Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

30 dllhosts.exe running. Browser's non-functional


  • This topic is locked This topic is locked
9 replies to this topic

#1 dabassguy1

dabassguy1

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 06 August 2014 - 11:43 AM

I ran across this months ago and tried for days to remove this infection.  I was only successful after posting here.  I have run DDS.com and have attached the Attach.txt file

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16561  BrowserJavaVersion: 1.6.0_31
Run by Cory at 12:24:15 on 2014-08-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3993.2902 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Host Intrusion Prevention Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\mfevtps.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.wintergreenresort.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\9.6\pdfforgeToolbarIE.dll
mWinlogon: Userinit = userinit.exe
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140614030644.dll
BHO: DefaultTab Browser Helper: {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Cartwheel: {B50DF051-E1D4-439C-B94E-F4DE82B56542} - C:\Users\Cory\AppData\Roaming\Cartwheel\Cartwheel.dll
BHO: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\9.6\pdfforgeToolbarIE.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
TB: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\9.6\pdfforgeToolbarIE.dll
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: aceprs.com
Trusted Zone: agencyanywhere.agency.ni.nwie.net
Trusted Zone: agencyanywhere.agency.ni.nwie.net
Trusted Zone: agents.nationwide.com
Trusted Zone: agents.nationwide.com
Trusted Zone: billerweb.com
Trusted Zone: farmersinsurance.com
Trusted Zone: foremoststar.com
Trusted Zone: msbexpress.net
Trusted Zone: nationwide.com
Trusted Zone: nationwide.com
Trusted Zone: onestop.nationwide.com
Trusted Zone: onestop.nationwide.com
Trusted Zone: skilldialogue.com
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillport.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9916D178-71C8-4764-969C-95B9B67A1F76} - hxxps://onestop.nationwide.com/one-stop-web/scan/OneStopScan.CAB
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nationwidenh.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://agents.nationwide.com/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 68.105.28.16 68.105.29.16
TCP: Interfaces\{C0C4C473-169F-4F15-840C-1F1595231468} : DHCPNameServer = 68.105.28.16 68.105.29.16
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: iaklore - C:\Users\Cory\AppData\Local\iaklore.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mSearchAssistant = hxxp://www.google.com/ie
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140614030644.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-TB: pdfforge Toolbar: {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files (x86)\pdfforge Toolbar\IE\9.6\pdfforgeToolbarIE64.dll
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-DPF: {AA570693-00E2-4907-B6F1-60A1199B030C} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
x64-DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
Hosts: 192.168.1.126 EF_SERVER
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.nascar.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=827316&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-9-29 782968]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2012-7-11 344176]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-9-16 55856]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2013-9-24 97768]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\System32\drivers\mfenlfk.sys [2011-8-16 75672]
R1 NEOFLTR_720_21697;Juniper Networks TDI Filter Driver (NEOFLTR_720_21697);C:\Windows\System32\drivers\NEOFLTR_720_21697.SYS [2012-11-15 100728]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-4-8 342528]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2011-9-29 311600]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2013-1-2 481504]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2014-5-8 685672]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 FireNfcp;McAfee Inc. FireNfcp;C:\Windows\System32\drivers\FireNfcp.sys [2013-1-2 48840]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2013-1-2 195024]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-9-29 107032]
S3 netvsc;netvsc;C:\Windows\System32\drivers\netvsc60.sys [2010-11-21 168448]
S3 SynthVid;SynthVid;C:\Windows\System32\drivers\VMBusVideoM.sys [2010-11-21 22528]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
.
=============== Created Last 30 ================
.
2014-08-05 16:38:55 303346 ----a-w- C:\Windows\SysWow64\wyode.exe
2014-08-05 16:38:54 -------- d-----w- C:\Users\Cory\AppData\Roaming\Opboolip
2014-08-05 16:38:51 303346 ----a-w- C:\Windows\SysWow64\zefiev.exe
2014-08-05 16:38:47 -------- d-----w- C:\Users\Cory\AppData\Roaming\Okgovoqi
2014-08-05 16:37:42 159744 ----a-w- C:\Windows\SysWow64\ddodsfc.exe
2014-08-05 16:37:32 23552 ----a-w- C:\Users\Cory\AppData\Local\iaklore.dll
2014-07-31 12:59:06 2620928 ----a-w- C:\Windows\System32\wucltux.dll
2014-07-31 12:58:56 97792 ----a-w- C:\Windows\System32\wudriver.dll
2014-07-31 12:58:56 92672 ----a-w- C:\Windows\SysWow64\wudriver.dll
2014-07-31 12:58:43 36864 ----a-w- C:\Windows\System32\wuapp.exe
2014-07-31 12:58:43 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2014-07-31 12:58:43 198600 ----a-w- C:\Windows\System32\wuwebv.dll
2014-07-31 12:58:43 179656 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2014-07-30 12:54:42 -------- d-----w- C:\Program Files (x86)\Application Updater
2014-07-30 12:54:41 -------- d-----w- C:\Program Files (x86)\pdfforge Toolbar
2014-07-30 12:54:41 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2014-07-09 07:09:50 519168 ----a-w- C:\Windows\System32\aepdu.dll
.
==================== Find3M  ====================
.
2014-07-09 15:55:07 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-09 15:55:07 699056 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-06-30 02:04:49 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-06-18 02:18:30 692736 ----a-w- C:\Windows\System32\osk.exe
2014-06-18 01:51:32 646144 ----a-w- C:\Windows\SysWow64\osk.exe
2014-06-18 01:10:36 3157504 ----a-w- C:\Windows\System32\win32k.sys
2014-06-14 07:05:13 344176 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2014-06-14 07:05:13 185280 ----a-w- C:\Windows\System32\mfevtps.exe
2014-06-14 07:05:12 782968 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2014-06-14 07:05:12 121896 ----a-w- C:\Windows\System32\MfeOtlkAddin.dll
2014-06-14 07:05:12 107032 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2014-06-14 07:05:11 311600 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2014-06-14 07:05:11 180272 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2014-06-14 07:05:11 11208 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2014-06-14 07:05:07 94080 ----a-w- C:\Windows\SysWow64\MfeOtlkAddin.dll
2014-06-14 07:05:07 25088 ----a-w- C:\Windows\SysWow64\MFEOtlk.dll
2014-06-07 02:59:53 2339328 ----a-w- C:\Windows\System32\jscript9.dll
2014-06-07 02:51:22 1494016 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-06-07 02:51:06 1392128 ----a-w- C:\Windows\System32\wininet.dll
2014-06-07 02:45:37 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-06-07 02:45:17 599040 ----a-w- C:\Windows\System32\vbscript.dll
2014-06-07 02:40:25 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2014-06-07 02:39:40 12800 ----a-w- C:\Windows\System32\mshta.exe
2014-06-06 23:12:01 1810432 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-06-06 23:03:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-06-06 23:02:16 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-06-06 22:57:04 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-06-06 22:56:20 421376 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-06-06 22:52:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-06-06 22:51:59 11776 ----a-w- C:\Windows\SysWow64\mshta.exe
2014-06-06 10:10:34 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-06-06 09:44:17 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-06-05 14:45:15 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-06-05 14:26:58 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-06-05 14:25:49 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-05-30 08:08:52 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-05-30 08:08:49 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-05-30 08:08:47 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-05-30 08:08:41 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-05-30 08:08:41 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2014-05-30 08:08:36 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-05-30 08:08:31 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-05-30 07:52:51 172032 ----a-w- C:\Windows\SysWow64\wdigest.dll
2014-05-30 07:52:49 65536 ----a-w- C:\Windows\SysWow64\TSpkg.dll
2014-05-30 07:52:45 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2014-05-30 07:52:41 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2014-05-30 07:52:40 259584 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2014-05-30 07:52:36 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-05-30 07:52:30 17408 ----a-w- C:\Windows\SysWow64\credssp.dll
2014-05-30 06:45:52 497152 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 12:31:05.65 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 PM

