
Have CryptoWall 2.0 trojan RansomWare - need help!


  • This topic is locked
7 replies to this topic

#1 tbg37g

  • Members
  • 5 posts
  • OFFLINE
  • Local time:08:02 AM

Posted 16 October 2014 - 05:16 PM

Mod Edit: Moved to appropriate forum ~~ boopme

Hello Friends!
 
I have done some of the cleanup. I have removed what ESET found - I need assistance with FARBAR Recovery tool in creating the fixlist.txt file. Any help would be greatly appreciated.
 
Thanks,
 
Todd
 
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 2.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)


What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.


How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.


What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. https://paytordmbdekmizq.tor4pay.com/1ds6pNd
2. https://paytordmbdekmizq.pay2tor.com/1ds6pNd
3. https://paytordmbdekmizq.tor2pay.com/1ds6pNd
4. https://paytordmbdekmizq.pay4tor.com/1ds6pNd

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: paytordmbdekmizq.onion/1ds6pNd
4. Follow the instructions on the site.


IMPORTANT INFORMATION:
Your personal page: https://paytordmbdekmizq.tor4pay.com/1ds6pNd
Your personal page (using TOR): paytordmbdekmizq.onion/1ds6pNd
Your personal identification number (if you open the site (or TOR's) directly): 1ds6pNd
 
 
Hello Friends!
I have done most of the cleanup - I need assistance with FARBAR Recovery tool in creating the fixlist.txt file. Any help would be greatly appreciated.
 
Thanks,
 
Todd
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-10-2014
Ran by enez7ov (administrator) on ACNU2529VN5 on 16-10-2014 17:12:43
Running from C:\Users\enez7ov\Desktop
Loaded Profile: enez7ov (Available profiles: enez7ov & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Autonomy Corporation plc) C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe
(Juniper Networks) C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
() C:\Windows\System32\enstart64.exe
(McAfee, Inc.) C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe
() C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcags.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
(McAfee, Inc.) C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfCoreService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
(McAfee, Inc.) C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfProxy32.exe
(SAP AG) C:\Program Files (x86)\SAP\SapSetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe
() C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radexecd.exe
() C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radsched.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\Radstgms.exe
(Knoa Software Inc.) C:\Program Files (x86)\Knoa\KnoaAgent\tKnoa.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcagswd.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcag.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcagte.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcagte.exe
(McAfee Inc.) C:\Program Files\McAfee\DLP\Agent\fcagte.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\saHookMain.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\x64\saHookMain.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe
(McAfee, Inc.) C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfCore.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(McAfee, Inc.) C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfProxy32.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Knoa Software Inc.) C:\Program Files (x86)\Knoa\KnoaAgent\tKnoa.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(SAP AG) C:\Program Files (x86)\SAP\SapSetup\setup\Updater\NwSapSetupUserNotificationTool.exe
(Autonomy Corporation plc) C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
() C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
() C:\Users\enez7ov\AppData\Roaming\OAS\oas.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Users\enez7ov\AppData\Roaming\OAS\mcc.exe
(Awesomium Technologies) C:\Users\enez7ov\AppData\Roaming\OAS\oas-module


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-06-26] (IDT, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3011824 2013-01-10] (Synaptics Incorporated)
HKLM\...\Run: [MfeEpePcMonitor] => C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe [243304 2012-07-16] ()
HKLM\...\Run: [MfeFfCore] => C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfCore.exe [646688 2013-07-22] (McAfee, Inc.)
HKLM\...\Run: [McAfee Host Intrusion Prevention Tray] => C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [239328 2013-12-18] (McAfee, Inc.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5595848 2014-09-22] (ESET)
HKLM-x32\...\Run: [C:\Program Files (x86)\Knoa\KnoaAgent\] => C:\Program Files (x86)\Knoa\KnoaAgent\tKnoa.exe [360448 2009-10-08] (Knoa Software Inc.)
HKLM-x32\...\Run: [Communicator] => C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5164712 2013-04-10] (Microsoft Corporation)
HKLM-x32\...\Run: [QLBController] => C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe [334240 2012-09-12] (Hewlett-Packard Company)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [290688 2012-10-24] (Intel Corporation)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [SAP_WUS_UNT] => C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapSetupUserNotificationTool.exe [125584 2011-08-24] (SAP AG)
HKLM-x32\...\Run: [AgentUiRunKey] => C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe [299856 2012-05-17] (Autonomy Corporation plc)
HKLM-x32\...\Run: [EDFcsn] => C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe [163128 2013-03-14] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ShStatEXE] => C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [243560 2014-01-15] (McAfee, Inc.)
HKLM-x32\...\Run: [McAfeeUpdaterUI] => C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [337440 2013-12-04] (McAfee, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-10-01] (Citrix Systems, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKU\S-1-5-21-1627927489-3529874470-1830650990-21923\...\Run: [Online Ad Scanner] => C:\Users\enez7ov\AppData\Roaming\OAS\oasupd.exe [28672 2014-09-23] ()
HKU\S-1-5-21-1627927489-3529874470-1830650990-21923\...\Policies\Explorer: [ForceStartMenuLogOff] 1
Lsa: [Notification Packages] EpePcNp64 scecli
ShellIconOverlayIdentifiers: [CeDesktopIntegration] -> {3CEC3E6D-ECF2-4B49-8A41-3B16DF8B9C3F} => C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfDesktopIntegration.dll (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mcknet.mckesson.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20140306112741.dll (McAfee, Inc.)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\x64\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140306112741.dll (McAfee, Inc.)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - McKNet Toolbar - {c9a6357b-25cc-4bcf-96c1-78736985d412} - C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - RSA Toolbar - {749F8452-7D28-4658-A903-9B047E5A2CE8} - c:\Program Files (x86)\RSA Security\RSA SecurID Toolbar Token\RsaToolbar.dll (RSA, the Security Division of EMC)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
DPF: HKLM {AA570693-00E2-4907-B6F1-60A1199B030C} https://juniper.net/dana-cached/sc/JuniperSetupClient64.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T28L10NSP12_CP1-16851/webex/ieatgpc1.cab
DPF: HKLM-x32 {E734BF43-7194-4E3A-832F-307606DDF665} https://ds.na.collabserv.com/components/WDPLUGIN.CAB
DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\x64\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\x64\McIEPlg.dll (McAfee, Inc.)
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} -  No File
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} -  No File
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll (SAP, Walldorf)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\enez7ov\AppData\Roaming\Mozilla\Firefox\Profiles\ss3lqp9o.default-1412894256345
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_11_9_900_117.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: saba.com/SabaMeetingPlugin -> C:\Users\enez7ov\AppData\Roaming\Centra\App\bin\npSabaMeetingPlugin3.dll (Saba)
FF Extension: McAfee SiteAdvisor Enterprise - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{B7082FAA-CB62-4872-9106-E42DD88EDE45} [2014-10-16]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: No Name - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2014-01-14]

Chrome:
=======
CHR Profile: C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-21]
CHR Extension: (Google Drive) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-21]
CHR Extension: (YouTube) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-21]
CHR Extension: (Google Search) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-21]
CHR Extension: (McAfee SiteAdvisor Enterprise) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\feobgjncdknhelkhjpiejdbpliekmfaj [2014-07-21]
CHR Extension: (Google Wallet) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-21]
CHR Extension: (Gmail) - C:\Users\enez7ov\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-21]
CHR HKLM\...\Chrome\Extension: [feobgjncdknhelkhjpiejdbpliekmfaj] - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McChPlg.crx [2013-06-10]
CHR HKLM-x32\...\Chrome\Extension: [feobgjncdknhelkhjpiejdbpliekmfaj] - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McChPlg.crx [2013-06-10]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AgentService; C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe [6775632 2012-05-17] (Autonomy Corporation plc)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1350112 2014-09-16] (ESET)
R2 enstart64; C:\windows\system32\enstart64.exe [1593344 2013-11-08] () [File not signed]
R2 enterceptAgent; C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [611152 2013-12-18] (McAfee, Inc.)
S2 HipMgmt; C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HipMgmt.exe [153832 2013-12-18] (McAfee, Inc.)
R2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [523680 2012-09-12] (Hewlett-Packard Company)
R2 McAfee Endpoint Encryption Agent; C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe [1713768 2012-07-16] ()
R2 McAfee SiteAdvisor Enterprise Service; C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe [160800 2013-06-10] (McAfee, Inc.)
S2 McAfeeAuditManager; C:\Program Files (x86)\McAfee\Policy Auditor Agent\AuditManagerService.exe [332288 2013-09-05] (McAfee, Inc.) [File not signed]
R2 McAfeeDLPAgentService; C:\Program Files\McAfee\DLP\Agent\fcags.exe [9397824 2012-04-01] (McAfee Inc.)
R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [127520 2013-12-04] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [242448 2014-03-06] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [208416 2014-01-15] (McAfee, Inc.)
R2 MfeFfCoreService; C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\MfeFfCoreService.exe [205856 2013-07-22] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2013-12-17] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [185280 2014-03-06] (McAfee, Inc.)
R2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe [139416 2011-08-24] (SAP AG)
R2 prgnDiscAgent; C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe [846648 2013-03-14] ()
R2 Radexecd; C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radexecd.exe [346160 2012-11-22] (Hewlett-Packard)
R2 Radsched; C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\radsched.exe [247856 2012-11-22] (Hewlett-Packard)
R2 Radstgms; C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\Radstgms.exe [378928 2012-11-22] (Hewlett-Packard)
R2 tKnoa-sm-72D8FD37; C:\Program Files (x86)\Knoa\KnoaAgent\tKnoa.exe [360448 2009-10-08] (Knoa Software Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 A2DDA; C:\EEK\BIN\a2ddax64.sys [26176 2014-10-09] (Emsisoft GmbH)
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [31872 2012-06-15] (Advanced Micro Devices, Inc.)
S3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2014-10-09] (Emsisoft GmbH)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [243440 2014-08-18] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [241368 2014-08-18] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [169280 2014-08-18] (ESET)
R1 enstart64_; C:\windows\system32\enstart64_.sys [66112 2013-11-08] (Guidance Software Inc.)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [158968 2014-09-18] (ESET)
R3 FireNfcp; C:\Windows\System32\drivers\FireNfcp.sys [53728 2014-08-12] (McAfee, Inc.)
R3 hdlpctrl; C:\Windows\System32\drivers\hdlpctrl.sys [37704 2012-04-01] (McAfee Inc.)
R3 hdlpdbk; C:\Windows\System32\drivers\hdlpdbk.sys [27976 2012-04-01] (McAfee Inc.)
R3 hdlpevnt; C:\Windows\System32\drivers\hdlpevnt.sys [24904 2012-04-01] (McAfee Inc.)
R1 hdlpflt; C:\Windows\System32\DRIVERS\hdlpflt.sys [128840 2012-04-01] (McAfee Inc.)
S4 hdlpnetf; C:\Windows\System32\drivers\hdlpnetf.sys [43848 2012-04-01] (McAfee Inc.)
R3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [200616 2013-12-18] (McAfee, Inc.)
R2 LV_Tracker; C:\Windows\System32\DRIVERS\LV_Tracker64.sys [54824 2012-05-17] ()
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [180272 2014-03-06] (McAfee, Inc.)
U3 mfeapfk01; No ImagePath
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311600 2014-03-06] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R0 MfeEEAlg; C:\Windows\System32\Drivers\MfeEEAlg.sys [71016 2012-02-22] (McAfee, Inc.)
R0 MfeEEFF; C:\Windows\System32\Drivers\MfeEEFF.sys [693288 2013-07-22] (McAfee, Inc.)
R0 MfeEEFFA; C:\Windows\System32\Drivers\MfeEEFFA.sys [71208 2013-07-04] (McAfee, Inc.)
S3 MfeEEFFCd; C:\Windows\System32\Drivers\MfeEEFFCd.sys [136488 2013-07-22] (McAfee, Inc.)
R0 MfeEEFFV; C:\Windows\System32\Drivers\MfeEEFFV.sys [45864 2013-07-22] (McAfee, Inc.)
R0 MfeEERM; C:\Windows\System32\Drivers\MfeEERM.sys [184616 2013-07-22] (McAfee, Inc.)
R0 MfeEpeOpal; C:\Windows\System32\Drivers\MfeEpeOpal.sys [87632 2012-07-16] (McAfee, Inc.)
R0 MfeEpePc; C:\Windows\System32\Drivers\MfeEpePc.sys [141552 2012-07-16] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [520056 2013-12-17] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782968 2014-03-06] (McAfee, Inc.)
R1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [78960 2013-12-17] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [107032 2014-03-06] (McAfee, Inc.)
R3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [77880 2012-01-04] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [344176 2014-03-06] (McAfee, Inc.)
R3 RadiaMsi; C:\Windows\System32\DRIVERS\radiamsi.sys [42808 2012-11-22] (Hewlett-Packard)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver_AMDASF.sys [28400 2013-01-10] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [32496 2013-01-10] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-09] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
S3 Firehk; system32\DRIVERS\firehk.sys [X]
S3 FirehkMP; system32\DRIVERS\firehk.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-16 17:12 - 2014-10-16 17:13 - 00027317 _____ () C:\Users\enez7ov\Desktop\FRST.txt
2014-10-16 17:12 - 2014-10-16 17:12 - 00000000 ____D () C:\FRST
2014-10-16 17:03 - 2014-10-16 17:03 - 00000000 ____D () C:\Users\enez7ov\Downloads\ComSurrogate and Malware Whack-a-Mole - Page 3 - Virus, Trojan, Spyware, and Malware Removal Logs_files
2014-10-16 16:49 - 2014-10-16 16:48 - 02112000 _____ (Farbar) C:\Users\enez7ov\Desktop\FRST64.exe
2014-10-16 16:48 - 2014-10-16 16:48 - 02112000 _____ (Farbar) C:\Users\enez7ov\Downloads\FRST64.exe
2014-10-16 14:18 - 2014-10-16 14:18 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\ESET
2014-10-16 14:14 - 2014-10-16 14:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2014-10-16 14:14 - 2014-10-16 14:14 - 00000000 ____D () C:\ProgramData\ESET
2014-10-16 14:14 - 2014-10-16 14:14 - 00000000 ____D () C:\Program Files\ESET
2014-10-16 14:09 - 2014-10-16 14:09 - 01761992 _____ (ESET) C:\Users\enez7ov\Downloads\eset_nod32_antivirus_live_installer.exe
2014-10-16 14:06 - 2014-10-16 13:31 - 02347384 _____ (ESET) C:\Users\enez7ov\Desktop\esetsmartinstaller_enu.exe
2014-10-16 13:47 - 2014-10-16 13:47 - 00415232 _____ (Farbar) C:\Users\enez7ov\Downloads\FSS.exe
2014-10-16 13:31 - 2014-10-16 13:31 - 02347384 _____ (ESET) C:\Users\enez7ov\Downloads\esetsmartinstaller_enu.exe
2014-10-16 13:31 - 2014-10-16 13:31 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-10-16 12:52 - 2014-10-16 12:52 - 00000046 _____ () C:\Users\enez7ov\AppData\Roaming\WB.CFG
2014-10-16 11:51 - 2014-10-16 17:10 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\DigitalSites
2014-10-16 11:36 - 2014-10-16 11:36 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\enez7ov\Downloads\iExplore.exe
2014-10-16 11:34 - 2014-10-16 11:35 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\enez7ov\Downloads\tdsskiller.exe
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Default\AppData\Local\INSTALL_TOR.URL
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Default\AppData\INSTALL_TOR.URL
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Default User\AppData\Local\INSTALL_TOR.URL
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Default User\AppData\INSTALL_TOR.URL
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Administrator\AppData\Roaming\INSTALL_TOR.URL
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Administrator\AppData\Local\INSTALL_TOR.URL
2014-10-16 10:10 - 2014-10-16 10:10 - 00000278 _____ () C:\Users\Administrator\AppData\INSTALL_TOR.URL
2014-10-10 05:09 - 2014-10-16 17:04 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\CrashDumps
2014-10-10 03:01 - 2014-07-06 22:06 - 01462272 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-10-10 03:01 - 2014-07-06 22:06 - 00729088 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2014-10-10 03:01 - 2014-07-06 22:06 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2014-10-10 03:01 - 2014-07-06 22:06 - 00341504 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2014-10-10 03:01 - 2014-07-06 21:40 - 00551424 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2014-10-10 03:01 - 2014-07-06 21:40 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2014-10-10 03:01 - 2014-07-06 21:40 - 00247808 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2014-10-10 03:01 - 2014-07-06 21:40 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2014-10-10 03:01 - 2014-07-06 21:39 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2014-10-09 18:59 - 2014-10-09 18:59 - 00001296 _____ () C:\Users\enez7ov\Desktop\JRT.txt
2014-10-09 18:53 - 2014-10-09 18:53 - 00000000 ____D () C:\windows\ERUNT
2014-10-09 18:42 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\windows\SysWOW64\sqlite3.dll
2014-10-09 18:40 - 2014-10-16 15:33 - 00000000 ____D () C:\AdwCleaner
2014-10-09 16:21 - 2014-10-09 16:21 - 00007282 _____ () C:\EamClean.log
2014-10-09 15:20 - 2014-10-16 15:33 - 00000000 ____D () C:\EEK
2014-10-09 15:20 - 2014-10-09 15:20 - 00000743 _____ () C:\Users\enez7ov\Desktop\Start Emsisoft Emergency Kit.lnk
2014-10-09 14:57 - 2014-10-09 15:19 - 157240008 _____ () C:\Users\enez7ov\Downloads\EmsisoftEmergencyKit.exe
2014-10-09 14:46 - 2014-10-09 14:46 - 00410912 _____ () C:\Users\enez7ov\AppData\Roaming\temp7377.txt
2014-10-09 14:25 - 2014-10-16 17:12 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\OAS
2014-10-09 14:25 - 2014-10-09 14:25 - 00003590 _____ () C:\windows\System32\Tasks\SMWUpd
2014-10-09 14:24 - 2014-10-09 14:24 - 00000000 ____H () C:\windows\system32\Drivers\Msft_Kernel_webinstrNew_01009.Wdf
2014-10-09 14:24 - 2014-10-09 14:24 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\CrashRpt
2014-10-09 14:15 - 2014-10-09 14:15 - 00000000 ____D () C:\Program Files\HitmanPro
2014-10-09 13:48 - 2014-10-09 14:07 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-10-09 13:16 - 2014-10-09 13:16 - 00034808 _____ () C:\windows\system32\Drivers\TrueSight.sys
2014-10-09 13:16 - 2014-10-09 13:16 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-09 12:24 - 2014-10-16 11:38 - 00003136 _____ () C:\Users\enez7ov\Desktop\Rkill.txt
2014-10-09 11:07 - 2014-10-16 11:38 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-09 11:07 - 2014-10-09 11:07 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-09 11:07 - 2014-10-09 11:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-09 11:06 - 2014-10-09 11:07 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-09 11:06 - 2014-10-09 11:06 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-09 11:06 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-10-09 11:06 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2014-10-09 11:06 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2014-10-09 11:02 - 2014-10-09 11:05 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\enez7ov\Downloads\mbam-setup-2.0.2.1012.exe
2014-10-09 10:11 - 2014-10-09 10:11 - 00177446 _____ () C:\Users\enez7ov\Downloads\download (1)
2014-10-09 10:10 - 2014-10-09 10:10 - 00105204 _____ () C:\Users\enez7ov\Downloads\download
2014-10-08 13:19 - 2014-10-09 18:43 - 00001053 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-10-08 13:19 - 2014-10-09 14:32 - 00001163 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-10-08 13:19 - 2014-10-08 13:19 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-04 13:22 - 2014-10-04 13:25 - 00000000 ____D () C:\Program Files\Unlocker
2014-10-04 13:22 - 2014-10-04 13:22 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2014-10-02 17:53 - 2014-10-16 15:33 - 00000000 ____D () C:\Users\enez7ov\Desktop\NEWYORK
2014-09-25 19:15 - 2014-10-16 17:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-09-25 14:41 - 2014-08-17 00:00 - 02239488 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-09-25 14:41 - 2014-08-17 00:00 - 00051712 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-09-25 14:41 - 2014-08-16 23:59 - 19280384 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-09-25 14:41 - 2014-08-16 23:59 - 01407488 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-09-25 14:41 - 2014-08-16 23:59 - 00603136 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-09-25 14:41 - 2014-08-16 23:59 - 00197120 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-09-25 14:41 - 2014-08-16 23:59 - 00097280 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 15399424 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 03959296 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 02655232 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 01508864 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-09-25 14:41 - 2014-08-16 23:58 - 00855552 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00526336 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00451584 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00281600 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00255488 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00136704 _____ (Microsoft Corporation) C:\windows\system32\iesysprep.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00067072 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00053248 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-09-25 14:41 - 2014-08-16 23:58 - 00039936 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 14369280 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 13757440 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 02861568 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 02055168 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 01766400 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 01440768 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-09-25 14:41 - 2014-08-16 23:57 - 01180672 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00493056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00391168 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00357888 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00226816 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00226816 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00163840 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00109056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesysprep.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00080384 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00061440 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00039424 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-09-25 14:41 - 2014-08-16 23:57 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-09-25 14:41 - 2014-08-16 03:25 - 02706432 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-09-25 14:41 - 2014-08-16 02:43 - 02706432 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-09-25 14:41 - 2014-08-16 02:34 - 00089600 _____ (Microsoft Corporation) C:\windows\system32\RegisterIEPKEYs.exe
2014-09-25 14:41 - 2014-08-16 01:53 - 00071680 _____ (Microsoft Corporation) C:\windows\SysWOW64\RegisterIEPKEYs.exe
2014-09-25 14:40 - 2014-06-15 22:10 - 00985536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2014-09-25 14:38 - 2014-08-22 22:07 - 00404480 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2014-09-25 14:38 - 2014-08-22 21:45 - 00311808 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2014-09-25 14:38 - 2014-08-22 20:59 - 03166720 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2014-09-25 13:23 - 2014-09-25 13:23 - 00719330 _____ () C:\Users\enez7ov\Desktop\inq.out
2014-09-18 13:57 - 2014-09-18 13:56 - 00004720 _____ () C:\Users\enez7ov\Desktop\setup_ssh_keys.txt
2014-09-18 12:38 - 2014-09-18 12:38 - 00158968 _____ (ESET) C:\windows\system32\Drivers\epfwwfpr.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-16 17:10 - 2013-11-08 16:11 - 00000000 ____D () C:\Users\enez7ov\Tracing
2014-10-16 17:08 - 2010-11-20 23:47 - 00032904 _____ () C:\windows\PFRO.log
2014-10-16 17:08 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-10-16 17:08 - 2009-07-14 00:51 - 00035424 _____ () C:\windows\setupact.log
2014-10-16 17:08 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\L2Schemas
2014-10-16 17:06 - 2010-11-20 22:52 - 01354782 _____ () C:\windows\WindowsUpdate.log
2014-10-16 17:04 - 2014-08-18 08:59 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\Centra
2014-10-16 17:04 - 2013-11-09 12:03 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\Mozilla
2014-10-16 17:04 - 2013-11-09 12:03 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\Mozilla
2014-10-16 17:04 - 2013-11-08 18:19 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\RSA Security
2014-10-16 17:04 - 2013-11-08 16:11 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\McAfee
2014-10-16 16:47 - 2013-11-08 16:38 - 00000000 ____D () C:\Hbocdata
2014-10-16 16:47 - 2013-02-05 10:08 - 00000000 ____D () C:\Users\enez7ov\Desktop\Pst
2014-10-16 15:52 - 2013-11-15 14:36 - 00000000 ____D () C:\ProgramData\Reflection
2014-10-16 15:52 - 2013-11-10 00:41 - 00000000 ____D () C:\ProgramData\WebEx
2014-10-16 15:52 - 2013-11-08 16:33 - 00000000 ____D () C:\ProgramData\Email Backup Optimization
2014-10-16 15:52 - 2013-11-08 16:12 - 00000000 ____D () C:\ProgramData\Citrix
2014-10-16 15:52 - 2013-11-08 15:10 - 00000000 ____D () C:\ProgramData\McAfee
2014-10-16 15:33 - 2014-08-18 10:03 - 00000000 ____D () C:\Users\enez7ov\Desktop\VBLOCK
2014-10-16 15:33 - 2014-08-05 18:07 - 00000000 ____D () C:\Users\enez7ov\Desktop\resume
2014-10-16 15:33 - 2014-08-03 19:58 - 00000000 ____D () C:\Users\enez7ov\Desktop\tv
2014-10-16 15:33 - 2014-07-25 23:10 - 00000000 ____D () C:\Users\enez7ov\Desktop\liz
2014-10-16 15:33 - 2014-07-15 11:08 - 00000000 ____D () C:\Users\enez7ov\Desktop\monitoring
2014-10-16 15:33 - 2013-11-08 16:09 - 00000000 ____D () C:\Users\enez7ov
2014-10-16 15:33 - 2013-11-08 15:07 - 00000000 ____D () C:\local_cache
2014-10-16 15:33 - 2013-11-08 14:46 - 00000000 ____D () C:\DoNOTDelete
2014-10-16 15:33 - 2013-11-08 14:45 - 00000000 ____D () C:\Users\Administrator
2014-10-16 15:33 - 2013-03-20 16:43 - 00000000 ____D () C:\Users\enez7ov\Documents\My Received Files
2014-10-16 15:33 - 2013-02-02 21:35 - 00000000 ____D () C:\Users\enez7ov\Documents\Amazon MP3
2014-10-16 15:33 - 2012-09-03 19:42 - 00000000 ____D () C:\Users\enez7ov\Desktop\HLands
2014-10-16 15:33 - 2011-02-09 09:51 - 00000000 ____D () C:\Users\enez7ov\Desktop\IBM docs
2014-10-16 15:33 - 2010-11-10 12:18 - 00000000 ___SD () C:\Users\enez7ov\Documents\SharePoint Drafts
2014-10-16 15:33 - 2009-08-09 14:50 - 00000000 ____D () C:\Users\enez7ov\Documents\08092009pics
2014-10-16 15:33 - 2009-07-03 23:57 - 00000000 ____D () C:\Users\enez7ov\Documents\Zoo
2014-10-16 15:33 - 2009-04-11 15:00 - 00000000 ____D () C:\Users\enez7ov\Documents\Vail
2014-10-16 15:33 - 2009-03-31 10:17 - 00000000 ____D () C:\Users\enez7ov\Desktop\DR recovery
2014-10-16 15:33 - 2009-01-22 00:50 - 00000000 ____D () C:\Users\enez7ov\Documents\01212009 pics
2014-10-16 15:33 - 2008-12-16 14:13 - 00000000 ____D () C:\Users\enez7ov\Documents\Attachmate
2014-10-16 15:33 - 2008-11-10 10:54 - 00000000 ____D () C:\Users\enez7ov\Desktop\pacheck
2014-10-16 15:33 - 2008-11-04 23:02 - 00000000 ____D () C:\Users\enez7ov\Documents\entctr
2014-10-16 15:33 - 2008-10-08 01:40 - 00000000 ____D () C:\Users\enez7ov\Documents\atl_hw
2014-10-16 15:33 - 2008-08-19 20:40 - 00000000 ____D () C:\Users\enez7ov\Documents\bev
2014-10-16 15:33 - 2008-08-01 05:29 - 00000000 ____D () C:\Users\enez7ov\Documents\08012008
2014-10-16 15:33 - 2008-07-30 15:12 - 00000000 ____D () C:\Users\enez7ov\Documents\zzzzzzzzzz
2014-10-16 15:33 - 2008-07-30 15:12 - 00000000 ____D () C:\Users\enez7ov\Documents\old pc stuff
2014-10-16 15:33 - 2008-07-30 11:10 - 00000000 ____D () C:\Users\enez7ov\Documents\Todds pics
2014-10-16 15:33 - 2008-07-30 10:38 - 00000000 ____D () C:\Users\enez7ov\Documents\Todds new pics
2014-10-16 15:33 - 2008-07-30 10:38 - 00000000 ____D () C:\Users\enez7ov\Documents\Talent review
2014-10-16 15:33 - 2008-07-30 10:38 - 00000000 ____D () C:\Users\enez7ov\Documents\Reflection
2014-10-16 15:33 - 2008-07-30 10:38 - 00000000 ____D () C:\Users\enez7ov\Documents\Providence Upgrades
2014-10-16 15:33 - 2008-07-29 14:08 - 00000000 ____D () C:\Users\enez7ov\Documents\doNOTdelete
2014-10-16 15:33 - 2008-07-29 13:53 - 00000000 ____D () C:\Users\enez7ov\Documents\vegas
2014-10-16 15:33 - 2008-07-29 13:51 - 00000000 ____D () C:\Users\enez7ov\Desktop\Unixrun
2014-10-16 15:21 - 2013-11-08 19:38 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\Juniper Networks
2014-10-16 15:21 - 2013-11-08 16:11 - 00000000 ____D () C:\Users\enez7ov\AppData\Roaming\Adobe
2014-10-16 14:58 - 2014-07-21 13:56 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\Google
2014-10-16 14:54 - 2014-07-21 08:01 - 00000000 ____D () C:\Users\enez7ov\AppData\Local\68102a
2014-10-16 14:52 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-10-16 14:49 - 2013-11-08 15:13 - 00000000 ____D () C:\Users\Administrator\AppData\Local\RSA Security
2014-10-16 14:49 - 2013-11-08 15:10 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\McAfee
2014-10-16 13:12 - 2014-07-21 07:39 - 00000000 ____D () C:\Quarantine
2014-10-16 11:56 - 2010-09-28 08:56 - 00002042 _____ () C:\Users\enez7ov\Documents\Default.rdp
2014-10-16 11:15 - 2009-07-14 01:13 - 00785794 _____ () C:\windows\system32\PerfStringBackup.INI
2014-10-16 10:42 - 2013-11-08 15:37 - 00005464 _____ () C:\windows\system32\config\netlogon.ftl
2014-10-16 10:27 - 2013-11-08 16:09 - 00002114 __RSH () C:\Users\enez7ov\ntuser.pol
2014-10-16 10:27 - 2013-11-08 15:38 - 00027049 __RSH () C:\ProgramData\ntuser.pol
2014-10-12 22:33 - 2009-07-14 00:45 - 00018928 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-12 22:33 - 2009-07-14 00:45 - 00018928 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-10 23:16 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\rescache
2014-10-10 03:06 - 2013-11-08 15:00 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-10 03:04 - 2013-11-08 14:52 - 00778408 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2014-10-09 16:21 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\System
2014-10-09 14:32 - 2013-11-08 16:09 - 00001417 _____ () C:\Users\enez7ov\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-08 17:43 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\NDF
2014-10-04 13:27 - 2009-07-14 01:08 - 00024426 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2014-09-26 07:43 - 2009-07-14 00:45 - 00422680 _____ () C:\windows\system32\FNTCACHE.DAT
2014-09-22 11:04 - 2013-11-11 15:26 - 01392640 _____ () C:\windows\HP DDM Inventory Agent (x86) 9.32.001.1155.msi
2014-09-22 11:04 - 2013-11-11 15:26 - 00180224 _____ () C:\windows\ovedagentinstaller.exe

Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\Temp\HPSWF.EXE
C:\Users\Administrator\AppData\Local\Temp\InstallAX64.exe
C:\Users\Administrator\AppData\Local\Temp\SWHelperQueryW.dll
C:\Users\enez7ov\AppData\Local\Temp\dsHostCheckerSetup.exe
C:\Users\enez7ov\AppData\Local\Temp\i4jdel0.exe
C:\Users\enez7ov\AppData\Local\Temp\install.exe
C:\Users\enez7ov\AppData\Local\Temp\InstHelper.exe
C:\Users\enez7ov\AppData\Local\Temp\libeay32.dll
C:\Users\enez7ov\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\enez7ov\AppData\Local\Temp\NrMs6.exe
C:\Users\enez7ov\AppData\Local\Temp\rPKc9.dll
C:\Users\enez7ov\AppData\Local\Temp\rPKc9.exe
C:\Users\enez7ov\AppData\Local\Temp\ssleay32.dll
C:\Users\enez7ov\AppData\Local\Temp\tu17p84.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-06 17:49

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-10-2014
Ran by enez7ov at 2014-10-16 17:14:41
Running from C:\Users\enez7ov\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee VirusScan Enterprise (Enabled - Out of date) {86355677-4064-3EA7-ABB3-1B136EB04637}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee VirusScan Enterprise Antispyware Module (Enabled - Out of date) {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Host Intrusion Prevention Firewall (Disabled) {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 Update for Microsoft Office 2007 (KB2508958) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0C5823AA-7B6F-44E1-8D5B-8FD1FF0E6438}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 3 (SP3) (x32 Version:  - Microsoft) Hidden
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.9.900.152 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.9.900.117 - Adobe Systems Incorporated)
Adobe Reader X (10.1.8) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.8 - Adobe Systems Incorporated)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Authentication Manager (x32 Version: 5.1.0.62606 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (Web) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix Receiver (HDX Flash Redirection) (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.1.0.0 - Citrix Systems, Inc.)
Citrix Receiver Inside (x32 Version: 4.1.0.56471 - Citrix Systems, Inc.) Hidden
Citrix Receiver Updater (x32 Version: 4.1.0.56461 - Citrix Systems, Inc.) Hidden
Citrix Receiver(Aero) (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Citrix Receiver(DV) (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Citrix Receiver(USB) (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Connected Backup/PC/ON-PREM Agent (HKLM-x32\...\{393E4C89-67E9-43BF-AD29-94D19F7624F7}) (Version: 8.6.2 - Autonomy Corporation plc)
ESET NOD32 Antivirus (HKLM\...\{F793B4B8-6FFF-45FD-A371-64B98B34534F}) (Version: 8.0.301.0 - ESET, spol s r. o.)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Extended Update (HKCU\...\Digital Sites) (Version:  - Extended Update) <==== ATTENTION
HP Client Automation Application Manager Agent (HKLM-x32\...\{71C1542A-0767-4731-B4C9-119073501295}) (Version: 9.00.0000 - Hewlett-Packard Company)
HP DDM Inventory Agent (x86) 9.32.001.1155 (HKLM-x32\...\{B7643B11-A60E-4A33-A465-263FEB32113A}) (Version: 9.32.001.1155 - Hewlett-Packard Development Company, L.P.)
HP Hotkey Support (HKLM-x32\...\{C97CC14E-4789-4FC5-BC75-79191F7CE009}) (Version: 4.6.11.2 - Hewlett-Packard Company)
HP Software Framework (HKLM-x32\...\{886D1141-25E5-431F-8326-C3DB6FFCCAF0}) (Version: 4.0.96.1 - Hewlett-Packard Company)
IBM Accessibility Speech Interface v1.2 (HKLM-x32\...\{4E381AF8-4B14-46C7-941E-8BA5FFA804CF}) (Version: 1.2.0000 - IBM)
IBM ViaVoice TTS Runtime v6.740 -  US English (HKLM-x32\...\{C1A6B23C-438E-4D08-B508-4E830CA8F335}) (Version:  - )
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.6.245 - Intel Corporation)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.670 - Oracle)
Java Auto Updater (x32 Version: 2.1.67.1 - Oracle, Inc.) Hidden
Juniper Networks Host Checker (HKCU\...\Neoteris_Host_Checker) (Version: 7.3.0.24657 - Juniper Networks)
Juniper Networks Network Connect 7.1.8 (HKLM-x32\...\Juniper Network Connect 7.1.8) (Version: 7.1.8.20737 - Juniper Networks)
Juniper Networks Network Connect 7.3.0 (HKLM-x32\...\Juniper Network Connect 7.3.0) (Version: 7.3.0.24657 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKCU\...\Juniper_Setup_Client) (Version: 7.3.5.34907 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client 64-bit Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client Activex Control (HKLM-x32\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
KnoaAgent (HKLM-x32\...\{511492AC-13AA-4396-95B7-F69F5ECB208F}) (Version: 5.5.19806 - Knoa Software, Inc.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
McAfee Agent (HKLM-x32\...\{EBF3D65F-011E-44D2-8F4F-C74B52682EDD}) (Version: 4.8.0.1500 - McAfee, Inc.)
McAfee Application Inventory Agent (HKLM-x32\...\{762D0B10-3F21-4998-8FE1-4FFF278C8B1F}) (Version: 2.7.2.112 - McAfee, Inc.)
McAfee DLP Endpoint (HKLM\...\{D3FB5CA6-3651-48D2-8CF1-B7825CC46092}) (Version: 9.2.100.36 - McAfee)
McAfee Endpoint Encryption Agent (Version: 1.2.1.315 - McAfee, Inc.) Hidden
McAfee Endpoint Encryption for Files and Folders (Version: 4.2.0.164 - McAfee) Hidden
McAfee Endpoint Encryption for PC v6 (Version: 6.2.1.315 - McAfee, Inc.) Hidden
McAfee Host Intrusion Prevention (HKLM\...\{D2B9C003-A3CD-44A0-9DE5-52FE986C03E5}_Uninst) (Version: 8.00.0402 - McAfee, Inc.)
McAfee Host Intrusion Prevention (Version: 8.00.0402 - McAfee, Inc.) Hidden
McAfee Policy Auditor Agent (HKLM-x32\...\{48804885-8367-42B0-A425-DA558F5CCD04}) (Version: 6.2.0.231 - McAfee, Inc.)
McAfee SiteAdvisor Enterprise (HKLM-x32\...\{C44506FC-B846-4782-AC2B-8C30236CE075}) (Version: 3.5.0.1121 - McAfee, Inc.)
McAfee VirusScan Enterprise (HKLM-x32\...\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}) (Version: 8.8.04001 - McAfee, Inc.)
McKNet ToolBar (HKLM-x32\...\{CB3D4AD3-A4BD-4CE2-9C4D-6628F1F872E1}) (Version: 1.9.0 - McKesson Corp)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (Version: 4.5.50709 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Communicator 2007 R2 (HKLM-x32\...\{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4}) (Version: 3.5.6907.268 - Microsoft Corporation)
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office InfoPath MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft redistributable runtime DLLs VS2005 SP1(x86) (HKLM-x32\...\{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 8.0.50727.4053 - SAP)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32\...\{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visio Viewer 2010 (HKLM-x32\...\{95140000-0052-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.51106 (Version: 11.0.51106 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.51106 (Version: 11.0.51106 - Microsoft Corporation) Hidden
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
OAS (HKCU\...\Online Ad Scanner) (Version: 1.00 - OAS Corp)
Online Plug-in (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Password Safe 3.20 for Windows (HKLM-x32\...\{C2A02857-D138-446B-B181-442DEE20C8E6}) (Version: 3.20 - Rony Shapiro)
Putty (HKLM-x32\...\{C0DBBB3D-BC48-48F7-B903-95462EB6E5D7}) (Version: 0.60 - Putty)
RSA SecurID Toolbar 1.4.2 for Internet Explorer (HKLM-x32\...\{6D1BB556-DFEE-4E84-81B0-B7D1419F6102}) (Version: 1.4.2.0 - RSA, The Security Division of EMC)
Saba Meeting App (HKCU\...\SabaMeetingApp) (Version: 8.3.1.004 - Saba)
SAP Business Explorer (HKLM-x32\...\SAPBI) (Version: 7.20 - SAP AG)
SAP GUI for Windows 7.20 (HKLM-x32\...\SAPGUI710) (Version: 7.20 Compilation 3 - SAP)
SAPSetup Automatic Workstation Update Service (HKLM-x32\...\SAP_WUS) (Version:  - SAP AG)
Self-service Plug-in (x32 Version: 4.1.0.41738 - Citrix Systems, Inc.) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.3.9.0 - Synaptics Incorporated)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft .NET Framework 4.5 (KB2750147) (HKLM-x32\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB2750147) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4.5 (KB2805221) (HKLM-x32\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB2805221) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4.5 (KB2805226) (HKLM-x32\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB2805226) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_PROPLUS_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2889914) 32-Bit Edition (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{F3F83933-75FC-4B60-84F2-3F8FA63D042E}) (Version:  - Microsoft)
Web-based System Manager Remote Client (HKLM-x32\...\dbd22105c7f7ea1354d4a7606bd7cfdf) (Version:  - )
WRQ Reflection Multi-Host, Standard 11.0  (HKLM-x32\...\{5599F7A6-34D3-4289-B0E9-39C13DA5E990}) (Version: 11.0.0100 - WRQ, Inc.)
WRQ Reflection Suite for X 10.0  (HKLM-x32\...\{807B1E66-FF69-4170-A835-E4B2C8A1D389}) (Version: 10.0.010 - WRQ, Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2014-10-16 11:53 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2E719514-A6FF-49A3-8F78-C4E01FA95C35} - System32\Tasks\SMWUpd => C:\Program Files\Common Files\Goobzo\GBUpdate\updater.exe <==== ATTENTION
Task: {A5695C5F-2DD5-4CD4-A45F-1D648F632222} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3 <==== ATTENTION
Task: {D8536322-A798-48C2-A65E-663BF009B07F} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2 <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2012-07-16 18:42 - 2012-07-16 18:42 - 02215016 _____ () C:\windows\system32\EpePcNp64.DLL
2013-11-08 15:09 - 2013-11-08 15:09 - 01593344 _____ () C:\windows\system32\enstart64.exe
2012-07-16 17:55 - 2012-07-16 17:55 - 01713768 _____ () C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeHost.exe
2013-07-04 00:38 - 2013-07-04 00:38 - 00777504 _____ () C:\Program Files\McAfee\Endpoint Encryption for Files and Folders\mfecc64.dll
2013-03-14 15:36 - 2013-03-14 15:36 - 00846648 _____ () C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
2013-03-14 15:36 - 2013-03-14 15:36 - 00538936 _____ () C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\Plugins\usage\discusge.exe
2012-04-01 22:24 - 2012-04-01 22:24 - 00008192 _____ () C:\Program Files\McAfee\DLP\Agent\en\fcag.resources.dll
2013-11-08 17:18 - 2012-06-15 15:20 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-07-16 18:33 - 2012-07-16 18:33 - 00243304 _____ () C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcMonitor.exe
2013-03-14 15:36 - 2013-03-14 15:36 - 00163128 _____ () C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\Plugins\usage\discfcsn.exe
2014-09-22 07:36 - 2014-09-22 07:36 - 00177152 _____ () C:\Users\enez7ov\AppData\Roaming\oas\oas.exe
2014-09-23 03:09 - 2014-09-23 03:09 - 00007168 _____ () C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe
2012-07-16 17:54 - 2012-07-16 17:54 - 01828456 _____ () C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeCoreEncryptionPlugin.dll
2012-07-16 17:55 - 2012-07-16 17:55 - 02111080 _____ () C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeProductDetectionPlugin.dll
2012-07-16 17:54 - 2012-07-16 17:54 - 03638888 _____ () C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpeEpoPlugin.dll
2012-07-16 18:33 - 2012-07-16 18:33 - 02516584 _____ () C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpePcEncryptionProviderPlugin.dll
2012-02-22 16:52 - 2012-02-22 16:52 - 00606460 _____ () C:\Program Files\McAfee\Endpoint Encryption for PC v6\Extensions\MfeEpeCrypto.dll
2012-07-16 18:32 - 2012-07-16 18:32 - 02737768 _____ () C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpeOpalEncryptionProviderPlugin.dll
2012-07-16 18:35 - 2012-07-16 18:35 - 00058984 _____ () C:\Program Files\McAfee\Endpoint Encryption for PC v6\EpeOpalATASec4Sata.dll
2007-04-18 19:30 - 2007-04-18 19:30 - 00393216 _____ () C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll
2007-04-18 19:30 - 2007-04-18 19:30 - 00471040 _____ () C:\Program Files (x86)\McAfee\Common Framework\ccme_base.dll
2012-11-22 19:32 - 2012-11-22 19:32 - 00141184 _____ () C:\Program Files (x86)\Hewlett-Packard\HPCA\Agent\expat.dll
2013-09-05 08:51 - 2013-09-05 08:51 - 00051232 _____ () C:\Program Files (x86)\McAfee\Policy Auditor Agent\Plugins\PolicyAuditorPlugin.dll
2014-03-28 16:59 - 2014-03-28 16:59 - 01100784 _____ () C:\Users\enez7ov\AppData\Roaming\oas\avcodec-53.dll
2014-03-28 16:59 - 2014-03-28 16:59 - 00124400 _____ () C:\Users\enez7ov\AppData\Roaming\oas\avutil-51.dll
2014-03-28 16:59 - 2014-03-28 16:59 - 00191984 _____ () C:\Users\enez7ov\AppData\Roaming\oas\avformat-53.dll
2014-07-08 12:31 - 2014-07-08 12:31 - 17029808 _____ () C:\Users\enez7ov\AppData\Roaming\oas\plugins\NPSWF32_14_0_0_145.dll

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeDlpAgentService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McAfeeDlpAgentService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MfeFfCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-3633047268-3615874067-1060844424-500 - Administrator - Enabled) => C:\Users\Administrator
mckesson user (S-1-5-21-3633047268-3615874067-1060844424-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (10/16/2014 05:10:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/16/2014 05:04:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
Exception code: 0x80000003
Fault offset: 0x0000141b
Faulting process id: 0x2a944
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/16/2014 04:40:34 PM) (Source: McLogEvent) (EventID: 259) (User: NAMCK)
Description: The scan found detections. Scan engine version 5600.1067 DAT version 7592.

Error: (10/16/2014 02:07:57 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (10/16/2014 02:07:04 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (10/16/2014 01:53:58 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (10/16/2014 01:31:43 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (10/16/2014 09:57:43 AM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and Name Coordinator is [0x80040154, Class not registered
].

Error: (10/16/2014 09:57:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
Exception code: 0x80000003
Fault offset: 0x0000141b
Faulting process id: 0x232e0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/15/2014 09:44:07 PM) (Source: McLogEvent) (EventID: 5051) (User: NT AUTHORITY)
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 40000 ms to complete a request.

The process will be terminated.
Thread id : 188036 (0x2de84)

Thread address : 0x000000007764061A

Thread message :

 Build VSCORE.15.1.0.543 / 5600.1067
 Object being scanned = \Device\HarddiskVolume1\Users\enez7ov\AppData\Roaming\microsoft\Windows\Cookies\HZVT7YDK.txt
 by C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
 7011(62463)(0)
 93(62463)(0)
 5(62463)(0)
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)


System errors:
=============
Error: (10/16/2014 05:12:35 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Error: (10/16/2014 05:10:01 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NAMCK)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (10/16/2014 05:09:43 PM) (Source: LV_Tracker) (EventID: 68) (User: )
Description: \FileSystem\LV_TrackerFilter shutdown

Error: (10/16/2014 05:09:42 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Security with the following error:
%%5

Error: (10/16/2014 05:09:42 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Security with the following error:
%%5

Error: (10/16/2014 05:09:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Audit Manager Service service to connect.

Error: (10/16/2014 05:09:16 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (10/16/2014 05:08:47 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain NAMCK due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (10/16/2014 05:07:31 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The McAfee McShield service did not shut down properly after receiving a preshutdown control.

Error: (10/16/2014 02:14:42 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The ESET Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.


Microsoft Office Sessions:
=========================
Error: (02/04/2014 09:09:10 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 438422 seconds with 14400 seconds of active time.  This session ended with a crash.

Error: (01/17/2014 06:41:38 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 32499 seconds with 4200 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2014-10-07 15:01:11.578
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\TGRAB.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-10-07 15:01:11.483
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\TGRAB.SYS because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i5-3427U CPU @ 1.80GHz
Percentage of memory in use: 54%
Total physical RAM: 3960.54 MB
Available physical RAM: 1818.6 MB
Total Pagefile: 8219.27 MB
Available Pagefile: 5946.07 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.76 GB) (Free:403.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

==================== End Of Log ============================

Edited by boopme, 16 October 2014 - 09:58 PM.




#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:02 PM

Posted 17 October 2014 - 08:18 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.


Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double-click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save... button, and in the File name area type in "ark.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract it to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please attach this file to your next reply.


Proud Member of UNITE & TB
 
My help is free; however, if you want to support my fight against malware, click here (no worries, every little bit helps).

#3 tbg37g

tbg37g
  • Topic Starter

  • Members
  • 5 posts
  • Local time:08:02 AM

Posted 18 October 2014 - 11:25 AM

Marius,

Thanks for your help!! :clapping:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-18 12:23:08
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0  rev. 0.00MB
Running: 2qql81x2.exe; Driver: C:\Users\enez7ov\AppData\Local\Temp\kfldrpog.sys


---- Threads - GMER 2.1 ----

Thread   C:\windows\system32\lsm.exe [852:656]                                                                                                         000007fefddd0168
Thread   C:\windows\system32\svchost.exe [492:4708]                                                                                                    000007fefae52154
Thread   C:\windows\System32\svchost.exe [684:1348]                                                                                                    000007fefad1331c
Thread   C:\windows\System32\svchost.exe [684:1476]                                                                                                    000007fefa6659a0
Thread   C:\windows\System32\svchost.exe [684:3232]                                                                                                    000007fef7aaa2b0
Thread   C:\windows\System32\svchost.exe [684:4216]                                                                                                    000007fef8d588f8
Thread   C:\windows\System32\svchost.exe [684:4028]                                                                                                    000007fef87044e0
Thread   C:\windows\system32\svchost.exe [952:28596]                                                                                                   000007fef7b01ab0
Thread   C:\windows\System32\spoolsv.exe [1536:3832]                                                                                                   000007fef72d10c8
Thread   C:\windows\System32\spoolsv.exe [1536:3916]                                                                                                   000007fef7286144
Thread   C:\windows\System32\spoolsv.exe [1536:3936]                                                                                                   000007fef9075fd0
Thread   C:\windows\System32\spoolsv.exe [1536:1184]                                                                                                   000007fef7263438
Thread   C:\windows\System32\spoolsv.exe [1536:2124]                                                                                                   000007fef90763ec
Thread   C:\windows\System32\spoolsv.exe [1536:4012]                                                                                                   000007fef7385e5c
Thread   C:\windows\System32\spoolsv.exe [1536:2428]                                                                                                   000007fef7395090
Thread   C:\windows\system32\svchost.exe [1564:3796]                                                                                                   000007fef7492940
Thread   C:\windows\system32\svchost.exe [1564:4212]                                                                                                   000007fef6eb2888
Thread   C:\windows\system32\svchost.exe [1564:7676]                                                                                                   000007fef6eb2a40
Thread   C:\windows\System32\svchost.exe [1648:2808]                                                                                                   000007fef8e0bd88
Thread   C:\windows\System32\svchost.exe [1648:4088]                                                                                                   000007fef7c200cc
Thread   C:\windows\System32\svchost.exe [1648:692]                                                                                                    000007fef7c12a30
Thread   C:\windows\System32\svchost.exe [1648:1452]                                                                                                   000007fef7c1c5e0
Thread   C:\windows\System32\svchost.exe [1648:2292]                                                                                                   000007fef7675ab4
Thread   C:\windows\System32\svchost.exe [1648:1896]                                                                                                   000007fef767a7b0
Thread   C:\windows\System32\svchost.exe [1648:3428]                                                                                                   000007fef769a8d8
Thread   C:\windows\System32\svchost.exe [1648:5672]                                                                                                   000007fef8da5124
Thread   C:\windows\System32\svchost.exe [1648:7760]                                                                                                   000007fef6b65170
Thread   C:\windows\System32\svchost.exe [1648:31368]                                                                                                  000007fef2cd83d8
Thread   C:\windows\System32\svchost.exe [1648:5800]                                                                                                   000007fef2cd83d8
Thread   C:\windows\System32\svchost.exe [1648:20424]                                                                                                  000007fef2cd83d8
Thread   C:\windows\System32\svchost.exe [1648:31412]                                                                                                  000007fef2cd83d8
Thread   C:\windows\System32\svchost.exe [1648:28344]                                                                                                  000007feed0b3f84
Thread   C:\windows\System32\svchost.exe [1648:31924]                                                                                                  000007fefa931a38
Thread   C:\windows\System32\svchost.exe [1648:27100]                                                                                                  000007fefa925388
Thread   C:\windows\System32\svchost.exe [1648:9964]                                                                                                   000007fef7ad7738
Thread   C:\windows\System32\svchost.exe [1648:32892]                                                                                                  000007fef7791f90
Thread   C:\windows\system32\svchost.exe [4064:928]                                                                                                    000007fefe05a808
Thread   C:\windows\system32\svchost.exe [4064:1080]                                                                                                   000007fef7996e5c
Thread   C:\windows\system32\svchost.exe [4064:3252]                                                                                                   000007fef7995708
Thread   C:\windows\system32\svchost.exe [3260:1268]                                                                                                   000007fefe05a808
Thread   C:\Windows\System32\WUDFHost.exe [3712:4788]                                                                                                  000007fef6e96998
Thread   C:\windows\system32\taskhost.exe [4116:4164]                                                                                                  000007fef6ef2740
Thread   C:\windows\system32\taskhost.exe [4116:4244]                                                                                                  000007fef6e61f38
Thread   C:\windows\system32\taskhost.exe [4116:4324]                                                                                                  000007fefb901010
Thread   C:\windows\system32\taskhost.exe [4116:6876]                                                                                                  000007fef6b65170
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5368:5728]                                                                                000007fefaff2bf8
Thread   C:\Program Files\Windows Media Player\wmpnetwk.exe [5368:2608]                                                                                000007fef8da5124
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:1164]                                                             000000006c152ab2
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:10584]                                                            00000000551f85a7
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:10720]                                                            00000000687a198a
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:4152]                                                             0000000068764fad
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:9648]                                                             0000000068764fad
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:10164]                                                            0000000068764fad
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:4084]                                                             0000000068764fad
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:8880]                                                             00000000687a198a
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:10988]                                                            00000000687562fa
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:9348]                                                             0000000068756312
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:10384]                                                            00000000687a198a
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:4768]                                                             00000000687a198a
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:16204]                                                            00000000735317a4
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:24388]                                                            000000006c152ab2
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:22032]                                                            000000006c152ab2
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:28848]                                                            000000006c152ab2
Thread   C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe [5404:21612]                                                            000000006c152ab2
Thread   C:\windows\SysWOW64\ntdll.dll [5620:5624]                                                                                                     0000000000408ed7
Thread   C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe [6832:5144]                                                                                      000007fef225fd30
Thread   C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe [6832:5136]                                                                                      000007fef222c690
Thread   C:\windows\system32\svchost.exe [5024:10200]                                                                                                  000007fefe05a808
Thread   C:\windows\system32\svchost.exe [29076:28280]                                                                                                 000007fefaae341c
Thread   C:\windows\system32\svchost.exe [29076:25368]                                                                                                 000007fefaae3a2c
Thread   C:\windows\system32\svchost.exe [29076:28300]                                                                                                 000007fefaae3768
Thread   C:\windows\system32\svchost.exe [29076:27052]                                                                                                 000007fefaae5c20
Thread   C:\windows\system32\svchost.exe [29076:16860]                                                                                                 000007fefaae3900
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:31692]                                                                    00000000671f6b27
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:644]                                                                      00000000102cbfe5
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:31336]                                                                    00000000102cbfe5
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:30528]                                                                    00000000102cbfe5
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:10160]                                                                    00000000102cbfe5
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:3460]                                                                     0000000065b42b22
Thread   C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE [33132:27500]                                                                    000000006557f1ac
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:31304]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:23048]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:33632]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:33232]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:28936]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:25480]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:23524]                                                                           00000000765c274c
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:28712]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:32300]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:23560]                                                                           000000007661a27b
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:25028]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:25400]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:26620]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [33764:27292]                                                                           000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:27884]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:24200]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:26880]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:29240]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:29484]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:24560]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:28224]                                                                            00000000765c274c
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:31252]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:27972]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30796]                                                                            000000007661a27b
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:31728]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:24244]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:22368]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:19520]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:32268]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:23472]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30608]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30448]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:28164]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:29996]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30944]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30476]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:20640]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:26996]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:28260]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:13960]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30264]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:32856]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:29724]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:22352]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:30688]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:21312]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:23860]                                                                            000000006a383143
Thread   C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [9920:23756]                                                                            000000006a383143
---- Processes - GMER 2.1 ----

Process  C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe (*** suspicious ***) @ C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe [6832](2014-09-23 07:09:28)  0000000000180000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0                                                                                                                         unknown MBR code
Disk     \Device\Harddisk0\DR0                                                                                                                         sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----
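A small triage script for GMER output of the kind pasted above, added here as an example and not part of the original post or of GMER itself: it parses the Thread, Process and Disk lines into a structure, flags executables whose threads run from user-writable directories (the AppData\Roaming path in the log), collects the entries GMER itself marked "*** suspicious ***", and pulls out the boot-sector findings. The embedded sample log is constructed in the same layout as the log above; the list of user-writable path prefixes is an assumption and can be extended.

```python
import re
from collections import defaultdict

# GMER 2.1 line formats, as seen in the log above.
THREAD_RE = re.compile(
    r"^Thread\s+(?P<image>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<addr>[0-9a-fA-F]+)\s*$")
PROCESS_RE = re.compile(r"^Process\s+(?P<image>.+?)\s+\(\*\*\* suspicious \*\*\*\)")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)\s*$")

# Assumed list of locations a standard user can write to; a long-lived
# executable here deserves a look even if the scanner does not mark it.
USER_WRITABLE_RE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE)
# Boot-sector findings GMER reports for a rewritten MBR.
MBR_ALERT_RE = re.compile(r"unknown MBR code|rootkit-like behavior", re.IGNORECASE)

# Constructed sample in GMER 2.1 layout (not the full log from the post).
SAMPLE_GMER_LOG = r"""Thread   C:\windows\System32\svchost.exe [1648:5800]   000007fef2cd83d8
Thread   C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe [6832:5144]   000007fef225fd30
Thread   C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe [6832:5136]   000007fef222c690
Thread   C:\windows\SysWOW64\ntdll.dll [5620:5624]   0000000000408ed7
---- Processes - GMER 2.1 ----

Process  C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe (*** suspicious ***) @ C:\Users\enez7ov\AppData\Roaming\oas\mcc.exe [6832](2014-09-23 07:09:28)  0000000000180000

---- Disk sectors - GMER 2.1 ----

Disk     \Device\Harddisk0\DR0   unknown MBR code
Disk     \Device\Harddisk0\DR0   sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----
"""


def triage_gmer(log_text):
    """Return the findings from a GMER log that a responder should act on.

    user_writable_images: (image, pid, thread count) for every process whose
        image lives under a user-writable directory.
    suspicious_processes: images GMER itself tagged as suspicious.
    mbr_findings: (device, finding) for each boot-sector alert.
    """
    threads = defaultdict(set)  # (image, pid) -> set of thread ids
    suspicious = []
    mbr = []
    for line in log_text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            threads[(m["image"], int(m["pid"]))].add(int(m["tid"]))
            continue
        m = PROCESS_RE.match(line)
        if m:
            suspicious.append(m["image"])
            continue
        m = DISK_RE.match(line)
        if m and MBR_ALERT_RE.search(m["finding"]):
            mbr.append((m["device"], m["finding"]))

    user_writable = sorted(
        (image, pid, len(tids))
        for (image, pid), tids in threads.items()
        if USER_WRITABLE_RE.search(image))
    return {
        "user_writable_images": user_writable,
        "suspicious_processes": sorted(set(suspicious)),
        "mbr_findings": mbr,
    }


if __name__ == "__main__":
    for key, value in triage_gmer(SAMPLE_GMER_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

Feed it a saved GMER log instead of the sample to get the same three lists. Treat the MBR lines as a prompt to inspect sector 0 rather than as proof of a bootkit: full-disk-encryption products that install their own pre-boot loader rewrite the MBR too, and GMER commonly reports that as "unknown MBR code"; the TDSSKiller service list later in this thread shows McAfee Endpoint Encryption drivers on this machine, so that possibility is worth ruling out before drawing conclusions.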
 



#4 tbg37g (Topic Starter, Members, 5 posts)

Posted 18 October 2014 - 11:30 AM

Marius,

I had run this before - I cannot remember if it initially found any threats - thx!

12:26:36.0614 0x3880  TDSS rootkit removing tool 3.0.0.40 Jul 10 2014 12:37:58
12:26:44.0008 0x3880  ============================================================
12:26:44.0008 0x3880  Current date / time: 2014/10/18 12:26:44.0008
12:26:44.0008 0x3880  SystemInfo:
12:26:44.0008 0x3880  
12:26:44.0008 0x3880  OS Version: 6.1.7601 ServicePack: 1.0
12:26:44.0008 0x3880  Product type: Workstation
12:26:44.0008 0x3880  ComputerName: ACNU2529VN5
12:26:44.0008 0x3880  UserName: enez7ov
12:26:44.0008 0x3880  Windows directory: C:\windows
12:26:44.0008 0x3880  System windows directory: C:\windows
12:26:44.0008 0x3880  Running under WOW64
12:26:44.0008 0x3880  Processor architecture: Intel x64
12:26:44.0008 0x3880  Number of processors: 4
12:26:44.0008 0x3880  Page size: 0x1000
12:26:44.0008 0x3880  Boot type: Normal boot
12:26:44.0008 0x3880  ============================================================
12:26:44.0554 0x3880  KLMD registered as C:\windows\system32\drivers\41898226.sys
12:26:45.0677 0x3880  System UUID: {5620A13F-0C48-876B-056C-93E5827CA2A7}
12:26:46.0956 0x3880  Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 ( 465.76 Gb ), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
12:26:46.0956 0x3880  ============================================================
12:26:46.0956 0x3880  \Device\Harddisk0\DR0:
12:26:46.0956 0x3880  MBR partitions:
12:26:46.0956 0x3880  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A385000
12:26:46.0956 0x3880  ============================================================
12:26:46.0988 0x3880  Initialize success
12:26:46.0988 0x3880  ============================================================
12:26:55.0427 0x6488  ============================================================
12:26:55.0427 0x6488  Scan started
12:26:55.0427 0x6488  Mode: Manual;
12:26:55.0427 0x6488  ============================================================
12:26:55.0427 0x6488  KSN ping started
12:27:11.0308 0x6488  KSN ping finished: true
12:27:11.0683 0x6488  ================ Scan system memory ========================
12:27:11.0683 0x6488  System memory - ok
12:27:11.0683 0x6488  ================ Scan services =============================
12:27:11.0729 0x6488  1394ohci - ok
12:27:11.0776 0x6488  A2DDA - ok
12:27:11.0776 0x6488  Accelerometer - ok
12:27:11.0792 0x6488  ACPI - ok
12:27:11.0792 0x6488  AcpiPmi - ok
12:27:11.0807 0x6488  AdobeARMservice - ok
12:27:11.0807 0x6488  adp94xx - ok
12:27:11.0823 0x6488  adpahci - ok
12:27:11.0839 0x6488  adpu320 - ok
12:27:11.0854 0x6488  AeLookupSvc - ok
12:27:11.0870 0x6488  AFD - ok
12:27:11.0885 0x6488  AgentService - ok
12:27:11.0885 0x6488  agp440 - ok
12:27:11.0885 0x6488  ALG - ok
12:27:11.0901 0x6488  aliide - ok
12:27:11.0901 0x6488  amdide - ok
12:27:11.0901 0x6488  AmdK8 - ok
12:27:11.0917 0x6488  amdkmpfd - ok
12:27:11.0917 0x6488  AmdPPM - ok
12:27:11.0932 0x6488  amdsata - ok
12:27:11.0932 0x6488  amdsbs - ok
12:27:11.0932 0x6488  amdxata - ok
12:27:11.0948 0x6488  AppID - ok
12:27:11.0948 0x6488  AppIDSvc - ok
12:27:11.0963 0x6488  Appinfo - ok
12:27:11.0963 0x6488  AppMgmt - ok
12:27:11.0979 0x6488  arc - ok
12:27:11.0979 0x6488  arcsas - ok
12:27:11.0995 0x6488  aspnet_state - ok
12:27:12.0010 0x6488  AsyncMac - ok
12:27:12.0010 0x6488  atapi - ok
12:27:12.0026 0x6488  AtiPcie - ok
12:27:12.0026 0x6488  AudioEndpointBuilder - ok
12:27:12.0026 0x6488  AudioSrv - ok
12:27:12.0041 0x6488  AxInstSV - ok
12:27:12.0041 0x6488  b06bdrv - ok
12:27:12.0057 0x6488  b57nd60a - ok
12:27:12.0073 0x6488  BDESVC - ok
12:27:12.0073 0x6488  Beep - ok
12:27:12.0088 0x6488  BFE - ok
12:27:12.0088 0x6488  BITS - ok
12:27:12.0104 0x6488  blbdrive - ok
12:27:12.0104 0x6488  bowser - ok
12:27:12.0119 0x6488  BrFiltLo - ok
12:27:12.0119 0x6488  BrFiltUp - ok
12:27:12.0135 0x6488  Browser - ok
12:27:12.0151 0x6488  Brserid - ok
12:27:12.0151 0x6488  BrSerWdm - ok
12:27:12.0151 0x6488  BrUsbMdm - ok
12:27:12.0166 0x6488  BrUsbSer - ok
12:27:12.0166 0x6488  BthEnum - ok
12:27:12.0182 0x6488  BTHMODEM - ok
12:27:12.0182 0x6488  BthPan - ok
12:27:12.0197 0x6488  BTHPORT - ok
12:27:12.0213 0x6488  bthserv - ok
12:27:12.0213 0x6488  BTHUSB - ok
12:27:12.0229 0x6488  btmhsf - ok
12:27:12.0229 0x6488  cdfs - ok
12:27:12.0244 0x6488  cdrom - ok
12:27:12.0260 0x6488  CertPropSvc - ok
12:27:12.0260 0x6488  circlass - ok
12:27:12.0275 0x6488  cleanhlp - ok
12:27:12.0275 0x6488  CLFS - ok
12:27:12.0291 0x6488  clr_optimization_v2.0.50727_32 - ok
12:27:12.0291 0x6488  clr_optimization_v2.0.50727_64 - ok
12:27:12.0307 0x6488  clr_optimization_v4.0.30319_32 - ok
12:27:12.0322 0x6488  clr_optimization_v4.0.30319_64 - ok
12:27:12.0322 0x6488  CmBatt - ok
12:27:12.0338 0x6488  cmdide - ok
12:27:12.0353 0x6488  CNG - ok
12:27:12.0353 0x6488  Compbatt - ok
12:27:12.0369 0x6488  CompositeBus - ok
12:27:12.0369 0x6488  COMSysApp - ok
12:27:12.0385 0x6488  cphs - ok
12:27:12.0400 0x6488  crcdisk - ok
12:27:12.0416 0x6488  CryptSvc - ok
12:27:12.0416 0x6488  CSC - ok
12:27:12.0431 0x6488  CscService - ok
12:27:12.0447 0x6488  ctxusbm - ok
12:27:12.0463 0x6488  DcomLaunch - ok
12:27:12.0463 0x6488  defragsvc - ok
12:27:12.0478 0x6488  DfsC - ok
12:27:12.0494 0x6488  Dhcp - ok
12:27:12.0494 0x6488  discache - ok
12:27:12.0509 0x6488  Disk - ok
12:27:12.0525 0x6488  dmvsc - ok
12:27:12.0541 0x6488  Dnscache - ok
12:27:12.0556 0x6488  dot3svc - ok
12:27:12.0572 0x6488  DPS - ok
12:27:12.0572 0x6488  drmkaud - ok
12:27:12.0587 0x6488  dsNcAdpt - ok
12:27:12.0603 0x6488  dsNcService - ok
12:27:12.0619 0x6488  DXGKrnl - ok
12:27:12.0619 0x6488  e1cexpress - ok
12:27:12.0650 0x6488  eamonm - ok
12:27:12.0650 0x6488  EapHost - ok
12:27:12.0665 0x6488  ebdrv - ok
12:27:12.0681 0x6488  EFS - ok
12:27:12.0697 0x6488  ehdrv - ok
12:27:12.0712 0x6488  ehRecvr - ok
12:27:12.0728 0x6488  ehSched - ok
12:27:12.0728 0x6488  ekrn - ok
12:27:12.0743 0x6488  elxstor - ok
12:27:12.0759 0x6488  enstart64 - ok
12:27:12.0775 0x6488  enstart64_ - ok
12:27:12.0790 0x6488  enterceptAgent - ok
12:27:12.0806 0x6488  epfwwfpr - ok
12:27:12.0806 0x6488  ErrDev - ok
12:27:12.0837 0x6488  EventSystem - ok
12:27:12.0853 0x6488  exfat - ok
12:27:12.0868 0x6488  fastfat - ok
12:27:12.0884 0x6488  Fax - ok
12:27:12.0899 0x6488  fdc - ok
12:27:12.0915 0x6488  fdPHost - ok
12:27:12.0931 0x6488  FDResPub - ok
12:27:12.0946 0x6488  FileInfo - ok
12:27:12.0962 0x6488  Filetrace - ok
12:27:12.0977 0x6488  Firehk - ok
12:27:12.0993 0x6488  FirehkMP - ok
12:27:13.0009 0x6488  FireNfcp - ok
12:27:13.0024 0x6488  flpydisk - ok
12:27:13.0040 0x6488  FltMgr - ok
12:27:13.0055 0x6488  FontCache - ok
12:27:13.0071 0x6488  FontCache3.0.0.0 - ok
12:27:13.0087 0x6488  FsDepends - ok
12:27:13.0102 0x6488  Fs_Rec - ok
12:27:13.0118 0x6488  fvevol - ok
12:27:13.0133 0x6488  gagp30kx - ok
12:27:13.0149 0x6488  gpsvc - ok
12:27:13.0165 0x6488  hcw85cir - ok
12:27:13.0211 0x6488  HDAudBus - ok
12:27:13.0211 0x6488  hdlpctrl - ok
12:27:13.0227 0x6488  hdlpdbk - ok
12:27:13.0243 0x6488  hdlpevnt - ok
12:27:13.0258 0x6488  hdlpflt - ok
12:27:13.0274 0x6488  hdlpnetf - ok
12:27:13.0274 0x6488  HidBatt - ok
12:27:13.0289 0x6488  HidBth - ok
12:27:13.0305 0x6488  HidIr - ok
12:27:13.0321 0x6488  hidserv - ok
12:27:13.0336 0x6488  HidUsb - ok
12:27:13.0352 0x6488  HipMgmt - ok
12:27:13.0367 0x6488  HipShieldK - ok
12:27:13.0383 0x6488  hkmsvc - ok
12:27:13.0399 0x6488  HomeGroupListener - ok
12:27:13.0399 0x6488  HomeGroupProvider - ok
12:27:13.0414 0x6488  HPDrvMntSvc.exe - ok
12:27:13.0430 0x6488  hpdskflt - ok
12:27:13.0445 0x6488  hpHotkeyMonitor - ok
12:27:13.0461 0x6488  HpqKbFiltr - ok
12:27:13.0477 0x6488  hpqwmiex - ok
12:27:13.0477 0x6488  HpSAMD - ok
12:27:13.0492 0x6488  hpsrv - ok
12:27:13.0508 0x6488  HTTP - ok
12:27:13.0523 0x6488  hwpolicy - ok
12:27:13.0539 0x6488  i8042prt - ok
12:27:13.0555 0x6488  iaStor - ok
12:27:13.0570 0x6488  iaStorV - ok
12:27:13.0586 0x6488  iBtFltCoex - ok
12:27:13.0586 0x6488  idsvc - ok
12:27:13.0601 0x6488  igfx - ok
12:27:13.0617 0x6488  iirsp - ok
12:27:13.0633 0x6488  IKEEXT - ok
12:27:13.0664 0x6488  IntcDAud - ok
12:27:13.0679 0x6488  intelide - ok
12:27:13.0695 0x6488  intelppm - ok
12:27:13.0695 0x6488  IPBusEnum - ok
12:27:13.0711 0x6488  IpFilterDriver - ok
12:27:13.0726 0x6488  iphlpsvc - ok
12:27:13.0742 0x6488  IPMIDRV - ok
12:27:13.0757 0x6488  IPNAT - ok
12:27:13.0773 0x6488  IRENUM - ok
12:27:13.0789 0x6488  isapnp - ok
12:27:13.0820 0x6488  iScsiPrt - ok
12:27:13.0851 0x6488  iusb3hcs - ok
12:27:13.0867 0x6488  iusb3hub - ok
12:27:13.0882 0x6488  iusb3xhc - ok
12:27:13.0898 0x6488  JMCR - ok
12:27:13.0929 0x6488  kbdclass - ok
12:27:13.0945 0x6488  kbdhid - ok
12:27:13.0960 0x6488  KeyIso - ok
12:27:13.0976 0x6488  KSecDD - ok
12:27:13.0991 0x6488  KSecPkg - ok
12:27:14.0007 0x6488  ksthunk - ok
12:27:14.0023 0x6488  KtmRm - ok
12:27:14.0038 0x6488  LanmanServer - ok
12:27:14.0054 0x6488  LanmanWorkstation - ok
12:27:14.0085 0x6488  lltdio - ok
12:27:14.0101 0x6488  lltdsvc - ok
12:27:14.0116 0x6488  lmhosts - ok
12:27:14.0147 0x6488  LSI_FC - ok
12:27:14.0163 0x6488  LSI_SAS - ok
12:27:14.0179 0x6488  LSI_SAS2 - ok
12:27:14.0194 0x6488  LSI_SCSI - ok
12:27:14.0210 0x6488  luafv - ok
12:27:14.0225 0x6488  LV_Tracker - ok
12:27:14.0257 0x6488  MBAMSwissArmy - ok
12:27:14.0272 0x6488  McAfee Endpoint Encryption Agent - ok
12:27:14.0288 0x6488  McAfee SiteAdvisor Enterprise Service - ok
12:27:14.0303 0x6488  McAfeeAuditManager - ok
12:27:14.0319 0x6488  McAfeeDLPAgentService - ok
12:27:14.0335 0x6488  McAfeeFramework - ok
12:27:14.0350 0x6488  McShield - ok
12:27:14.0381 0x6488  McTaskManager - ok
12:27:14.0381 0x6488  Mcx2Svc - ok
12:27:14.0397 0x6488  megasas - ok
12:27:14.0428 0x6488  MegaSR - ok
12:27:14.0444 0x6488  MEIx64 - ok
12:27:14.0459 0x6488  mfeapfk - ok
12:27:14.0475 0x6488  mfeapfk01 - ok
12:27:14.0491 0x6488  mfeavfk - ok
12:27:14.0506 0x6488  mfeavfk01 - ok
12:27:14.0522 0x6488  MfeEEAlg - ok
12:27:14.0537 0x6488  MfeEEFF - ok
12:27:14.0553 0x6488  MfeEEFFA - ok
12:27:14.0569 0x6488  MfeEEFFCd - ok
12:27:14.0600 0x6488  MfeEEFFV - ok
12:27:14.0615 0x6488  MfeEERM - ok
12:27:14.0631 0x6488  MfeEpeOpal - ok
12:27:14.0647 0x6488  MfeEpePc - ok
12:27:14.0678 0x6488  MfeFfCoreService - ok
12:27:14.0693 0x6488  mfefire - ok
12:27:14.0709 0x6488  mfefirek - ok
12:27:14.0725 0x6488  mfehidk - ok
12:27:14.0740 0x6488  mfenlfk - ok
12:27:14.0771 0x6488  mferkdet - ok
12:27:14.0787 0x6488  mfesmfk - ok
12:27:14.0803 0x6488  mfevtp - ok
12:27:14.0834 0x6488  mfewfpk - ok
12:27:14.0849 0x6488  MMCSS - ok
12:27:14.0865 0x6488  Modem - ok
12:27:14.0881 0x6488  monitor - ok
12:27:14.0896 0x6488  mouclass - ok
12:27:14.0927 0x6488  mouhid - ok
12:27:14.0943 0x6488  mountmgr - ok
12:27:14.0974 0x6488  MozillaMaintenance - ok
12:27:14.0990 0x6488  mpio - ok
12:27:15.0021 0x6488  mpsdrv - ok
12:27:15.0052 0x6488  MpsSvc - ok
12:27:15.0068 0x6488  MRxDAV - ok
12:27:15.0099 0x6488  mrxsmb - ok
12:27:15.0115 0x6488  mrxsmb10 - ok
12:27:15.0130 0x6488  mrxsmb20 - ok
12:27:15.0146 0x6488  msahci - ok
12:27:15.0177 0x6488  msdsm - ok
12:27:15.0193 0x6488  MSDTC - ok
12:27:15.0317 0x6488  Msfs - ok
12:27:15.0333 0x6488  mshidkmdf - ok
12:27:15.0364 0x6488  msisadrv - ok
12:27:15.0395 0x6488  MSiSCSI - ok
12:27:15.0427 0x6488  msiserver - ok
12:27:15.0458 0x6488  MSKSSRV - ok
12:27:15.0489 0x6488  MSPCLOCK - ok
12:27:15.0520 0x6488  MSPQM - ok
12:27:15.0536 0x6488  MsRPC - ok
12:27:15.0583 0x6488  mssmbios - ok
12:27:15.0614 0x6488  MSTEE - ok
12:27:15.0629 0x6488  MTConfig - ok
12:27:15.0645 0x6488  Mup - ok
12:27:15.0661 0x6488  napagent - ok
12:27:15.0692 0x6488  NativeWifiP - ok
12:27:15.0723 0x6488  NDIS - ok
12:27:15.0739 0x6488  NdisCap - ok
12:27:15.0754 0x6488  NdisTapi - ok
12:27:15.0785 0x6488  Ndisuio - ok
12:27:15.0801 0x6488  NdisWan - ok
12:27:15.0817 0x6488  NDProxy - ok
12:27:15.0848 0x6488  NetBIOS - ok
12:27:15.0863 0x6488  NetBT - ok
12:27:15.0895 0x6488  Netlogon - ok
12:27:15.0910 0x6488  Netman - ok
12:27:15.0926 0x6488  NetMsmqActivator - ok
12:27:15.0941 0x6488  NetPipeActivator - ok
12:27:15.0973 0x6488  netprofm - ok
12:27:16.0004 0x6488  NetTcpActivator - ok
12:27:16.0019 0x6488  NetTcpPortSharing - ok
12:27:16.0035 0x6488  NETwNs64 - ok
12:27:16.0066 0x6488  nfrd960 - ok
12:27:16.0082 0x6488  NlaSvc - ok
12:27:16.0113 0x6488  Npfs - ok
12:27:16.0144 0x6488  nsi - ok
12:27:16.0160 0x6488  nsiproxy - ok
12:27:16.0207 0x6488  Ntfs - ok
12:27:16.0222 0x6488  Null - ok
12:27:16.0253 0x6488  nvraid - ok
12:27:16.0300 0x6488  nvstor - ok
12:27:16.0331 0x6488  nv_agp - ok
12:27:16.0347 0x6488  NWSAPAutoWorkstationUpdateSvc - ok
12:27:16.0363 0x6488  odserv - ok
12:27:16.0394 0x6488  ohci1394 - ok
12:27:16.0409 0x6488  ose - ok
12:27:16.0456 0x6488  p2pimsvc - ok
12:27:16.0472 0x6488  p2psvc - ok
12:27:16.0487 0x6488  Parport - ok
12:27:16.0519 0x6488  partmgr - ok
12:27:16.0534 0x6488  PcaSvc - ok
12:27:16.0550 0x6488  pci - ok
12:27:16.0581 0x6488  pciide - ok
12:27:16.0597 0x6488  pcmcia - ok
12:27:16.0612 0x6488  pcw - ok
12:27:16.0643 0x6488  PEAUTH - ok
12:27:16.0659 0x6488  PeerDistSvc - ok
12:27:16.0706 0x6488  PerfHost - ok
12:27:16.0784 0x6488  pla - ok
12:27:16.0862 0x6488  PlugPlay - ok
12:27:16.0877 0x6488  PNRPAutoReg - ok
12:27:16.0893 0x6488  PNRPsvc - ok
12:27:16.0924 0x6488  PolicyAgent - ok
12:27:16.0955 0x6488  Power - ok
12:27:16.0987 0x6488  PptpMiniport - ok
12:27:17.0018 0x6488  prgnDiscAgent - ok
12:27:17.0033 0x6488  Processor - ok
12:27:17.0065 0x6488  ProfSvc - ok
12:27:17.0080 0x6488  ProtectedStorage - ok
12:27:17.0127 0x6488  Psched - ok
12:27:17.0158 0x6488  ql2300 - ok
12:27:17.0189 0x6488  ql40xx - ok
12:27:17.0221 0x6488  QWAVE - ok
12:27:17.0252 0x6488  QWAVEdrv - ok
12:27:17.0267 0x6488  Radexecd - ok
12:27:17.0299 0x6488  RadiaMsi - ok
12:27:17.0314 0x6488  Radsched - ok
12:27:17.0345 0x6488  Radstgms - ok
12:27:17.0361 0x6488  RasAcd - ok
12:27:17.0392 0x6488  RasAgileVpn - ok
12:27:17.0423 0x6488  RasAuto - ok
12:27:17.0439 0x6488  Rasl2tp - ok
12:27:17.0455 0x6488  RasMan - ok
12:27:17.0486 0x6488  RasPppoe - ok
12:27:17.0517 0x6488  RasSstp - ok
12:27:17.0533 0x6488  rdbss - ok
12:27:17.0564 0x6488  rdpbus - ok
12:27:17.0579 0x6488  RDPCDD - ok
12:27:17.0626 0x6488  RDPDR - ok
12:27:17.0689 0x6488  RDPENCDD - ok
12:27:17.0735 0x6488  RDPREFMP - ok
12:27:17.0767 0x6488  RDPWD - ok
12:27:17.0798 0x6488  rdyboost - ok
12:27:17.0813 0x6488  RemoteAccess - ok
12:27:17.0845 0x6488  RemoteRegistry - ok
12:27:17.0876 0x6488  RFCOMM - ok
12:27:17.0907 0x6488  RpcEptMapper - ok
12:27:17.0923 0x6488  RpcLocator - ok
12:27:17.0954 0x6488  RpcSs - ok
12:27:17.0985 0x6488  rspndr - ok
12:27:18.0001 0x6488  s3cap - ok
12:27:18.0032 0x6488  SamSs - ok
12:27:18.0047 0x6488  sbp2port - ok
12:27:18.0079 0x6488  SCardSvr - ok
12:27:18.0094 0x6488  scfilter - ok
12:27:18.0125 0x6488  Schedule - ok
12:27:18.0157 0x6488  SCPolicySvc - ok
12:27:18.0188 0x6488  SDRSVC - ok
12:27:18.0203 0x6488  secdrv - ok
12:27:18.0250 0x6488  seclogon - ok
12:27:18.0297 0x6488  SENS - ok
12:27:18.0313 0x6488  SensrSvc - ok
12:27:18.0344 0x6488  Serenum - ok
12:27:18.0359 0x6488  Serial - ok
12:27:18.0391 0x6488  sermouse - ok
12:27:18.0484 0x6488  SessionEnv - ok
12:27:18.0515 0x6488  sffdisk - ok
12:27:18.0531 0x6488  sffp_mmc - ok
12:27:18.0562 0x6488  sffp_sd - ok
12:27:18.0578 0x6488  sfloppy - ok
12:27:18.0609 0x6488  SharedAccess - ok
12:27:18.0640 0x6488  ShellHWDetection - ok
12:27:18.0656 0x6488  SiSRaid2 - ok
12:27:18.0687 0x6488  SiSRaid4 - ok
12:27:18.0718 0x6488  Smb - ok
12:27:18.0734 0x6488  SmbDrv - ok
12:27:18.0765 0x6488  SmbDrvI - ok
12:27:18.0874 0x6488  SNMPTRAP - ok
12:27:18.0890 0x6488  spldr - ok
12:27:18.0921 0x6488  Spooler - ok
12:27:18.0952 0x6488  sppsvc - ok
12:27:18.0968 0x6488  sppuinotify - ok
12:27:18.0999 0x6488  srv - ok
12:27:19.0030 0x6488  srv2 - ok
12:27:19.0061 0x6488  srvnet - ok
12:27:19.0077 0x6488  SSDPSRV - ok
12:27:19.0108 0x6488  SstpSvc - ok
12:27:19.0186 0x6488  STacSV - ok
12:27:19.0233 0x6488  stexstor - ok
12:27:19.0280 0x6488  STHDA - ok
12:27:19.0295 0x6488  stisvc - ok
12:27:19.0342 0x6488  storflt - ok
12:27:19.0373 0x6488  StorSvc - ok
12:27:19.0405 0x6488  storvsc - ok
12:27:19.0436 0x6488  swenum - ok
12:27:19.0451 0x6488  swprv - ok
12:27:19.0483 0x6488  SynTP - ok
12:27:19.0514 0x6488  SysMain - ok
12:27:19.0545 0x6488  TabletInputService - ok
12:27:19.0561 0x6488  TapiSrv - ok
12:27:19.0592 0x6488  TBS - ok
12:27:19.0623 0x6488  Tcpip - ok
12:27:19.0654 0x6488  TCPIP6 - ok
12:27:19.0701 0x6488  tcpipreg - ok
12:27:19.0748 0x6488  TDPIPE - ok
12:27:19.0779 0x6488  TDTCP - ok
12:27:19.0810 0x6488  tdx - ok
12:27:19.0841 0x6488  TermDD - ok
12:27:19.0873 0x6488  TermService - ok
12:27:19.0904 0x6488  Themes - ok
12:27:19.0935 0x6488  THREADORDER - ok
12:27:19.0966 0x6488  tKnoa-sm-72D8FD37 - ok
12:27:19.0997 0x6488  TPM - ok
12:27:20.0029 0x6488  TrkWks - ok
12:27:20.0091 0x6488  TrueSight - ok
12:27:20.0138 0x6488  TrustedInstaller - ok
12:27:20.0216 0x6488  tssecsrv - ok
12:27:20.0247 0x6488  TsUsbFlt - ok
12:27:20.0278 0x6488  TsUsbGD - ok
12:27:20.0309 0x6488  tunnel - ok
12:27:20.0325 0x6488  uagp35 - ok
12:27:20.0372 0x6488  udfs - ok
12:27:20.0465 0x6488  UI0Detect - ok
12:27:20.0497 0x6488  uliagpkx - ok
12:27:20.0528 0x6488  umbus - ok
12:27:20.0543 0x6488  UmPass - ok
12:27:20.0575 0x6488  UmRdpService - ok
12:27:20.0606 0x6488  UnlockerDriver5 - ok
12:27:20.0637 0x6488  upnphost - ok
12:27:20.0668 0x6488  usbccgp - ok
12:27:20.0699 0x6488  usbcir - ok
12:27:20.0715 0x6488  usbehci - ok
12:27:20.0746 0x6488  usbhub - ok
12:27:20.0777 0x6488  usbohci - ok
12:27:20.0809 0x6488  usbprint - ok
12:27:20.0840 0x6488  USBSTOR - ok
12:27:20.0871 0x6488  usbuhci - ok
12:27:20.0902 0x6488  usbvideo - ok
12:27:20.0933 0x6488  UxSms - ok
12:27:20.0965 0x6488  VaultSvc - ok
12:27:20.0996 0x6488  vdrvroot - ok
12:27:21.0027 0x6488  vds - ok
12:27:21.0058 0x6488  vga - ok
12:27:21.0074 0x6488  VgaSave - ok
12:27:21.0105 0x6488  vhdmp - ok
12:27:21.0136 0x6488  viaide - ok
12:27:21.0167 0x6488  vmbus - ok
12:27:21.0199 0x6488  VMBusHID - ok
12:27:21.0230 0x6488  volmgr - ok
12:27:21.0245 0x6488  volmgrx - ok
12:27:21.0277 0x6488  volsnap - ok
12:27:21.0308 0x6488  vsmraid - ok
12:27:21.0339 0x6488  VSS - ok
12:27:21.0370 0x6488  vwifibus - ok
12:27:21.0479 0x6488  vwififlt - ok
12:27:21.0526 0x6488  W32Time - ok
12:27:21.0589 0x6488  WacomPen - ok
12:27:21.0604 0x6488  WANARP - ok
12:27:21.0635 0x6488  Wanarpv6 - ok
12:27:21.0667 0x6488  wbengine - ok
12:27:21.0698 0x6488  WbioSrvc - ok
12:27:21.0729 0x6488  wcncsvc - ok
12:27:21.0760 0x6488  WcsPlugInService - ok
12:27:21.0791 0x6488  Wd - ok
12:27:21.0823 0x6488  Wdf01000 - ok
12:27:21.0854 0x6488  WdiServiceHost - ok
12:27:21.0885 0x6488  WdiSystemHost - ok
12:27:21.0916 0x6488  WebClient - ok
12:27:21.0947 0x6488  Wecsvc - ok
12:27:21.0963 0x6488  wercplsupport - ok
12:27:21.0994 0x6488  WerSvc - ok
12:27:22.0041 0x6488  WfpLwf - ok
12:27:22.0072 0x6488  WIMMount - ok
12:27:22.0103 0x6488  WinDefend - ok
12:27:22.0181 0x6488  WinHttpAutoProxySvc - ok
12:27:22.0213 0x6488  Winmgmt - ok
12:27:22.0259 0x6488  WinRM - ok
12:27:22.0337 0x6488  WinUSB - ok
12:27:22.0369 0x6488  Wlansvc - ok
12:27:22.0400 0x6488  WmiAcpi - ok
12:27:22.0462 0x6488  wmiApSrv - ok
12:27:22.0509 0x6488  WMPNetworkSvc - ok
12:27:22.0540 0x6488  WPCSvc - ok
12:27:22.0603 0x6488  WPDBusEnum - ok
12:27:22.0634 0x6488  ws2ifsl - ok
12:27:22.0665 0x6488  wscsvc - ok
12:27:22.0696 0x6488  WSearch - ok
12:27:22.0759 0x6488  wuauserv - ok
12:27:22.0806 0x6488  WudfPf - ok
12:27:22.0837 0x6488  WUDFRd - ok
12:27:22.0868 0x6488  wudfsvc - ok
12:27:22.0899 0x6488  WwanSvc - ok
12:27:23.0086 0x6488  ================ Scan global ===============================
12:27:23.0086 0x6488  [ Global ] - ok
12:27:23.0086 0x6488  ================ Scan MBR ==================================
12:27:23.0102 0x6488  [ 3DA7204C0957AA1AE07502934823D3A5 ] \Device\Harddisk0\DR0
12:27:23.0695 0x6488  \Device\Harddisk0\DR0 - ok
12:27:23.0695 0x6488  ================ Scan VBR ==================================
12:27:23.0695 0x6488  [ 246009B2CF4C841DD8ECE5FCF499D450 ] \Device\Harddisk0\DR0\Partition1
12:27:23.0695 0x6488  \Device\Harddisk0\DR0\Partition1 - ok
12:27:23.0695 0x6488  ================ Scan generic autorun ======================
12:27:23.0695 0x6488  IgfxTray - ok
12:27:23.0695 0x6488  HotKeysCmds - ok
12:27:23.0695 0x6488  Persistence - ok
12:27:23.0710 0x6488  SysTrayApp - ok
12:27:23.0710 0x6488  SynTPEnh - ok
12:27:23.0710 0x6488  MfeEpePcMonitor - ok
12:27:23.0710 0x6488  MfeFfCore - ok
12:27:23.0710 0x6488  McAfee Host Intrusion Prevention Tray - ok
12:27:23.0710 0x6488  egui - ok
12:27:23.0710 0x6488  C:\Program Files (x86)\Knoa\KnoaAgent\ - ok
12:27:23.0726 0x6488  Communicator - ok
12:27:23.0726 0x6488  QLBController - ok
12:27:23.0726 0x6488  Sidebar - ok
12:27:23.0726 0x6488  mctadmin - ok
12:27:23.0726 0x6488  Sidebar - ok
12:27:23.0726 0x6488  mctadmin - ok
12:27:23.0726 0x6488  Online Ad Scanner - ok
12:27:23.0742 0x6488  FlashPlayerUpdate - ok
12:27:24.0194 0x6488  AV detected via SS2: McAfee VirusScan Enterprise, C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe ( 8.8.0.0 ), 0x41010 ( enabled : outofdate )
12:27:24.0241 0x6488  FW detected via SS2: McAfee Host Intrusion Prevention Firewall,  (  ), 0x40010 ( disabled )
12:27:24.0412 0x6488  Win FW state via NFP2: disabled
12:27:27.0891 0x6488  ============================================================
12:27:27.0891 0x6488  Scan finished
12:27:27.0891 0x6488  ============================================================
12:27:27.0891 0x349c  Detected object count: 0
12:27:27.0891 0x349c  Actual detected object count: 0
 



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:02 PM

Posted 21 October 2014 - 07:03 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Proud Member of UNITE & TB
 

#6 tbg37g

tbg37g
  • Topic Starter

  • Members
  • 5 posts
  • Local time:08:02 AM

Posted 22 October 2014 - 04:08 PM

I have McAfee on my computer and cannot turn it off as it is a corporate computer and the buttons are greyed out to stop it. Is there any other tool that can be used to finish cleaning my system - such as the output from FarBAR that I posted above.

 

Thanks,

 

Todd



#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:02 PM

Posted 29 October 2014 - 02:52 AM

Hi Todd,

 

Marius is not available at the moment, so I will work with you from now on.

 

 

as it is a corporate computer and the buttons are greyed out

Does the IT department know that you are cleaning this system here in the forum? We need to disable McAfee for any kind of removal. And it would be best to double-check with the IT department of your company if you are allowed to get help here.


regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:01:02 PM

Posted 10 November 2014 - 07:23 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



