Frequent Malicious Outbound Attempts & Many COM Surrogate Processes


This topic is locked
11 replies to this topic

#1 mistercoleman


  • Members
  • 6 posts

Posted 06 October 2014 - 01:00 PM

Very frustrated IT professional.

The frequent attempts to connect me to malicious websites are being blocked by Malwarebytes, but they never seem to let up. I don't think it's right for me to include all the IP #s, domains or ports, but the misbehaving processes are below.
Process 1: C:\Windows\SysWOW64\svchost.exe
Process 2: C:\Windows\SysWOW64\dllhost.exe

 

Also, I occasionally get 30+ COM Surrogate processes showing up and maxing out my CPU. It hasn't happened yet today, but it was frequent last night.

I applied all the latest Microsoft updates; it took 2 tries, as they all had problems the first time. I also updated Java, as I think a buffer overflow problem with Java was exploited to give me these problems.

I've followed the anchored topics by running defogger and attaching the DDS logs (My apologies for the massive amount of installed games clogging up attach).

Any help to make my computer healthy again would be greatly appreciated.

EDIT: Never mind, the COM Surrogate fun has just started again.

DDS log below (I misread the Prep Guide; this is from before the COM Surrogate flood):

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.67.2
Run by wcmav_000 at 12:48:57 on 2014-10-06
Microsoft Windows 8 Single Language  6.2.9200.0.1252.1.1033.18.16382.13821 [GMT -5:00]
.
AV: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\dwm.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Windows\system32\dashost.exe
C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Online Games Manager\ogmservice.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\PCMonitoringService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskhostex.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
svchost.exe
C:\Windows\System32\TiltWheelMouse.exe
C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\DesktopClient.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\Taskmgr.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
svchost.exe
C:\Windows\SysWOW64\ctfmon.exe
D:\Steam\Steam.exe
D:\Steam\bin\steamwebhelper.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
D:\Steam\bin\steamwebhelper.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
D:\Steam\bin\steamwebhelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: ClassicIEBHO Class: {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_32.dll
TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
uRun: [Spotify] "C:\Users\wcmav_000\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "C:\Users\wcmav_000\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [GoogleChromeAutoLaunch_63515899E1DB44F9AABF9C4DEC97953B] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [uTorrent] "C:\Users\wcmav_000\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes Anti-Exploit] C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
StartupFolder: C:\Users\WCMAV_~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\COXPCH~1.LNK - C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\DesktopClient.exe
StartupFolder: C:\Users\WCMAV_~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE_32.exe
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{9A584BFF-F5E9-49D6-8BFB-98F20344698E} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{F6F5E705-C80F-408D-92C6-6A0062712DC4} : DHCPNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Skype Click to Call for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-BHO: ClassicIEBHO Class: {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_64.dll
x64-TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-Run: [MouseDriver] TiltWheelMouse.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE_32.exe
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\Drivers\SCMNdisP.sys [2013-8-6 29472]
R1 AppleCharger;AppleCharger;C:\Windows\System32\Drivers\AppleCharger.sys [2013-1-9 22680]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\Drivers\dtsoftbus01.sys [2013-11-12 283064]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [2014-10-5 63000]
R2 c2cautoupdatesvc;Skype Click to Call Updater;C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-7-14 1390176]
R2 c2cpnrsvc;Skype Click to Call PNR Service;C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-7-14 1767520]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2014-3-16 2428088]
R2 COX CommunicationsMonitoringService;COX Communications Monitoring Service;C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\PCMonitoringService.exe [2012-10-31 15104]
R2 HTCMonitorService;HTCMonitorService;C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [2013-11-18 87368]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [2014-10-5 441144]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-10-5 1809720]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-10-5 860472]
R2 ogmservice;Online Games Manager;C:\Program Files (x86)\Online Games Manager\ogmservice.exe [2014-3-27 581568]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2013-10-17 166912]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2014-5-24 411936]
R2 WSWNA3100;WSWNA3100;C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [2013-8-6 307488]
R3 CompFilter64;UVCCompositeFilter;C:\Windows\System32\Drivers\lvbflt64.sys [2012-10-26 26784]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\Drivers\lvrs64.sys [2012-10-26 351520]
R3 LVUVC64;@oem10.inf,%PID_082C_DD%(UVC);Logitech HD Webcam C615(UVC);C:\Windows\System32\Drivers\lvuvc64.sys [2012-10-26 4758176]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\Drivers\mbam.sys [2014-10-5 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\Drivers\MBAMSwissArmy.sys [2014-10-5 122584]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\Drivers\mwac.sys [2014-10-5 64216]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2013-4-11 683664]
R3 WSDScan;WSD Scan Support;C:\Windows\System32\Drivers\WSDScan.sys [2013-5-3 23552]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\Windows\System32\Drivers\bcmwlhigh664.sys [2013-8-6 1258272]
S3 Desura Install Service;Desura Install Service;C:\Program Files (x86)\Common Files\Desura\desura_service.exe [2013-5-26 131912]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2013-1-9 25640]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2013-1-9 30528]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\Drivers\htcnprot.sys [2013-10-17 36928]
S3 HtcVCom32;HTC Diagnostic Port;C:\Windows\System32\Drivers\HtcVComV64.sys [2010-3-9 121800]
S3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2013-1-9 160256]
S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\Drivers\nvstusb.sys [2013-1-9 446312]
S3 t_mouse.sys;HID-compliand device;C:\Windows\System32\Drivers\t_mouse.sys [2013-4-9 6144]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\Drivers\usbaapl64.sys [2012-12-13 54784]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
S3 xusb22;Xbox 360 Wireless Receiver Driver Service 22;C:\Windows\System32\Drivers\xusb22.sys [2012-7-25 89088]
.
=============== File Associations ===============
.
FileExt: .chm: Free Zip Opener.chm="C:\Program Files (x86)\Free Zip Opener\FreeZipOpener.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2014-10-06 08:00:00 11578928 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CB69AB3D-9372-4A23-A50C-51EB92ECEC67}\mpengine.dll
2014-10-06 05:10:29 71168 ----a-w- C:\Windows\System32\drivers\hdaudbus.sys
2014-10-06 04:47:37 35480 ----a-w- C:\Windows\SysWow64\TsWpfWrp.exe
2014-10-06 04:47:37 35480 ----a-w- C:\Windows\System32\TsWpfWrp.exe
2014-10-06 04:05:05 3262464 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll
2014-10-06 04:05:04 394624 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
2014-10-06 04:05:04 1616896 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll
2014-10-06 04:05:04 1557504 ----a-w- C:\Windows\System32\osk.exe
2014-10-06 04:05:04 1440256 ----a-w- C:\Windows\SysWow64\osk.exe
2014-10-06 04:05:03 92672 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll
2014-10-06 04:04:24 778752 ----a-w- C:\Windows\System32\oleaut32.dll
2014-10-06 04:04:24 626688 ----a-w- C:\Windows\System32\resutils.dll
2014-10-06 04:04:24 488960 ----a-w- C:\Windows\SysWow64\resutils.dll
2014-10-06 04:04:24 447320 ----a-w- C:\Windows\System32\drivers\USBHUB3.SYS
2014-10-06 04:04:24 374784 ----a-w- C:\Windows\System32\clusapi.dll
2014-10-06 04:04:23 302080 ----a-w- C:\Windows\SysWow64\clusapi.dll
2014-10-06 04:04:22 285016 ----a-w- C:\Windows\System32\drivers\spaceport.sys
2014-10-06 04:04:19 551424 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2014-10-06 04:03:19 1413632 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll
2014-10-06 04:03:18 1617920 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2014-10-06 04:03:18 1318912 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2014-10-06 04:03:16 627712 ----a-w- C:\Program Files\Windows Journal\MSPVWCTL.DLL
2014-10-06 04:03:16 1306624 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2014-10-06 04:03:16 1272320 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2014-10-06 04:03:16 1029120 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\journal.dll
2014-10-06 04:03:14 881152 ----a-w- C:\Program Files\Windows Journal\InkSeg.dll
2014-10-06 04:03:14 265216 ----a-w- C:\Windows\System32\InkEd.dll
2014-10-06 04:03:12 336384 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll
2014-10-06 04:01:50 982016 ----a-w- C:\Windows\System32\KernelBase.dll
2014-10-06 03:59:33 2062848 ----a-w- C:\Windows\System32\d3d11.dll
2014-10-06 03:58:59 148480 ----a-w- C:\Windows\System32\poqexec.exe
2014-10-06 03:58:50 370688 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2014-10-06 03:58:49 83968 ----a-w- C:\Windows\System32\drivers\hidclass.sys
2014-10-06 03:58:49 78336 ----a-w- C:\Windows\System32\drivers\IPMIDrv.sys
2014-10-06 03:58:49 247808 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2014-10-06 03:58:49 215040 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2014-10-06 03:58:49 1120768 ----a-w- C:\Windows\System32\gpedit.dll
2014-10-06 03:58:49 1075200 ----a-w- C:\Windows\SysWow64\gpedit.dll
2014-10-06 03:47:54 -------- d-----w- C:\ProgramData\Malwarebytes Anti-Exploit
2014-10-06 03:47:48 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Exploit
2014-10-06 03:47:10 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-06 03:46:20 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-06 03:46:20 64216 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-10-06 03:46:20 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-10-06 03:46:15 -------- d-----w- C:\ProgramData\Malwarebytes
2014-10-06 03:46:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-06 03:12:36 628024 ----a-w- C:\Windows\System32\NotificationUI.exe
2014-10-06 03:12:36 143872 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.dll
2014-10-06 03:12:34 1453400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2014-10-06 03:12:33 199680 ----a-w- C:\Windows\System32\cdd.dll
2014-10-06 03:12:32 1160192 ----a-w- C:\Windows\System32\IKEEXT.DLL
2014-10-06 03:12:31 96600 ----a-w- C:\Windows\System32\drivers\wfplwfs.sys
2014-10-06 03:12:31 723968 ----a-w- C:\Windows\System32\BFE.DLL
2014-10-06 03:12:23 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-06 03:11:54 3246592 ----a-w- C:\Windows\System32\rdpcorets.dll
2014-10-06 03:11:54 235520 ----a-w- C:\Windows\System32\rdpudd.dll
2014-10-06 03:11:50 619008 ----a-w- C:\Windows\System32\drivers\srv2.sys
2014-10-06 03:11:50 309760 ----a-w- C:\Windows\System32\wusa.exe
2014-10-06 03:11:50 305152 ----a-w- C:\Windows\SysWow64\wusa.exe
2014-10-06 03:11:46 62976 ----a-w- C:\Windows\System32\imagehlp.dll
2014-10-06 03:11:46 59392 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2014-10-06 03:11:23 678600 ----a-w- C:\Windows\System32\msvcp120_clr0400.dll
2014-10-06 03:11:23 536776 ----a-w- C:\Windows\SysWow64\msvcp120_clr0400.dll
2014-10-06 03:02:02 13661696 ----a-w- C:\Windows\System32\Windows.UI.Xaml.dll
2014-10-06 02:56:52 -------- d-----w- C:\AdwCleaner
2014-10-05 11:36:52 11578928 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2014-10-05 11:02:31 1890816 ----a-w- C:\Windows\System32\crypt32.dll
2014-10-05 11:02:29 1569280 ----a-w- C:\Windows\SysWow64\crypt32.dll
2014-10-05 10:50:30 1287680 ----a-w- C:\Windows\System32\schedsvc.dll
2014-10-05 10:47:18 94552 ----a-w- C:\Windows\System32\drivers\mountmgr.sys
2014-10-05 10:47:18 328024 ----a-w- C:\Windows\System32\drivers\Classpnp.sys
2014-10-05 10:46:50 312320 ----a-w- C:\Windows\System32\msieftp.dll
2014-10-05 10:46:50 273408 ----a-w- C:\Windows\SysWow64\msieftp.dll
2014-10-05 10:46:32 1845760 ----a-w- C:\Windows\System32\msxml3.dll
2014-10-05 10:46:31 1419264 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-10-05 10:41:55 576512 ----a-w- C:\Windows\System32\drivers\afd.sys
2014-10-05 10:41:49 600064 ----a-w- C:\Windows\System32\vbscript.dll
2014-10-05 10:41:49 523776 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-10-05 10:40:47 420864 ----a-w- C:\Windows\System32\WMPhoto.dll
2014-10-05 10:40:47 368640 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2014-10-02 21:13:28 0 ----a-w- C:\Users\wcmav_000\AppData\Roaming\smsyr.dll
2014-10-02 21:13:26 80384 ----a-w- C:\Users\wcmav_000\AppData\Roaming\tynfwc.dll
2014-10-01 19:46:27 -------- d-----w- C:\Users\wcmav_000\AppData\Roaming\Schoolhouse Technologies
2014-10-01 19:46:18 -------- d-----w- C:\Program Files (x86)\Schoolhouse Technologies
2014-09-25 20:51:16 -------- d-----w- C:\Users\wcmav_000\AppData\Local\Amazon
2014-09-24 01:32:31 -------- d-----w- C:\Users\wcmav_000\AppData\Roaming\Arrowhead
2014-09-23 02:00:37 -------- d-----w- C:\Users\wcmav_000\AppData\Roaming\RotMG.Production
2014-09-18 23:28:16 -------- d-----w- C:\Users\wcmav_000\Citrix
2014-09-16 05:43:59 -------- d-----w- C:\Program Files\OpenTTD
2014-09-15 12:34:19 -------- d-----w- C:\Program Files (x86)\ClearThink
.
==================== Find3M  ====================
.
2014-09-22 06:42:39 278152 ------w- C:\Windows\System32\MpSigStub.exe
2014-09-02 19:32:27 705480 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-09-02 19:32:27 104904 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-08-28 06:05:35 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2014-08-28 06:05:17 86528 ----a-w- C:\Windows\SysWow64\wudriver.dll
2014-08-28 06:05:17 128000 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2014-08-28 06:02:15 40448 ----a-w- C:\Windows\System32\wuapp.exe
2014-08-28 06:01:45 253440 ----a-w- C:\Windows\System32\WUSettingsProvider.dll
2014-08-28 06:01:45 144384 ----a-w- C:\Windows\System32\wuwebv.dll
2014-08-28 06:01:45 100352 ----a-w- C:\Windows\System32\wudriver.dll
2014-08-28 06:01:44 17920 ----a-w- C:\Windows\System32\wuaext.dll
2014-08-28 06:01:44 1623552 ----a-w- C:\Windows\System32\wucltux.dll
2014-08-28 06:01:15 176640 ----a-w- C:\Windows\System32\storewuauth.dll
2014-08-23 06:47:23 4036096 ----a-w- C:\Windows\System32\win32k.sys
2014-08-16 09:34:19 2239488 ----a-w- C:\Windows\System32\wininet.dll
2014-08-16 09:34:10 915968 ----a-w- C:\Windows\System32\uxtheme.dll
2014-08-16 09:32:57 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2014-08-16 09:32:05 1508864 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-08-16 07:37:20 1766400 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-08-16 07:36:19 2861568 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-08-16 07:35:44 1440768 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-08-15 20:06:57 447752 ----a-w- C:\Windows\SysWow64\vp6vfw.dll
2014-08-09 08:29:32 144896 ----a-w- C:\Windows\System32\tssdisai.dll
2014-07-24 03:33:25 869544 ----a-w- C:\Windows\System32\msvcr120_clr0400.dll
2014-07-24 03:33:01 875688 ----a-w- C:\Windows\SysWow64\msvcr120_clr0400.dll
2014-07-15 23:03:48 1300992 ----a-w- C:\Windows\System32\gdi32.dll
2014-07-12 02:36:04 1023488 ----a-w- C:\Windows\SysWow64\gdi32.dll
.
============= FINISH: 12:49:35.30 ===============
 

Edited by mistercoleman, 06 October 2014 - 03:11 PM.
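The "Running Processes" and "Created Last 30" sections of the DDS log above are what a helper reads first. As an added example (not part of the thread, and not code from the DDS tool or Malwarebytes), this Python script parses those two sections from a constructed sample in the same layout and flags the kinds of entries that stand out in this log: a process listed with no resolvable path, svchost.exe running outside System32 or without a `-k` service group, an unusual number of dllhost.exe (COM Surrogate) instances, and PE files created directly in the user's AppData\Roaming folder. The sample paths, the heuristics and the threshold are the editor's assumptions, not findings from the thread.

```python
"""Triage helper for the two DDS log sections a malware-removal helper reads first."""
import re
from collections import Counter

# Constructed sample in the DDS layout used in the post (paths shortened; not the thread's full log).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k RPCSS
C:\Windows\syswow64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe
svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
.
=============== Created Last 30 ================
.
2014-10-02 21:13:28 0 ----a-w- C:\Users\user\AppData\Roaming\smsyr.dll
2014-10-02 21:13:26 80384 ----a-w- C:\Users\user\AppData\Roaming\tynfwc.dll
2014-10-06 04:04:24 778752 ----a-w- C:\Windows\System32\oleaut32.dll
2014-10-06 03:46:15 -------- d-----w- C:\ProgramData\Malwarebytes
.
==================== Find3M  ====================
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# A process entry is an image path ending in .exe, optionally followed by arguments.
PROC_RE = re.compile(r"^(?P<path>.*?\.exe)(?P<args>\s+.*)?$", re.IGNORECASE)
# "Created Last 30" rows: timestamp, size (or dashes for a directory), attributes, path.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+|-+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)
# Assumed: a PE file dropped straight into one of these dirs (no vendor subfolder) is worth a look.
DROP_DIRS = (r"\appdata\roaming", r"\appdata\local\temp")


def parse_sections(text):
    """Split a DDS log into {section name: [content lines]}; '.' separator lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def triage_processes(lines, com_surrogate_threshold=10):
    """Return findings for a DDS 'Running Processes' section (threshold is an assumption)."""
    findings, basenames = [], Counter()
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            findings.append(f"unparsed process entry: {line}")
            continue
        path = m.group("path")
        args = (m.group("args") or "").strip()
        directory, _, base = path.rpartition("\\")
        base_l = base.lower()
        basenames[base_l] += 1
        if not directory:
            # DDS prints a bare image name when it could not resolve the process's path.
            findings.append(f"process listed without a path: {line}")
            continue
        if base_l == "svchost.exe":
            if not directory.lower().endswith(r"\system32"):
                findings.append(f"svchost.exe running outside System32: {path}")
            if not args.lower().startswith("-k "):
                findings.append(f"svchost.exe without a service group (-k): {line}")
    n = basenames["dllhost.exe"]
    if n >= com_surrogate_threshold:
        findings.append(f"{n} dllhost.exe (COM Surrogate) instances (threshold {com_surrogate_threshold})")
    return findings


def triage_created(lines):
    """Return findings for a DDS 'Created Last 30' section: PE files dropped directly into profile dirs."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        path, size = m.group("path"), m.group("size")
        directory, _, base = path.rpartition("\\")
        is_pe = base.lower().endswith((".dll", ".exe", ".sys"))
        if is_pe and directory.lower().endswith(DROP_DIRS):
            note = " (zero bytes: placeholder or failed write)" if size == "0" else ""
            findings.append(f"{m.group('ts')} PE file created directly in profile dir: {path}{note}")
    return findings


def triage(text, com_surrogate_threshold=10):
    """Run both checks over a DDS log and return {'processes': [...], 'created': [...]}."""
    sections = parse_sections(text)
    return {
        "processes": triage_processes(sections.get("Running Processes", []), com_surrogate_threshold),
        "created": triage_created(sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_DDS, com_surrogate_threshold=4).items():
        print(f"[{section}]")
        for finding in items:
            print("  -", finding)
```

The findings are leads for a human reviewer, not verdicts: a 32-bit svchost.exe or a burst of COM Surrogate processes can have benign causes, so each flagged path is something to check with the vendor signature and the on-disk file, as the helper's FRST request in the next post does.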


#2 nasdaq


  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 October 2014 - 07:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.
To attach a file, select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 mistercoleman

  • Topic Starter

  • Members
  • 6 posts

Posted 11 October 2014 - 08:57 AM

# AdwCleaner v3.311 - Report created 11/10/2014 at 08:39:04
# Updated 30/09/2014 by Xplode
# Operating System : Windows 8 Single Language  (64 bits)
# Username : wcmav_000 - COLEMAN-AVATAR
# Running from : C:\Users\wcmav_000\Downloads\adwcleaner_3.311.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16537
 
 
-\\ Google Chrome v37.0.2062.124
 
[ File : C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [3993 octets] - [05/10/2014 21:57:03]
AdwCleaner[R1].txt - [1017 octets] - [11/10/2014 08:37:44]
AdwCleaner[S0].txt - [3593 octets] - [05/10/2014 22:02:21]
AdwCleaner[S1].txt - [942 octets] - [11/10/2014 08:39:04]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1001 octets] ##########
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-10-2014
Ran by wcmav_000 (administrator) on COLEMAN-AVATAR on 11-10-2014 08:45:34
Running from C:\Users\wcmav_000\Desktop
Loaded Profile: wcmav_000 (Available profiles: wcmav_000)
Platform: Windows 8 Single Language (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Online Games Manager\ogmservice.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
(PlumChoice, Inc.) C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\PCMonitoringService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
() C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
(Pixart Imaging Inc) C:\Windows\System32\TiltWheelMouse.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MouseDriver] => C:\Windows\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [440632 2014-08-29] (Malwarebytes Corporation)
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\Run: [Spotify] => C:\Users\wcmav_000\AppData\Roaming\Spotify\Spotify.exe [6621752 2014-08-28] (Spotify Ltd)
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\Run: [Spotify Web Helper] => C:\Users\wcmav_000\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1245752 2014-08-28] (Spotify Ltd)
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\Run: [GoogleChromeAutoLaunch_63515899E1DB44F9AABF9C4DEC97953B] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [852808 2014-09-22] (Google Inc.)
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21648480 2014-07-02] (Skype Technologies S.A.)
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\MountPoints2: {213b712c-4a37-11e3-be87-94de80249113} - "F:\Setup.exe" 
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\MountPoints2: {4f6685a3-de8e-11e3-be8f-94de80249113} - "G:\HTC_Sync_Manager_PC.exe" 
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...\MountPoints2: {9c38a78a-108c-11e3-be7d-94de80249113} - "F:\HTC_Sync_Manager_PC.exe" 
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA3100 Genie.lnk
ShortcutTarget: NETGEAR WNA3100 Genie.lnk -> C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe ()
Startup: C:\Users\wcmav_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cox PC HealthCheck.lnk
ShortcutTarget: Cox PC HealthCheck.lnk -> C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\DesktopClient.exe (PlumChoice, Inc.)
Startup: C:\Users\wcmav_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll (IvoSoft)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 68.105.28.12 68.105.29.12 68.105.28.11
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKCU: ubisoft.com/uplaypc -> D:\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll ()
 
Chrome: 
=======
CHR HomePage: Default -> 
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3322295&octid=EB_ORIGINAL_CTID&ISID=MBB37C17B-5812-4D9E-96E0-6D7C59DCDA8A&SearchSource=55&CUI=&UM=6&UP=SP433F4686-94C8-476E-9A91-E9D0CC8C8DEE&SSPV="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-04-25]
CHR Extension: (Google Drive) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-04-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-29]
CHR Extension: (YouTube) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-25]
CHR Extension: (Google Search) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-25]
CHR Extension: (AdBlock) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-05-04]
CHR Extension: (Offline Bookshelf) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\jicgobmecmidffpgpmdgmeijhihpldoi [2014-02-28]
CHR Extension: (Youtube Subscriptions as Default Page) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\klljlfcipmgohgfdgmliaobikgdoeaah [2013-04-25]
CHR Extension: (Skype Click to Call) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-05-16]
CHR Extension: (Google Wallet) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-25]
CHR Extension: (Gmail) - C:\Users\wcmav_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-25]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2428088 2014-08-12] (Microsoft Corporation)
R2 COX CommunicationsMonitoringService; C:\Program Files (x86)\Cox, Inc\Cox PC HealthCheck\PCMonitoringService.exe [15104 2012-10-31] (PlumChoice, Inc.)
R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2013-11-18] (Nero AG)
S3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160256 2011-08-30] (Intel Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R3 KeyIso; C:\Windows\SysWOW64\keyiso.dll [43520 2012-07-25] (Microsoft Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [441144 2014-08-29] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S3 Netlogon; C:\Windows\SysWOW64\netlogon.dll [634368 2012-07-25] (Microsoft Corporation)
R2 ogmservice; C:\Program Files (x86)\Online Games Manager\ogmservice.exe [581568 2014-03-27] (RealNetworks, Inc.)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-05-19] ()
S3 StorSvc; C:\Windows\SysWOW64\storsvc.dll [18432 2012-07-25] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2014-03-29] (Microsoft Corporation)
R2 WSWNA3100; C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [307488 2012-09-03] ()
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [22680 2012-10-25] ()
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283064 2013-11-12] (Disc Soft Ltd)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63000 2014-08-30] ()
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2014-01-18] ()
S3 HtcVCom32; C:\Windows\system32\DRIVERS\HtcVComV64.sys [121800 2010-03-09] (QUALCOMM Incorporated)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-10-11] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2014-05-12] (Malwarebytes Corporation)
S3 NPF; C:\Windows\system32\DRIVERS\npf.sys [47632 2010-02-03] (CACE Technologies, Inc.)
R0 SCMNdisP; C:\Windows\System32\DRIVERS\scmndisp.sys [29472 2012-09-05] (SerComm Corporation)
S3 t_mouse.sys; C:\Windows\system32\DRIVERS\t_mouse.sys [6144 2013-04-09] ()
R3 xusb22; C:\Windows\System32\drivers\xusb22.sys [89088 2012-07-25] (Microsoft Corporation)
S1 knydzssc; \??\C:\Windows\system32\drivers\knydzssc.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-11 08:45 - 2014-10-11 08:46 - 00021245 _____ () C:\Users\wcmav_000\Desktop\FRST.txt
2014-10-11 08:44 - 2014-10-11 08:45 - 00000000 ____D () C:\FRST
2014-10-11 08:43 - 2014-10-11 08:43 - 00001081 _____ () C:\Users\wcmav_000\Desktop\AdwCleaner[S1].txt
2014-10-11 08:35 - 2014-10-11 08:35 - 02109952 _____ (Farbar) C:\Users\wcmav_000\Desktop\FRST64.exe
2014-10-11 08:35 - 2014-10-11 08:35 - 01375089 _____ () C:\Users\wcmav_000\Downloads\adwcleaner_3.311 (1).exe
2014-10-10 14:50 - 2014-10-11 02:05 - 00015147 _____ () C:\Users\wcmav_000\Documents\Monthly Payments.xlsx
2014-10-08 16:29 - 2014-10-08 16:29 - 00000051 _____ () C:\Users\wcmav_000\Documents\sleep machine.txt
2014-10-08 02:41 - 2014-10-08 16:07 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\Skyborn
2014-10-07 19:57 - 2014-10-07 23:11 - 00000000 ____D () C:\Users\wcmav_000\Documents\Endless Legend
2014-10-07 19:55 - 2013-08-14 13:41 - 00028776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aspnet_counters.dll
2014-10-07 19:54 - 2013-08-14 13:40 - 00030312 _____ (Microsoft Corporation) C:\Windows\system32\aspnet_counters.dll
2014-10-07 13:14 - 2014-10-07 13:14 - 00003204 _____ () C:\Windows\System32\Tasks\WindowedBorderlessGaming-wcmav_000
2014-10-07 13:13 - 2014-10-07 13:13 - 00554614 _____ () C:\Users\wcmav_000\Downloads\WindowedBorderlessGaming_2.1.0.0.zip
2014-10-07 02:40 - 2014-10-07 02:40 - 00006597 _____ () C:\Users\wcmav_000\Downloads\Willing.txt
2014-10-07 02:38 - 2014-10-07 02:38 - 00003591 _____ () C:\Users\wcmav_000\Downloads\slave_hypno.txt
2014-10-06 16:59 - 2014-08-20 18:40 - 00732880 _____ (Microsoft Corporation) C:\Windows\system32\NotificationUI.exe
2014-10-06 16:59 - 2014-08-20 12:05 - 00694784 _____ (Microsoft Corporation) C:\Windows\system32\WSShared.dll
2014-10-06 16:59 - 2014-08-20 12:05 - 00198656 _____ (Microsoft Corporation) C:\Windows\system32\Windows.ApplicationModel.Store.dll
2014-10-06 16:59 - 2014-08-20 12:05 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll
2014-10-06 16:59 - 2014-08-20 12:02 - 00567808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSShared.dll
2014-10-06 16:59 - 2014-08-20 12:02 - 00124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll
2014-10-06 16:59 - 2014-06-24 02:35 - 00010450 _____ () C:\Windows\system32\autoconfig.cab
2014-10-06 16:59 - 2014-06-24 01:41 - 10115584 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2014-10-06 16:59 - 2014-06-24 01:40 - 00125952 _____ (Microsoft Corporation) C:\Windows\system32\WinSetupUI.dll
2014-10-06 16:59 - 2014-06-24 01:39 - 02307072 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-10-06 16:59 - 2014-06-24 01:39 - 02146304 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2014-10-06 16:59 - 2014-06-23 23:08 - 08858624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2014-10-06 16:59 - 2014-06-23 23:06 - 02037760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-10-06 16:59 - 2014-06-23 23:06 - 00754176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\actxprxy.dll
2014-10-06 16:09 - 2014-10-06 16:09 - 00000017 _____ () C:\Users\wcmav_000\Documents\doctor's appointment.txt
2014-10-06 15:30 - 2014-10-06 15:31 - 00509824 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-06 15:12 - 2014-10-06 15:12 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\KSafe
2014-10-06 15:12 - 2014-10-06 15:12 - 00000000 ____D () C:\ProgramData\KSafe
2014-10-06 15:07 - 2014-10-06 15:07 - 00000000 ____D () C:\Program Files (x86)\DllTool
2014-10-06 15:06 - 2014-10-06 15:07 - 08473440 _____ ( ) C:\Users\wcmav_000\Downloads\DllTool.exe
2014-10-06 12:49 - 2014-10-06 12:49 - 00029399 _____ () C:\Users\wcmav_000\Desktop\attach.txt
2014-10-06 12:49 - 2014-10-06 12:49 - 00025148 _____ () C:\Users\wcmav_000\Desktop\dds.txt
2014-10-06 12:45 - 2014-10-06 12:45 - 00688992 ____R (Swearware) C:\Users\wcmav_000\Desktop\dds.com
2014-10-06 12:45 - 2014-10-06 12:45 - 00050477 _____ () C:\Users\wcmav_000\Downloads\Defogger.exe
2014-10-06 12:45 - 2014-10-06 12:45 - 00000550 _____ () C:\Users\wcmav_000\Downloads\defogger_disable.log
2014-10-06 12:45 - 2014-10-06 12:45 - 00000168 _____ () C:\Users\wcmav_000\defogger_reenable
2014-10-06 00:10 - 2014-07-15 17:51 - 00071168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hdaudbus.sys
2014-10-06 00:02 - 2014-08-16 04:34 - 02239488 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-06 00:02 - 2014-08-16 04:34 - 01407488 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-06 00:02 - 2014-08-16 04:34 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-10-06 00:02 - 2014-08-16 04:34 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-06 00:02 - 2014-08-16 04:33 - 19280384 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-06 00:02 - 2014-08-16 04:33 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-06 00:02 - 2014-08-16 04:33 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 01508864 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-06 00:02 - 2014-08-16 04:32 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-06 00:02 - 2014-08-16 04:32 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-06 00:02 - 2014-08-16 02:37 - 01766400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-10-06 00:02 - 2014-08-16 02:37 - 01180672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 14369280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 13757440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-10-06 00:02 - 2014-08-16 02:36 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-10-06 00:02 - 2014-08-16 02:35 - 01440768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-10-06 00:02 - 2014-03-06 19:47 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-10-05 23:47 - 2014-06-10 17:44 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-10-05 23:47 - 2014-06-10 17:43 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2014-10-05 23:05 - 2014-06-17 18:27 - 01440256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\osk.exe
2014-10-05 23:05 - 2014-06-17 18:24 - 01557504 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-10-05 23:04 - 2013-10-05 01:10 - 00285016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\spaceport.sys
2014-10-05 23:04 - 2013-10-01 21:50 - 00447320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBHUB3.SYS
2014-10-05 23:04 - 2013-09-28 00:48 - 00778752 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-10-05 23:04 - 2013-09-27 22:58 - 00551424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-10-05 23:04 - 2013-08-30 00:19 - 00626688 _____ (Microsoft Corporation) C:\Windows\system32\resutils.dll
2014-10-05 23:04 - 2013-08-30 00:18 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\clusapi.dll
2014-10-05 23:04 - 2013-08-29 18:48 - 00488960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\resutils.dll
2014-10-05 23:04 - 2013-08-29 18:47 - 00302080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\clusapi.dll
2014-10-05 23:03 - 2014-06-02 17:33 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\InkEd.dll
2014-10-05 23:02 - 2014-07-23 22:33 - 00875688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr120_clr0400.dll
2014-10-05 23:02 - 2014-07-23 22:33 - 00869544 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2014-10-05 23:02 - 2014-05-03 01:34 - 06974808 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-10-05 23:02 - 2014-05-03 01:33 - 01824808 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2014-10-05 23:02 - 2014-05-02 23:51 - 01408976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2014-10-05 23:02 - 2014-05-01 17:37 - 01023488 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2014-10-05 23:02 - 2014-04-29 17:32 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\Robocopy.exe
2014-10-05 23:02 - 2014-04-29 17:32 - 00106496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Robocopy.exe
2014-10-05 23:02 - 2014-03-28 14:19 - 00035856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys
2014-10-05 23:02 - 2014-03-23 17:11 - 00269592 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys
2014-10-05 23:01 - 2014-08-23 01:47 - 04036096 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-05 23:01 - 2014-07-15 18:03 - 01300992 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-10-05 23:01 - 2014-07-11 21:36 - 01023488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-10-05 23:01 - 2014-03-10 22:25 - 00100184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-10-05 23:01 - 2014-03-10 19:41 - 00559104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-10-05 23:01 - 2014-03-10 19:41 - 00323072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-10-05 23:01 - 2014-03-10 19:41 - 00038400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-10-05 23:01 - 2014-03-10 19:39 - 00035840 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-10-05 23:01 - 2014-03-10 19:38 - 00982016 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-10-05 23:01 - 2014-03-10 19:38 - 00684032 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-10-05 23:01 - 2014-03-10 19:38 - 00419328 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-10-05 23:01 - 2014-03-10 19:38 - 00179712 _____ (Microsoft Corporation) C:\Windows\system32\dpapisrv.dll
2014-10-05 23:01 - 2014-03-10 19:38 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-10-05 23:01 - 2014-03-10 19:38 - 00045056 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-10-05 23:01 - 2014-03-10 19:38 - 00027648 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-10-05 23:01 - 2014-03-09 22:05 - 00668160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-10-05 23:01 - 2014-03-09 20:27 - 00099840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-10-05 23:01 - 2014-01-12 18:30 - 02238976 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-10-05 23:01 - 2014-01-12 18:30 - 02032640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2014-10-05 23:01 - 2013-12-04 18:43 - 00583680 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-10-05 23:01 - 2013-12-04 18:37 - 00451072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdrm.dll
2014-10-05 23:01 - 2013-11-19 19:15 - 03842560 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-10-05 23:01 - 2013-11-19 18:57 - 03288576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2014-10-05 23:01 - 2013-10-31 00:56 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\MPSSVC.dll
2014-10-05 23:01 - 2013-10-31 00:56 - 00758784 _____ (Microsoft Corporation) C:\Windows\system32\FirewallAPI.dll
2014-10-05 23:01 - 2013-10-30 23:01 - 00550400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FirewallAPI.dll
2014-10-05 23:01 - 2013-10-30 22:42 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mpsdrv.sys
2014-10-05 23:01 - 2013-10-13 15:49 - 00100696 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\disk.sys
2014-10-05 23:01 - 2013-10-10 04:32 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2014-10-05 23:01 - 2013-10-10 04:30 - 00162304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrobj.dll
2014-10-05 23:01 - 2013-10-10 04:30 - 00156160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrrun.dll
2014-10-05 23:01 - 2013-10-10 04:24 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2014-10-05 23:01 - 2013-10-10 04:23 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2014-10-05 23:01 - 2013-10-10 04:22 - 00222720 _____ (Microsoft Corporation) C:\Windows\system32\scrobj.dll
2014-10-05 23:01 - 2013-10-10 04:22 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2014-10-05 23:01 - 2013-08-27 00:21 - 00227840 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2014-10-05 23:01 - 2013-08-27 00:19 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\davclnt.dll
2014-10-05 23:01 - 2013-08-26 17:29 - 00199168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WebClnt.dll
2014-10-05 23:01 - 2013-08-26 17:28 - 00086016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\davclnt.dll
2014-10-05 22:59 - 2014-08-09 03:29 - 00144896 _____ (Microsoft Corporation) C:\Windows\system32\tssdisai.dll
2014-10-05 22:59 - 2014-06-19 18:35 - 01312768 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2014-10-05 22:59 - 2014-06-19 17:24 - 00694272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2014-10-05 22:59 - 2014-06-06 09:06 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-10-05 22:59 - 2014-06-06 05:17 - 00497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-10-05 22:59 - 2014-06-05 12:56 - 00112984 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-10-05 22:59 - 2014-06-05 12:29 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-10-05 22:59 - 2014-06-05 12:29 - 00393216 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-10-05 22:59 - 2014-06-05 08:11 - 02416128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-10-05 22:59 - 2014-06-05 08:11 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-10-05 22:59 - 2014-04-03 06:22 - 02233176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-10-05 22:59 - 2014-01-30 19:48 - 01339392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-10-05 22:59 - 2014-01-30 19:06 - 01628160 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-10-05 22:59 - 2013-09-27 22:35 - 00288768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2014-10-05 22:59 - 2013-08-23 02:22 - 02062848 _____ (Microsoft Corporation) C:\Windows\system32\d3d11.dll
2014-10-05 22:59 - 2013-08-22 20:44 - 01711616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2014-10-05 22:58 - 2014-08-09 03:30 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe
2014-10-05 22:58 - 2014-03-01 04:47 - 01258496 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-10-05 22:58 - 2014-03-01 04:47 - 01120768 _____ (Microsoft Corporation) C:\Windows\system32\gpedit.dll
2014-10-05 22:58 - 2014-03-01 03:07 - 01075200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpedit.dll
2014-10-05 22:58 - 2014-03-01 01:59 - 00974848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2014-10-05 22:58 - 2014-02-26 18:18 - 00370688 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2014-10-05 22:58 - 2014-02-26 18:18 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2014-10-05 22:58 - 2014-02-26 18:18 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2014-10-05 22:58 - 2014-02-14 23:15 - 00078336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\IPMIDrv.sys
2014-10-05 22:58 - 2013-11-25 18:17 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2014-10-05 22:48 - 2014-10-05 22:48 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Exploit.lnk
2014-10-05 22:48 - 2014-10-05 22:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2014-10-05 22:47 - 2014-10-11 08:44 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2014-10-05 22:47 - 2014-10-11 08:42 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-05 22:47 - 2014-10-05 22:47 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Exploit
2014-10-05 22:46 - 2014-10-05 22:46 - 00001113 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-05 22:46 - 2014-10-05 22:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-05 22:46 - 2014-10-05 22:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-05 22:46 - 2014-10-05 22:46 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-05 22:46 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-05 22:46 - 2014-05-12 07:26 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-05 22:46 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-05 22:14 - 2014-08-28 06:34 - 00059400 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-10-05 22:14 - 2014-08-28 01:05 - 00630272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-10-05 22:14 - 2014-08-28 01:05 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-10-05 22:14 - 2014-08-28 01:05 - 00086528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-10-05 22:14 - 2014-08-28 01:05 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-10-05 22:14 - 2014-08-28 01:02 - 00040448 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-10-05 22:14 - 2014-08-28 01:01 - 03285504 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 01623552 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 00253440 _____ (Microsoft Corporation) C:\Windows\system32\WUSettingsProvider.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\storewuauth.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-10-05 22:14 - 2014-08-28 01:01 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\wuaext.dll
2014-10-05 22:14 - 2014-02-03 18:56 - 00332632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-10-05 22:14 - 2014-02-03 18:56 - 00278872 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-10-05 22:14 - 2014-01-30 19:48 - 00485888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSDApi.dll
2014-10-05 22:14 - 2014-01-30 19:06 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\WSDApi.dll
2014-10-05 22:14 - 2014-01-26 22:39 - 01939288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-10-05 22:14 - 2014-01-15 18:42 - 00118784 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2014-10-05 22:14 - 2014-01-11 01:48 - 05979648 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-05 22:14 - 2014-01-11 00:06 - 05092352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-10-05 22:14 - 2014-01-02 18:35 - 00365568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2014-10-05 22:14 - 2014-01-02 18:32 - 00523264 _____ (Microsoft Corporation) C:\Windows\system32\XpsGdiConverter.dll
2014-10-05 22:12 - 2014-07-25 12:55 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-10-05 22:12 - 2014-07-25 12:49 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-10-05 22:12 - 2014-07-25 12:49 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-10-05 22:12 - 2014-07-25 12:49 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-10-05 22:12 - 2014-06-12 20:57 - 01453400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-10-05 22:12 - 2014-06-12 20:55 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2014-10-05 22:12 - 2014-01-30 19:48 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll
2014-10-05 22:12 - 2013-10-10 06:53 - 00096600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wfplwfs.sys
2014-10-05 22:12 - 2013-10-10 04:21 - 01160192 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2014-10-05 22:12 - 2013-10-10 04:20 - 00723968 _____ (Microsoft Corporation) C:\Windows\system32\BFE.DLL
2014-10-05 22:11 - 2014-10-05 22:12 - 00005647 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_67-b01.log
2014-10-05 22:11 - 2014-06-04 20:12 - 00678600 _____ (Microsoft Corporation) C:\Windows\system32\msvcp120_clr0400.dll
2014-10-05 22:11 - 2014-06-03 18:12 - 00536776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp120_clr0400.dll
2014-10-05 22:11 - 2014-05-03 00:47 - 03246592 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-10-05 22:11 - 2014-05-02 22:34 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2014-10-05 22:11 - 2014-04-02 22:44 - 00619008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2014-10-05 22:11 - 2014-03-31 17:08 - 00387268 _____ () C:\Windows\system32\ApnDatabase.xml
2014-10-05 22:11 - 2014-03-24 18:42 - 00305152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wusa.exe
2014-10-05 22:11 - 2014-03-24 17:56 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\wusa.exe
2014-10-05 22:11 - 2013-10-19 00:45 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2014-10-05 22:11 - 2013-10-18 23:04 - 00059392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2014-10-05 22:02 - 2013-07-24 18:07 - 13661696 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Xaml.dll
2014-10-05 22:01 - 2014-05-29 18:31 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2014-10-05 22:01 - 2014-05-29 18:03 - 00588288 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2014-10-05 22:01 - 2014-05-29 18:02 - 01281536 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-10-05 22:01 - 2014-05-29 18:02 - 00439808 _____ (Microsoft Corporation) C:\Windows\system32\lsm.dll
2014-10-05 22:01 - 2014-04-12 04:27 - 00172888 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-10-05 22:01 - 2014-04-12 04:10 - 00578048 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-05 22:01 - 2014-04-12 04:09 - 01043968 _____ (Microsoft Corporation) C:\Windows\system32\usercpl.dll
2014-10-05 22:01 - 2014-04-12 04:09 - 00208896 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-10-05 22:01 - 2014-04-12 04:09 - 00094720 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-05 22:01 - 2014-04-12 04:08 - 00827904 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-10-05 22:01 - 2014-04-12 04:08 - 00318464 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-10-05 22:01 - 2014-04-12 04:07 - 00020480 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-05 22:01 - 2014-04-12 02:23 - 00961536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usercpl.dll
2014-10-05 22:01 - 2014-04-12 02:23 - 00273920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-10-05 22:01 - 2014-04-12 02:23 - 00178688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-10-05 22:01 - 2014-04-12 02:23 - 00076800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-10-05 22:01 - 2014-04-12 02:22 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-10-05 22:01 - 2014-04-12 02:22 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-05 22:01 - 2014-04-12 01:58 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\workerdd.dll
2014-10-05 22:01 - 2014-03-28 03:23 - 19759104 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-10-05 22:01 - 2014-03-28 01:18 - 17562112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-10-05 22:01 - 2014-03-03 18:07 - 00570216 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2014-10-05 22:01 - 2013-09-13 17:36 - 00247296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ubpm.dll
2014-10-05 22:01 - 2013-09-13 17:33 - 00328192 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll
2014-10-05 22:01 - 2013-08-30 00:43 - 00061784 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\crashdmp.sys
2014-10-05 22:01 - 2013-08-30 00:20 - 01173504 _____ (Microsoft Corporation) C:\Windows\system32\UIAutomationCore.dll
2014-10-05 22:01 - 2013-08-29 18:48 - 00914432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UIAutomationCore.dll
2014-10-05 22:01 - 2013-08-21 01:39 - 00465240 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fvevol.sys
2014-10-05 22:01 - 2013-08-10 01:30 - 00151896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tpm.sys
2014-10-05 22:01 - 2013-07-24 18:10 - 10799104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Xaml.dll
2014-10-05 22:01 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-10-05 21:56 - 2014-10-11 08:39 - 00000000 ____D () C:\AdwCleaner
2014-10-05 21:56 - 2014-10-05 21:56 - 01375089 _____ () C:\Users\wcmav_000\Downloads\adwcleaner_3.311.exe
2014-10-05 06:02 - 2013-10-01 18:37 - 01569280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2014-10-05 06:02 - 2013-10-01 18:26 - 01890816 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2014-10-05 05:50 - 2014-07-31 18:40 - 01287680 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2014-10-05 05:47 - 2014-05-28 23:04 - 00094552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2014-10-05 05:47 - 2014-05-07 20:34 - 00328024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Classpnp.sys
2014-10-05 05:46 - 2014-03-06 19:47 - 01419264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-10-05 05:46 - 2014-03-06 19:08 - 01845760 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-10-05 05:46 - 2013-11-01 00:38 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\msieftp.dll
2014-10-05 05:46 - 2013-10-31 22:49 - 00273408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msieftp.dll
2014-10-05 05:41 - 2014-05-29 17:24 - 00576512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-10-05 05:41 - 2013-12-08 19:45 - 00523776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-10-05 05:41 - 2013-12-08 18:59 - 00600064 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-05 05:40 - 2013-11-23 01:43 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2014-10-05 05:40 - 2013-11-23 00:05 - 00368640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2014-10-04 22:46 - 2014-10-04 22:53 - 123608824 _____ (Microsoft Corporation) C:\Users\wcmav_000\Downloads\msert.exe
2014-10-02 19:15 - 2014-10-02 19:15 - 00000226 _____ () C:\Users\wcmav_000\Desktop\Swedish Meatballs.txt
2014-10-02 16:23 - 2014-10-02 16:45 - 00000000 ____D () C:\Users\wcmav_000\Downloads\OC ReMix - 1 to 1000 [v20121012]
2014-10-02 16:18 - 2014-10-02 16:37 - 00000000 ____D () C:\Users\wcmav_000\Downloads\OC ReMix - 1001 to 2000 [v20121012]
2014-10-02 16:18 - 2014-10-02 16:18 - 00082162 _____ () C:\Users\wcmav_000\Downloads\OC_ReMix_-_1_to_1000_[v20121012].torrent
2014-10-02 16:13 - 2014-10-02 16:13 - 00102849 _____ () C:\Users\wcmav_000\Downloads\OC_ReMix_-_1001_to_2000_[v20121012].torrent
2014-10-02 16:13 - 2014-10-02 16:13 - 00080384 _____ () C:\Users\wcmav_000\AppData\Roaming\tynfwc.dll
2014-10-02 16:13 - 2014-10-02 16:13 - 00004076 _____ () C:\Windows\System32\Tasks\{4BD58B4D-2FE7-F7EF-26AE-E99DBD6E99BD}
2014-10-02 16:13 - 2014-10-02 16:13 - 00000000 _____ () C:\Users\wcmav_000\AppData\Roaming\smsyr.dll
2014-10-02 16:07 - 2014-10-02 16:13 - 00000000 ____D () C:\Users\wcmav_000\Downloads\OC ReMix - 2001 to 2500 [v20121012]
2014-10-02 16:00 - 2014-10-02 16:00 - 00054576 _____ () C:\Users\wcmav_000\Downloads\OC_ReMix_-_2001_to_2500_[v20121012].torrent
2014-10-02 14:59 - 2014-10-06 15:52 - 00000385 _____ () C:\Users\wcmav_000\Desktop\Smash Bros 3DS.txt
2014-10-01 14:46 - 2014-10-01 14:46 - 00002779 _____ () C:\Users\Public\Desktop\Schoolhouse Test 4.lnk
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wcmav_000\Documents\Schoolhouse Technologies
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\Schoolhouse Technologies
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Schoolhouse Technologies
2014-10-01 14:46 - 2014-10-01 14:46 - 00000000 ____D () C:\Program Files (x86)\Schoolhouse Technologies
2014-10-01 14:45 - 2014-10-01 14:45 - 22410344 _____ (Schoolhouse Technologies) C:\Users\wcmav_000\Downloads\SchoolhouseTest4EvaluationSetup.exe
2014-09-30 14:33 - 2014-09-30 14:33 - 00010472 _____ () C:\ProgramData\regid.2002-03.com.schoolhousetech_25E9AB98-8909-46D8-8DB6-EDCF1F32EB56.swidtag
2014-09-30 10:26 - 2014-09-30 10:27 - 113849512 _____ () C:\Users\wcmav_000\Downloads\EL Texture Pack 1.24.ftl
2014-09-30 10:26 - 2014-09-30 10:26 - 39117762 _____ () C:\Users\wcmav_000\Downloads\CE Additional Music Addon 1.248.ftl
2014-09-30 10:26 - 2014-09-30 10:26 - 02364521 _____ () C:\Users\wcmav_000\Downloads\CE Endless Loot Addon for CE Infinite 1.25c.ftl
2014-09-30 10:26 - 2014-09-30 10:26 - 00395571 _____ () C:\Users\wcmav_000\Downloads\CE Infinite Addon 1.25.ftl
2014-09-30 10:25 - 2014-09-30 10:25 - 82459960 _____ () C:\Users\wcmav_000\Downloads\CE Resource Pack 1.25.ftl
2014-09-30 10:25 - 2014-09-30 10:25 - 02077137 _____ () C:\Users\wcmav_000\Downloads\FTL Captains Edition 1.25.ftl
2014-09-30 10:20 - 2014-09-30 10:20 - 00000000 ____D () C:\Users\wcmav_000\Desktop\Slipstream Mod Manager v1.4-Win
2014-09-30 10:19 - 2014-09-30 10:19 - 02685565 _____ () C:\Users\wcmav_000\Downloads\Slipstream Mod Manager v1.4-Win.zip
2014-09-25 15:51 - 2014-10-09 06:59 - 00000000 ____D () C:\Users\wcmav_000\Documents\My Kindle Content
2014-09-25 15:51 - 2014-09-25 15:51 - 00002265 _____ () C:\Users\wcmav_000\Desktop\Kindle.lnk
2014-09-25 15:51 - 2014-09-25 15:51 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
2014-09-25 15:51 - 2014-09-25 15:51 - 00000000 ____D () C:\Users\wcmav_000\AppData\Local\Amazon
2014-09-25 15:50 - 2014-09-25 15:51 - 38157960 _____ (Amazon.com) C:\Users\wcmav_000\Downloads\KindleForPC-installer.exe
2014-09-23 20:32 - 2014-09-23 20:32 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\Arrowhead
2014-09-22 21:00 - 2014-09-22 21:00 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\RotMG.Production
2014-09-18 18:28 - 2014-09-18 18:28 - 00000000 ____D () C:\Users\wcmav_000\Citrix
2014-09-18 18:09 - 2014-09-18 18:10 - 93379512 _____ (Ingram Content Group) C:\Users\wcmav_000\Downloads\BookshelfSetup.exe
2014-09-18 18:04 - 2014-09-18 18:04 - 00007880 _____ () C:\Users\wcmav_000\Downloads\calcMortgage.zip
2014-09-17 12:55 - 2014-09-17 12:55 - 00440320 _____ () C:\Users\wcmav_000\Downloads\NoCAB (1).tar
2014-09-17 12:54 - 2014-09-17 12:54 - 00440320 _____ () C:\Users\wcmav_000\Downloads\NoCAB.tar
2014-09-16 00:44 - 2014-09-18 23:55 - 00000000 ____D () C:\Users\wcmav_000\Documents\OpenTTD
2014-09-16 00:44 - 2014-09-16 00:44 - 00000803 _____ () C:\Users\Public\Desktop\OpenTTD.lnk
2014-09-16 00:44 - 2014-09-16 00:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenTTD
2014-09-16 00:43 - 2014-09-16 00:44 - 00000000 ____D () C:\Program Files\OpenTTD
2014-09-16 00:43 - 2014-09-16 00:43 - 07780242 _____ (OpenTTD Developers) C:\Users\wcmav_000\Downloads\openttd-1.4.2-windows-win64.exe
2014-09-15 07:34 - 2014-09-15 13:30 - 00000000 ____D () C:\Program Files (x86)\ClearThink
2014-09-15 07:33 - 2014-09-15 07:33 - 00781968 _____ ( ) C:\Users\wcmav_000\Downloads\3DS1031 - Dairantou Smash Brothers for Nintendo 3DS.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-11 08:43 - 2014-05-22 01:08 - 00000000 ____D () C:\Users\wcmav_000\AppData\Local\HTC MediaHub
2014-10-11 08:43 - 2013-04-25 17:52 - 00000934 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-11 08:43 - 2013-04-25 17:52 - 00000930 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-11 08:41 - 2013-01-09 06:45 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-10-11 08:41 - 2013-01-09 06:14 - 00066900 _____ () C:\Windows\PFRO.log
2014-10-11 08:41 - 2012-07-26 02:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-11 08:40 - 2013-04-26 08:34 - 01620163 _____ () C:\Windows\WindowsUpdate.log
2014-10-11 08:40 - 2012-07-26 00:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2014-10-11 08:35 - 2013-11-02 11:04 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\ClassicShell
2014-10-11 08:35 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\system32\sru
2014-10-11 02:29 - 2013-04-25 17:54 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2694031944-2303888784-2672762269-1002
2014-10-10 20:39 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\rescache
2014-10-10 20:12 - 2012-07-26 03:12 - 00000000 ___RD () C:\Windows\ToastData
2014-10-10 20:12 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\WinStore
2014-10-10 20:11 - 2013-10-25 16:39 - 00000000 ____D () C:\Users\wcmav_000\AppData\Local\Battle.net
2014-10-09 23:53 - 2013-04-26 09:37 - 00000000 ____D () C:\Users\wcmav_000\Documents\StarCraft II
2014-10-08 15:52 - 2013-05-02 12:41 - 01754112 ___SH () C:\Users\wcmav_000\Desktop\Thumbs.db
2014-10-08 01:24 - 2014-07-30 21:07 - 00000000 ____D () C:\Users\wcmav_000\Downloads\Old Video
2014-10-08 00:27 - 2013-05-20 17:05 - 00000000 ____D () C:\Users\wcmav_000\Documents\SavedGames
2014-10-07 19:56 - 2012-07-26 02:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-10-07 19:38 - 2013-10-25 16:39 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2014-10-06 15:27 - 2013-05-20 16:06 - 00000000 ___RD () C:\Users\wcmav_000\Desktop\EADM
2014-10-06 12:45 - 2013-04-25 17:46 - 00000000 ____D () C:\Users\wcmav_000
2014-10-06 05:19 - 2012-07-26 02:28 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-06 05:12 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-10-06 05:12 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-10-06 05:12 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-10-06 05:12 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2014-10-06 05:12 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files\Windows Defender
2014-10-06 05:12 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2014-10-06 05:12 - 2012-07-26 02:52 - 00000000 ____D () C:\Program Files\Windows Journal
2014-10-06 05:10 - 2012-07-26 00:38 - 00000000 ____D () C:\Windows\system32\oobe
2014-10-06 05:09 - 2013-07-12 19:43 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-10-06 05:08 - 2013-07-12 19:43 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-10-06 00:24 - 2013-10-19 16:47 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-06 00:20 - 2012-07-26 00:26 - 00000269 _____ () C:\Windows\win.ini
2014-10-06 00:06 - 2013-07-12 19:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-10-06 00:01 - 2013-09-24 15:50 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-05 22:13 - 2013-11-17 12:50 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-05 22:12 - 2013-06-22 21:20 - 00000000 ____D () C:\Program Files (x86)\Java
2014-10-05 21:23 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\system32\SecureBootUpdates
2014-10-05 05:08 - 2012-10-28 19:35 - 00086742 _____ () C:\Users\Public\Documents\Cox PC HealthCheck Report.log
2014-10-04 23:04 - 2013-06-18 15:04 - 00000000 ____D () C:\Users\wcmav_000\Downloads\BBF
2014-10-04 23:04 - 2013-05-29 00:48 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\vlc
2014-10-04 22:11 - 2013-04-25 17:51 - 00000000 ____D () C:\Users\wcmav_000\AppData\Local\Google
2014-10-02 16:13 - 2012-07-26 00:38 - 00000000 ____D () C:\Windows\system32\Sysprep
2014-10-01 16:22 - 2013-04-25 18:21 - 00000314 _____ () C:\Windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job
2014-09-25 15:42 - 2013-05-15 20:29 - 00000000 ____D () C:\Users\wcmav_000\AppData\Roaming\Skype
2014-09-25 15:42 - 2013-05-04 09:57 - 00013105 _____ () C:\Users\wcmav_000\Documents\GameDevTycoon.ods
2014-09-25 14:17 - 2013-08-31 10:42 - 00000000 ____D () C:\Users\wcmav_000\AppData\Local\Game Dev Tycoon - Steam
2014-09-22 19:26 - 2013-10-25 16:40 - 00000000 ____D () C:\Program Files (x86)\Hearthstone
2014-09-22 01:42 - 2013-04-27 10:02 - 00278152 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-09-21 22:41 - 2014-02-15 15:24 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-09-20 16:21 - 2013-04-25 18:21 - 00000330 _____ () C:\Windows\Tasks\DLL-Files.Com Fixer_Updates.job
2014-09-15 07:49 - 2012-07-26 00:26 - 00262144 ___SH () C:\Windows\system32\config\ELAM
 
Files to move or delete:
====================
C:\ProgramData\hash.dat
C:\Users\wcmav_000\jagex_cl_runescape_LIVE.dat
C:\Users\wcmav_000\random.dat
 
 
Some content of TEMP:
====================
C:\Users\wcmav_000\AppData\Local\Temp\bridj.dll6202910825017277389.dll
C:\Users\wcmav_000\AppData\Local\Temp\bridj.dll7669273495829818976.dll
C:\Users\wcmav_000\AppData\Local\Temp\bstrapInstall.exe
C:\Users\wcmav_000\AppData\Local\Temp\converter.exe
C:\Users\wcmav_000\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\wcmav_000\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\wcmav_000\AppData\Local\Temp\msxml6-KB927977-enu-amd64.exe
C:\Users\wcmav_000\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\wcmav_000\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\wcmav_000\AppData\Local\Temp\nvSCPAPISvr.exe
C:\Users\wcmav_000\AppData\Local\Temp\nvStInst.exe
C:\Users\wcmav_000\AppData\Local\Temp\OfficeSetup.exe
C:\Users\wcmav_000\AppData\Local\Temp\ose00000.exe
C:\Users\wcmav_000\AppData\Local\Temp\Quarantine.exe
C:\Users\wcmav_000\AppData\Local\Temp\Setup_Downloader_3.5.2_stable.exe
C:\Users\wcmav_000\AppData\Local\Temp\Setup_Downloader_3.6.0_stable.exe
C:\Users\wcmav_000\AppData\Local\Temp\SkypeSetup.exe
C:\Users\wcmav_000\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
C:\Users\wcmav_000\AppData\Local\Temp\tmp74AE.tmp.exe
C:\Users\wcmav_000\AppData\Local\Temp\utt709F.tmp.exe
C:\Users\wcmav_000\AppData\Local\Temp\uttA78B.tmp.exe
C:\Users\wcmav_000\AppData\Local\Temp\uttC28F.tmp.exe
C:\Users\wcmav_000\AppData\Local\Temp\vlc-2.0.8-win32.exe
C:\Users\wcmav_000\AppData\Local\Temp\xmlUpdater.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-05 06:37
 
==================== End Of Log ============================
 
The computer is still having the same problems. The only item ADW Cleaner found and removed was something Malwarebytes claimed to have quarantined. 

 

Edited by mistercoleman, 11 October 2014 - 08:57 AM.


#4 nasdaq

  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 October 2014 - 09:37 AM


I identified a bad Poweliks infection.

First please run this tool.

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Restart the computer normally and execute the following instructions.

Clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

In Windows 7 and 8, press [Windows Icon + R] and enter "notepad" in the box to open Notepad.

    start
    
    HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
    CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3322295&octid=EB_ORIGINAL_CTID&ISID=MBB37C17B-5812-4D9E-96E0-6D7C59DCDA8A&SearchSource=55&CUI=&UM=6&UP=SP433F4686-94C8-476E-9A91-E9D0CC8C8DEE&SSPV="
    S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
    S1 knydzssc; \??\C:\Windows\system32\drivers\knydzssc.sys [X]
    S3 MSICDSetup; \??\D:\CDriver64.sys [X]
    
    end
    

    Save the files as fixlist.txt in to the same folder as FRST

    Run FRST and click Fix only once and wait.

    Restart the computer to reset the registry.

    The tool will create a log (Fixlog.txt) please post it to your reply.

    ====

    Post the logs and let me know what problem persists.
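The fix list above flags a CLSID LocalServer32 value that launches rundll32.exe with a javascript: argument, and the quoted eval() string is obfuscated by shifting every character up one code point. The following is an added example (not part of the thread, FRST or RogueKiller) that scans FRST-style registry lines for that pattern and decodes the quoted fragment so an analyst can see what the script starts with; the second sample line is a constructed benign entry for contrast.

```python
"""Flag Poweliks-style CLSID LocalServer32 entries in FRST-style registry lines.

Added example, not part of the original thread or of the FRST/RogueKiller tools.
SAMPLE_LINES is constructed: the first line reproduces the entry quoted in the
fix list, the second is a made-up benign out-of-process COM server.
"""
import re

# FRST notation: "HKU\...\localserver32: <command line>"
LOCALSERVER32_RE = re.compile(
    r"^(?P<key>HKU\\[^:]*?\\localserver32):\s*(?P<value>.*)$", re.IGNORECASE
)

# A LocalServer32 value should name an executable. rundll32.exe handed a
# "javascript:" argument is the persistence pattern the fix list marks as Poweliks.
POWELIKS_MARKER_RE = re.compile(r"rundll32(\.exe)?\s+javascript:", re.IGNORECASE)

# The obfuscated eval() argument has no spaces (a space became "!"), so the
# fragment ends at the first whitespace or closing quote.
EVAL_ARG_RE = re.compile(r'eval\("([^"\s]*)')


def decode_shift1(text: str) -> str:
    """Undo the one-step character shift used in the quoted eval() string.

    Every character of the obfuscated text is one code point above the
    plaintext (e -> d, p -> o, '/' -> '.', '!' -> ' '), so subtracting one
    recovers it.
    """
    return "".join(chr(ord(c) - 1) for c in text)


def find_poweliks_localserver32(lines):
    """Return (key, value, decoded_fragment) for each suspicious entry."""
    hits = []
    for line in lines:
        m = LOCALSERVER32_RE.match(line.strip())
        if not m or not POWELIKS_MARKER_RE.search(m.group("value")):
            continue
        value = m.group("value")
        ev = EVAL_ARG_RE.search(value)
        decoded = decode_shift1(ev.group(1)) if ev else ""
        hits.append((m.group("key"), value, decoded))
    return hits


# Constructed sample input (first line quoted from the thread's fix list).
SAMPLE_LINES = [
    r'HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!',
    # Constructed benign entry: a normal executable, no script protocol.
    r'HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\localserver32: "C:\Program Files\ExampleVendor\ExampleServer.exe"',
]


if __name__ == "__main__":
    for key, value, decoded in find_poweliks_localserver32(SAMPLE_LINES):
        print("suspicious LocalServer32:", key)
        print("  value starts with:", value[:60])
        print("  decoded script fragment:", decoded)
```

The decoded fragment for the quoted entry begins `document.write('<script language=jscr`, which is why FRST tags the key as Poweliks rather than a normal COM server registration.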





#5 mistercoleman
  • Topic Starter
  • Members
  • 6 posts

Posted 11 October 2014 - 12:02 PM

RogueKiller V10.0.1.0 (x64) [Oct 10 2014] by Adlice Software
 
Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : wcmav_000 [Administrator]
Mode : Delete -- Date : 10/11/2014  10:03:48
 
¤¤¤ Processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe -- C:\Windows\system32\svchost.exe[-] -> Killed [TermProc]
[Proc.Svchost] svchost.exe -- C:\Windows\SysWow64\svchost.exe[-] -> Killed [TermThr]
 
¤¤¤ Registry : 29 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\etdrv (\??\C:\Windows\etdrv.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gdrv (\??\C:\Windows\gdrv.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GVTDrv64 (\??\C:\Windows\GVTDrv64.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etdrv (\??\C:\Windows\etdrv.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gdrv (\??\C:\Windows\gdrv.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GVTDrv64 (\??\C:\Windows\GVTDrv64.sys) -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56058;https=127.0.0.1:56058  -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56058;https=127.0.0.1:56058  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56058;https=127.0.0.1:56058  -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56058;https=127.0.0.1:56058  -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56058;https=127.0.0.1:56058  -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:56058;https=127.0.0.1:56058  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.12 68.105.29.12 68.105.28.11  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.12 68.105.29.12 68.105.28.11  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9A584BFF-F5E9-49D6-8BFB-98F20344698E} | DhcpNameServer : 68.105.28.12 68.105.29.12 68.105.28.11  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F6F5E705-C80F-408D-92C6-6A0062712DC4} | DhcpNameServer : 68.105.28.12 68.105.29.12 68.105.28.11  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9A584BFF-F5E9-49D6-8BFB-98F20344698E} | DhcpNameServer : 68.105.28.12 68.105.29.12 68.105.28.11  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{F6F5E705-C80F-408D-92C6-6A0062712DC4} | DhcpNameServer : 68.105.28.12 68.105.29.12 68.105.28.11  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[Tr.Poweliks] (X64) HKEY_USERS\S-1-5-21-2694031944-2303888784-2672762269-1002\Software\classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32 -> Deleted
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 256ad6ce4e6abddf24f173fd4181a1a4
[BSP] 2a48db0ee41127c95bd2cafc59c6ad37 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 450 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 923648 | Size: 1902277 MB
2 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): -398180352 | Size: 5000 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1:  +++++
--- User ---
[MBR] 953d77f855006d764a42e9800bb6e108
[BSP] 43c39fda942a5c5d5a3b07a6fe210047 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907727 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_10112014_100105.log
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-10-2014
Ran by wcmav_000 at 2014-10-11 11:36:25 Run:1
Running from C:\Users\wcmav_000\Desktop
Loaded Profile: wcmav_000 (Available profiles: wcmav_000)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3322295&octid=EB_ORIGINAL_CTID&ISID=MBB37C17B-5812-4D9E-96E0-6D7C59DCDA8A&SearchSource=55&CUI=&UM=6&UP=SP433F4686-94C8-476E-9A91-E9D0CC8C8DEE&SSPV="
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
S1 knydzssc; \??\C:\Windows\system32\drivers\knydzssc.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
 
end
*****************
 
"HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-2694031944-2303888784-2672762269-1002\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
Chrome StartupUrls deleted successfully.
AppleChargerSrv => Service deleted successfully.
knydzssc => Service deleted successfully.
MSICDSetup => Service deleted successfully.
 
==== End of Fixlog ====
 
COM Surrogate processes have stopped (I think). Frequent outbound attempts to connect to malicious websites are still happening.

All seem to be from C:\Windows\SysWOW64\svchost.exe now. Before there were also some from dllhost but not anymore (that I've seen).


Edited by mistercoleman, 11 October 2014 - 12:03 PM.


#6 nasdaq
  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 October 2014 - 01:31 PM

Please download Malwarebytes Anti-Rootkit here.
  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe ( right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.


#7 mistercoleman
  • Topic Starter
  • Members
  • 6 posts

Posted 12 October 2014 - 12:46 AM

It came up empty. I assume these are the two logs:
 

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org
 
Database version: v2014.10.11.09
 
Windows 8 x64 NTFS
Internet Explorer 10.0.9200.17088
wcmav_000 :: COLEMAN-AVATAR [administrator]
 
10/11/2014 2:17:51 PM
mbar-log-2014-10-11 (14-17-51).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 326080
Time elapsed: 10 minute(s), 59 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.2.9200 Windows 8 x64
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.17088
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 4.000000 GHz
Memory total: 17177272320, free: 14622248960
 
Downloaded database version: v2014.10.11.09
Downloaded database version: v2014.10.08.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 9942558E
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 921600
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 923648  Numsec = 3895863296
 
    Partition 2 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3896786944  Numsec = 10240000
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2000398934016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-3907009168-3907029168)...
Done!
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 93B4CA5B
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3907024896
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2000398934016 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.2.9200 Windows 8 x64
 
Account is Administrative
 
Internet Explorer version: 10.0.9200.17088
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 4.000000 GHz
Memory total: 17177272320, free: 14593794048
 
Downloaded database version: v2014.10.12.01
Downloaded database version: v2014.10.11.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 9942558E
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 921600
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 923648  Numsec = 3895863296
 
    Partition 2 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3896786944  Numsec = 10240000
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2000398934016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-3907009168-3907029168)...
Done!
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 93B4CA5B
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3907024896
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2000398934016 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
 
So nothing.

All the outbound attempts are through svchost.exe on seemingly random port numbers to the same IP address every time.

Edited by mistercoleman, 12 October 2014 - 12:58 AM.


#8 nasdaq
  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 October 2014 - 09:14 AM



Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

    TDSSKillerSuspicious-1.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
    TDSSKillerMal-1.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

While I check your logs run this online scan.

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#9 mistercoleman
  • Topic Starter
  • Members
  • 6 posts

Posted 13 October 2014 - 04:51 PM

I keep getting a post too long error with the TDSS report so I had to archive and attach it.

Here are the others:

 

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-10-12 10:33:44
-----------------------------
10:33:44.226    OS Version: Windows x64 6.2.9200 
10:33:44.226    Number of processors: 8 586 0x200
10:33:44.226    ComputerName: COLEMAN-AVATAR  UserName: wcmav_000
10:33:47.190    Initialize success
10:33:47.253    VM: initialized successfully
10:33:47.268    VM: Amd CPU supported 
10:33:49.422    VM: supported disk I/O storport.sys
10:33:55.365    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000035
10:33:55.367    Disk 0 Vendor: ST2000DM001-1CH164 CC26 Size: 1907729MB BusType: 11
10:33:55.369    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000036
10:33:55.371    Disk 1 Vendor: WDC_WD20EARX-00PASB0 51.0AB51 Size: 1907729MB BusType: 11
10:33:55.591    Disk 0 MBR read successfully
10:33:55.598    Disk 0 MBR scan
10:33:55.603    Disk 0 Windows 7 default MBR code
10:33:55.611    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          450 MB offset 2048
10:33:55.625    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS      1902277 MB offset 923648
10:33:55.657    Disk 0 Partition 3 00     27 Hidden NTFS WinRE NTFS         5000 MB offset 3896786944
10:33:55.703    Disk 0 scanning C:\Windows\system32\drivers
10:34:05.462    Service scanning
10:34:18.953    Modules scanning
10:34:18.953    Disk 0 trace - called modules:
10:34:18.984    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys storahci.sys hal.dll 
10:34:18.984    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800ea16060]
10:34:19.000    3 CLASSPNP.SYS[fffff88001913e0a] -> nt!IofCallDriver -> \Device\00000035[0xfffffa800d74f060]
10:34:19.000    Scan finished successfully
10:34:43.216    Disk 0 MBR has been saved successfully to "C:\Users\wcmav_000\Desktop\MBR.dat"
10:34:43.243    The log file has been saved successfully to "C:\Users\wcmav_000\Desktop\aswMBR.txt"

 

ESETScan:

C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Windows\System32\drivers\{c5e48979-bd7f-4cf7-9b73-2482a67a4f37}Gw64.sys.vir a variant of Win64/Riskware.NetFilter.F application cleaned by deleting - quarantined
C:\Program Files (x86)\Cheat Engine 6.4\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application deleted - quarantined
C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe a variant of Win32/Systweak potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\AppData\Roaming\tynfwc.dll a variant of MSIL/Injector.FQA trojan cleaned by deleting - quarantined
C:\Users\wcmav_000\AppData\Roaming\dll-files.com\Fixer\Version 1.0\productSetup_Setup_3_29_2014.exe a variant of Win32/Systweak potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\CheatEngine64.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\dffsetup-msvcp100.exe a variant of Win32/Systweak potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\DTLite4481-0347.exe Win32/DownWare.L potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\FotoSketcher242dm.exe Win32/Toolbar.Conduit.M potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\FreeZipOpener_Install.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\openofficesuite-setup.exe Win32/DownloadAdmin.G potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\SoftonicDownloader_for_mushroom-kingdom-fusion.exe Win32/SoftonicDownloader.E potentially unwanted application deleted - quarantined
C:\Users\wcmav_000\Downloads\Old Application\vlc.codec.pack.v2.0.5.1.setup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
D:\Windows.old\Program Files\Cheat Engine 6.1\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application deleted - quarantined
D:\Windows.old\Program Files\Conduit\Community Alerts\Alert.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
D:\Windows.old\Program Files\Conduit\Community Alerts\Alert0.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
D:\Windows.old\Program Files\Freecorder\Freecorder.xpi Win32/Toolbar.Conduit.A potentially unwanted application deleted - quarantined
D:\Windows.old\Program Files\Freecorder\freecorder_ie.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
D:\Windows.old\Program Files\Freecorder\tbFree.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\jar_cache6445725049174111223.tmp a variant of J2ME/Agent.AA trojan cleaned by deleting - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\stub.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\tbBro0.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\utt2C71.tmp.exe a variant of Win32/Bundled.Toolbar.Ask.A potentially unsafe application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\ct2776682\chLogic.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\ct2776682\CT2776682.xpi Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\ct2776682\ffLogic.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\ct2776682\ieLogic.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\ct2776682\statisticsStub.exe Win32/Toolbar.Conduit potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\ICReinstall\cnet_Read_Aloud_3_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\is1598539481\blekkotb_031.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\AppData\Local\Temp\is1598539481\BuzzdockSetup-Silent.exe multiple threats cleaned by deleting - quarantined
D:\Windows.old\Users\Coleman\Documents\Downloads\FCTBSetup.exe Win32/Toolbar.Conduit.A potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\Downloads\Zygor Guide MOP Horde and Alliance_secure.exe Win32/TopMedia.A potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\Downloads\OldDownloads\CheatEngine61.exe Win32/Somoto.F potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\Downloads\OldDownloads\cnet_Read_Aloud_3_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\Downloads\OldDownloads\gimp_958.exe a variant of Win32/InstallIQ.A potentially unwanted application deleted - quarantined
D:\Windows.old\Users\Coleman\Downloads\OldDownloads\NaturalReader_V9_5_Professional_Version-umer24434.exe Win32/Adware.1ClickDownload.G application cleaned by deleting - quarantined
D:\Windows.old\Users\Coleman\Downloads\OldDownloads\NaturalReader_v9_5_Professional_Version_umer24434.exe Win32/Adware.1ClickDownload.G application cleaned by deleting - quarantined
D:\Windows.old\Users\Coleman\Downloads\Stuff\ebook_computer_security_handbook_pdf.exe a variant of Win32/MediaGet potentially unwanted application deleted - quarantined
D:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG72MAPY\search-update-b[1] Win32/Toolbar.Zugo.D potentially unwanted application deleted - quarantined
D:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JUB2WUGQ\search-update-b[1] Win32/Toolbar.Zugo.D potentially unwanted application deleted - quarantined
D:\Windows.old\Windows\Temp\TBU002\ToolbarUpdate.exe a variant of Win32/Toolbar.Zugo potentially unwanted application deleted - quarantined
D:\Windows.old\Windows\Temp\TBU003\ToolbarUpdate.exe a variant of Win32/Toolbar.Zugo potentially unwanted application deleted - quarantined
D:\Windows.old\Windows\Temp\TBU004\ToolbarUpdate.exe Win32/Toolbar.Zugo.D potentially unwanted application deleted - quarantined
D:\Windows.old\Windows\Temp\TBU005\ToolbarUpdate.exe Win32/Toolbar.Zugo.D potentially unwanted application deleted - quarantined
 
The ESET Scan took 20 hours but it found a lot of things. Unfortunately the outbound problem is still continuing. I found two below normal priority processes from svchost.exe that have myself as the user instead of LOCAL SERVICE, SYSTEM, or NETWORK SERVICE like the others. If I stop them then the outbound connection attempts stop for a while but then the services start again.

The malicious svchost.exe process is the only one operating from C:\Windows\SysWOW64\svchost.exe. The other one that runs under my user name is from the same path as the others C:\Windows\system32\svchost.exe

Attached Files


Edited by mistercoleman, 13 October 2014 - 04:52 PM.
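The post above narrows the problem down by looking at which svchost.exe instances run under the user's own account and which one runs from SysWOW64 instead of System32. The following is an added example (not code from the thread or from any of the tools used in it) that applies those checks, plus a parent-process check, to a constructed process snapshot; the PIDs and parent names in the snapshot are hypothetical.

```python
"""Triage svchost.exe instances by image path, owner and parent process.

Added example, not part of the original thread. SNAPSHOT is constructed to
mirror what the poster describes: one svchost.exe from SysWOW64 under the
user's account, one from System32 also under the user's account, and normal
service-hosted instances for comparison. PIDs and parent names are made up.
"""
from dataclasses import dataclass
from typing import Dict, List

# Accounts that legitimately host Windows services.
SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}

# On a 64-bit install the service host started by services.exe lives here;
# SysWOW64 holds the 32-bit copy, which services.exe does not launch on its own.
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    image: str
    owner: str
    parent_name: str


def svchost_findings(proc: Proc) -> List[str]:
    """Return the reasons this svchost.exe looks out of place (empty if none).

    Caveat: on Windows 10 and later, per-user services legitimately run
    svchost.exe under the logged-on user, so treat the owner check as a lead
    to investigate rather than proof on its own.
    """
    reasons: List[str] = []
    if proc.name.lower() != "svchost.exe":
        return reasons
    if proc.image.lower() != EXPECTED_IMAGE:
        reasons.append(f"unexpected image path {proc.image}")
    if proc.owner.lower() not in SERVICE_ACCOUNTS:
        reasons.append(f"runs as interactive user {proc.owner}")
    if proc.parent_name.lower() != "services.exe":
        reasons.append(f"parent is {proc.parent_name}, not services.exe")
    return reasons


def triage(procs) -> Dict[int, List[str]]:
    """Map pid -> findings for every svchost.exe that trips at least one check."""
    result: Dict[int, List[str]] = {}
    for p in procs:
        reasons = svchost_findings(p)
        if reasons:
            result[p.pid] = reasons
    return result


# Constructed snapshot (hypothetical PIDs and parents; user name from the thread).
SNAPSHOT = [
    Proc(704, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM", "services.exe"),
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\NETWORK SERVICE", "services.exe"),
    Proc(3120, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", r"COLEMAN-AVATAR\wcmav_000", "dllhost.exe"),
    Proc(3188, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"COLEMAN-AVATAR\wcmav_000", "explorer.exe"),
    Proc(5040, "explorer.exe", r"C:\Windows\explorer.exe", r"COLEMAN-AVATAR\wcmav_000", "userinit.exe"),
]


if __name__ == "__main__":
    for pid, reasons in triage(SNAPSHOT).items():
        print(f"PID {pid}:")
        for r in reasons:
            print("  -", r)
```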


#10 nasdaq
  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 October 2014 - 07:58 AM

Try this and see if you can find what is draining your CPU.

How to Troubleshoot a Problem by Performing a Clean Boot in Windows 8 and 8.1
http://www.eightforums.com/tutorials/23382-troubleshoot-problem-clean-boot-windows-8-a.html

#11 mistercoleman
  • Topic Starter
  • Members
  • 6 posts

Posted 16 October 2014 - 09:24 AM

In clean boot the rogue svchost.exe processes don't happen and haven't happened for a couple days. I am not noticing any missing functionality from running my computer this way and am happy to continue doing so.

I looked through the list of processes with google as well as the start-up items and they are all legit so I can't figure out which one it is, but I'm good with things as they are.

Thank you for your help I'm good with considering this matter closed.



#12 nasdaq
  • Malware Response Team
  • 38,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 October 2014 - 10:28 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.