Posted 11 August 2014 - 10:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#3 dabassguy1

dabassguy1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 11 August 2014 - 03:28 PM

RogueKiller Log

 

RogueKiller V9.2.6.0 (x64) [Jul 11 2014] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Cory [Admin rights]
Mode : Remove -- Date : 08/11/2014  16:09:41
 
¤¤¤ Bad processes : 2 ¤¤¤
[Suspicious.Path] biwuihv.exe -- C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe[-] -> KILLED [TermProc]
[Tr.Poweliks] dllhost.exe -- [x] -> KILLED [TermProc]
 
¤¤¤ Registry Entries : 31 ¤¤¤
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Dyyhelfihookox : C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [x] -> DELETED
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Run | iaklore : rundll32 "C:\Users\Cory\AppData\Local\iaklore.dll",iaklore [x] -> DELETED
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Run | iaklore : rundll32 "C:\Users\Cory\AppData\Local\iaklore.dll",iaklore  -> ERROR [2]
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Agent -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Agent -> NOT SELECTED
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Agent -> NOT SELECTED
[PUM.Https] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | WarnOnHTTPSToHTTPRedirect : 0  -> NOT SELECTED
[PUM.Https] (X64) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | WarnOnHTTPSToHTTPRedirect : 0  -> NOT SELECTED
[PUM.Https] (X86) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | WarnOnHTTPSToHTTPRedirect : 0  -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.16 68.105.29.16  -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.16 68.105.29.16  -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.16 68.105.29.16  -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C0C4C473-169F-4F15-840C-1F1595231468} | DhcpNameServer : 68.105.28.16 68.105.29.16  -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C0C4C473-169F-4F15-840C-1F1595231468} | DhcpNameServer : 68.105.28.16 68.105.29.16  -> NOT SELECTED
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C0C4C473-169F-4F15-840C-1F1595231468} | DhcpNameServer : 68.105.28.16 68.105.29.16  -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0  -> NOT SELECTED
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> NOT SELECTED
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> NOT SELECTED
[PUM.SecurityCenter] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center | FirewallDisableNotify : 1  -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> NOT SELECTED
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> NOT SELECTED
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> DELETED
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[Suspicious.Path] Security Center Update - 1289701922.job -- C:\Users\Cory\AppData\Roaming\Opboolip\tocee.exe -> DELETED
[Suspicious.Path] Security Center Update - 2295223159.job -- C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe -> DELETED
[Suspicious.Path] \\Security Center Update - 1289701922 -- C:\Users\Cory\AppData\Roaming\Opboolip\tocee.exe -> DELETED
[Suspicious.Path] \\Security Center Update - 2295223159 -- C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe -> ERROR [0]
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 192.168.1.126     EF_SERVER 
 
¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500AAKX-753CA1 ATA Device +++++
--- User ---
[MBR] 46b0b6e781331e51198bbcebbfb2a18a
[BSP] faae897ac9644a695fc89c68a8f41fbb : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 13466 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 27660288 | Size: 224968 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_08112014_160759.log
 
