ZeroAccess: SORP, Issues Still Exist


  • This topic is locked
54 replies to this topic

#1 Dairy-oh

  • Members
  • 31 posts

Posted 13 June 2014 - 01:58 PM

Hello,

 

(Possible) ZeroAccess: Self-Oriented Removal Process, Issues Still Exist

 

I purchased this computer used, and it was highly infested with malware. I don't have discs to reinstall Windows. I used various anti-malware tools to remove as much as I could until the tools were no longer seeing any issues. Over the next several months I was still having issues; for example, fresh MBAM updates would error (I don't recall the exact error, but it was not a connection type, i.e. 403), causing the update not to install. I have used various ARKs to check for hooks and drivers; I may have deleted some malware components missed by AM tools using the ARKs, while other components I was not aware of would not get deleted. I have uninstalled as many problem programs as I thought were issues; one wifi tool had 26,000 hooks, ???, yes, thousand. I think I've done a fair job getting rid of the majority of the noise. A recent run of OTL showed a possible ZeroAccess problem, so I followed Malwaretips and some posts on BleepingComputer, including composing my own fix.

Problems that continue:
Connecting to public hotspots (library, coffee shop, restaurant), I notice a lot of ARP attacks. I thought they were external systems attacking me, but now I think it is my system attacking others. One reason I think this is so: a Wireshark capture graphed with NetGrok showed my system in communication with 10-12 other hotspot computers. Lots of ARP attacks are still occurring.
MBAM new updates would error; 1 hour later the update is fine. Now OK after the RK and OTL fix.
Windows updates constantly fail, especially Internet Explorer updates and security fixes.
Firefox experiences "(not responding)" while loading, except when I install a new version, where loading is OK for a day.
Strange Chinese DNS in registry, 75.75.75.75. (I altered the entry to point to UltraDNS, then UltraDNS was DDoS'd; coincidence, maybe. :) )
A recent scan with OTL showed 1 ZeroAccess item, though other tools were coming up empty.
RogueKiller found some non-legit .dlls.

After running RogueKiller, deleting its finds, and utilizing my own custom fix for OTL, MBAM new updates are without errors. There may still be remnants; ARP attacks continue, and Firefox still has issues. I have included logs of what I ran, a few not posted.

 

Logs:

 

OTL logfile created on: 5/26/2014 11:23:47 AM - Run 5
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\RDJ\Desktop
 Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.87 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 58.04% Memory free
3.75 Gb Paging File | 2.70 Gb Available in Paging File | 72.10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 297.99 Gb Total Space | 158.78 Gb Free Space | 53.28% Space Free | Partition Type: NTFS
 
Computer Name: goring | User Name: RDJ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/05/26 11:22:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\RDJ\Desktop\OTL.exe
PRC - [2014/05/20 09:00:40 | 001,863,856 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
PRC - [2014/05/06 22:26:43 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2014/03/11 17:44:52 | 000,241,728 | ---- | M] (Foxit Corporation) -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
PRC - [2014/03/11 10:13:24 | 000,022,216 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2014/03/11 10:13:14 | 000,951,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2014/02/18 09:25:06 | 001,802,240 | ---- | M] (Don HO don.h@free.fr) -- C:\Program Files\Notepad++\notepad++.exe
PRC - [2014/01/07 22:09:16 | 001,662,224 | ---- | M] (Toolwiz) -- C:\Program Files\Toolwiz Time Freeze 2014\ToolwizTimeFreeze.exe
PRC - [2013/07/02 10:16:32 | 000,507,264 | ---- | M] (Oracle Corporation) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2013/04/04 15:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 15:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 15:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2013/01/10 01:53:12 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/06/24 02:40:36 | 000,077,824 | ---- | M] (Avid Technology, Inc..) -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/05/20 09:00:40 | 016,361,136 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32_13_0_0_214.dll
MOD - [2014/05/06 22:27:10 | 003,839,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2014/01/06 19:42:32 | 001,611,264 | ---- | M] () -- C:\Program Files\Notepad++\plugins\NppFTP.dll
MOD - [2011/07/18 17:07:28 | 000,014,336 | ---- | M] () -- C:\Program Files\Notepad++\plugins\NppExport.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2014/05/06 22:27:01 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/03/21 11:42:34 | 000,108,032 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV - [2014/03/11 17:44:52 | 000,241,728 | ---- | M] (Foxit Corporation) [Auto | Running] -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe -- (FoxitCloudUpdateService)
SRV - [2014/03/11 10:13:24 | 000,279,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2014/03/11 10:13:24 | 000,022,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/07/26 05:09:42 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/04/04 15:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 15:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2013/02/28 21:48:58 | 000,118,520 | ---- | M] (Riverbed Technology, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2010/08/07 05:00:53 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/06/24 02:40:36 | 000,077,824 | ---- | M] (Avid Technology, Inc..) [Auto | Running] -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\vmnetadapter.sys -- (VMnetAdapter)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmci.sys -- (vmci)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (TrueSight)
DRV - File not found [Kernel | Unavailable | Unknown] -- C:\Program Files\NoVirusThanks\Anti-Rootkit (Free Edition)\nvtark.sys -- (nvtark)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\RDJ~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\BCM42RLY.sys -- (BCM42RLY)
DRV - [2014/03/16 00:15:56 | 000,050,200 | ---- | M] (Emsisoft GmbH) [File_System | On_Demand | Stopped] -- C:\EEK\Run\cleanhlp32.sys -- (cleanhlp)
DRV - [2014/03/11 09:52:30 | 000,104,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2014/01/07 22:09:18 | 000,033,040 | ---- | M] (Toolwiz.com) [File_System | System | Running] -- C:\Windows\System32\drivers\TWZFILE.sys -- (TWZFILE)
DRV - [2014/01/07 22:09:17 | 000,066,704 | ---- | M] (Toolwiz.com) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TWZDISK.sys -- (TWZDISK)
DRV - [2013/12/04 14:06:28 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2013/12/04 14:06:27 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2013/04/04 15:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2013/02/28 21:48:42 | 000,036,600 | ---- | M] (Riverbed Technology, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2012/06/20 12:51:34 | 000,017,672 | ---- | M] (HandSet Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter_hs.sys -- (massfilter_hs)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/10 05:49:50 | 004,323,040 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2009/10/02 14:53:46 | 000,158,344 | ---- | M] (Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MAudioFastTrack.sys -- (MAUSBFASTTRACK)
DRV - [2009/08/05 16:59:30 | 000,750,592 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netr28u.sys -- (netr28u)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 18:02:49 | 000,046,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/09/29 05:13:58 | 003,154,944 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/02/19 15:27:34 | 001,228,296 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\sthda.sys -- (STHDA)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/02 19:47:36 | 000,989,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 19:47:00 | 000,209,152 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/11/02 19:46:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSF_CNXT.sys -- (winachsf)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "https://www.ixquick.com"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:29.0.1
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 29.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 29.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2014/05/20 08:51:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\RDJ\AppData\Roaming\mozilla\Extensions
[2014/05/21 17:00:52 | 000,000,000 | ---D | M] (No name found) -- C:\Users\RDJ\AppData\Roaming\mozilla\Firefox\Profiles\4miak4g6.default\extensions
[2014/05/20 09:04:07 | 000,178,612 | ---- | M] () (No name found) -- C:\Users\RDJ\AppData\Roaming\mozilla\firefox\profiles\4miak4g6.default\extensions\feca4b87-3be4-43da-a1b1-137c24220968@jetpack.xpi
[2014/05/21 17:00:52 | 000,957,880 | ---- | M] () (No name found) -- C:\Users\RDJ\AppData\Roaming\mozilla\firefox\profiles\4miak4g6.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2014/05/20 08:50:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/05/20 08:50:01 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2013/12/17 10:53:11 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RandMAC] C:\Users\RDJ\Downloads\MadMACs2.0\MadMACs2.0\MadMACs.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [XArp] C:\Program Files\XArp\xarp.exe (www.chrismc.de)
O4 - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001..\Run: [ToolwizTimeFreeze] C:\Program Files\Toolwiz Time Freeze 2014\ToolwizTimeFreeze.exe (Toolwiz)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 10.0.5.73
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{40D84BA5-550F-4B8A-9052-283AA2BA5090}: DhcpNameServer = 156.154.70.1 156.154.71.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{73791434-C003-46E2-8031-51415F4C204E}: DhcpNameServer = 156.154.70.1 156.154.71.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AAE14767-CD91-4E22-B1C9-F149E893C2C9}: DhcpNameServer = 156.154.70.1 156.154.71.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EF54476A-55A7-47B2-AEF3-E16F97E88643}: DhcpNameServer = 8.8.8.8 10.0.5.73
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\linkscanner - No CLSID value found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/05/26 11:22:12 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\RDJ\Desktop\OTL.exe
[2014/05/26 11:12:44 | 001,056,256 | ---- | C] (Farbar) -- C:\Users\RDJ\Desktop\FRST.exe
[2014/05/20 09:00:40 | 000,692,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2014/05/20 09:00:40 | 000,070,832 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2014/05/20 08:50:14 | 000,000,000 | ---D | C] -- C:\Users\RDJ\AppData\Roaming\Mozilla
[2014/05/20 08:50:02 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2014/05/20 08:50:00 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2014/05/13 17:46:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader
[2014/05/10 09:04:41 | 000,000,000 | ---D | C] -- C:\TDSSQlook
[2014/05/09 23:29:49 | 000,000,000 | ---D | C] -- C:\Windows\rescache
[2014/05/09 13:43:19 | 004,164,448 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\RDJ\Desktop\firefox.exe
[2014/05/09 13:29:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2014/05/08 17:59:33 | 002,724,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2014/05/08 14:47:25 | 000,000,000 | ---D | C] -- C:\Users\RDJ\AppData\Roaming\diogenes
[2014/05/08 14:47:24 | 000,000,000 | ---D | C] -- C:\Users\RDJ\AppData\Local\diogenes
[2014/05/08 10:37:42 | 000,000,000 | ---D | C] -- C:\Users\RDJ\Desktop\Office
[2014/05/07 18:44:36 | 000,149,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\storport.sys
[2014/05/07 18:44:36 | 000,027,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2014/05/07 18:44:35 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iologmsg.dll
 
========== Files - Modified Within 30 Days ==========
 
[2014/05/26 11:22:13 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\RDJ\Desktop\OTL.exe
[2014/05/26 11:12:44 | 001,056,256 | ---- | M] (Farbar) -- C:\Users\RDJ\Desktop\FRST.exe
[2014/05/26 10:31:09 | 000,022,592 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/05/26 10:31:09 | 000,022,592 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/05/26 10:23:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/05/26 10:23:45 | 1508,413,440 | -HS- | M] () -- C:\hiberfil.sys
[2014/05/20 09:00:40 | 000,692,400 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2014/05/20 09:00:40 | 000,070,832 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2014/05/20 08:50:05 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2014/05/17 16:28:40 | 000,003,725 | ---- | M] () -- C:\Users\RDJ\Documents\aleph-tao3.jpg
[2014/05/17 16:28:25 | 000,018,625 | ---- | M] () -- C:\Users\RDJ\Documents\aleph-tao3.xcf
[2014/05/17 16:25:25 | 000,003,523 | ---- | M] () -- C:\Users\RDJ\Documents\aleph-tao2.jpg
[2014/05/17 16:24:43 | 000,007,614 | ---- | M] () -- C:\Users\RDJ\Documents\aleph-tao2.xcf
[2014/05/17 16:22:17 | 000,005,196 | ---- | M] () -- C:\Users\RDJ\Documents\aleph-tao.xcf
[2014/05/13 17:46:18 | 000,002,126 | ---- | M] () -- C:\Users\RDJ\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2014/05/13 17:46:18 | 000,002,102 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader.lnk
[2014/05/09 14:17:08 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2014/05/09 13:44:28 | 004,164,448 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\RDJ\Desktop\firefox.exe
[2014/05/09 13:28:53 | 000,074,106 | ---- | M] () -- C:\TDSSQlook.zip
[2014/05/08 20:01:35 | 000,662,634 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/05/08 20:01:35 | 000,122,470 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/05/08 18:25:53 | 000,149,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\storport.sys
[2014/05/08 18:25:53 | 000,027,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2014/05/08 18:25:53 | 000,002,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\iologmsg.dll
[2014/05/08 17:59:45 | 002,724,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2014/05/04 08:01:49 | 000,001,264 | ---- | M] () -- C:\Users\RDJ\Desktop\My Videos.lnk
 
========== Files Created - No Company Name ==========
 
[2014/05/20 08:50:05 | 000,001,121 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2014/05/20 08:50:05 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2014/05/17 16:28:40 | 000,002,774 | ---- | C] () -- C:\Users\RDJ\AppData\Local\recently-used.xbel
[2014/05/17 16:28:39 | 000,003,725 | ---- | C] () -- C:\Users\RDJ\Documents\aleph-tao3.jpg
[2014/05/17 16:28:25 | 000,018,625 | ---- | C] () -- C:\Users\RDJ\Documents\aleph-tao3.xcf
[2014/05/17 16:25:25 | 000,003,523 | ---- | C] () -- C:\Users\RDJ\Documents\aleph-tao2.jpg
[2014/05/17 16:24:43 | 000,007,614 | ---- | C] () -- C:\Users\RDJ\Documents\aleph-tao2.xcf
[2014/05/17 16:22:17 | 000,005,196 | ---- | C] () -- C:\Users\RDJ\Documents\aleph-tao.xcf
[2014/05/13 17:46:18 | 000,002,126 | ---- | C] () -- C:\Users\RDJ\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2014/05/13 17:46:18 | 000,002,102 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader.lnk
[2014/05/09 13:30:15 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2014/05/09 13:30:02 | 000,002,117 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2014/05/09 13:28:53 | 000,074,106 | ---- | C] () -- C:\TDSSQlook.zip
[2014/05/04 08:01:49 | 000,001,264 | ---- | C] () -- C:\Users\RDJ\Desktop\My Videos.lnk
[2014/03/18 18:54:19 | 000,784,408 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/12/19 17:51:44 | 000,000,632 | RHS- | C] () -- C:\Users\RDJ\ntuser.pol
[2013/12/08 22:53:08 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/12/08 22:53:08 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/12/08 22:53:08 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/12/08 22:53:08 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/12/08 22:53:08 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/11/18 16:22:13 | 000,584,584 | ---- | C] () -- C:\Windows\adb.exe
[2013/02/28 21:47:36 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2012/09/16 22:23:20 | 000,027,520 | ---- | C] () -- C:\Users\RDJ\AppData\Local\dt.dat
[2012/08/19 16:31:29 | 000,000,093 | ---- | C] () -- C:\Windows\brpcfx.ini
[2012/08/19 16:31:27 | 000,000,246 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2012/08/19 16:22:41 | 000,045,056 | ---- | C] () -- C:\Windows\System32\BRTCPCON.DLL
[2012/08/19 16:22:38 | 000,000,114 | ---- | C] () -- C:\Windows\System32\BRLMW03A.INI
[2012/08/19 16:22:36 | 000,000,050 | ---- | C] () -- C:\Windows\System32\BRADM10A.DAT
[2011/05/04 13:12:22 | 000,008,704 | ---- | C] () -- C:\Users\RDJ\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/27 05:11:34 | 000,000,000 | ---- | C] () -- C:\Users\RDJ\AppData\Local\prvlcl.dat
 
========== ZeroAccess Check ==========
 
[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/10/31 08:12:47 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
 

 

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : RDJ [Admin rights]
Mode : Scan -- Date : 05/26/2014 18:05:25
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A09AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745949A1)
[Address] EAT @explorer.exe (BeginPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C0731)
[Address] EAT @explorer.exe (BufferedPaintClear) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74596395)
[Address] EAT @explorer.exe (BufferedPaintInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459940E)
[Address] EAT @explorer.exe (BufferedPaintRenderAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A08ED)
[Address] EAT @explorer.exe (BufferedPaintSetAlpha) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745AE6B3)
[Address] EAT @explorer.exe (BufferedPaintStopAllAnimations) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745AD395)
[Address] EAT @explorer.exe (BufferedPaintUnInit) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745994AB)
[Address] EAT @explorer.exe (CloseThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74596A18)
[Address] EAT @explorer.exe (DrawThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74593982)
[Address] EAT @explorer.exe (DrawThemeBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745AD9DA)
[Address] EAT @explorer.exe (DrawThemeEdge) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745B3B52)
[Address] EAT @explorer.exe (DrawThemeIcon) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C35E7)
[Address] EAT @explorer.exe (DrawThemeParentBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745953E5)
[Address] EAT @explorer.exe (DrawThemeParentBackgroundEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745951BF)
[Address] EAT @explorer.exe (DrawThemeText) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74594EA1)
[Address] EAT @explorer.exe (DrawThemeTextEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745963E6)
[Address] EAT @explorer.exe (EnableThemeDialogTexture) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459FCAF)
[Address] EAT @explorer.exe (EnableTheming) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2FEB)
[Address] EAT @explorer.exe (EndBufferedAnimation) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74593F9A)
[Address] EAT @explorer.exe (EndBufferedPaint) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74593F9A)
[Address] EAT @explorer.exe (EndPanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C06CC)
[Address] EAT @explorer.exe (GetBufferedPaintBits) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74594BAF)
[Address] EAT @explorer.exe (GetBufferedPaintDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A04BC)
[Address] EAT @explorer.exe (GetBufferedPaintTargetDC) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A0473)
[Address] EAT @explorer.exe (GetBufferedPaintTargetRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2E7F)
[Address] EAT @explorer.exe (GetCurrentThemeName) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A05DD)
[Address] EAT @explorer.exe (GetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A0FB1)
[Address] EAT @explorer.exe (GetThemeBackgroundContentRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459CD2E)
[Address] EAT @explorer.exe (GetThemeBackgroundExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459F8BF)
[Address] EAT @explorer.exe (GetThemeBackgroundRegion) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A165D)
[Address] EAT @explorer.exe (GetThemeBitmap) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459BF93)
[Address] EAT @explorer.exe (GetThemeBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74597C1F)
[Address] EAT @explorer.exe (GetThemeColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459616C)
[Address] EAT @explorer.exe (GetThemeDocumentationProperty) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2932)
[Address] EAT @explorer.exe (GetThemeEnumValue) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459616C)
[Address] EAT @explorer.exe (GetThemeFilename) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2412)
[Address] EAT @explorer.exe (GetThemeFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459FF21)
[Address] EAT @explorer.exe (GetThemeInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459616C)
[Address] EAT @explorer.exe (GetThemeIntList) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C23B1)
[Address] EAT @explorer.exe (GetThemeMargins) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745986E9)
[Address] EAT @explorer.exe (GetThemeMetric) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A06E2)
[Address] EAT @explorer.exe (GetThemePartSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459CDB1)
[Address] EAT @explorer.exe (GetThemePosition) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2350)
[Address] EAT @explorer.exe (GetThemePropertyOrigin) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745B3FBB)
[Address] EAT @explorer.exe (GetThemeRect) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A3611)
[Address] EAT @explorer.exe (GetThemeStream) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A39D9)
[Address] EAT @explorer.exe (GetThemeString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C22E4)
[Address] EAT @explorer.exe (GetThemeSysBool) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C3172)
[Address] EAT @explorer.exe (GetThemeSysColor) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745B3274)
[Address] EAT @explorer.exe (GetThemeSysColorBrush) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C301E)
[Address] EAT @explorer.exe (GetThemeSysFont) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C29C4)
[Address] EAT @explorer.exe (GetThemeSysInt) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2BD3)
[Address] EAT @explorer.exe (GetThemeSysSize) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C320B)
[Address] EAT @explorer.exe (GetThemeSysString) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C2B3F)
[Address] EAT @explorer.exe (GetThemeTextExtent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74592D57)
[Address] EAT @explorer.exe (GetThemeTextMetrics) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459F992)
[Address] EAT @explorer.exe (GetThemeTransitionDuration) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A1081)
[Address] EAT @explorer.exe (GetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459DF46)
[Address] EAT @explorer.exe (HitTestThemeBackground) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A3CE3)
[Address] EAT @explorer.exe (IsAppThemed) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459F869)
[Address] EAT @explorer.exe (IsCompositionActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74592E9A)
[Address] EAT @explorer.exe (IsThemeActive) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459F785)
[Address] EAT @explorer.exe (IsThemeBackgroundPartiallyTransparent) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745960AB)
[Address] EAT @explorer.exe (IsThemeDialogTextureEnabled) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C312B)
[Address] EAT @explorer.exe (IsThemePartDefined) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745985B4)
[Address] EAT @explorer.exe (OpenThemeData) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745973D2)
[Address] EAT @explorer.exe (OpenThemeDataEx) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745B3D43)
[Address] EAT @explorer.exe (SetThemeAppProperties) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C3296)
[Address] EAT @explorer.exe (SetWindowTheme) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745A0134)
[Address] EAT @explorer.exe (SetWindowThemeAttribute) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745ACFE6)
[Address] EAT @explorer.exe (ThemeInitApiHook) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7459B176)
[Address] EAT @explorer.exe (UpdatePanningFeedback) : PROPSYS.dll -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x745C068D)
[Address] EAT @explorer.exe (DllGetClassObject) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412CF9D)
[Address] EAT @explorer.exe (IEnumString_Next_WIC_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E000)
[Address] EAT @explorer.exe (IEnumString_Reset_WIC_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E029)
[Address] EAT @explorer.exe (IPropertyBag2_Write_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E049)
[Address] EAT @explorer.exe (IWICBitmapClipper_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DD2A)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_DoesSupportAnimation_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EA9A)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_DoesSupportLossless_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EABD)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_DoesSupportMultiframe_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EAE0)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetContainerFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E9D3)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetDeviceManufacturer_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E9F6)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetDeviceModels_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EA1F)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetFileExtensions_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EA71)
[Address] EAT @explorer.exe (IWICBitmapCodecInfo_GetMimeTypes_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EA48)
[Address] EAT @explorer.exe (IWICBitmapDecoder_CopyPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D845)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetColorContexts_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E9AA)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetDecoderInfo_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D822)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetFrameCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D9A2)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetFrame_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D868)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetMetadataQueryReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D8DA)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetPreview_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC74)
[Address] EAT @explorer.exe (IWICBitmapDecoder_GetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E9D3)
[Address] EAT @explorer.exe (IWICBitmapEncoder_Commit_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC05)
[Address] EAT @explorer.exe (IWICBitmapEncoder_CreateNewFrame_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DB87)
[Address] EAT @explorer.exe (IWICBitmapEncoder_GetEncoderInfo_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DB5E)
[Address] EAT @explorer.exe (IWICBitmapEncoder_GetMetadataQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D9A2)
[Address] EAT @explorer.exe (IWICBitmapEncoder_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DB32)
[Address] EAT @explorer.exe (IWICBitmapEncoder_SetPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DBDC)
[Address] EAT @explorer.exe (IWICBitmapEncoder_SetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DBB3)
[Address] EAT @explorer.exe (IWICBitmapFlipRotator_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DD2A)
[Address] EAT @explorer.exe (IWICBitmapFrameDecode_GetColorContexts_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D88E)
[Address] EAT @explorer.exe (IWICBitmapFrameDecode_GetMetadataQueryReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D8DA)
[Address] EAT @explorer.exe (IWICBitmapFrameDecode_GetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D8B7)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_Commit_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D9C5)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_GetMetadataQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EB03)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DFB7)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetColorContexts_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DB06)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetResolution_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DA17)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetSize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D9E5)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_SetThumbnail_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DADD)
[Address] EAT @explorer.exe (IWICBitmapFrameEncode_WriteSource_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DA71)
[Address] EAT @explorer.exe (IWICBitmapLock_GetDataPointer_STA_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D7FC)
[Address] EAT @explorer.exe (IWICBitmapLock_GetStride_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC25)
[Address] EAT @explorer.exe (IWICBitmapScaler_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DCFE)
[Address] EAT @explorer.exe (IWICBitmapSource_CopyPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D822)
[Address] EAT @explorer.exe (IWICBitmapSource_CopyPixels_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC48)
[Address] EAT @explorer.exe (IWICBitmapSource_GetPixelFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC25)
[Address] EAT @explorer.exe (IWICBitmapSource_GetResolution_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D7FC)
[Address] EAT @explorer.exe (IWICBitmapSource_GetSize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D91D)
[Address] EAT @explorer.exe (IWICBitmap_Lock_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E981)
[Address] EAT @explorer.exe (IWICBitmap_SetPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC74)
[Address] EAT @explorer.exe (IWICBitmap_SetResolution_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC97)
[Address] EAT @explorer.exe (IWICColorContext_InitializeFromMemory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EB75)
[Address] EAT @explorer.exe (IWICComponentFactory_CreateMetadataWriterFromReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D7AA)
[Address] EAT @explorer.exe (IWICComponentFactory_CreateQueryWriterFromBlockWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D7D3)
[Address] EAT @explorer.exe (IWICComponentInfo_GetAuthor_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E958)
[Address] EAT @explorer.exe (IWICComponentInfo_GetCLSID_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC25)
[Address] EAT @explorer.exe (IWICComponentInfo_GetFriendlyName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E9AA)
[Address] EAT @explorer.exe (IWICComponentInfo_GetSpecVersion_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D88E)
[Address] EAT @explorer.exe (IWICComponentInfo_GetVersion_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E981)
[Address] EAT @explorer.exe (IWICFastMetadataEncoder_Commit_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D8FD)
[Address] EAT @explorer.exe (IWICFastMetadataEncoder_GetMetadataQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC25)
[Address] EAT @explorer.exe (IWICFormatConverter_Initialize_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DCC7)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapClipper_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D557)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFlipRotator_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D580)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromHBITMAP_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D6BA)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromHICON_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D6E6)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromMemory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D656)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapFromSource_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D62D)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmapScaler_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D52E)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateBitmap_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D68B)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateComponentInfo_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D4D9)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateDecoderFromFileHandle_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D4A1)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateDecoderFromFilename_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D466)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateDecoderFromStream_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D42E)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateEncoder_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D5D2)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateFastMetadataEncoderFromDecoder_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D70C)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateFastMetadataEncoderFromFrameDecode_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D732)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateFormatConverter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D505)
[Address] EAT @explorer.exe (IWICImagingFactory_CreatePalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DADD)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateQueryWriterFromReader_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D781)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateQueryWriter_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D758)
[Address] EAT @explorer.exe (IWICImagingFactory_CreateStream_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D5A9)
[Address] EAT @explorer.exe (IWICMetadataBlockReader_GetCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DC25)
[Address] EAT @explorer.exe (IWICMetadataBlockReader_GetReaderByIndex_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D7FC)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetContainerFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DFB7)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetEnumerator_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D822)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetLocation_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E049)
[Address] EAT @explorer.exe (IWICMetadataQueryReader_GetMetadataByName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D7FC)
[Address] EAT @explorer.exe (IWICMetadataQueryWriter_RemoveMetadataByName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D8DA)
[Address] EAT @explorer.exe (IWICMetadataQueryWriter_SetMetadataByName_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DFDA)
[Address] EAT @explorer.exe (IWICPalette_GetColorCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D96C)
[Address] EAT @explorer.exe (IWICPalette_GetColors_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D88E)
[Address] EAT @explorer.exe (IWICPalette_GetType_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D845)
[Address] EAT @explorer.exe (IWICPalette_HasAlpha_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D9A2)
[Address] EAT @explorer.exe (IWICPalette_InitializeCustom_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EB75)
[Address] EAT @explorer.exe (IWICPalette_InitializeFromBitmap_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D943)
[Address] EAT @explorer.exe (IWICPalette_InitializeFromPalette_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D822)
[Address] EAT @explorer.exe (IWICPalette_InitializePredefined_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D91D)
[Address] EAT @explorer.exe (IWICPixelFormatInfo_GetBitsPerPixel_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EB03)
[Address] EAT @explorer.exe (IWICPixelFormatInfo_GetChannelCount_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DD50)
[Address] EAT @explorer.exe (IWICPixelFormatInfo_GetChannelMask_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EB26)
[Address] EAT @explorer.exe (IWICStream_InitializeFromIStream_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DD50)
[Address] EAT @explorer.exe (IWICStream_InitializeFromMemory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DD73)
[Address] EAT @explorer.exe (WICConvertBitmapSource) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DDB8)
[Address] EAT @explorer.exe (WICCreateBitmapFromSection) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DF8D)
[Address] EAT @explorer.exe (WICCreateBitmapFromSectionEx) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DE8C)
[Address] EAT @explorer.exe (WICCreateColorContext_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412EB52)
[Address] EAT @explorer.exe (WICCreateImagingFactory_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D02B)
[Address] EAT @explorer.exe (WICGetMetadataContentSize) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E61D)
[Address] EAT @explorer.exe (WICMapGuidToShortName) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D0EC)
[Address] EAT @explorer.exe (WICMapSchemaToName) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D2E0)
[Address] EAT @explorer.exe (WICMapShortNameToGuid) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412D217)
[Address] EAT @explorer.exe (WICMatchMetadataContent) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E072)
[Address] EAT @explorer.exe (WICSerializeMetadataContent) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412E1B4)
[Address] EAT @explorer.exe (WICSetEncoderFormat_Proxy) : XmlLite.dll -> HOOKED (C:\Windows\system32\WindowsCodecs.dll @ 0x7412DD99)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD3200BEVT-00ZCT0 ATA Device +++++
--- User ---
[MBR] ae5d59eeebc72509e59131ce2e4c2028
[BSP] e30bae8907473c7b74f7843130d22593 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_05262014_180525.txt >>




Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.05.26.03

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16661
RDJ :: glamour [administrator]

5/26/2014 8:31:11 PM
mbam-log-2014-05-26 (20-31-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 293130
Time elapsed: 17 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

ComboFix 14-05-26.02 - RDJ 05/26/2014  14:56:05.6.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1918.1322 [GMT -4:00]
Running from: c:\users\RDJ\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-26 to 2014-05-26  )))))))))))))))))))))))))))))))
.
.
2014-05-26 19:12 . 2014-05-26 19:12    --------    dc----w-    c:\users\Space Ace\AppData\Local\temp
2014-05-26 19:12 . 2014-05-26 19:12    --------    dc----w-    c:\users\Public\AppData\Local\temp
2014-05-26 19:12 . 2014-05-26 19:12    --------    dc----w-    c:\users\Default\AppData\Local\temp
2014-05-26 19:12 . 2014-05-26 19:12    --------    dc----w-    c:\users\Administrator\AppData\Local\temp
2014-05-25 19:31 . 2014-04-30 23:37    8073384    -c--a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DAF32794-005C-4697-BA4B-7F9E1858AFC5}\mpengine.dll
2014-05-24 18:31 . 2014-04-30 23:37    8073384    -c--a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-20 13:00 . 2014-05-20 13:00    70832    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-20 13:00 . 2014-05-20 13:00    692400    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-05-20 12:50 . 2014-05-20 12:50    --------    dc----w-    c:\program files\Mozilla Maintenance Service
2014-05-10 13:04 . 2014-05-14 15:45    --------    dc----w-    C:\TDSSQlook
2014-05-10 03:29 . 2014-05-10 03:29    --------    dc----w-    c:\windows\rescache
2014-05-09 17:55 . 2014-04-23 15:50    765968    -c----w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1F5BC47B-D6F9-4799-B9AE-6144BCCE2ADA}\gapaengine.dll
2014-05-09 17:29 . 2014-05-09 18:16    --------    dc----w-    c:\program files\Microsoft Security Client
2014-05-08 22:25 . 2014-04-17 09:32    8050496    ------w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{F8AC5234-92CA-4D62-9655-94796512E064}\mpengine.dll
2014-05-08 21:59 . 2014-05-08 21:59    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-05-08 18:47 . 2014-05-19 18:37    --------    dc----w-    c:\users\RDJ\AppData\Roaming\diogenes
2014-05-08 18:47 . 2014-05-19 18:37    --------    dc----w-    c:\users\RDJ\AppData\Local\diogenes
2014-05-07 22:44 . 2014-05-08 22:25    27072    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-05-07 22:44 . 2014-05-08 22:25    149440    ----a-w-    c:\windows\system32\drivers\storport.sys
2014-05-07 22:44 . 2014-02-04 02:07    234432    -c--a-w-    c:\windows\system32\drivers\msiscsi.sys
2014-05-07 22:44 . 2014-05-08 22:25    2048    ----a-w-    c:\windows\system32\iologmsg.dll
2014-05-07 22:44 . 2014-05-08 22:25    1212352    ----a-w-    c:\windows\system32\drivers\ntfs.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-09 17:28 . 2014-05-09 17:28    74106    -c--a-w-    C:\TDSSQlook.zip
2014-04-30 14:43 . 2011-01-26 16:24    736952    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2014-04-30 14:42 . 2011-02-23 04:30    2876528    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2014-04-30 14:40 . 2011-01-26 11:15    42168    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2014-04-29 00:57 . 2011-01-26 10:07    736952    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2014-04-29 00:57 . 2011-03-28 04:46    2876528    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2014-04-29 00:57 . 2011-01-26 10:05    42168    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2014-04-29 00:57 . 2011-01-26 10:05    539984    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2014-04-22 17:13 . 2011-02-22 23:00    539984    -c--a-w-    c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2014-03-21 15:42 . 2014-03-21 14:26    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-03-21 15:42 . 2014-03-21 14:30    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-21 15:42 . 2014-03-21 14:30    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-21 15:42 . 2014-03-21 14:30    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-21 15:42 . 2014-03-21 14:30    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-21 15:42 . 2014-03-21 14:30    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-21 15:42 . 2014-03-21 14:30    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-03-21 15:42 . 2014-03-21 14:30    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-21 15:42 . 2014-03-21 14:30    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-21 15:42 . 2014-03-21 14:30    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-21 15:42 . 2014-03-21 14:30    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-21 14:57 . 2014-03-21 14:26    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-03-21 14:56 . 2014-03-21 14:26    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-03-21 14:55 . 2014-03-21 14:26    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-03-21 14:55 . 2014-03-21 14:26    381440    ----a-w-    c:\windows\system32\wer.dll
2014-03-11 13:52 . 2013-09-27 13:53    104264    -c--a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolwizTimeFreeze"="c:\program files\Toolwiz Time Freeze 2014\ToolwizTimeFreeze.exe" [2014-01-08 1662224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"XArp"="c:\program files\XArp\xarp.exe" [2011-04-01 10413568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"RandMAC"="c:\users\RDJ\Downloads\MadMACs2.0\MadMACs2.0\MadMACs.exe" [2012-12-26 379769]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
2010-06-24 06:40    77824    -c--a-w-    c:\program files\Digidesign\Drivers\MMERefresh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2009-06-25 02:19    140520    ------w-    c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
R3 cleanhlp;cleanhlp;c:\eek\Run\cleanhlp32.sys [2014-03-16 50200]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-21 108032]
R3 massfilter_hs;HS HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2012-06-20 17672]
R3 MAUSBFASTTRACK;Service for M-Audio FastTrack;c:\windows\system32\DRIVERS\MAudioFastTrack.sys [2009-10-02 158344]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-08-05 750592]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-12-04 14848]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-12-04 49664]
R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-07 1343400]
S0 TWZDISK;TWZDISK;c:\windows\system32\Drivers\TWZDISK.sys [2014-01-08 66704]
S1 TWZFILE;TWZFILE;c:\windows\system32\Drivers\TWZFILE.sys [2014-01-08 33040]
S2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [2014-03-11 241728]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2013-03-01 36600]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
FF - ProfilePath - c:\users\RDJ\AppData\Roaming\Mozilla\Firefox\Profiles\4miak4g6.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.ixquick.com
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-14623957.sys
SafeBoot-73663129.sys
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TrueSight]
"ImagePath"="\??\"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-26  15:16:28
ComboFix-quarantined-files.txt  2014-05-26 19:16
ComboFix2.txt  2013-12-18 14:57
ComboFix3.txt  2013-12-17 17:00
ComboFix4.txt  2013-12-10 21:14
ComboFix5.txt  2014-05-26 18:54
.
Pre-Run: 174,282,518,528 bytes free
Post-Run: 174,180,622,336 bytes free
.
- - End Of File - - DDDD77F699E773C7B1AE73BEBB6D130B
A36C5E4F47E84449FF07ED3517B43A31
 

This was the OTL Fix I created:

 

:Services
:Processes
KILLALLPROCESSES
:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
IE - HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
:Files

echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[CreateRestorePoint]
[emptytemp]
[EMPTYFLASH]
[EMPTYJAVA]

 

Including Bing was a mistake; I don't use IE anyway, so not a major mistake. :o
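The ComboFix excerpt above records UAC fully switched off (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0) and one HKLM Run entry launching from the user's Downloads folder. As an added example, not code from the original post, from ComboFix or from any other tool named in this thread, here is a small Python triage script that parses a ComboFix "Reg Loading Points" block in the line format shown above and reports exactly those two things. It assumes that line layout, uses sample lines copied from the log above as constructed input, and compares the UAC values against the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1).

```python
"""Offline triage of a ComboFix "Reg Loading Points" block.

Added example for this thread; not code from the original post, from
ComboFix, or from any tool mentioned in it. It parses the registry block
the way ComboFix prints it (key in square brackets, then "name"=data lines)
and applies two checks a responder normally does by eye: UAC posture and
autorun entries that point into user-writable locations.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
QUOTED_RE = re.compile(r'^"([^"]*)"')

# Registry key (lower-cased) that ComboFix prints the UAC policy values under.
UAC_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\system'
# Windows 7 defaults with UAC on; used when a value is absent from the log.
UAC_DEFAULTS = {'EnableLUA': 1, 'ConsentPromptBehaviorAdmin': 5, 'PromptOnSecureDesktop': 1}
RUN_KEY_SUFFIX = r'\microsoft\windows\currentversion\run'
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\')

# Constructed sample: lines copied from the ComboFix log quoted in the post above.
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolwizTimeFreeze"="c:\program files\Toolwiz Time Freeze 2014\ToolwizTimeFreeze.exe" [2014-01-08 1662224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 857648]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"RandMAC"="c:\users\RDJ\Downloads\MadMACs2.0\MadMACs2.0\MadMACs.exe" [2012-12-26 379769]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"""


def parse_loading_points(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key (lower-cased): {value name: data}}.

    Quoted data (a command line) is kept as the string inside the quotes;
    numeric data such as `0 (0x0)` becomes the int 0."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if current is None or not value_match:
            continue
        name, rest = value_match.group(1), value_match.group(2)
        quoted = QUOTED_RE.match(rest)
        if quoted:
            keys[current][name] = quoted.group(1)
        else:
            try:
                keys[current][name] = int(rest.split()[0])
            except (IndexError, ValueError):
                keys[current][name] = rest
    return keys


def assess_uac(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """One finding per UAC value set to its weakest setting (0)."""
    policy = keys.get(UAC_KEY, {})
    findings = []
    if policy.get('EnableLUA', UAC_DEFAULTS['EnableLUA']) == 0:
        findings.append('EnableLUA=0: UAC is off; an admin logon runs everything fully elevated')
    if policy.get('ConsentPromptBehaviorAdmin', UAC_DEFAULTS['ConsentPromptBehaviorAdmin']) == 0:
        findings.append('ConsentPromptBehaviorAdmin=0: elevation is granted without any prompt')
    if policy.get('PromptOnSecureDesktop', UAC_DEFAULTS['PromptOnSecureDesktop']) == 0:
        findings.append('PromptOnSecureDesktop=0: elevation prompts are shown on the normal desktop')
    return findings


def suspicious_autoruns(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(value name, command, reason) for Run entries worth a second look.

    An unqualified file name is resolved by a PATH search at logon, and a
    binary under a user profile can be replaced without admin rights; either
    deserves a look but is not by itself proof of malware."""
    hits = []
    for key, values in keys.items():
        if not key.endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            if not isinstance(data, str):
                continue
            lowered = data.lower()
            if '\\' not in lowered:
                hits.append((name, data, 'unqualified path, resolved by PATH search at logon'))
            elif any(marker in lowered for marker in USER_WRITABLE):
                hits.append((name, data, 'executable lives under a user-writable profile directory'))
    return hits


if __name__ == '__main__':
    parsed = parse_loading_points(SAMPLE)
    for finding in assess_uac(parsed):
        print('UAC:', finding)
    for name, command, reason in suspicious_autoruns(parsed):
        print(f'Run "{name}" -> {command}: {reason}')
```

A flagged Run entry is a lead, not a verdict: the RandMAC hit in this log is the MadMACs MAC-address randomizer sitting in the user's Downloads folder, the kind of entry a responder confirms with the owner rather than deletes, and the unqualified `stsystra.exe` is resolved (per the FRST log later in the thread) to C:\Windows\stsystra.exe. The three UAC findings are a plain weakness regardless of what caused them: with EnableLUA=0, anything that runs as the logged-on administrator already has full control of the machine, so restoring the defaults belongs on the list once the system is clean.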




 


#2 nasdaq
  • Malware Response Team
  • 38,753 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 17 June 2014 - 07:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please run these tools in the order listed.

--RogueKiller--
  • Download & SAVE to your Desktop: For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows, then:
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

#3 Dairy-oh
  • Topic Starter
  • Members
  • 31 posts

Posted 17 June 2014 - 12:49 PM

Logs:

RogueKiller V9.0.3.0 [Jun 17 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : RDJ [Admin rights]
Mode : Remove -- Date : 06/17/2014  13:07:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 22 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> DELETED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MFE_RR -> DELETED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 10.0.5.73  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 8.8.8.8 10.0.5.73  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 64.89.70.2 64.89.74.2  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{40D84BA5-550F-4B8A-9052-283AA2BA5090} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{73791434-C003-46E2-8031-51415F4C204E} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAE14767-CD91-4E22-B1C9-F149E893C2C9} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EF54476A-55A7-47B2-AEF3-E16F97E88643} | DhcpNameServer : 8.8.8.8 10.0.5.73  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{40D84BA5-550F-4B8A-9052-283AA2BA5090} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{73791434-C003-46E2-8031-51415F4C204E} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{AAE14767-CD91-4E22-B1C9-F149E893C2C9} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EF54476A-55A7-47B2-AEF3-E16F97E88643} | DhcpNameServer : 8.8.8.8 10.0.5.73  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{40D84BA5-550F-4B8A-9052-283AA2BA5090} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{73791434-C003-46E2-8031-51415F4C204E} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{AAE14767-CD91-4E22-B1C9-F149E893C2C9} | DhcpNameServer : 156.154.70.1 156.154.71.1  -> REPLACED ()
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{EF54476A-55A7-47B2-AEF3-E16F97E88643} | DhcpNameServer : 64.89.70.2 64.89.74.2  -> REPLACED ()
[PUM.Policies] HKEY_USERS\S-1-5-21-2921164733-1426984066-1024815038-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | disableregistrytools : 0  -> DELETED

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\{1389884A-3E43-437D-8D52-DF2D0F2EB743} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\RDJ\Desktop\Rollbackv102\Setup.exe" -d "C:\Users\RDJ\Desktop\Rollbackv102") -> DELETED
[Suspicious.Path] \\{EEE2C1A2-D373-4B5C-9E72-235EB4E89902} -- C:\Windows\system32\pcalua.exe (-a "C:\Program Files\AVG\AVG10\avgmfapx.exe" -d C:\Windows\system32 -c /AppMode=DOWNLOADMANAGER /SummerUpdate /PackageType=Free /ProductType=Free) -> DELETED

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 3 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] ÿþ1
[C:\Windows\System32\drivers\etc\hosts]
[C:\Windows\System32\drivers\etc\hosts]

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEVT-00ZCT0 ATA Device +++++
--- User ---
[MBR] ae5d59eeebc72509e59131ce2e4c2028
[BSP] e30bae8907473c7b74f7843130d22593 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB
User = LL1 ... OK
User = LL2 ... OK



============================================
RKreport_SCN_06172014_130525.log

 

 

# AdwCleaner v3.212 - Report created 17/06/2014 at 13:17:56
# Updated 05/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : RDJ - accelerometers
# Running from : C:\Users\RDJ\Desktop\adwcleaner_3.212.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1EC9510D-A439-4950-9399-B6399EDF9EA7}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521


-\\ Mozilla Firefox v30.0 (en-US)

[ File : C:\Users\RDJ\AppData\Roaming\Mozilla\Firefox\Profiles\mr25hvwc.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [7341 octets] - [17/12/2013 11:06:39]
AdwCleaner[R1].txt - [1096 octets] - [14/02/2014 09:36:49]
AdwCleaner[R2].txt - [1187 octets] - [17/06/2014 13:14:52]
AdwCleaner[S0].txt - [6744 octets] - [17/12/2013 11:09:29]
AdwCleaner[S1].txt - [1164 octets] - [14/02/2014 09:40:30]
AdwCleaner[S2].txt - [1115 octets] - [17/06/2014 13:17:56]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1175 octets] ##########

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:16-06-2014
Ran by RDJ (administrator) on anciently on 17-06-2014 13:24:42
Running from C:\Users\RDJ\Desktop\cleaning
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Avid Technology, Inc..) C:\Program Files\Digidesign\Drivers\MMERefresh.exe
(Foxit Corporation) C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Toolwiz) C:\Program Files\Toolwiz Time Freeze 2014\ToolwizTimeFreeze.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Farbar) C:\Users\RDJ\Desktop\cleaning\FRST_6-17-14.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [857648 2007-04-27] (Synaptics, Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\Windows\stsystra.exe [303104 2007-02-19] (SigmaTel, Inc.)
HKLM\...\Run: [XArp] => C:\Program Files\XArp\xarp.exe [10413568 2011-04-01] (www.chrismc.de)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [RandMAC] => C:\Users\RDJ\Downloads\MadMACs2.0\MadMACs2.0\MadMACs.exe [379769 2012-12-25] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\...\Run: [ToolwizTimeFreeze] => C:\Program Files\Toolwiz Time Freeze 2014\ToolwizTimeFreeze.exe [1662224 2014-01-07] (Toolwiz)
HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2921164733-1426984066-1024815038-1001\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
GroupPolicyUsers\S-1-5-21-2921164733-1426984066-1024815038-1003\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 10.0.5.73

FireFox:
========
FF ProfilePath: C:\Users\RDJ\AppData\Roaming\Mozilla\Firefox\Profiles\mr25hvwc.default
FF Homepage: https://www.ixquick.com
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Plugin HKCU: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf - C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)
FF Extension: YouTube Video and Audio Downloader - C:\Users\RDJ\AppData\Roaming\Mozilla\Firefox\Profiles\mr25hvwc.default\Extensions\feca4b87-3be4-43da-a1b1-137c24220968@jetpack.xpi [2014-06-11]
FF Extension: Adblock Plus - C:\Users\RDJ\AppData\Roaming\Mozilla\Firefox\Profiles\mr25hvwc.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-06-11]

========================== Services (Whitelisted) =================

R2 DigiRefresh; C:\Program Files\Digidesign\Drivers\MMERefresh.exe [77824 2010-06-24] (Avid Technology, Inc..) [File not signed]
R2 FoxitCloudUpdateService; C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [241728 2014-03-11] (Foxit Corporation)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

==================== Drivers (Whitelisted) ====================

S3 cleanhlp; C:\EEK\Run\cleanhlp32.sys [50200 2014-03-16] (Emsisoft GmbH)
R3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [209152 2006-11-02] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [989696 2006-11-02] (Conexant Systems, Inc.)
S3 MAUSBFASTTRACK; C:\Windows\System32\DRIVERS\MAudioFastTrack.sys [158344 2009-10-02] (Avid Technology, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [750592 2009-08-05] (Ralink Technology Corp.)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R3 STHDA; C:\Windows\System32\drivers\sthda.sys [1228296 2007-02-19] (SigmaTel, Inc.)
R0 TWZDISK; C:\Windows\System32\Drivers\TWZDISK.sys [66704 2014-01-07] (Toolwiz.com)
R1 TWZFILE; C:\Windows\system32\Drivers\TWZFILE.sys [33040 2014-01-07] (Toolwiz.com)
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-17 13:24 - 2014-06-17 13:24 - 00000000 ___DC () C:\FRST
2014-06-17 13:23 - 2014-06-17 13:24 - 00000000 ___DC () C:\Users\RDJ\Desktop\cleaning
2014-06-17 13:12 - 2014-06-17 13:22 - 00006294 ____C () C:\Users\RDJ\Desktop\bleepingcomputerpost_6-17-14.txt
2014-06-17 12:58 - 2014-06-17 12:58 - 00026624 ____C () C:\Windows\system32\Drivers\TrueSight.sys
2014-06-17 12:58 - 2014-06-17 12:58 - 00000000 ___DC () C:\ProgramData\RogueKiller
2014-06-17 11:08 - 2014-06-17 11:08 - 00002667 ____C () C:\Users\RDJ\Desktop\malware response_6-17-14.txt
2014-06-17 11:01 - 2014-06-17 11:02 - 01333465 ____C () C:\Users\RDJ\Desktop\adwcleaner_3.212.exe
2014-06-17 10:59 - 2014-06-17 11:01 - 04707328 ____C () C:\Users\RDJ\Desktop\RogueKiller_6-17-14.exe
2014-06-17 10:55 - 2014-06-17 10:57 - 04161050 ____C () C:\Users\RDJ\Desktop\tdsskiller.zip
2014-06-17 10:55 - 2014-06-17 10:55 - 00380416 ____C () C:\Users\RDJ\Downloads\quxjbjwr.exe
2014-06-13 10:37 - 2014-06-13 10:39 - 00000000 ___DC () C:\Users\RDJ\Desktop\clean help
2014-06-13 09:36 - 2014-06-13 09:36 - 00001135 ____C () C:\Users\Public\Desktop\Xiphos.lnk
2014-06-13 09:36 - 2014-06-13 09:36 - 00000000 ___DC () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xiphos
2014-06-11 13:54 - 2014-06-11 13:54 - 00001121 ____C () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-06-11 13:54 - 2014-06-11 13:54 - 00001109 ____C () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-06-11 13:54 - 2014-06-11 13:54 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\Mozilla
2014-06-11 13:54 - 2014-06-11 13:54 - 00000000 ___DC () C:\Program Files\Mozilla Firefox
2014-06-07 10:59 - 2014-06-07 10:59 - 00011322 ____C () C:\Users\RDJ\Downloads\The 39 Prohibited Sabbath Activities.htm
2014-06-07 10:59 - 2014-06-07 10:59 - 00000000 ___DC () C:\Users\RDJ\Downloads\The 39 Prohibited Sabbath Activities_files
2014-06-03 23:50 - 2014-06-03 23:50 - 00001050 ____C () C:\Users\RDJ\Desktop\raised bed job.txt
2014-06-03 17:46 - 2014-06-03 17:46 - 00001175 ____C () C:\Users\Public\Desktop\PDF-Viewer.lnk
2014-06-03 17:46 - 2014-06-03 17:46 - 00000000 ___DC () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF-XChange PDF Viewer
2014-06-03 17:45 - 2014-06-03 17:46 - 00000000 ___DC () C:\Program Files\Tracker Software
2014-06-02 11:08 - 2014-06-02 11:08 - 00011732 ____C () C:\Users\RDJ\Downloads\SPORTSTER PRICE ON A BIG BOY BIKE.htm
2014-06-02 11:08 - 2014-06-02 11:08 - 00000000 ___DC () C:\Users\RDJ\Downloads\SPORTSTER PRICE ON A BIG BOY BIKE_files
2014-05-31 15:23 - 2014-05-31 15:23 - 00131017 ____C () C:\Users\RDJ\Downloads\46743-5-acre-abundance-on-a-budget.htm
2014-05-30 17:29 - 2014-05-30 19:54 - 00004182 ____C () C:\Users\RDJ\Desktop\loveYehovah.txt
2014-05-29 16:41 - 2014-05-29 16:41 - 00000123 ____C () C:\Users\RDJ\Documents\apaertment.txt
2014-05-28 16:50 - 2014-05-28 16:52 - 04165472 ____C (Kaspersky Lab ZAO) C:\Users\RDJ\Desktop\servicehost.exe
2014-05-28 16:42 - 2014-05-28 16:42 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\FixZeroAccess
2014-05-28 16:39 - 2014-05-28 16:39 - 01805736 ____C (Symantec Corporation) C:\Users\RDJ\Desktop\FixZeroAccess.exe
2014-05-27 14:42 - 2014-05-27 14:42 - 00002908 ____C () C:\HitmanPro_20140527_1442.log
2014-05-27 14:13 - 2014-06-11 11:47 - 00217664 ____C () C:\Users\RDJ\AppData\Local\GDIPFONTCACHEV1.DAT
2014-05-26 20:18 - 2014-05-26 20:18 - 00000000 ___DC () C:\Users\RDJ\Downloads\mbam-chameleon-1.62.1.1000
2014-05-26 19:32 - 2014-05-26 19:32 - 01440846 ____C () C:\Users\RDJ\Downloads\mbam-chameleon-1.62.1.1000.zip
2014-05-26 19:30 - 2014-05-26 19:30 - 00067655 ____C () C:\Users\RDJ\Downloads\Remove Trojan ZeroAccess virus (Removal Guide).htm
2014-05-26 19:30 - 2014-05-26 19:30 - 00000000 ___DC () C:\Users\RDJ\Downloads\Remove Trojan ZeroAccess virus (Removal Guide)_files
2014-05-26 19:26 - 2014-05-26 19:26 - 00934376 ____C () C:\Users\RDJ\Downloads\HashTab v5.1.0.23 Setup.exe
2014-05-26 18:53 - 2014-05-26 20:16 - 2564476928 ____C () C:\Users\RDJ\Downloads\a2-X17-59463.iso
2014-05-26 18:47 - 2014-05-26 18:47 - 01350808 ____C (Torch Media, Inc) C:\Users\RDJ\Downloads\TorchSetup-r0-n-bu.exe
2014-05-26 17:56 - 2014-05-26 18:09 - 00000000 ___DC () C:\Users\RDJ\Desktop\RK_Quarantine
2014-05-26 17:55 - 2014-05-26 17:55 - 03972608 ____C () C:\Users\RDJ\Desktop\RogueKiller.exe
2014-05-26 17:43 - 2014-05-26 17:43 - 00782584 ____C (McAfee, Inc.) C:\Users\RDJ\Desktop\rootkitremover.exe
2014-05-26 15:43 - 2014-05-26 15:43 - 00000512 ____C () C:\Users\RDJ\Desktop\MBR.dat
2014-05-26 15:40 - 2014-05-26 15:40 - 04745728 ____C (AVAST Software) C:\Users\RDJ\Desktop\aswMBR.exe
2014-05-26 15:16 - 2014-05-26 15:16 - 00011316 ____C () C:\ComboFix.txt
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Space Ace\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Public\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Default\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Default User\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Administrator\AppData\Local\temp
2014-05-26 11:22 - 2014-05-26 11:22 - 00602112 ____C (OldTimer Tools) C:\Users\RDJ\Desktop\OTL.exe
2014-05-26 11:12 - 2014-05-26 11:12 - 01056256 ____C (Farbar) C:\Users\RDJ\Desktop\FRST.exe
2014-05-22 16:15 - 2014-05-22 16:15 - 00335911 ____C () C:\Users\RDJ\Downloads\Careers.htm
2014-05-22 16:15 - 2014-05-22 16:15 - 00000000 ___DC () C:\Users\RDJ\Downloads\Careers_files
2014-05-21 15:49 - 2014-05-21 18:45 - 2564476928 ____C () C:\Users\RDJ\Downloads\X17-59463.iso
2014-05-20 09:00 - 2014-05-20 09:00 - 00692400 ____C (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-05-20 09:00 - 2014-05-20 09:00 - 00070832 ____C (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-05-20 07:59 - 2014-05-20 07:59 - 00000000 ___DC () C:\Users\RDJ\Downloads\fp_13.0.0.214_archive
2014-05-19 14:27 - 2014-05-19 14:30 - 156322827 ____C () C:\Users\RDJ\Downloads\fp_13.0.0.214_archive.zip
2014-05-18 15:55 - 2014-05-18 15:38 - 00016687 ____C () C:\Users\RDJ\Documents\genesis-3-24.doc_0.odt

==================== One Month Modified Files and Folders =======

2014-06-17 13:25 - 2013-12-10 16:09 - 00000000 ___DC () C:\Users\RDJ\AppData\Local\temp
2014-06-17 13:24 - 2014-06-17 13:24 - 00000000 ___DC () C:\FRST
2014-06-17 13:24 - 2014-06-17 13:23 - 00000000 ___DC () C:\Users\RDJ\Desktop\cleaning
2014-06-17 13:23 - 2010-08-06 16:58 - 01946721 ____C () C:\Windows\WindowsUpdate.log
2014-06-17 13:22 - 2014-06-17 13:12 - 00006294 ____C () C:\Users\RDJ\Desktop\bleepingcomputerpost_6-17-14.txt
2014-06-17 13:20 - 2013-12-23 16:08 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\xarp-RDJ
2014-06-17 13:19 - 2014-03-22 20:23 - 00002262 ____C () C:\Windows\PFRO.log
2014-06-17 13:19 - 2014-03-18 18:54 - 00011256 ____C () C:\Windows\setupact.log
2014-06-17 13:19 - 2009-07-14 00:53 - 00000006 ___HC () C:\Windows\Tasks\SA.DAT
2014-06-17 13:17 - 2013-12-17 11:06 - 00000000 ___DC () C:\AdwCleaner
2014-06-17 12:59 - 2009-07-14 00:34 - 00022592 ___HC () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-17 12:59 - 2009-07-14 00:34 - 00022592 ___HC () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-17 12:58 - 2014-06-17 12:58 - 00026624 ____C () C:\Windows\system32\Drivers\TrueSight.sys
2014-06-17 12:58 - 2014-06-17 12:58 - 00000000 ___DC () C:\ProgramData\RogueKiller
2014-06-17 11:08 - 2014-06-17 11:08 - 00002667 ____C () C:\Users\RDJ\Desktop\malware response_6-17-14.txt
2014-06-17 11:02 - 2014-06-17 11:01 - 01333465 ____C () C:\Users\RDJ\Desktop\adwcleaner_3.212.exe
2014-06-17 11:01 - 2014-06-17 10:59 - 04707328 ____C () C:\Users\RDJ\Desktop\RogueKiller_6-17-14.exe
2014-06-17 10:57 - 2014-06-17 10:55 - 04161050 ____C () C:\Users\RDJ\Desktop\tdsskiller.zip
2014-06-17 10:55 - 2014-06-17 10:55 - 00380416 ____C () C:\Users\RDJ\Downloads\quxjbjwr.exe
2014-06-13 19:56 - 2014-05-08 10:37 - 00000000 ___DC () C:\Users\RDJ\Desktop\Office
2014-06-13 19:08 - 2010-08-06 16:25 - 00782470 ____C () C:\Windows\system32\PerfStringBackup.INI
2014-06-13 10:39 - 2014-06-13 10:37 - 00000000 ___DC () C:\Users\RDJ\Desktop\clean help
2014-06-13 10:09 - 2013-11-21 15:40 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\.xiphos
2014-06-13 09:36 - 2014-06-13 09:36 - 00001135 ____C () C:\Users\Public\Desktop\Xiphos.lnk
2014-06-13 09:36 - 2014-06-13 09:36 - 00000000 ___DC () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xiphos
2014-06-13 09:35 - 2013-11-21 15:35 - 00000000 ___DC () C:\Program Files\CrossWire
2014-06-11 13:54 - 2014-06-11 13:54 - 00001121 ____C () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-06-11 13:54 - 2014-06-11 13:54 - 00001109 ____C () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-06-11 13:54 - 2014-06-11 13:54 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\Mozilla
2014-06-11 13:54 - 2014-06-11 13:54 - 00000000 ___DC () C:\Program Files\Mozilla Firefox
2014-06-11 12:39 - 2009-07-13 22:37 - 00000000 ___DC () C:\Windows\Microsoft.NET
2014-06-11 11:47 - 2014-05-27 14:13 - 00217664 ____C () C:\Users\RDJ\AppData\Local\GDIPFONTCACHEV1.DAT
2014-06-11 11:46 - 2014-03-18 18:54 - 00757344 ____C () C:\Windows\system32\FNTCACHE.DAT
2014-06-11 11:42 - 2014-02-20 13:18 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\OpenOffice
2014-06-07 10:59 - 2014-06-07 10:59 - 00011322 ____C () C:\Users\RDJ\Downloads\The 39 Prohibited Sabbath Activities.htm
2014-06-07 10:59 - 2014-06-07 10:59 - 00000000 ___DC () C:\Users\RDJ\Downloads\The 39 Prohibited Sabbath Activities_files
2014-06-06 16:01 - 2013-11-05 10:49 - 00000000 ___DC () C:\Windows\system32\MRT
2014-06-06 15:52 - 2010-08-16 01:37 - 90547776 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-03 23:50 - 2014-06-03 23:50 - 00001050 ____C () C:\Users\RDJ\Desktop\raised bed job.txt
2014-06-03 17:46 - 2014-06-03 17:46 - 00001175 ____C () C:\Users\Public\Desktop\PDF-Viewer.lnk
2014-06-03 17:46 - 2014-06-03 17:46 - 00000000 ___DC () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF-XChange PDF Viewer
2014-06-03 17:46 - 2014-06-03 17:45 - 00000000 ___DC () C:\Program Files\Tracker Software
2014-06-02 11:08 - 2014-06-02 11:08 - 00011732 ____C () C:\Users\RDJ\Downloads\SPORTSTER PRICE ON A BIG BOY BIKE.htm
2014-06-02 11:08 - 2014-06-02 11:08 - 00000000 ___DC () C:\Users\RDJ\Downloads\SPORTSTER PRICE ON A BIG BOY BIKE_files
2014-05-31 16:53 - 2014-02-22 14:44 - 00000000 ___DC () C:\Users\RDJ\dwhelper
2014-05-31 15:23 - 2014-05-31 15:23 - 00131017 ____C () C:\Users\RDJ\Downloads\46743-5-acre-abundance-on-a-budget.htm
2014-05-30 19:54 - 2014-05-30 17:29 - 00004182 ____C () C:\Users\RDJ\Desktop\loveYehovah.txt
2014-05-29 16:41 - 2014-05-29 16:41 - 00000123 ____C () C:\Users\RDJ\Documents\apaertment.txt
2014-05-28 17:04 - 2013-12-08 22:51 - 00000000 ___DC () C:\Windows\erdnt
2014-05-28 16:52 - 2014-05-28 16:50 - 04165472 ____C (Kaspersky Lab ZAO) C:\Users\RDJ\Desktop\servicehost.exe
2014-05-28 16:45 - 2009-07-13 22:37 - 00000000 ___DC () C:\Windows\system32\LogFiles
2014-05-28 16:42 - 2014-05-28 16:42 - 00000000 ___DC () C:\Users\RDJ\AppData\Roaming\FixZeroAccess
2014-05-28 16:39 - 2014-05-28 16:39 - 01805736 ____C (Symantec Corporation) C:\Users\RDJ\Desktop\FixZeroAccess.exe
2014-05-27 14:42 - 2014-05-27 14:42 - 00002908 ____C () C:\HitmanPro_20140527_1442.log
2014-05-27 14:19 - 2014-01-17 17:40 - 00000000 ___DC () C:\Users\RDJ\AppData\Local\CrashDumps
2014-05-26 20:18 - 2014-05-26 20:18 - 00000000 ___DC () C:\Users\RDJ\Downloads\mbam-chameleon-1.62.1.1000
2014-05-26 20:16 - 2014-05-26 18:53 - 2564476928 ____C () C:\Users\RDJ\Downloads\a2-X17-59463.iso
2014-05-26 19:32 - 2014-05-26 19:32 - 01440846 ____C () C:\Users\RDJ\Downloads\mbam-chameleon-1.62.1.1000.zip
2014-05-26 19:30 - 2014-05-26 19:30 - 00067655 ____C () C:\Users\RDJ\Downloads\Remove Trojan ZeroAccess virus (Removal Guide).htm
2014-05-26 19:30 - 2014-05-26 19:30 - 00000000 ___DC () C:\Users\RDJ\Downloads\Remove Trojan ZeroAccess virus (Removal Guide)_files
2014-05-26 19:26 - 2014-05-26 19:26 - 00934376 ____C () C:\Users\RDJ\Downloads\HashTab v5.1.0.23 Setup.exe
2014-05-26 18:47 - 2014-05-26 18:47 - 01350808 ____C (Torch Media, Inc) C:\Users\RDJ\Downloads\TorchSetup-r0-n-bu.exe
2014-05-26 18:09 - 2014-05-26 17:56 - 00000000 ___DC () C:\Users\RDJ\Desktop\RK_Quarantine
2014-05-26 17:55 - 2014-05-26 17:55 - 03972608 ____C () C:\Users\RDJ\Desktop\RogueKiller.exe
2014-05-26 17:43 - 2014-05-26 17:43 - 00782584 ____C (McAfee, Inc.) C:\Users\RDJ\Desktop\rootkitremover.exe
2014-05-26 15:43 - 2014-05-26 15:43 - 00000512 ____C () C:\Users\RDJ\Desktop\MBR.dat
2014-05-26 15:40 - 2014-05-26 15:40 - 04745728 ____C (AVAST Software) C:\Users\RDJ\Desktop\aswMBR.exe
2014-05-26 15:16 - 2014-05-26 15:16 - 00011316 ____C () C:\ComboFix.txt
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Space Ace\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Public\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Default\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Default User\AppData\Local\temp
2014-05-26 15:16 - 2014-05-26 15:16 - 00000000 ___DC () C:\Users\Administrator\AppData\Local\temp
2014-05-26 15:12 - 2009-07-13 22:04 - 00000273 ____C () C:\Windows\system.ini
2014-05-26 11:22 - 2014-05-26 11:22 - 00602112 ____C (OldTimer Tools) C:\Users\RDJ\Desktop\OTL.exe
2014-05-26 11:12 - 2014-05-26 11:12 - 01056256 ____C (Farbar) C:\Users\RDJ\Desktop\FRST.exe
2014-05-22 16:15 - 2014-05-22 16:15 - 00335911 ____C () C:\Users\RDJ\Downloads\Careers.htm
2014-05-22 16:15 - 2014-05-22 16:15 - 00000000 ___DC () C:\Users\RDJ\Downloads\Careers_files
2014-05-21 18:45 - 2014-05-21 15:49 - 2564476928 ____C () C:\Users\RDJ\Downloads\X17-59463.iso
2014-05-20 09:00 - 2014-05-20 09:00 - 00692400 ____C (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-05-20 09:00 - 2014-05-20 09:00 - 00070832 ____C (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-05-20 07:59 - 2014-05-20 07:59 - 00000000 ___DC () C:\Users\RDJ\Downloads\fp_13.0.0.214_archive
2014-05-19 14:30 - 2014-05-19 14:27 - 156322827 ____C () C:\Users\RDJ\Downloads\fp_13.0.0.214_archive.zip
2014-05-18 15:38 - 2014-05-18 15:55 - 00016687 ____C () C:\Users\RDJ\Documents\genesis-3-24.doc_0.odt

Some content of TEMP:
====================
C:\Users\RDJ\AppData\Local\temp\Foxit Reader Updater.exe
C:\Users\RDJ\AppData\Local\temp\ntdll_dump.dll
C:\Users\RDJ\AppData\Local\temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-06-01 19:59

==================== End Of Log ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:16-06-2014
Ran by RDJ at 2014-06-17 13:25:51
Running from C:\Users\RDJ\Desktop\cleaning
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Disabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Disabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
Adobe Flash Player 13 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 13.0.0.214 - Adobe Systems Incorporated)
AMD Processor Driver (HKLM\...\{C151CE54-E7EA-4804-854B-F515368B0798}) (Version: 1.3.2. - )
Arena 3.0 (HKLM\...\Arena 3.0_is1) (Version:  - )
ASIO4ALL (HKLM\...\ASIO4ALL) (Version:  - )
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1016 - )
Avid Pro Tools SE 8.0.3 (HKLM\...\{371F27A1-9502-4762-AE97-1C1938B21055}) (Version: 8.0.3 - Digidesign, A Division of Avid Technology, Inc.)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
ConvertHelper 2.2 (HKLM\...\{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1) (Version:  - DownloadHelper)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 9.1.18.6 - Synaptics)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
FL Studio 9 (HKLM\...\FL Studio 9) (Version:  - Image-Line)
Foxit Cloud (HKLM\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 1.3.99.311 - Foxit Corporation)
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 6.2.0.429 - Foxit Corporation)
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
Guitar Pro 6 (HKLM\...\{14A487F2-1259-4E6C-AE3C-3C888DDBCB60}_is1) (Version:  - Arobas Music)
Hardcore (HKLM\...\Hardcore) (Version:  - Image-Line)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.216 - SurfRight B.V.)
IL Download Manager (HKLM\...\IL Download Manager) (Version:  - Image-Line)
Internet TV for Windows Media Center (HKLM\...\{9D318C86-AF4C-409F-A6AC-7183FF4CF424}) (Version: 4.2.2.0 - Microsoft Corporation)
Java 7 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.510 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Jpcap 0.7 (HKLM\...\Jpcap) (Version: 0.7 - Keita Fujii)
Karma (HKLM\...\{7EC1C8C0-1C61-49C0-89F0-454AA905B9EA}) (Version: 11.9.13 - Latshaw Systems)
K-Lite Codec Pack 4.6.2 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 4.6.2 - )
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Age of Empires Gold (HKLM\...\Age of Empires Gold 1.0) (Version:  - )
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 30.0 (x86 en-US) (HKLM\...\Mozilla Firefox 30.0 (x86 en-US)) (Version: 30.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Notepad++ (HKLM\...\Notepad++) (Version: 6.5.4 - Notepad++ Team)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.214.2 - Tracker Software Products Ltd)
PoiZone (HKLM\...\PoiZone) (Version:  - Image-Line)
PowerDVD DX (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.3.5424 - CyberLink Corp.)
Reason 5.0 (HKLM\...\Reason5_is1) (Version: 5.0 - Propellerhead Software AB)
Roxio Creator Audio (Version: 3.7.0 - Roxio) Hidden
Roxio Creator Copy (Version: 3.7.0 - Roxio) Hidden
Roxio Creator Data (Version: 3.7.0 - Roxio) Hidden
Roxio Creator DE (HKLM\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.1 - Roxio)
Roxio Creator DE (Version: 3.7.0 - Roxio) Hidden
Roxio Creator Tools (Version: 3.7.0 - Roxio) Hidden
Roxio Express Labeler 3 (Version: 3.2.1 - Roxio) Hidden
Roxio Update Manager (Version: 6.0.0 - Roxio) Hidden
Sawer (HKLM\...\Sawer) (Version:  - Image-Line)
Scid 4.5.2 (HKCU\...\Scid_is1) (Version: 4.5.2 - The Scid project)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.4820.0 - SigmaTel)
Strawberry Perl (HKLM\...\{C6A30EE4-6CA4-1014-8046-759D36F7176A}) (Version: 5.18.1001 - strawberryperl.com project)
Tarrasch Chess GUI V2.02ar (HKLM\...\Tarrasch Chess GUI_is1) (Version:  - Triple Happy Ltd.)
Toolwiz Time Freeze 2014 (HKLM\...\{3A74D01E-3AEF-4DF4-8404-0056150C97A3}) (Version: 2.2.0.3500 - Toolwiz)
Toxic Biohazard (HKLM\...\Toxic Biohazard) (Version:  - Image-Line)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WinMHR beta 2 (HKLM\...\WinMHR_is1) (Version:  - Team Cymru, Inc.)
WinPcap 4.1.3 (HKLM\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
Wireshark 1.10.5 (32-bit) (HKLM\...\Wireshark) (Version: 1.10.5 - The Wireshark developer community, http://www.wireshark.org)
XArp 2.2.2 (HKLM\...\XArp) (Version: 2.2.2 - Christoph Mayer)
Xiphos (HKLM\...\Xiphos) (Version:  - )

==================== Restore Points  =========================


==================== Hosts content: ==========================

2009-07-13 22:04 - 2014-05-26 12:40 - 00000098 ___AC C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1       localhost

==================== Scheduled Tasks (whitelisted) =============


==================== Loaded Modules (whitelisted) =============

2012-06-18 11:24 - 2012-06-18 11:24 - 00260096 ____C () C:\Program Files\Notepad++\NppShell_05.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\19589383.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\19589383.sys => ""="Driver"

==================== EXE Association (whitelisted) =============


==================== MSCONFIG/TASK MANAGER disabled items =========

MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: Microsoft SharePoint Workspace Audit Service => 3
MSCONFIG\Services: RasAuto => 3
MSCONFIG\Services: RasMan => 3
MSCONFIG\startupreg: DigidesignMMERefresh => C:\Program Files\Digidesign\Drivers\MMERefresh.exe
MSCONFIG\startupreg: PDVDDXSrv => "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

==================== Faulty Device Manager Devices =============

Name: WAN Miniport (IKEv2)
Description: WAN Miniport (IKEv2)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: RasAgileVpn
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/17/2014 11:03:57 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/13/2014 10:47:01 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/11/2014 07:45:29 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/09/2014 04:00:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\servicing\TrustedInstaller.exe; Description = Windows Modules Installer; Error = 0x81000101).

Error: (06/09/2014 03:50:34 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/09/2014 03:31:07 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/06/2014 03:42:13 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\servicing\TrustedInstaller.exe; Description = Windows Modules Installer; Error = 0x81000101).

Error: (06/06/2014 03:32:11 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/06/2014 02:54:15 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).

Error: (06/04/2014 05:01:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).


System errors:
=============
Error: (06/17/2014 01:19:39 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/17/2014 00:52:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/17/2014 10:36:51 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/13/2014 06:57:52 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/13/2014 10:25:01 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/13/2014 09:43:35 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.175.1744.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.5.0216.00

    Source Path: 4.5.0216.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (06/13/2014 09:33:10 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/13/2014 07:34:21 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.175.1744.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.5.0216.00

    Source Path: 4.5.0216.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (06/13/2014 07:23:00 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1058

Error: (06/12/2014 08:51:58 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.175.1744.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.5.0216.00

    Source Path: 4.5.0216.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608


Microsoft Office Sessions:
=========================
Error: (06/17/2014 11:03:57 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/13/2014 10:47:01 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/11/2014 07:45:29 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/09/2014 04:00:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x81000101

Error: (06/09/2014 03:50:34 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/09/2014 03:31:07 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/06/2014 03:42:13 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\servicing\TrustedInstaller.exeWindows Modules Installer0x81000101

Error: (06/06/2014 03:32:11 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/06/2014 02:54:15 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101

Error: (06/04/2014 05:01:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: C:\Windows\system32\svchost.exe -k netsvcsWindows Update0x81000101


==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 1918.05 MB
Available physical RAM: 1153.01 MB
Total Pagefile: 3836.09 MB
Available Pagefile: 2905.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1912.22 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:156.53 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: D3120B4D)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

 

Firefox is running better; it loads without "(Not Responding)". ARP attacks: I'll have to check over the next few days to see if there is any improvement.

 

High-Ho,

 

Dairy-oh



#4 nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 June 2014 - 07:08 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
GroupPolicyUsers\S-1-5-21-2921164733-1426984066-1024815038-1003\User: Group Policy restriction detected <======= ATTENTION
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Let me know of any remaining issues with this computer.

#5 Dairy-oh
  • Topic Starter
  • Members
  • 31 posts

Posted 18 June 2014 - 12:30 PM

Log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:16-06-2014
Ran by RDJ at 2014-06-18 12:44:04 Run:1
Running from C:\Users\RDJ\Desktop\cleaning
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
GroupPolicyUsers\S-1-5-21-2921164733-1426984066-1024815038-1003\User: Group Policy restriction detected <======= ATTENTION
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]

End
*****************

C:\Windows\system32\GroupPolicyUsers\S-1-5-21-2921164733-1426984066-1024815038-1003\User => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
'HKCR\PROTOCOLS\Handler\linkscanner' => Key deleted successfully.
'HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}' => Key deleted successfully.
BCM42RLY => Service deleted successfully.
UIUSys => Service deleted successfully.
vmci => Service deleted successfully.
VMnetAdapter => Service deleted successfully.


The system needed a reboot.

==== End of Fixlog ====

 

I was unable to run Security Check: my library has blacklisted the download address, and I get redirected to an internal IP which times out. Is there an alternate download location for Security Check?

 

Firefox doesn't seem to be misbehaving yet, so an improvement.

 

ARP attacks: some weirdness with ARP packets:

XArp 2.2.2

Source IP: 169.254.237.99 --> (link-local)

Dest IP: 17.173.254.222 --> (http://whois.domaintools.com/17.173.254.222)

AS714 APPLE-ENGINEERING - Apple Inc.,US (registered Dec 31, 1969) <--Registering a domain before the internet existed. :lol:

 

iTunes used to be on this PC; I removed it because I don't use Apple stuff.

XArp says I have 86 mappings on 2 interfaces. I'm only using one Wi-Fi adapter, and I believe I disabled Microsoft's virtual adapter.

Could the two-adapter listing by XArp be a MITM attack, where one adapter belongs to me and the second one to the attacker?

 

I'll give Windows update a try to see if there are any update install failures.



#6 nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 June 2014 - 01:28 PM

The Microsoft Windows ARP cache will occasionally become corrupt and need to be cleared.

How to Clear the ARP Cache in Windows 7

ARP cache
http://www.tech-faq.com/clear-arp-cache.shtml

Keep me posted.

===

Mirror site for SecurityCheck.
http://www.bleepingcomputer.com/download/securitycheck/
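As an added example (not part of the thread, and not XArp's or nasdaq's code), the following Python script applies the checks an XArp-style tool makes to a dump of the Windows ARP cache: one MAC answering for several IPs (the classic gateway-impersonation sign), link-local 169.254.x.x neighbours, and public addresses sitting in the cache of a private-addressed interface. The `arp -a` output it parses is constructed sample text; the interfaces, addresses and MACs in it are made up and are not from the poster's machine.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample of Windows `arp -a` output. The interfaces, addresses and
# MACs are made up for this example; none come from the machine in the thread.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.50          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.51          00-11-22-33-44-55     dynamic
  169.254.237.99        de-ad-be-ef-00-01     dynamic
  17.173.254.222        00-11-22-33-44-55     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.137.1 --- 0xd
  Internet Address      Physical Address      Type
  192.168.137.5         aa-bb-cc-dd-ee-02     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# "Interface: <own IPv4> --- 0x<index>" opens each per-adapter table.
IFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+---\s+0x[0-9a-fA-F]+")
# One cache entry: IPv4, dash-separated MAC (Windows style), dynamic/static.
ENTRY_RE = re.compile(
    r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(dynamic|static)\b",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {interface_ip: [(ip, mac, type), ...]} from `arp -a` text."""
    tables = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
            tables[current].append((ip, mac, kind))
    return tables


def analyse_arp_table(tables):
    """Return a list of (kind, interface_ip, ip_or_ips, mac) findings.

    kinds: 'link-local'        a 169.254/16 neighbour (APIPA host, not proof of attack)
           'off-link-public'   a public address cached on a private-addressed interface
           'one-mac-many-ips'  one MAC claims several unicast IPs (spoofing indicator,
                               but also what proxy ARP or a multi-homed host looks like)
    """
    findings = []
    for iface_ip, entries in tables.items():
        iface_addr = ipaddress.ip_address(iface_ip)
        by_mac = defaultdict(list)
        for ip, mac, _kind in entries:
            addr = ipaddress.ip_address(ip)
            # Multicast and broadcast mappings are normal static entries; skip them.
            if addr.is_multicast or ip == "255.255.255.255" or mac == "ff-ff-ff-ff-ff-ff":
                continue
            by_mac[mac].append(ip)
            if addr.is_link_local:
                findings.append(("link-local", iface_ip, ip, mac))
            elif iface_addr.is_private and addr.is_global:
                findings.append(("off-link-public", iface_ip, ip, mac))
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append(("one-mac-many-ips", iface_ip, ",".join(ips), mac))
    return findings


if __name__ == "__main__":
    # Read a real dump from stdin (e.g. `arp -a | python arpcheck.py`), else use the sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    for kind, iface, ip, mac in analyse_arp_table(parse_arp_table(text or SAMPLE_ARP_OUTPUT)):
        print(f"[{kind}] interface {iface}: {ip} -> {mac}")
```

On a real machine the cache is dumped with `arp -a` and, on Windows 7, cleared from an elevated prompt with `netsh interface ip delete arpcache`. A `one-mac-many-ips` hit is a lead, not proof: a router doing proxy ARP or a host with several addresses produces the same pattern, so compare the MAC against the one printed on the router's label or admin page before drawing a conclusion.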

#7 Dairy-oh
  • Topic Starter
  • Members
  • 31 posts

Posted 18 June 2014 - 08:42 PM

Cleared the ARP cache. Wow, that was a big list: every active IP on the network was in my cache, plus a few external IP entries and link-locals.

 

Log:

 

 Results of screen317's Security Check version 0.99.85  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 51  
 Java version out of Date!
  Adobe Flash Player     13.0.0.214 Flash Player out of Date!  
 Mozilla Firefox (30.0)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 17% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 



#8 nasdaq

  • Malware Response Team
  • 38,753 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 June 2014 - 07:40 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u60.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 51

===

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

===

If all is well:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script Blocker can help block many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox add-on;
  • ScriptNo is a popular Google Chrome add-on.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#9 Dairy-oh


Posted 19 June 2014 - 02:11 PM

I would like to uninstall Java but I can't because InstallShield is not working. No .msi executables will run, this includes uninstalling Java.

I would like to install Private Firewall but it requires InstallShield, no .msi's will run.

Can the Windows Update failures be related to .msi's not running?

I don't have discs so installing or repairing from disc isn't an option, can I fix the .msi issue via some other direction?

Updating Flash is not a big deal, I download from the archives their latest versions, except for this time, I've been trying to get my system back in non-infected shape, so have been adhering to the 'Don't run anything unless I tell you' policy. :grinner:

Other Improvements:

Download bandwidth has improved, maybe all those DNS entries in the registry were compromising my surfing ability. It seemed that if I had the network to myself I would get great DL speeds, but the moment one computer joined the network my bandwidth would go down to 1/30th of my bandwidth, i.e. 1 megabit ---> 36 kilobit.

I never thought of checking the registry for rogue DNS data. Could malware authors put the DNS data in hex or decimal form to make it less recognizable when looking through the registry?

High-ho,

Dairy-oh



#10 nasdaq


Posted 20 June 2014 - 06:41 AM

Let's check what is missing.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#11 Dairy-oh


Posted 20 June 2014 - 07:38 AM

Morning,

It seems that Firefox has resumed the (Not Responding) during load up. ADWCleaner cleaned the pref.js, what in pref.js can become corrupted to cause the (Not Responding)? Would a file monitor to watch for pref.js changes be recommended?

I have disabled Java in all browsers for now.

Log:

Farbar Service Scanner Version: 10-06-2014
Ran by RDJ (administrator) on 20-06-2014 at 08:24:46
Running from "C:\Users\RDJ\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed


**** End of log ****
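An added example for readers following along, not part of this thread and not Farbar Service Scanner's own code: a read-only PowerShell 2.0 script that repeats the checks the log above reports (service start types against their defaults and the Windows Defender policy value) and, for the question in post #9 about rogue DNS data in the registry, lists the per-interface static NameServer values. The Dnscache and WinDefend defaults are the ones the log itself states; the defaults assumed for MpsSvc, wuauserv, BITS and wscsvc are Windows 7 defaults and are marked as assumptions in the code.

```powershell
# Added example, not part of this thread or of Farbar Service Scanner (FSS):
# a read-only PowerShell 2.0 check that mirrors the sections of the FSS log above.
# Dnscache and WinDefend defaults come from the log's own "default start type is
# Auto" lines; the other entries are assumed Windows 7 defaults.
$ExpectedStart = @{
    'Dnscache'  = 'Auto'   # DNS Client (the log shows it set to Disabled)
    'WinDefend' = 'Auto'   # Windows Defender (the log's "Demand" is WMI "Manual")
    'MpsSvc'    = 'Auto'   # Windows Firewall (assumed default)
    'wuauserv'  = 'Auto'   # Windows Update (assumed default)
    'BITS'      = 'Auto'   # Background Intelligent Transfer Service (assumed default)
    'wscsvc'    = 'Auto'   # Security Center (assumed default)
}

foreach ($name in $ExpectedStart.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { "$name : service is MISSING"; continue }
    # Win32_Service.StartMode is 'Auto', 'Manual' or 'Disabled'
    if ($svc.StartMode -ne $ExpectedStart[$name]) {
        "$name : start type is $($svc.StartMode), default is $($ExpectedStart[$name]), state $($svc.State)"
    }
}

# The log's "Windows Defender Disabled Policy" section is this single registry value.
$defKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$def = Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
    "Windows Defender is disabled by policy: $defKey\DisableAntiSpyware = 1"
}

# Post #9 asked about rogue DNS data in the registry. A static NameServer value on an
# interface overrides what DHCP hands out, so list every one that is set and compare
# it with the resolver you expect (your router or ISP); no output means DHCP only.
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.NameServer) {
        "$($_.PSChildName) : static NameServer = $($p.NameServer); DHCP gave $($p.DhcpNameServer)"
    }
}
```

Run it from an elevated PowerShell prompt; it changes nothing, so a disabled service or a set policy value still has to be investigated and corrected separately.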



#12 nasdaq


Posted 20 June 2014 - 08:51 AM


ADWCleaner cleaned the pref.js, what in pref.js can become corrupted to cause the (Not Responding)?

Can you see in the AdwCleaner log what has been removed?
===

Read the instructions on this Microsoft page and run the Windows installer.

Windows Installer 3.1
http://www.microsoft.com/en-ca/download/details.aspx?id=25

Try to update windows.

Keep me posted.

#13 Dairy-oh


Posted 20 June 2014 - 03:23 PM

 

ADWCleaner cleaned the pref.js, what in pref.js can become corrupted to cause the (Not Responding)?

Can you see in the AdwCleaner log what has been removed?
===

Read the instructions on this Microsoft page and run the Windows installer.

Windows Installer 3.1
http://www.microsoft.com/en-ca/download/details.aspx?id=25

Try to update windows.

Keep me posted.

 

 

ADWCleaner either deleted the prefs.js or reset it to the default I would assume, so there are not any specific items listed from within the log file.

I can't run the Windows Installer 3.1, error message: 'Not enough storage space to process this command'.

    I followed recommendations to modify or add 'IRPStackSize' in the registry, it did not fix the issue.

    I tried the recommendation to do a 'startup repair' through the F8 key, message stated, 'No problems found'.

The file name says x86 so I think it is not an x64 file. Not sure what the dillio is.

Dairy-oh



#14 nasdaq


Posted 21 June 2014 - 05:30 AM

Uninstaller of old Java versions.
To be used if the Add/Remove Programs applet does not work properly.
This link http://java.com/en/download/uninstallapplet.jsp will check your Java version. After the check, it offers a tool to uninstall old versions.

Keep me posted.

#15 Dairy-oh


Posted 21 June 2014 - 01:01 PM

We are developing into an infinite loop, escape \n

 

#!/usr/bin/perl
use strict;
use warnings;

# To use the Java uninstall tool you must have the latest version of Java installed.
my %state = (
    windows_installer   => 'non-functioning',  # no .msi will run
    installer_reinstall => 'fail',             # 'Not enough storage space to process this command'
    java_installer      => 'hangs',            # needs Windows Installer, see above
);

if ( $state{windows_installer} eq 'non-functioning' ) {
    if ( $state{installer_reinstall} eq 'fail' ) {
        # Reinstalling Windows Installer fails, so the Java installer hangs,
        # and the uninstall tool wants the newest Java installed first: a loop.
        print "Ask somebody for help!\n";
    }
}




