpnscfg.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmprph.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\wmpshare.exe Win64/Expiro.A virus
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe Win64/Expiro.A virus
C:\Program Files\Windows NT\Accessories\wordpad.exe Win64/Expiro.A virus
C:\Program Files\Windows Photo Viewer\ImagingDevices.exe Win64/Expiro.A virus
C:\Program Files\Windows Sidebar\sidebar.exe Win64/Expiro.A virus
C:\Program Files (x86)\Adobe\Adobe Bridge\Bridge.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Adobe Photoshop CS2\ImageReady.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Adobe Photoshop CS2\Photoshop.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Adobe Photoshop CS2\Required\Droplet Template.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Adobe Utilities\ExtendScript Toolkit\ExtendScript Toolkit.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\64BitMAPIBroker.exe Win64/Expiro.A virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroBroker.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32Info.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\arh.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Eula.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\wow_helper.exe Win64/Expiro.A virus
C:\Program Files (x86)\bfgclient\bfgclient.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\bfgclient\bfggameservices.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\bfgclient\bfgprocess.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Big City Adventure\BigCityAdventureSF.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Big City Adventure - Sydney Australia\dcnwpkw.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Big City Adventure - Vancouver\wxdppps.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Bing Bar Installer\InstallManager.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Bonjour\mDNSResponder.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\zb651vistaupd-en.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\CameraWindow\CameraWindowLauncher\CameraLauncher.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\CameraWindow\MyCamera\MyCamera.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\dbconverter.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\ZbScreenSaver.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\ZoomBrowser.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\ZoomBrowser EX MCU\MCU.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\ZoomBrowser EX MCU\MCULauncher.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Canon\ZoomBrowser EX MCU\MCULauncher_UL.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CleanupCN.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CNRpc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\IndivDrm.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\Preloadedsvc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\UpdateLauncher.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\VenueTray.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe\Updater\AdobeUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\defaults.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\VersionCheckMe.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileBackup.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileSync.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncMapiInterfaceHelper_x64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\ATH.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\com.apple.IE.client.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\com.apple.Outlook.client.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\com.apple.Safari.client.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\com.apple.WindowsContacts.client.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\com.apple.WindowsMail.client.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\MDCrashReportTool.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\Mingler.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncDiagnostics.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\syncli.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncPlanObserver.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncUIHandler.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\upgradedb.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Canon\UIW\1.7.0.0\Uninst.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Canon\UPW\2.0.0.0\UPWClean.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Common Files\Intuit\Internet Client\Assist.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Java\Java Update\jaucheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\LightScribe\LSLauncher.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\LightScribe\LSPrintDialog.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\LightScribe\LSPrintingDialog.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\MODI\11.0\MSPVIEW.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\OINFOP11.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\MSOXMLED.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHBS.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\MAPISERVER.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\VirtualOWSSuppHost.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\VirtualOWSSuppManager.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\VirtualSearchHost.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\VirtualSearchProtocolHost.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\microsoft shared\Web Components\11\DFUICOM.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\AppLoader\Loader.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\AppLoader\MailServerMAPIProxy32.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\AppLoader\MailServerMAPIProxy64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Common Files\Research in Motion\DriverUpdater\USBDriverUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\RIMDeviceManager\RIMDeviceManager.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\mDNSResponder.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\Tunnel Manager\tunmgr.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\BbDevMgr.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\System\MSMAPI\1033\CNFNOT32.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\System\MSMAPI\1033\SCANOST.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Common Files\System\MSMAPI\1033\SCANPST.EXE Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\AddPbk.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\mt.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\subinacl.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\UnblockPin.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\Driver\DriverSetup.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\Driver\DriverUninstall.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\UpdateDog\RunLiveUpd.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Connection Manager\UpdateDog\RunOuc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\DVD Suite\PS.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\DVD Suite\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\LabelPrint\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\CpuChecker.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\MediaShow.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\MFTCodecChk.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\MShow4.scr Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\vthum.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\MediaShow5\subsys\BigBang\Runtime\CLUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Power2Go\Power2Go.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Power2Go\Power2GoExpress.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Power2Go\Power2GoExpressServer.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Power2Go\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDirector\MotionMenuGenerator.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDirector\PDHanumanSvr.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDirector\PDR8.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDirector\UACAgent.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDirector\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDVD9\Activate.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVDLaunchPolicy.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDVD9\PowerDVD9.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDVD9\EvoParser\CLUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDVD9\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\PowerDVD9\PowerDVD Cox\PowerDVDCox.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Shared files\EffectExtractor.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\YouCam\YouCam.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\YouCam\YouCamTray.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\YouCam\OLRSubmission\OLRStateCheck.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\CyberLink\YouCam\subsys\BigBang\Runtime\CLUpdater.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Google Earth\client\earthflashsol.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Google Earth\client\googleearth.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Google Earth\client\gpsbabel.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Google Earth\plugin\geplugin.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleUpdate.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleUpdateBroker.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleUpdateComRegisterShell64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleUpdateOnDemand.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleUpdateSetup.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.23.9\GoogleUpdateSetup.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Google\Update\Download\{A3AF4EE9-6DA0-478F-88B6-BDEC7F4B0FEB}\GoogleUpdateSetup.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Haunted Hotel\khqzdnw.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Energy Star\PowerSav.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\hpsudelpacks.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\SSDK04.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe Win64/Expiro.A virus
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPAsset\HPAsset.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\Tools\ResetFileTime.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Power Manager\HPPowerCfgEnum.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Power Manager\HPPowerManager.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Power Manager\PSOFF.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Power Manager\SetIcon.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\Beats32.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\cnbSysInfo.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPSCRCTL.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\hpSmartAdapterHelp.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPUSRMSG.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\WirelessOffMsg.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\x64\Beats64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Hewlett-Packard\HP Setup\symhpe.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPPSdr\FileExtractor.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPPSdr\HPDiagnosticCoreUI.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPPSdr\DeviceManager\DeviceManager.exe Win64/Expiro.A virus
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPTVTunerCheck\Resources\VisionDiags\AVerTVDiag.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPVideoCheck\Resources\VisionDiags\video-diags.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Recovery\DetectLang.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Recovery\FileRestore.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Recovery\SetMBR.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\CLMUI_TOOL.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Shared\CaslVer.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Shared\MCOEMInfo.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Shared\MCOEMInfo64.exe Win64/Expiro.A virus
C:\Program Files (x86)\Hewlett-Packard\Shared\Wireless.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Hidden Expedition - Titanic\mgkwzkf.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\HP Games\Bejeweled 2 Deluxe\Bejeweled2.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\HP Games\Bejeweled 2 Deluxe\wtmui_de\Bejeweled2.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\HP Games\Bejeweled 2 Deluxe\wtmui_default\WinBej2.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\HP Games\Bejeweled 2 Deluxe\wtmui_es\Bejeweled2.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\HP Games\Bejeweled 2 Deluxe\wtmui_fr\Bejeweled2.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\HP Games\Bejeweled 2 Deluxe\wtmui_it\Bejeweled2.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\iTunes\iTunes.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbampt.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\firefox.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\firefox.scr Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.scr Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-killer.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\rundll32.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe Win64/Expiro.A virus
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\WildTangent Games\App\GameConsole-wt.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe Win32/Expiro.NBF virus
C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.1\23375\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.1\23375\AdobeARM.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.1\23375\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.1\23375\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.4\11613\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.4\11613\AdobeARM.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.4\11613\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.4\11613\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.6\630\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.6\630\AdobeARM.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.6\630\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\ProgramData\Adobe\ARM\Reader_10.1.6\630\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\ProgramData\DatacardService\HWDeviceService64.exe Win64/Expiro.A virus
C:\Qoobox\Quarantine\C\Program Files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\00000001.@.vir Win64/Conedex.J trojan
C:\Qoobox\Quarantine\C\Program Files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\00000002.@.vir Win64/Conedex.K trojan
C:\Qoobox\Quarantine\C\Program Files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\80000000.@.vir Win64/Sirefef.BG trojan
C:\Qoobox\Quarantine\C\Program Files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\80000001.@.vir Win64/Sirefef.BC trojan
C:\Qoobox\Quarantine\C\Program Files (x86)\Google\Desktop\Install\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\9519~1\A535~1\E628~1\{34abdb91-f75e-6e4d-3541-138e74b7a4fe}\U\800000cb.@.vir Win64/Sirefef.BG trojan
C:\Qoobox\Quarantine\C\Users\Bev\zpwelm.exe.vir a variant of Win32/Kryptik.BGUA trojan
C:\Qoobox\Quarantine\C\Windows\System32\msiexec.exe.vir Win64/Expiro.A virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.1\23375\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.1\23375\AdobeARM.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.1\23375\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.1\23375\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.4\11613\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.4\11613\AdobeARM.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.4\11613\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.4\11613\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.6\630\AcrobatUpdater.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.6\630\AdobeARM.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.6\630\AdobeARMHelper.exe Win32/Expiro.NBF virus
C:\Users\All Users\Adobe\ARM\Reader_10.1.6\630\ReaderUpdater.exe Win32/Expiro.NBF virus
C:\Users\All Users\DatacardService\HWDeviceService64.exe Win64/Expiro.A virus
C:\Windows\notepad.exe Win64/Expiro.A virus
C:\Windows\ehome\ehsched.exe Win64/Expiro.A virus
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe Win32/Expiro.NBF virus
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Win32/Expiro.NBF virus
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe Win64/Expiro.A virus
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe Win64/Expiro.A virus
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Win64/Expiro.A virus
C:\Windows\System32\dllhost.exe Win32/Expiro.NBF virus
C:\Windows\System32\msiexec.exe Win32/Expiro.NBF virus
C:\Windows\System32\svchost.exe Win32/Expiro.NBF virus
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe Win32/Expiro.NBF virus
C:\Windows\SysWOW64\dllhost.exe Win32/Expiro.NBF virus
C:\Windows\SysWOW64\msiexec.exe Win32/Expiro.NBF virus
C:\Windows\SysWOW64\svchost.exe Win32/Expiro.NBF virus
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\amd64_microsoft-windows-blb-engine-main_31bf3856ad364e35_6.1.7601.17514_none_4207fb67165f731a\wbengine.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.1.7600.16385_none_7547f48c79b40229\msdtc.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehsched_31bf3856ad364e35_6.1.7600.16385_none_0167f08155bf1c81\ehsched.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\FXSSVC.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\ImagingDevices.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_10.2.9200.16721_none_167a56161e499d79\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_10.2.9200.16736_none_167ae4781e4936f5\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_7b0d6f67c2d3f97a\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16518_none_7b019f31c2dcfc14\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16521_none_7b033ef3c2db6204\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17041_none_7b3b5109c2b10624\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1196a9003b674a92\iexplore.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16428_none_a56da9e617d4f97e\ieetwcollector.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16476_none_a572d8e817d044ef\ieetwcollector.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16518_none_a561d9b017ddfc18\ieetwcollector.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.16521_none_a563797217dc6208\ieetwcollector.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ieetwcollector_31bf3856ad364e35_11.2.9600.17041_none_a59b8b8817b20628\ieetwcollector.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_10.2.9200.16521_none_844fa5bae1ae57ee\ielowutil.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_e8cd1f348648ebd1\ielowutil.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.17041_none_e8fb00d68625f87b\ielowutil.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_8.0.7600.16385_none_7d25450501edb94f\ielowutil.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_10.2.9200.16521_none_667572b30215fb44\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16428_none_caf2ec2ca6b08f27\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16476_none_caf81b2ea6abda98\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16518_none_cae71bf6a6b991c1\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16521_none_cae8bbb8a6b7f7b1\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.17041_none_cb20cdcea68d9bd1\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_8.0.7601.17514_none_617c25c51f43e03f\ieinstal.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_a7a77a3b9cb96ce6\msiexec.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_6.1.7600.16385_none_1c92c4d88ce86757\wmprph.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-m..yer-sideshow-gadget_31bf3856ad364e35_6.1.7600.16385_none_841e9494c8a32794\WMPSideShowGadget.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_7920b60d569a4a1e\wmlaunch.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmpconfig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmplayer.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmpshare.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.18150_none_6960695665dd7343\wmpconfig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.18150_none_6960695665dd7343\wmplayer.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.18150_none_6960695665dd7343\wmpshare.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.22322_none_6a0c785f7ee0ef0f\wmpconfig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.22322_none_6a0c785f7ee0ef0f\wmpshare.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7601.17514_none_0c19cef0ed2a642e\setup_wm.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-wmpenc_31bf3856ad364e35_6.1.7600.16385_none_00192601418cadff\wmpenc.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_cb0f7f2289b0c21a\notepad.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-wizard_31bf3856ad364e35_6.1.7600.16385_none_7680aa7b6195f2c6\DVDMaker.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgzm.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..erinboxgames-spades_31bf3856ad364e35_6.1.7600.16385_none_6fa6d7361acba514\shvlzm.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-checkers_31bf3856ad364e35_6.1.7600.16385_none_d236ad70cedf878a\chkrzm.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-checkers_31bf3856ad364e35_6.1.7601.17514_none_d467c138cbce0b24\chkrzm.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_b466b741b68bd29a\FreeCell.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.1.7600.16385_none_1c98ed5d08db04ce\Mahjong.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..iuminboxgames-chess_31bf3856ad364e35_6.1.7600.16385_none_d0c99374981840d5\Chess.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..l-inboxgames-hearts_31bf3856ad364e35_6.1.7600.16385_none_4ffeefd67d89d45b\Hearts.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..mes-spidersolitaire_31bf3856ad364e35_6.1.7600.16385_none_dead260d8f002b73\SpiderSolitaire.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\Solitaire.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-minesweeper_31bf3856ad364e35_6.1.7600.16385_none_fe560f0352e04f48\MineSweeper.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-s..oxgames-purbleplace_31bf3856ad364e35_6.1.7600.16385_none_622070221822eb39\PurblePlace.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27\sppsvc.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519\UI0Detect.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_2d02b12c3d47a517\sidebar.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_6.1.7600.16385_none_2b7ff0845918e12f\snmptrap.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a\vds.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-vssservice_31bf3856ad364e35_6.1.7601.17514_none_b8f2d3e62e76fe08\VSSVC.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7600.16385_none_9e9e4f27f143a509\wabmig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7600.16684_none_9e9d548ff1448327\wabmig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7600.20814_none_9f72a2b50a295c81\wabmig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wab.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wabmig.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7600.16385_none_1548f4bc3949a69a\WmiApSrv.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_177a088436382a34\WmiApSrv.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wmpdmc-ux_31bf3856ad364e35_6.1.7601.17514_none_4c8976380e00631f\WMPDMC.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-ux_31bf3856ad364e35_6.1.7600.16385_none_13b9b4b7d327a721\wmpnscfg.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_8be07ea283850f02\wordpad.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_acd03d9b9048bd78\mscorsvw.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c\MpCmdRun.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_b3b1a27171e01f6c\MSASCui.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.17316_none_b3fe3b6771a68ecd\MpCmdRun.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.17316_none_b3fe3b6771a68ecd\MSASCui.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.21531_none_b46d38ce8ad8e4ed\MpCmdRun.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.21531_none_b46d38ce8ad8e4ed\MSASCui.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpCmdRun.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MSASCui.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpCmdRun.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MSASCui.exe Win64/Expiro.A virus
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_10.2.9200.16721_none_20cf006852aa5f74\iexplore.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_10.2.9200.16736_none_20cf8eca52a9f8f0\iexplore.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_856219b9f734bb75\iexplore.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16518_none_85564983f73dbe0f\iexplore.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16521_none_8557e945f73c23ff\iexplore.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\x86_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_4b88deb7e45bfbb0\msiexec.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\x86_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_884c69064922f75b\msinfo32.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.1.7600.16385_none_41c821eeeae8dea2\pipanel.exe Win32/Expiro.NBF virus
C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_f47d7472a4c4e67e\mscorsvw.exe Win32/Expiro.NBF virus
Operating memory Win32/Expiro.NBF virus
 



#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 April 2014 - 07:17 AM

Hello ontheriver


The virus that you have on the computer is a file infector and infects all files that end with .exe. The best thing that you can do is remove any files like pictures and documents that cannot be replaced and format the computer.


Anything that you do save I would scan with more than one antivirus before I moved it back to the computer.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
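As an added example (not part of this thread, and not code from any tool mentioned in it), the script below does the two things a practitioner wants at this point: it parses detection lines in the shape of the scan log above (a path followed by an ESET-style Win32/ or Win64/ threat name) and buckets them by family and location, and it selects files for the backup Gringo recommends by checking each file's content for a PE header instead of trusting its extension, because a file infector modifies PE images and a renamed executable is still one. Assumptions: the Win32/Win64 prefix rule is taken from this log's naming only; three sample lines are copied from the log above, while the System32 line and the sample directory tree are constructed; the `location`, `is_pe` and `select_backup_candidates` names are the example's own.

```python
# Added example, not from the thread: triage an ESET-style scan log and pick
# files that are safe to carry off an infected host before a format.
import re
import struct
import tempfile
from collections import Counter
from pathlib import Path, PureWindowsPath

# Constructed sample in the log's shape: three lines copied from the scan log
# above, one constructed System32 line (assumed live, non-WinSxS hit), and the
# "Operating memory" line.
SAMPLE_LOG = r"""
C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_cb0f7f2289b0c21a\notepad.exe Win64/Expiro.A virus
C:\Windows\winsxs\amd64_microsoft-windows-vssservice_31bf3856ad364e35_6.1.7601.17514_none_b8f2d3e62e76fe08\VSSVC.exe Win64/Expiro.A virus
C:\Windows\winsxs\x86_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_4b88deb7e45bfbb0\msiexec.exe Win32/Expiro.NBF virus
C:\Windows\System32\notepad.exe Win64/Expiro.A virus
Operating memory Win32/Expiro.NBF virus
"""

# Assumption about this log's naming: the threat name begins at the first
# Win32/ or Win64/ token; everything before it is the path, which may itself
# contain spaces ("Operating memory").
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<threat>(?:Win32|Win64)/\S+(?:\s+\S+)?)\s*$")
PE_SUFFIXES = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl", ".drv", ".com"}

def parse_log(text):
    """Return (path, threat) pairs, skipping lines that are not detections."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("path"), m.group("threat")) for m in hits if m]

def family(threat):
    """'Win64/Expiro.A virus' -> 'Win64/Expiro' (drop variant letters and suffix)."""
    return threat.split()[0].rsplit(".", 1)[0]

def location(path):
    """Bucket a hit: in memory, WinSxS component store, live Windows tree, or other."""
    p = path.lower()
    if p == "operating memory":
        return "memory"
    if "\\winsxs\\" in p:
        return "winsxs"
    return "windows-live" if p.startswith("c:\\windows\\") else "other"

def summarise_log(text):
    """Counts per family, per location and per extension, plus a resident flag."""
    recs = parse_log(text)
    return {
        "total": len(recs),
        "families": Counter(family(t) for _, t in recs),
        "locations": Counter(location(p) for p, _ in recs),
        "extensions": Counter(PureWindowsPath(p).suffix.lower() or "(none)" for p, _ in recs),
        "in_memory": any(location(p) == "memory" for p, _ in recs),
    }

def is_pe(path):
    """True if the file has an 'MZ' DOS header and 'PE\\0\\0' at e_lfanew.
    Checked by content, not extension: a renamed .exe is still a PE image."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def select_backup_candidates(root):
    """Split a tree into (keep, skip): skip anything that is PE by suffix or by
    content, so no executable rides out of the infected host in the backup."""
    keep, skip = [], []
    for p in Path(root).rglob("*"):
        if p.is_file():
            (skip if p.suffix.lower() in PE_SUFFIXES or is_pe(p) else keep).append(p)
    return keep, skip

def minimal_pe():
    """Smallest byte string is_pe() accepts: MZ header, e_lfanew = 0x40, PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(20)

def build_sample_tree():
    """Constructed fixture: a text note, a real JPEG header, a plain .exe and a
    PE image disguised as a .jpg."""
    root = Path(tempfile.mkdtemp(prefix="infector-triage-"))
    (root / "notes.txt").write_text("quarterly notes\n")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(64))
    (root / "game.exe").write_bytes(minimal_pe())
    (root / "holiday.jpg").write_bytes(minimal_pe())
    return root

if __name__ == "__main__":
    summary = summarise_log(SAMPLE_LOG)
    print("detections:", summary["total"], dict(summary["locations"]), "resident:", summary["in_memory"])
    keep, skip = select_backup_candidates(build_sample_tree())
    print("keep:", sorted(p.name for p in keep), "skip:", sorted(p.name for p in skip))
```

Run against the full log above, the summary shows every hit is an `.exe` plus one "Operating memory" entry, and the listed files include the Windows Defender binaries (MpCmdRun.exe, MSASCui.exe), the Volume Shadow Copy service (VSSVC.exe) and the Software Protection service (sppsvc.exe): the infector is resident and has touched the security and recovery tooling, which is why a format rather than a per-file clean is the sound call. The `holiday.jpg` case in the fixture is the point of `is_pe`: a backup filter that only looks at extensions would have carried that executable onto the rebuilt machine.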