 
AdwCleanerLog
# AdwCleaner v3.304 - Report created 11/08/2014 at 16:14:04
# Updated 08/08/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Cory - CORYW7
# Running from : C:\Users\Cory\Desktop\adwcleaner_3.304.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Public\util
File Deleted : C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\pdfforge@mybrowserbar.com
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\pdfforgeToolbar-stub-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\pdfforgeToolbar-stub-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchSettings_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchSettings_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7F6AFBF1-E065-4627-A2FD-810366367D01}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{B922D405-6D13-4A2B-AE89-08A030DA4402}
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\Software\Freeze.com
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16561
 
 
-\\ Mozilla Firefox v22.0 (en-US)
 
[ File : C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\prefs.js ]
 
 
-\\ Google Chrome v36.0.1985.125
 
[ File : C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2001 octets] - [11/08/2014 16:11:28]
AdwCleaner[S0].txt - [1946 octets] - [11/08/2014 16:14:04]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2006 octets] ##########
 
 
FRST log
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-08-2014
Ran by Cory (administrator) on CORYW7 on 11-08-2014 16:16:24
Running from C:\Users\Cory\Desktop\bleep
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(j2 Global Communications, Inc.) C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler64.exe
(Maskiseft Corporation) C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe
(Maskiseft Corporation) C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [Dyyhelfihookox] => C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\iaklore-x32: C:\Users\Cory\AppData\Local\iaklore.dll ()
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [eFax 4.4] => C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe [95744 2012-08-29] (j2 Global Communications, Inc.)
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [Preskmgr] => C:\Windows\system32\ddodsfc.exe
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [Dyyhelfihookox] => C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation)
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wintergreenresort.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {54A846B4-05DA-4A60-B337-A8D1E4456046} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=827316&p={searchTerms}
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140614030644.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140614030644.dll (McAfee, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Cartwheel -> {B50DF051-E1D4-439C-B94E-F4DE82B56542} -> C:\Users\Cory\AppData\Roaming\Cartwheel\Cartwheel.dll (Cartwheel, Inc.)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {9916D178-71C8-4764-969C-95B9B67A1F76} https://onestop.nationwide.com/one-stop-web/scan/OneStopScan.CAB
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://agents.nationwide.com/dana-cached/sc/JuniperSetupClient.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Hosts: 192.168.1.126     EF_SERVER 
Tcpip\Parameters: [DhcpNameServer] 68.105.28.16 68.105.29.16
 
FireFox:
========
FF ProfilePath: C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default
FF DefaultSearchEngine: Yahoo
FF SelectedSearchEngine: Yahoo
FF Homepage: hxxp://www.nascar.com/
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=827316&p=
FF NetworkProxy: "no_proxies_on", "localhost"
FF NetworkProxy: "type", 0
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_35 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Address Bar Search - C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9} [2013-08-30]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF HKLM-x32\...\Firefox\Extensions: [{B7082FAA-CB62-4872-9106-E42DD88EDE45}] - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise
FF Extension: McAfee SiteAdvisor Enterprise - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise [2011-09-29]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: IDS_SS_NAME - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2012-11-29]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-08-23]
CHR Extension: (Google Search) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-08-23]
CHR Extension: (Gmail) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-08-23]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 Agent; C:\Windows\VPDAgent_x64.exe [156672 2012-11-15] (Two Pilots) [File not signed]
S4 enterceptAgent; C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [641336 2011-09-12] (McAfee, Inc.)
S4 McAfee SiteAdvisor Enterprise Service; C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [226624 2010-03-25] (McAfee, Inc.)
S4 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [127520 2013-12-04] (McAfee, Inc.)
S4 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [242448 2014-06-14] (McAfee, Inc.)
S4 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [208416 2014-01-15] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-08-09] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [185280 2014-06-14] (McAfee, Inc.)
S4 Printer Control; C:\Windows\system32\PrintCtrl.exe [127968 2013-11-01] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM) [File not signed]
S4 SecurityCenterServer1289701922; C:\Users\Cory\AppData\Roaming\Opboolip\tocee.exe [303346 2014-01-13] (Maskiseft Corporation) [File not signed]
S4 SecurityCenterServer2295223159; C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 FireNfcp; C:\Windows\System32\drivers\FireNfcp.sys [48840 2011-10-07] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [195024 2011-09-12] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-06-14] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-06-14] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481504 2011-08-16] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-06-14] (McAfee, Inc.)
R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-08-16] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-06-14] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-06-14] (McAfee, Inc.)
R1 NEOFLTR_720_21697; C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS [100728 2012-08-23] (Juniper Networks)
S3 Firehk; system32\DRIVERS\firehk.sys [X]
S3 FirehkMP; system32\DRIVERS\firehk.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-11 16:16 - 2014-08-11 16:16 - 00000000 ____D () C:\FRST
2014-08-11 16:15 - 2014-08-11 16:15 - 00002090 _____ () C:\Users\Cory\Desktop\AdwCleaner[S0].txt
2014-08-11 16:13 - 2014-08-11 16:13 - 00002001 _____ () C:\Users\Cory\Desktop\AdwCleaner[R0].txt
2014-08-11 16:11 - 2014-08-11 16:14 - 00000000 ____D () C:\AdwCleaner
2014-08-11 16:11 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-08-11 16:10 - 2014-08-11 16:10 - 00006926 _____ () C:\Users\Cory\Desktop\RKreport_DEL_08112014_160941.log
2014-08-11 16:04 - 2014-08-11 16:04 - 00030312 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-11 16:04 - 2014-08-11 16:04 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-11 16:04 - 2014-08-11 16:01 - 05392984 _____ () C:\Users\Cory\Desktop\RogueKillerX64.exe
2014-08-11 16:04 - 2014-08-11 16:01 - 01366203 _____ () C:\Users\Cory\Desktop\adwcleaner_3.304.exe
2014-08-06 12:44 - 2014-08-06 12:44 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-06 12:31 - 2014-08-06 12:31 - 00022349 _____ () C:\Users\Cory\Desktop\dds.txt
2014-08-06 12:31 - 2014-08-06 12:31 - 00010180 _____ () C:\Users\Cory\Desktop\attach.txt
2014-08-06 12:22 - 2014-08-11 16:16 - 00000000 ____D () C:\Users\Cory\Desktop\bleep
2014-08-06 12:22 - 2014-08-06 12:22 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-08-06 09:38 - 2014-08-06 09:38 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5
2014-08-05 12:38 - 2014-08-05 12:38 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Opboolip
2014-08-05 12:38 - 2014-08-05 12:38 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Okgovoqi
2014-08-05 12:38 - 2014-01-13 18:11 - 00303346 _____ (Maskiseft Corporation) C:\Windows\SysWOW64\wyode.exe
2014-08-05 12:38 - 2012-09-21 01:02 - 00303346 _____ (Maskiseft Corporation) C:\Windows\SysWOW64\zefiev.exe
2014-08-05 12:37 - 2014-08-05 12:37 - 00159744 _____ () C:\Windows\SysWOW64\ddodsfc.exe
2014-08-05 12:37 - 2014-08-05 12:37 - 00023552 _____ () C:\Users\Cory\AppData\Local\iaklore.dll
2014-07-31 08:59 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-07-31 08:59 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-07-31 08:59 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-07-31 08:59 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2014-07-31 08:58 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-07-31 08:58 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-07-31 08:58 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-07-31 08:58 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-07-31 08:58 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-07-31 08:58 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-07-14 17:11 - 2014-07-14 17:11 - 460840986 _____ () C:\Windows\MEMORY.DMP
2014-07-14 17:11 - 2014-07-14 17:11 - 00280656 _____ () C:\Windows\Minidump\071414-23680-01.dmp
2014-07-14 17:11 - 2014-07-14 17:11 - 00000000 ____D () C:\Windows\Minidump
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-11 16:16 - 2014-08-11 16:16 - 00000000 ____D () C:\FRST
2014-08-11 16:16 - 2014-08-06 12:22 - 00000000 ____D () C:\Users\Cory\Desktop\bleep
2014-08-11 16:15 - 2014-08-11 16:15 - 00002090 _____ () C:\Users\Cory\Desktop\AdwCleaner[S0].txt
2014-08-11 16:15 - 2012-08-23 09:53 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-11 16:15 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-11 16:15 - 2009-07-14 00:51 - 00065543 _____ () C:\Windows\setupact.log
2014-08-11 16:14 - 2014-08-11 16:11 - 00000000 ____D () C:\AdwCleaner
2014-08-11 16:14 - 2011-09-16 13:28 - 01574112 _____ () C:\Windows\WindowsUpdate.log
2014-08-11 16:14 - 2010-11-20 23:47 - 00532380 _____ () C:\Windows\PFRO.log
2014-08-11 16:14 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-11 16:14 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-11 16:13 - 2014-08-11 16:13 - 00002001 _____ () C:\Users\Cory\Desktop\AdwCleaner[R0].txt
2014-08-11 16:10 - 2014-08-11 16:10 - 00006926 _____ () C:\Users\Cory\Desktop\RKreport_DEL_08112014_160941.log
2014-08-11 16:06 - 2009-07-14 01:13 - 00801238 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-11 16:04 - 2014-08-11 16:04 - 00030312 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-11 16:04 - 2014-08-11 16:04 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-11 16:02 - 2012-08-23 09:53 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-11 16:01 - 2014-08-11 16:04 - 05392984 _____ () C:\Users\Cory\Desktop\RogueKillerX64.exe
2014-08-11 16:01 - 2014-08-11 16:04 - 01366203 _____ () C:\Users\Cory\Desktop\adwcleaner_3.304.exe
2014-08-06 13:14 - 2013-09-17 13:45 - 00000000 ____D () C:\Users\Cory\Documents\Outlook Files
2014-08-06 12:55 - 2012-03-29 09:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-06 12:44 - 2014-08-06 12:44 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-06 12:31 - 2014-08-06 12:31 - 00022349 _____ () C:\Users\Cory\Desktop\dds.txt
2014-08-06 12:31 - 2014-08-06 12:31 - 00010180 _____ () C:\Users\Cory\Desktop\attach.txt
2014-08-06 12:22 - 2014-08-06 12:22 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-08-06 11:49 - 2013-10-01 12:52 - 00000527 _____ () C:\Users\Cory\Desktop\EZ File.website
2014-08-06 11:18 - 2009-04-09 09:26 - 00000000 ____D () C:\EMAIL Out
2014-08-06 10:49 - 2011-09-16 13:40 - 00000000 ____D () C:\ProgramData\Temp
2014-08-06 10:49 - 2006-10-05 11:31 - 00000000 ____D () C:\Temp
2014-08-06 10:06 - 2008-07-29 15:47 - 00000000 ____D () C:\QUARANTINE
2014-08-06 09:46 - 2013-11-13 09:19 - 00003380 _____ () C:\Windows\System32\Tasks\IE11
2014-08-06 09:38 - 2014-08-06 09:38 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5
2014-08-05 17:12 - 2014-07-02 14:43 - 00000000 ____D () C:\Users\Cory\AppData\Local\TMPEZA
2014-08-05 17:12 - 2010-11-29 15:17 - 00000059 _____ () C:\APPTWN.LOG
2014-08-05 13:00 - 2011-09-29 13:39 - 00000000 ____D () C:\Program Files (x86)\ScanPoint
2014-08-05 12:38 - 2014-08-05 12:38 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Opboolip
2014-08-05 12:38 - 2014-08-05 12:38 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Okgovoqi
2014-08-05 12:37 - 2014-08-05 12:37 - 00159744 _____ () C:\Windows\SysWOW64\ddodsfc.exe
2014-08-05 12:37 - 2014-08-05 12:37 - 00023552 _____ () C:\Users\Cory\AppData\Local\iaklore.dll
2014-08-04 11:16 - 2013-05-06 08:22 - 00003380 _____ () C:\Windows\System32\Tasks\IE10
2014-07-29 08:54 - 2013-03-13 16:13 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-29 08:54 - 2013-03-13 16:13 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-07-28 16:59 - 2013-03-13 16:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-07-22 13:02 - 2011-03-02 09:50 - 00000000 ____D () C:\archive_to_easyfile
2014-07-14 17:11 - 2014-07-14 17:11 - 460840986 _____ () C:\Windows\MEMORY.DMP
2014-07-14 17:11 - 2014-07-14 17:11 - 00280656 _____ () C:\Windows\Minidump\071414-23680-01.dmp
2014-07-14 17:11 - 2014-07-14 17:11 - 00000000 ____D () C:\Windows\Minidump
 
Some content of TEMP:
====================
C:\Users\Cory\AppData\Local\Temp\atwbxdet.dll
C:\Users\Cory\AppData\Local\Temp\exthelper.exe
C:\Users\Cory\AppData\Local\Temp\FP_PL_PFS_INSTALLER.exe
C:\Users\Cory\AppData\Local\Temp\InitBDE.exe
C:\Users\Cory\AppData\Local\Temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Users\Cory\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\Cory\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Cory\AppData\Local\Temp\MetroFaxPrinter.exe
C:\Users\Cory\AppData\Local\Temp\Quarantine.exe
C:\Users\Cory\AppData\Local\Temp\spupdater.exe
C:\Users\Cory\AppData\Local\Temp\UpdateFlashPlayer_4b6a9bd7.exe
C:\Users\Cory\AppData\Local\Temp\UpdateFlashPlayer_72a2ee1c.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-30 13:02
 
==================== End Of Log ============================
 
I have attached the addition.txt
 

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 PM

Posted 12 August 2014 - 07:28 AM

This is a bad infection.
http://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=2

I suggest your run the RogueKiller tool one more time and fix/delele everything that is identified.
Some items will be removed others where need will be replaced.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
HKLM-x32\...\Run: [Dyyhelfihookox] => C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation)
Winlogon\Notify\iaklore-x32: C:\Users\Cory\AppData\Local\iaklore.dll ()
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [Preskmgr] => C:\Windows\system32\ddodsfc.exe
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [Dyyhelfihookox] => C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation)
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: Address Bar Search - C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9} [2013-08-30]
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
S4 SecurityCenterServer1289701922; C:\Users\Cory\AppData\Roaming\Opboolip\tocee.exe [303346 2014-01-13] (Maskiseft Corporation) [File not signed]
S4 SecurityCenterServer2295223159; C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation) [File not signed]
S3 Firehk; system32\DRIVERS\firehk.sys [X]
S3 FirehkMP; system32\DRIVERS\firehk.sys [X]
C:\Users\Cory\AppData\Roaming\Okgovoqi
C:\Users\Cory\AppData\Local\iaklore.dll
C:\Windows\system32\ddodsfc.exe
C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9}

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Empty flash cache.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
<<<>>>

Please run the Farbar tool one more time and submit a fresh FRST log for my review.

How is the computer running now?

#5 dabassguy1

dabassguy1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 12 August 2014 - 07:53 PM

Thank you so much for your help.  I've been working on computer for 29 years and this stumps me.

 

I ran this running the computer with GotoAssist.

 

I ran RogueKiller again and then did the fix list thing with FRST.  I have included the log.  When I ran TFC, it ran for over thirty minutes before I terminated it.  I am still getting the infection multiple times in the process list.  I started the TFC program again and I will let it run this time.   TFC said it deleted the Flash cache, But I am going to try that as well.

 

Should I run FRST again even it the TFC never completes?

 

Here is the fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-08-2014
Ran by Cory at 2014-08-12 18:10:28 Run:1
Running from C:\Users\Cory\Desktop\bleep
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKLM-x32\...\Run: [Dyyhelfihookox] => C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation)
Winlogon\Notify\iaklore-x32: C:\Users\Cory\AppData\Local\iaklore.dll ()
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [Preskmgr] => C:\Windows\system32\ddodsfc.exe
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [Dyyhelfihookox] => C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation)
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll No File
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: Address Bar Search - C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9} [2013-08-30]
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
S4 SecurityCenterServer1289701922; C:\Users\Cory\AppData\Roaming\Opboolip\tocee.exe [303346 2014-01-13] (Maskiseft Corporation) [File not signed]
S4 SecurityCenterServer2295223159; C:\Users\Cory\AppData\Roaming\Okgovoqi\biwuihv.exe [303346 2012-09-21] (Maskiseft Corporation) [File not signed]
S3 Firehk; system32\DRIVERS\firehk.sys [X]
S3 FirehkMP; system32\DRIVERS\firehk.sys [X]
C:\Users\Cory\AppData\Roaming\Okgovoqi
C:\Users\Cory\AppData\Local\iaklore.dll
C:\Windows\system32\ddodsfc.exe
C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9}
 
End
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Dyyhelfihookox => value deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iaklore" => Key deleted successfully.
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Preskmgr => value deleted successfully.
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Dyyhelfihookox => value deleted successfully.
"HKU\S-1-5-21-4233371878-1667044154-2814643284-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-4233371878-1667044154-2814643284-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}" => Key deleted successfully.
"HKCR\CLSID\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{1CA1377B-DC1D-4A52-9585-6E06050FAC53}" => Key deleted successfully.
"HKCR\PROTOCOLS\Handler\dssrequest" => Key deleted successfully.
"HKCR\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}" => Key not found.
"HKCR\PROTOCOLS\Handler\sacore" => Key deleted successfully.
"HKCR\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5}" => Key not found.
"HKCR\PROTOCOLS\Handler\tmpx" => Key deleted successfully.
"HKCR\CLSID\{0E526CB5-7446-41D1-A403-19BFE95E8C23}" => Key deleted successfully.
"HKCR\Wow6432Node\PROTOCOLS\Handler\tmpx" => Key not found.
"HKCR\Wow6432Node\CLSID\{0E526CB5-7446-41D1-A403-19BFE95E8C23}" => Key deleted successfully.
"HKCR\PROTOCOLS\Filter\application/x-ica" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=euc-jp" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=ISO-8859-1" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS936" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS949" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS950" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF-8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=euc-jp" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=ISO-8859-1" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS936" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS949" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS950" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF-8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\ica" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"FF Plugin: @microsoft.com/GENUINE -> disabled No File" => not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File not found.
C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9} => Moved successfully.
C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\PepperFlash\pepflashplayer.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\gcswf32.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll not found.
C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.72\pdf.dll not found.
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll not found.
C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll not found.
C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll not found.
C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll not found.
c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll not found.
SecurityCenterServer1289701922 => Service deleted successfully.
SecurityCenterServer2295223159 => Service deleted successfully.
Firehk => Service deleted successfully.
FirehkMP => Service deleted successfully.
C:\Users\Cory\AppData\Roaming\Okgovoqi => Moved successfully.
C:\Users\Cory\AppData\Local\iaklore.dll => Moved successfully.
"C:\Windows\system32\ddodsfc.exe" => File/Directory not found.
"C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default\Extensions\{badea1ae-72ed-4f6a-8c37-4db9a4ac7bc9}" => File/Directory not found.
 
==== End of Fixlog ====


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 PM

Posted 13 August 2014 - 06:45 AM


Run this tool.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note:
    Do not mouse click ComboFix's window while it's running. That may cause it to stall


    Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

    Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
    ==============

    Run the Farbar tool and post a fresh log.

    Let me know what problem persists.



#7 dabassguy1

dabassguy1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:10:21 PM

Posted 13 August 2014 - 03:53 PM

Looks like that combo got it.  I see no more infections in the process list and the computer seems to be running fine.

 

Here is the FRST log

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-08-2014
Ran by Cory (administrator) on CORYW7 on 13-08-2014 16:49:47
Running from C:\Users\Cory\Desktop\bleep
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_service.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.15\GoogleCrashHandler64.exe
(j2 Global Communications, Inc.) C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_system_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_user_customer.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_winlogonx64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4233371878-1667044154-2814643284-1000\...\Run: [eFax 4.4] => C:\Program Files (x86)\eFax Messenger 4.4\J2GDllCmd.exe [95744 2012-08-29] (j2 Global Communications, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wintergreenresort.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {54A846B4-05DA-4A60-B337-A8D1E4456046} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=827316&p={searchTerms}
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140614030644.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140614030644.dll (McAfee, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Cartwheel -> {B50DF051-E1D4-439C-B94E-F4DE82B56542} -> C:\Users\Cory\AppData\Roaming\Cartwheel\Cartwheel.dll (Cartwheel, Inc.)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {9916D178-71C8-4764-969C-95B9B67A1F76} https://onestop.nationwide.com/one-stop-web/scan/OneStopScan.CAB
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://nationwidenh.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc1.cab
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://agents.nationwide.com/dana-cached/sc/JuniperSetupClient.cab
Tcpip\Parameters: [DhcpNameServer] 68.105.28.16 68.105.29.16

FireFox:
========
FF ProfilePath: C:\Users\Cory\AppData\Roaming\Mozilla\Firefox\Profiles\xhli56ej.default
FF DefaultSearchEngine: Yahoo
FF SelectedSearchEngine: Yahoo
FF Homepage: hxxp://www.nascar.com/
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=827316&p=
FF NetworkProxy: "no_proxies_on", "localhost"
FF NetworkProxy: "type", 0
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_35 -> C:\Windows\SysWOW64\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF HKLM-x32\...\Firefox\Extensions: [{B7082FAA-CB62-4872-9106-E42DD88EDE45}] - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise
FF Extension: McAfee SiteAdvisor Enterprise - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise [2011-09-29]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: IDS_SS_NAME - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2012-11-29]

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR StartupUrls: "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\gcswf32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.125\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-08-23]
CHR Extension: (Google Search) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-08-23]
CHR Extension: (Google Wallet) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-11]
CHR Extension: (Gmail) - C:\Users\Cory\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-08-23]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 Agent; C:\Windows\VPDAgent_x64.exe [156672 2012-11-15] (Two Pilots) [File not signed]
S4 enterceptAgent; C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [641336 2011-09-12] (McAfee, Inc.)
R2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\715\g2ax_service.exe [610888 2014-08-11] (Citrix Online, a division of Citrix Systems, Inc.)
S4 McAfee SiteAdvisor Enterprise Service; C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [226624 2010-03-25] (McAfee, Inc.)
S4 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [127520 2013-12-04] (McAfee, Inc.)
S4 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [242448 2014-06-14] (McAfee, Inc.)
S4 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [208416 2014-01-15] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [208272 2011-08-09] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [185280 2014-06-14] (McAfee, Inc.)
S4 Printer Control; C:\Windows\system32\PrintCtrl.exe [127968 2013-11-01] (ActMask Co.,Ltd - HTTP://WWW.ALL2PDF.COM) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 FireNfcp; C:\Windows\System32\drivers\FireNfcp.sys [48840 2011-10-07] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [195024 2011-09-12] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-06-14] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-06-14] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [481504 2011-08-16] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-06-14] (McAfee, Inc.)
R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [75672 2011-08-16] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-06-14] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-06-14] (McAfee, Inc.)
R1 NEOFLTR_720_21697; C:\Windows\system32\Drivers\NEOFLTR_720_21697.SYS [100728 2012-08-23] (Juniper Networks)
U3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-13 16:49 - 2014-08-13 16:49 - 00024693 _____ () C:\ComboFix.txt
2014-08-13 16:33 - 2014-08-13 16:49 - 00000000 ____D () C:\Qoobox
2014-08-13 16:33 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-08-13 16:33 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-08-13 16:33 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-08-13 16:33 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-08-13 16:33 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-08-13 16:33 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-08-13 16:33 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-08-13 16:33 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-08-13 16:32 - 2014-08-13 16:48 - 00000000 ____D () C:\Windows\erdnt
2014-08-13 16:15 - 2014-08-13 16:16 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 16:15 - 2014-08-13 16:15 - 00001108 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 16:15 - 2014-08-13 16:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 16:15 - 2014-08-13 16:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 16:15 - 2014-08-13 16:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 16:15 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-08-13 16:15 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-13 16:15 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-08-13 16:14 - 2014-08-13 15:06 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Cory\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-13 16:14 - 2014-08-13 15:06 - 05569662 ____R (Swearware) C:\Users\Cory\Desktop\ComboFix.exe
2014-08-12 18:24 - 2014-08-12 18:24 - 00448512 _____ (OldTimer Tools) C:\Users\Cory\Desktop\TFC.exe
2014-08-12 18:10 - 2014-08-13 16:30 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Okgovoqi
2014-08-11 16:33 - 2014-08-11 16:33 - 00169544 _____ (Citrix Online) C:\Windows\system32\g2ax_credential_provider64_715.dll
2014-08-11 16:33 - 2014-08-11 16:33 - 00001582 _____ () C:\Users\Cory\Desktop\GoToAssist Customer.lnk
2014-08-11 16:33 - 2014-08-11 16:33 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2014-08-11 16:30 - 2014-08-13 12:59 - 00000000 ____D () C:\Users\Cory\AppData\Local\CrashDumps
2014-08-11 16:16 - 2014-08-13 16:49 - 00000000 ____D () C:\FRST
2014-08-11 16:11 - 2014-08-11 16:14 - 00000000 ____D () C:\AdwCleaner
2014-08-11 16:11 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-08-11 16:04 - 2014-08-12 20:17 - 00030312 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-11 16:04 - 2014-08-11 16:04 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-11 16:04 - 2014-08-11 16:01 - 05392984 _____ () C:\Users\Cory\Desktop\RogueKillerX64.exe
2014-08-11 16:04 - 2014-08-11 16:01 - 01366203 _____ () C:\Users\Cory\Desktop\adwcleaner_3.304.exe
2014-08-06 12:44 - 2014-08-06 12:44 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-06 12:31 - 2014-08-06 12:31 - 00022349 _____ () C:\Users\Cory\Desktop\dds.txt
2014-08-06 12:31 - 2014-08-06 12:31 - 00010180 _____ () C:\Users\Cory\Desktop\attach.txt
2014-08-06 12:22 - 2014-08-13 16:49 - 00000000 ____D () C:\Users\Cory\Desktop\bleep
2014-08-06 12:22 - 2014-08-06 12:22 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-08-06 09:38 - 2014-08-06 09:38 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5
2014-08-05 12:38 - 2014-08-13 16:28 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Opboolip
2014-07-31 08:59 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-07-31 08:59 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-07-31 08:59 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-07-31 08:59 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-07-31 08:58 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2014-07-31 08:58 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-07-31 08:58 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-07-31 08:58 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-07-31 08:58 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-07-31 08:58 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-07-31 08:58 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-07-14 17:11 - 2014-07-14 17:11 - 460840986 _____ () C:\Windows\MEMORY.DMP
2014-07-14 17:11 - 2014-07-14 17:11 - 00280656 _____ () C:\Windows\Minidump\071414-23680-01.dmp
2014-07-14 17:11 - 2014-07-14 17:11 - 00000000 ____D () C:\Windows\Minidump

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-13 16:49 - 2014-08-13 16:49 - 00024693 _____ () C:\ComboFix.txt
2014-08-13 16:49 - 2014-08-13 16:33 - 00000000 ____D () C:\Qoobox
2014-08-13 16:49 - 2014-08-11 16:16 - 00000000 ____D () C:\FRST
2014-08-13 16:49 - 2014-08-06 12:22 - 00000000 ____D () C:\Users\Cory\Desktop\bleep
2014-08-13 16:48 - 2014-08-13 16:32 - 00000000 ____D () C:\Windows\erdnt
2014-08-13 16:47 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-08-13 16:44 - 2011-09-29 06:54 - 00000000 ____D () C:\Users\Cory
2014-08-13 16:43 - 2011-09-16 13:40 - 00000000 ____D () C:\ProgramData\Temp
2014-08-13 16:38 - 2011-09-16 13:28 - 01909801 _____ () C:\Windows\WindowsUpdate.log
2014-08-13 16:38 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-13 16:38 - 2009-07-14 00:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-13 16:31 - 2012-08-23 09:53 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-13 16:31 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-13 16:30 - 2014-08-12 18:10 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Okgovoqi
2014-08-13 16:30 - 2011-09-29 13:41 - 00000000 ____D () C:\Windows\SigPlus
2014-08-13 16:30 - 2010-11-20 23:47 - 00533954 _____ () C:\Windows\PFRO.log
2014-08-13 16:30 - 2009-07-14 00:51 - 00065767 _____ () C:\Windows\setupact.log
2014-08-13 16:28 - 2014-08-05 12:38 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Opboolip
2014-08-13 16:16 - 2014-08-13 16:15 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-13 16:16 - 2009-07-14 01:13 - 00801238 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-08-13 16:15 - 2014-08-13 16:15 - 00001108 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-13 16:15 - 2014-08-13 16:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-13 16:15 - 2014-08-13 16:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-13 16:15 - 2014-08-13 16:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-08-13 16:01 - 2012-08-23 09:53 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-13 15:55 - 2012-03-29 09:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-13 15:06 - 2014-08-13 16:14 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Cory\Desktop\mbam-setup-2.0.2.1012.exe
2014-08-13 15:06 - 2014-08-13 16:14 - 05569662 ____R (Swearware) C:\Users\Cory\Desktop\ComboFix.exe
2014-08-13 12:59 - 2014-08-11 16:30 - 00000000 ____D () C:\Users\Cory\AppData\Local\CrashDumps
2014-08-12 20:17 - 2014-08-11 16:04 - 00030312 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-12 18:24 - 2014-08-12 18:24 - 00448512 _____ (OldTimer Tools) C:\Users\Cory\Desktop\TFC.exe
2014-08-11 16:33 - 2014-08-11 16:33 - 00169544 _____ (Citrix Online) C:\Windows\system32\g2ax_credential_provider64_715.dll
2014-08-11 16:33 - 2014-08-11 16:33 - 00001582 _____ () C:\Users\Cory\Desktop\GoToAssist Customer.lnk
2014-08-11 16:33 - 2014-08-11 16:33 - 00000000 ____D () C:\Users\Cory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Citrix
2014-08-11 16:33 - 2011-09-29 12:07 - 00000000 ____D () C:\Program Files (x86)\Citrix
2014-08-11 16:32 - 2012-01-25 14:12 - 00000000 ____D () C:\Users\Cory\AppData\Local\Citrix
2014-08-11 16:14 - 2014-08-11 16:11 - 00000000 ____D () C:\AdwCleaner
2014-08-11 16:04 - 2014-08-11 16:04 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-11 16:01 - 2014-08-11 16:04 - 05392984 _____ () C:\Users\Cory\Desktop\RogueKillerX64.exe
2014-08-11 16:01 - 2014-08-11 16:04 - 01366203 _____ () C:\Users\Cory\Desktop\adwcleaner_3.304.exe
2014-08-06 13:14 - 2013-09-17 13:45 - 00000000 ____D () C:\Users\Cory\Documents\Outlook Files
2014-08-06 12:44 - 2014-08-06 12:44 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-06 12:31 - 2014-08-06 12:31 - 00022349 _____ () C:\Users\Cory\Desktop\dds.txt
2014-08-06 12:31 - 2014-08-06 12:31 - 00010180 _____ () C:\Users\Cory\Desktop\attach.txt
2014-08-06 12:22 - 2014-08-06 12:22 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-08-06 11:49 - 2013-10-01 12:52 - 00000527 _____ () C:\Users\Cory\Desktop\EZ File.website
2014-08-06 11:18 - 2009-04-09 09:26 - 00000000 ____D () C:\EMAIL Out
2014-08-06 10:49 - 2006-10-05 11:31 - 00000000 ____D () C:\Temp
2014-08-06 10:06 - 2008-07-29 15:47 - 00000000 ____D () C:\QUARANTINE
2014-08-06 09:46 - 2013-11-13 09:19 - 00003380 _____ () C:\Windows\System32\Tasks\IE11
2014-08-06 09:38 - 2014-08-06 09:38 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5
2014-08-05 17:12 - 2014-07-02 14:43 - 00000000 ____D () C:\Users\Cory\AppData\Local\TMPEZA
2014-08-05 17:12 - 2010-11-29 15:17 - 00000059 _____ () C:\APPTWN.LOG
2014-08-05 13:00 - 2011-09-29 13:39 - 00000000 ____D () C:\Program Files (x86)\ScanPoint
2014-08-04 11:16 - 2013-05-06 08:22 - 00003380 _____ () C:\Windows\System32\Tasks\IE10
2014-07-29 08:54 - 2013-03-13 16:13 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-29 08:54 - 2013-03-13 16:13 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-07-28 16:59 - 2013-03-13 16:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-07-22 13:02 - 2011-03-02 09:50 - 00000000 ____D () C:\archive_to_easyfile
2014-07-14 17:11 - 2014-07-14 17:11 - 460840986 _____ () C:\Windows\MEMORY.DMP
2014-07-14 17:11 - 2014-07-14 17:11 - 00280656 _____ () C:\Windows\Minidump\071414-23680-01.dmp
2014-07-14 17:11 - 2014-07-14 17:11 - 00000000 ____D () C:\Windows\Minidump

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-06-30 13:02

==================== End Of Log ============================



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 PM

Posted 14 August 2014 - 08:04 AM


Clean these empty registry keys.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
U3 catchme; \??\C:\ComboFix\catchme.sys [X]

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 PM

Posted 20 August 2014 - 10:08 AM

Are you still with me?



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:21 PM

Posted 26 August 2014 - 08:35 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users