Virus


This topic is locked
14 replies to this topic

#1 EQSK4ever


Posted 17 October 2014 - 04:45 PM

I have noticed multiple .exe processes running in Task Manager. The names of the .exe processes keep changing - it was dllhost.exe that said COM Surrogate in the description, there were like 8 of them and it was eating up all of my RAM with nothing else open. I have run Malwarebytes several times in the last few days and it keeps coming up with Trojans like FakeGoogle and FakeMS Chrome update etc., and the last time I ran it, it found a backdoor bot. But the multiple .exe processes continue - at the moment I have several kvkqbous.exe *32 that say Google Chrome in the description. Please help me, and thanks in advance. I have downloaded FRST and just ran my first scan. Below is the log it gave me.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 16-10-2014
Ran by Owner (administrator) on OWNER-PC on 17-10-2014 16:11:16
Running from C:\Users\Owner\Downloads
Loaded Profile: Owner (Available profiles: Owner)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
( ) C:\Windows\System32\lxdncoms.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TECO\TecoService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(PortableApps.com) C:\Users\Owner\AppData\Local\Temp\366c\AppData\Local\Microsoft\Vcdyfhbfxexr.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
(Google Inc.) C:\Program Files (x86)\Google\Update \1.3.24.15\GoogleUpdateOnDemand.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Farbar) C:\Users\Owner\Downloads\FRST64 (1).exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe
(Google Inc.) C:\Users\Owner\AppData\LocalLow\Adobe\dwogzsoygfn\szlfjri\kvkqbous.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [506208 2009-10-29] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [707416 2009-11-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-11-05] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] => "C:\windows\system32\thpsrv" /logon
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1482592 2009-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8312352 2009-11-02] (Realtek Semiconductor)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2328944 2011-01-07] (Microsoft Corporation)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [911160 2009-10-26] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] => C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [2991856 2013-02-20] (Logitech, Inc.)
HKLM-x32\...\Run: [TWebCamera] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2446648 2009-11-05] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...\Run: [iLivid] => "C:\Program Files (x86)\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...\Run: [Vcdyfhbfxexr] => C:\Users\Owner\AppData\Local\Temp\366c\AppData\Local\Microsoft\Vcdyfhbfxexr.exe [222208 2014-10-17] (PortableApps.com) <===== ATTENTION
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...\MountPoints2: {0e487b13-a5b1-11e0-877a-00266c435fc2} - E:\VZAccess_Manager.exe /z detect
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...\MountPoints2: {52fb7c2b-900c-11e2-b146-00266c435fc2} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...\MountPoints2: {9e0a2da4-16e4-11e3-9e0d-0026b6d63608} - E:\Setup.exe
HKU\S-1-5-21-2218131425-529296336-2652917792-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
IFEO\browsemngr.exe: [Debugger] tasklist.exe
IFEO\browsermngr.exe: [Debugger] tasklist.exe
IFEO\cltmngsvc.exe: [Debugger]
IFEO\delta babylon.exe: [Debugger] tasklist.exe
IFEO\delta tb.exe: [Debugger] tasklist.exe
IFEO\delta2.exe: [Debugger] tasklist.exe
IFEO\deltainstaller.exe: [Debugger] tasklist.exe
IFEO\deltasetup.exe: [Debugger] tasklist.exe
IFEO\deltatb_2501-c733154b.exe: [Debugger] tasklist.exe
IFEO\iminentsetup.exe: [Debugger] tasklist.exe
IFEO\rjatydimofu.exe: [Debugger] tasklist.exe
IFEO\sweetimsetup.exe: [Debugger] tasklist.exe
IFEO\tbdelta.exetoolbar783881609.exe: [Debugger] tasklist.exe
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk
ShortcutTarget: Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk -> C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {6B78A880-15CA-468f-8422-A7960AD6FBB9} => C:\Program Files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {4EE7A346-5845-471e-9FAB-002EAF83F8B0} => C:\Program Files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {53DABC15-4F29-44ad-B09A-E0D0F9A3D075} => C:\Program Files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {493FC96E-B938-4924-9B38-C4088E9B8AC2} => C:\Program Files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/ig?brand=TSNA&bmod=TSNA
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache =
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page Redirect Cache =
URLSearchHook: HKCU - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
URLSearchHook: HKCU - (No Name) - {b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {19C40AE1-FBF9-4127-A870-623869155388} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=157&systemid=406&v=a11465-225&apn_uid=1135507619454851&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z7xdm118CRus&ptnrS=Z7xdm118CRus&si=5085&ptb=75136B45-E277-40AD-A651-1022441BD4A5&psa=&ind=2012061023&st=sb&n=77ed9d5f&searchfor={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=157&systemid=406&v=a11465-225&apn_uid=1135507619454851&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 - {D9638DBF-5FFD-4E60-BA1D-8FAC95DF595E} URL = http://www.startsearcher.com/?q={searchTerms}&src=IETB
SearchScopes: HKLM-x32 - {E0D77E76-E25A-4BAD-B4A7-29EE2AE84A11} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKCU - DefaultScope {19C40AE1-FBF9-4127-A870-623869155388} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {19C40AE1-FBF9-4127-A870-623869155388} URL =
SearchScopes: HKCU - {73ccfd25-abe2-4bdf-ac5d-28a470a4d234} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKCU - {D9638DBF-5FFD-4E60-BA1D-8FAC95DF595E} URL = http://www.startsearcher.com/?q={searchTerms}&src=IE
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20120938,0,0,0,0
SearchScopes: HKCU - {E0D77E76-E25A-4BAD-B4A7-29EE2AE84A11} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll (Logitech, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll (Logitech, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SingleInstance Class -> {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -> C:\PROGRA~2\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll No File
Toolbar: HKLM - No Name - !{D7E97865-918F-41E4-9CD0-25AB1C574CE8} -  No File
Toolbar: HKLM-x32 - No Name - !{D7E97865-918F-41E4-9CD0-25AB1C574CE8} -  No File
Toolbar: HKLM-x32 - Yahoo Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
Toolbar: HKCU - No Name - {B2BF7B3F-BF0B-4C48-AEC6-F92C51BE63E1} -  No File
DPF: HKLM-x32 {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: HKLM-x32 {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: 54.235.90.58 hjjjegfhiceggepdokloeepnhlfnedkk
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{70A171E6-8BC1-4768-9113-EB958933A49A}: [NameServer] 208.67.222.222,208.67.220.220

FireFox:
========
FF ProfilePath: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default
FF SearchEngineOrder.1: Search Results
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1206147.dll (Adobe Systems, Inc.)
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50917.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF user.js: detected! => C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default\user.js
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default\searchplugins\mywebsearch.xml
FF Extension: No Name - C:\Users\Owner\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\text_links@arcadeweb.com [2012-12-21]
FF Extension: cosstminn - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default\Extensions\e7rdkk@yeeoyu.edu [2014-10-05]
FF Extension: Yahoo! Toolbar - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2014-10-05]
FF Extension: Webroot - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ta1nrlwl.default\Extensions\{8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} [2011-04-11]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2013-04-27]

Chrome:
=======
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (No Name) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgailgaldchajpkkmbjdlbimhdnmmgld [2012-07-21]
CHR Extension: (cosstminn) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb [2014-08-03]
CHR HKLM-x32\...\Chrome\Extension: [edaibbiobngpbmeonadpbfafbkimjbdd] - C:\ProgramData\Logitech\LogiSmoothChromeExt.crx [2013-04-27]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2428088 2014-08-12] (Microsoft Corporation)
R2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
R2 lxdn_device; C:\windows\system32\lxdncoms.exe [1039872 2007-11-28] ( ) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2314240 2009-09-30] (Intel Corporation) [File not signed]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 lxdd_device; C:\windows\system32\lxddcoms.exe -service [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 sscdserd; C:\Windows\System32\DRIVERS\sscdserd.sys [141384 2010-11-11] (MCCI Corporation)
S1 dzkzetku; \??\C:\windows\system32\drivers\dzkzetku.sys [X]
S3 wrssweep; \??\C:\PROGRA~2\Webroot\Security\Current\plugins\cleanup\wrssweep.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-17 16:06 - 2014-10-17 16:06 - 02112000 _____ (Farbar) C:\Users\Owner\Downloads\FRST64 (1).exe
2014-10-17 12:37 - 2014-10-17 12:46 - 00001956 _____ () C:\Users\Owner\Desktop\Rkill.txt
2014-10-17 12:37 - 2014-10-17 12:37 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.exe
2014-10-17 12:37 - 2014-10-17 12:37 - 01063160 _____ (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill64.exe
2014-10-15 22:36 - 2014-10-15 22:39 - 00043976 _____ () C:\Users\Owner\Downloads\Addition.txt
2014-10-15 22:34 - 2014-10-17 16:11 - 00024635 _____ () C:\Users\Owner\Downloads\FRST.txt
2014-10-15 22:33 - 2014-10-17 16:11 - 00000000 ____D () C:\FRST
2014-10-15 22:31 - 2014-10-15 22:31 - 02111488 _____ (Farbar) C:\Users\Owner\Downloads\FRST64.exe
2014-10-15 22:28 - 2014-10-17 11:58 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-13 22:12 - 2014-10-13 22:12 - 00008226 _____ () C:\Users\Owner\Downloads\DECRYPT_INSTRUCTION.HTML
2014-10-13 22:12 - 2014-10-13 22:12 - 00004158 _____ () C:\Users\Owner\Downloads\DECRYPT_INSTRUCTION.TXT
2014-10-13 22:12 - 2014-10-13 22:12 - 00000278 _____ () C:\Users\Owner\Downloads\DECRYPT_INSTRUCTION.URL
2014-10-13 22:11 - 2014-10-13 22:11 - 00008226 _____ () C:\Users\Owner\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-13 22:11 - 2014-10-13 22:11 - 00004158 _____ () C:\Users\Owner\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-13 22:11 - 2014-10-13 22:11 - 00000278 _____ () C:\Users\Owner\Documents\DECRYPT_INSTRUCTION.URL
2014-10-13 21:06 - 2014-10-13 21:06 - 00008226 _____ () C:\Users\Owner\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-13 21:06 - 2014-10-13 21:06 - 00008226 _____ () C:\Users\Owner\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-13 21:06 - 2014-10-13 21:06 - 00004158 _____ () C:\Users\Owner\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-13 21:06 - 2014-10-13 21:06 - 00004158 _____ () C:\Users\Owner\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-13 21:06 - 2014-10-13 21:06 - 00000278 _____ () C:\Users\Owner\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-10-13 21:06 - 2014-10-13 21:06 - 00000278 _____ () C:\Users\Owner\AppData\DECRYPT_INSTRUCTION.URL
2014-10-13 21:04 - 2014-10-13 21:04 - 00008226 _____ () C:\Users\Owner\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-13 21:04 - 2014-10-13 21:04 - 00004158 _____ () C:\Users\Owner\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-13 21:04 - 2014-10-13 21:04 - 00000278 _____ () C:\Users\Owner\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-10-13 20:14 - 2014-10-13 20:14 - 00000000 _____ () C:\Users\Owner\AppData\Roaming\nxvyon.dll
2014-10-13 20:13 - 2014-10-13 20:13 - 00008224 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-13 20:13 - 2014-10-13 20:13 - 00004156 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-13 20:13 - 2014-10-13 20:13 - 00000276 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-10-13 20:12 - 2014-10-17 11:16 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-13 20:11 - 2014-10-17 11:16 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-13 20:11 - 2014-10-13 20:11 - 00081408 _____ () C:\Users\Owner\AppData\Roaming\aeqnt.dll
2014-10-13 20:11 - 2014-10-13 20:11 - 00004038 _____ () C:\windows\System32\Tasks\{5A796B9E-9DD8-B4E6-DD1F-4AA8E728EDE6}
2014-10-13 20:11 - 2014-10-13 20:11 - 00000448 ____H () C:\Users\Owner\AppData\Roaming\麽鎒駓覜
2014-10-13 20:11 - 2014-10-13 20:11 - 00000000 ___HD () C:\02f9f03
2014-10-13 20:10 - 2014-10-13 20:10 - 00047104 _____ () C:\Users\Owner\AppData\Roaming\rgsmm.dll
2014-10-13 20:10 - 2014-10-13 20:10 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-05 20:46 - 2014-10-05 20:47 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-01 05:03 - 2014-09-24 21:08 - 00371712 _____ (Microsoft Corporation) C:\windows\system32\qdvd.dll
2014-10-01 05:03 - 2014-09-24 20:40 - 00519680 _____ (Microsoft Corporation) C:\windows\SysWOW64\qdvd.dll
2014-09-23 13:32 - 2014-09-09 17:11 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2014-09-23 13:32 - 2014-09-09 16:47 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-17 16:07 - 2011-09-06 21:57 - 00000928 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2218131425-529296336-2652917792-1000UA.job
2014-10-17 16:07 - 2011-09-06 21:57 - 00000906 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2218131425-529296336-2652917792-1000Core.job
2014-10-17 15:49 - 2013-12-04 07:50 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-10-17 15:45 - 2010-01-22 18:47 - 01291897 _____ () C:\windows\WindowsUpdate.log
2014-10-17 15:42 - 2009-07-13 23:45 - 00018736 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-17 15:42 - 2009-07-13 23:45 - 00018736 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-17 15:35 - 2010-09-03 01:02 - 00000892 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-17 15:35 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-10-17 15:34 - 2009-12-12 01:43 - 01077306 _____ () C:\windows\PFRO.log
2014-10-17 15:34 - 2009-07-13 23:51 - 00139835 _____ () C:\windows\setupact.log
2014-10-17 15:25 - 2010-09-03 01:02 - 00000896 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-17 12:49 - 2014-08-04 21:00 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-17 12:41 - 2010-07-14 03:55 - 00007606 _____ () C:\Users\Owner\AppData\Local\Resmon.ResmonCfg
2014-10-17 12:12 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\Speech
2014-10-13 23:08 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\L2Schemas
2014-10-13 22:13 - 2014-01-11 22:56 - 00000000 ___RD () C:\Users\Owner\MediaFire
2014-10-13 22:12 - 2014-07-23 21:02 - 00000000 ____D () C:\Users\Owner\Downloads\paystubs
2014-10-13 22:11 - 2013-09-10 19:35 - 00016152 _____ () C:\Users\Owner\Documents\Menu page 2.wps
2014-10-13 22:11 - 2013-09-10 13:45 - 00013592 _____ () C:\Users\Owner\Documents\Menu Page 1.wps
2014-10-13 22:11 - 2012-03-03 10:03 - 00000000 ____D () C:\Users\Owner\Downloads\Empire Earth 2 - full with crack&kg
2014-10-13 22:11 - 2010-09-24 00:21 - 00000000 ___SD () C:\Users\Owner\Documents\My Data Sources
2014-10-13 22:11 - 2010-05-30 20:00 - 00000000 ____D () C:\Users\Owner\Documents\My Stationery
2014-10-13 22:10 - 2014-01-16 22:16 - 00001048 _____ () C:\Users\Owner\Documents\DD_Advice_Slip_Stub_2337_131223_182307.txt
2014-10-13 22:10 - 2014-01-16 22:16 - 00001048 _____ () C:\Users\Owner\Documents\DD_Advice_Slip_Stub_2337_131217_135214.txt
2014-10-13 22:10 - 2014-01-16 22:15 - 00001048 _____ () C:\Users\Owner\Documents\DD_Advice_Slip_Stub_2337_131230_162749.txt
2014-10-13 22:10 - 2014-01-16 22:11 - 00001048 _____ () C:\Users\Owner\Documents\DD_Advice_Slip_Stub_2337_140107_134926.txt
2014-10-13 22:10 - 2014-01-16 22:10 - 00001048 _____ () C:\Users\Owner\Documents\DD_Advice_Slip_Stub_2337_140114_140752.txt
2014-10-13 22:10 - 2013-09-11 13:59 - 00102424 _____ () C:\Users\Owner\Documents\Menu Full.wps
2014-10-13 22:10 - 2013-09-04 16:03 - 00015640 _____ () C:\Users\Owner\Documents\EMPLOYEES OMLY.wps
2014-10-13 22:10 - 2013-08-26 13:34 - 00052504 _____ () C:\Users\Owner\Documents\Cypress Seafood Grocery List.wps
2014-10-13 22:10 - 2012-09-06 19:29 - 09183292 _____ () C:\Users\Owner\Documents\Document.odt
2014-10-13 22:10 - 2010-09-29 14:35 - 00000000 ____D () C:\Users\Owner\Documents\Fax
2014-10-13 22:10 - 2010-05-23 23:38 - 00000000 ____D () C:\Users\Owner\Documents\attachments_2010_05_23[1]
2014-10-13 22:05 - 2014-08-30 15:33 - 00000000 ____D () C:\Users\Owner\Desktop\New folder
2014-10-13 22:05 - 2013-04-24 13:52 - 00000000 ____D () C:\Users\Owner\Desktop\new eq maps
2014-10-13 22:03 - 2011-06-02 22:02 - 00000000 ____D () C:\Users\Owner\Desktop\macros
2014-10-13 22:01 - 2011-04-02 17:36 - 00000000 ____D () C:\Users\Owner\Desktop\everquest
2014-10-13 21:52 - 2013-04-27 19:30 - 00000000 ____D () C:\Users\Owner\Desktop\eq adds
2014-10-13 21:52 - 2011-11-05 19:05 - 00000000 ____D () C:\Users\Owner\Desktop\Dri Brite Pics
2014-10-13 21:13 - 2013-04-02 17:55 - 00000000 ____D () C:\Users\Owner\CS6 Design and Web Premium
2014-10-13 21:13 - 2011-04-02 17:14 - 00000000 ____D () C:\Users\Owner\Desktop\docs
2014-10-13 21:06 - 2013-04-18 20:02 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\TS3Client
2014-10-13 21:06 - 2010-09-03 01:02 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Skype
2014-10-13 21:06 - 2010-04-17 19:52 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Toshiba
2014-10-13 21:05 - 2013-04-02 17:51 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\com.adobe.downloadassistant.AdobeDownloadAssistant
2014-10-13 21:05 - 2012-09-19 21:51 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\MusicOasis
2014-10-13 21:05 - 2011-11-28 20:27 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\ooVoo Details
2014-10-13 21:05 - 2011-11-28 01:54 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\SecondLife
2014-10-13 21:05 - 2011-01-03 17:28 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\DriverCure
2014-10-13 21:05 - 2010-11-26 08:02 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Mozilla
2014-10-13 21:05 - 2010-10-20 07:31 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Singlesnet
2014-10-13 21:05 - 2010-05-22 14:29 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Adobe
2014-10-13 21:04 - 2014-07-27 19:32 - 00000280 _____ () C:\Users\Owner\AppData\Local\x-plane_install.txt
2014-10-13 21:04 - 2014-07-27 19:27 - 00000280 _____ () C:\Users\Owner\AppData\Local\X-Plane Installer.prf
2014-10-13 21:04 - 2013-03-13 07:28 - 00000000 ____D () C:\Users\Owner\AppData\Local\Sony Online Entertainment
2014-10-13 21:04 - 2011-04-03 08:29 - 00000000 ____D () C:\Users\Owner\AppData\Local\Microsoft Games
2014-10-13 21:04 - 2010-04-17 19:47 - 00000000 ____D () C:\Users\Owner\AppData\Local\VirtualStore
2014-10-13 20:55 - 2012-02-08 23:03 - 00000000 ____D () C:\TDOR
2014-10-13 20:55 - 2010-09-29 14:44 - 00000000 ____D () C:\lexmark
2014-10-13 20:54 - 2010-04-17 19:44 - 00000000 ____D () C:\Users\Owner
2014-10-13 20:54 - 2009-12-12 17:02 - 00008728 __RSH () C:\BOOTSECT.BAK
2014-10-13 20:15 - 2012-10-01 18:15 - 00000000 ____D () C:\Users\Owner\AppData\Local\iMesh
2014-10-13 20:15 - 2011-05-03 13:08 - 00000000 ____D () C:\Users\Owner\AppData\Local\MediaGet2
2014-10-13 20:13 - 2011-09-06 21:56 - 00000000 ____D () C:\Users\Owner\AppData\Local\Facebook
2014-10-13 20:13 - 2011-06-16 11:29 - 00000000 ____D () C:\Users\Owner\AppData\Local\HP
2014-10-13 20:13 - 2011-05-13 03:53 - 00000000 ____D () C:\ProgramData\Skype Extras
2014-10-13 20:13 - 2010-09-03 01:02 - 00000000 ____D () C:\Users\Owner\AppData\Local\Google
2014-10-13 20:13 - 2010-09-03 01:01 - 00000000 ____D () C:\ProgramData\Skype
2014-10-13 20:13 - 2010-01-22 19:28 - 00000000 ____D () C:\ProgramData\Sonic
2014-10-13 20:13 - 2009-12-12 01:27 - 00000000 ____D () C:\ProgramData\Toshiba
2014-10-13 20:12 - 2013-04-27 11:21 - 00000000 ____D () C:\ProgramData\Logishrd
2014-10-13 20:12 - 2012-09-06 22:33 - 00000000 ____D () C:\ProgramData\MumboJumbo
2014-10-13 20:11 - 2012-10-01 18:15 - 00000000 ____D () C:\ProgramData\21144
2014-10-13 20:08 - 2014-08-04 19:40 - 00070144 _____ () C:\windows\SysWOW64\tasks.dll
2014-10-12 17:20 - 2013-03-11 19:57 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-05 07:30 - 2010-11-26 08:02 - 00000000 ____D () C:\Users\Owner\AppData\Local\Mozilla
2014-10-04 22:48 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2014-09-23 19:49 - 2013-12-04 07:50 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2014-09-23 19:49 - 2012-09-03 22:21 - 00701104 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-09-23 19:49 - 2011-06-04 08:33 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-23 05:45 - 2013-04-02 18:00 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-09-22 01:42 - 2010-04-17 20:05 - 00278152 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe

Files to move or delete:
====================
C:\Users\Owner\AppData\Local\Temp\366c\AppData\Local\Microsoft\Vcdyfhbfxexr.exe
C:\ProgramData\bnhv1ib.bxx
C:\ProgramData\bnhv1ib.fvv
C:\ProgramData\jlirrjfr.bxx
C:\ProgramData\jlirrjfr.fvv
C:\ProgramData\jlirrjfr.reg
C:\Users\Owner\jagex_runescape_preferences.dat
C:\Users\Owner\jagex_runescape_preferences2.dat

Some content of TEMP:
====================
C:\Users\Owner\AppData\Local\Temp\2hxemfah.4ke.exe
C:\Users\Owner\AppData\Local\Temp\ApnIC.dll
C:\Users\Owner\AppData\Local\Temp\ApnStub.exe
C:\Users\Owner\AppData\Local\Temp\ApnToolbarInstaller.exe
C:\Users\Owner\AppData\Local\Temp\bpuninstall.exe
C:\Users\Owner\AppData\Local\Temp\Delta.exe
C:\Users\Owner\AppData\Local\Temp\GLB1A2B.EXE
C:\Users\Owner\AppData\Local\Temp\GPUpd53FD31CC1.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd5404A0F51.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd5415C4781.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541715F21.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541715F62.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541867761.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541A3D241.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541B8C161.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541CD4821.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541CD4852.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541E1BFC1.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd541EFEF11.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd5420BD3C1.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd5420BD3E2.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd5422F6131.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd542444F21.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd5428CB811.exe
C:\Users\Owner\AppData\Local\Temp\GPUpd543601DC2.exe
C:\Users\Owner\AppData\Local\Temp\ICReinstall_internet-explorer-toDownload.exe
C:\Users\Owner\AppData\Local\Temp\iMesh_setup.exe
C:\Users\Owner\AppData\Local\Temp\installhelper.dll
C:\Users\Owner\AppData\Local\Temp\install_flash_player_ax.exe
C:\Users\Owner\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Owner\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Owner\AppData\Local\Temp\LMkRstPt.exe
C:\Users\Owner\AppData\Local\Temp\mediaget_installer.exe
C:\Users\Owner\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Owner\AppData\Local\Temp\Second Life Setup.exe
C:\Users\Owner\AppData\Local\Temp\SetupDataMngr_iMesh.exe
C:\Users\Owner\AppData\Local\Temp\SIntf16.dll
C:\Users\Owner\AppData\Local\Temp\SIntf32.dll
C:\Users\Owner\AppData\Local\Temp\SIntfNT.dll
C:\Users\Owner\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Owner\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\Owner\AppData\Local\Temp\tbedrs.dll
C:\Users\Owner\AppData\Local\Temp\tbProd.dll
C:\Users\Owner\AppData\Local\Temp\tbuTor.dll
C:\Users\Owner\AppData\Local\Temp\tempmessage.bfg
C:\Users\Owner\AppData\Local\Temp\Uninstaller-3844.exe
C:\Users\Owner\AppData\Local\Temp\Uninstaller-3856.exe
C:\Users\Owner\AppData\Local\Temp\WSSetup.exe
C:\Users\Owner\AppData\Local\Temp\xvidupdate.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-06 00:33

==================== End Of Log ============================


Edited by hamluis, 17 October 2014 - 05:02 PM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



#2 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 17 October 2014 - 05:46 PM

20+ dllhost.exe *32 COM Surrogates at the moment, and the computer is VERY slow due to high RAM use.
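For the symptom in this post (a crowd of dllhost.exe *32 COM Surrogate processes), here is an added triage script written for this page; it is not code from the thread or from any of the tools used in it (FRST, AdwCleaner, JRT, ComboFix). It lists every dllhost.exe instance with its parent, bitness, command line, working set and image signature, then repeats the Authenticode check that FRST performs on the core system files in its "Bamital & volsnap Check"; it assumes PowerShell 3.0 or later in an elevated prompt on the affected Windows 7 machine.

```powershell
# Added triage script for this thread (not FRST, AdwCleaner, JRT or ComboFix code).
# Assumes PowerShell 3.0+ in an elevated prompt on the affected Windows 7 machine.

function Get-DllhostInstance {
    # Win32_Process exposes parent PID, command line and image path; Get-Process does not.
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'")
    foreach ($p in $procs) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        # A COM Surrogate is normally started by svchost.exe (DcomLaunch); an exited
        # or unexpected parent is one of the things worth noting.
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }

        $sigStatus = 'NoImagePath'
        if ($p.ExecutablePath) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        }

        [pscustomobject]@{
            Pid          = $p.ProcessId
            ParentPid    = $p.ParentProcessId
            ParentName   = $parentName
            # "*32" in Task Manager means the image lives under SysWOW64.
            Is32Bit      = [bool]($p.ExecutablePath -like "*\SysWOW64\*")
            # A legitimate surrogate carries a /Processid:{CLSID} argument; many
            # instances with an empty or odd command line match this thread's symptom.
            CommandLine  = $p.CommandLine
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Signature    = $sigStatus
        }
    }
}

function Test-CoreSystemFileSignature {
    # Same file set FRST verifies under "Bamital & volsnap Check".
    $files = @(
        "$env:SystemRoot\System32\winlogon.exe",
        "$env:SystemRoot\System32\wininit.exe",
        "$env:SystemRoot\SysWOW64\wininit.exe",
        "$env:SystemRoot\explorer.exe",
        "$env:SystemRoot\SysWOW64\explorer.exe",
        "$env:SystemRoot\System32\svchost.exe",
        "$env:SystemRoot\SysWOW64\svchost.exe",
        "$env:SystemRoot\System32\services.exe",
        "$env:SystemRoot\System32\User32.dll",
        "$env:SystemRoot\SysWOW64\User32.dll",
        "$env:SystemRoot\System32\userinit.exe",
        "$env:SystemRoot\SysWOW64\userinit.exe",
        "$env:SystemRoot\System32\rpcss.dll",
        "$env:SystemRoot\System32\Drivers\volsnap.sys"
    )
    foreach ($f in $files) {
        if (-not (Test-Path -LiteralPath $f)) {
            [pscustomobject]@{ File = $f; Status = 'Missing'; Signer = '' }
            continue
        }
        $s = Get-AuthenticodeSignature -FilePath $f
        $signer = ''
        if ($s.SignerCertificate) { $signer = $s.SignerCertificate.Subject }
        [pscustomobject]@{
            File   = $f
            Status = $s.Status      # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
        }
    }
}

$instances = @(Get-DllhostInstance)
"dllhost.exe instances: $($instances.Count)"
$instances | Format-Table Pid, ParentName, Is32Bit, WorkingSetMB, Signature, CommandLine -AutoSize

# Instances that deserve a closer look: unsigned image, or no /Processid argument.
$instances |
    Where-Object { $_.Signature -ne 'Valid' -or $_.CommandLine -notmatch '/Processid:' } |
    Format-Table Pid, ParentPid, ParentName, CommandLine -AutoSize

Test-CoreSystemFileSignature | Format-Table -AutoSize
```

On Windows 7, OS binaries that are signed only through a catalog can come back as NotSigned from Get-AuthenticodeSignature; treat that result as "verify with another tool", not as evidence of tampering.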

#3 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:09 PM

Posted 18 October 2014 - 06:06 AM


Hello EQSK4ever

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here (donate button). Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 18 October 2014 - 08:22 AM

I had already downloaded AdwCleaner and have run it several times. Here is the log from the last scan I just ran.

# AdwCleaner v4.000 - Report created 18/10/2014 at 08:17:30
# DB v2014-10-17.9
# Updated 12/10/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Desktop\Adw Cleaner\adwcleaner_4.000.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280


-\\ Mozilla Firefox v


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [67064 octets] - [17/10/2014 17:11:42]
AdwCleaner[R1].txt - [67125 octets] - [17/10/2014 17:47:44]
AdwCleaner[R2].txt - [1222 octets] - [17/10/2014 18:02:54]
AdwCleaner[R3].txt - [1324 octets] - [17/10/2014 19:45:51]
AdwCleaner[R4].txt - [1384 octets] - [18/10/2014 08:14:49]
AdwCleaner[S0].txt - [66088 octets] - [17/10/2014 17:57:19]
AdwCleaner[S1].txt - [1025 octets] - [17/10/2014 18:05:31]
AdwCleaner[S2].txt - [1049 octets] - [18/10/2014 08:17:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1109 octets] ##########

#5 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 18 October 2014 - 08:50 AM

Here is the first scan and log from jrt.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Windows 7 Home Premium x64
Ran by Owner on Sat 10/18/2014 at  8:23:11.30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\babylon_cartoonly_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\babylon_cartoonly_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\babylon_cartoonly_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\babylon_cartoonly_RASMANCS
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D9638DBF-5FFD-4E60-BA1D-8FAC95DF595E}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D9638DBF-5FFD-4E60-BA1D-8FAC95DF595E}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\best buy pc app"
Successfully deleted: [Folder] "C:\Users\Owner\appdata\local\best buy pc app"
Failed to delete: [Folder] "C:\Program Files (x86)\gamingwonderlandei"
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{04B55B88-4812-4E74-9359-C902E55DDAE2}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{0B74C695-4CC3-4703-9B70-650D5D26C6B5}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{0D3A894B-CC4D-48E2-8757-043AB2FD93DF}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{0E392A20-A403-4CB6-8EAA-4ACFE665DD08}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{117CFE08-4155-484F-8BC9-322410987543}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{128A23E9-6BF0-43FD-BC50-C80BB9E5D4CE}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{1825473E-7433-404F-8E72-F8D6E1A0972F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{1A3EF346-4003-4F29-9911-BCFFD4F1A131}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{1A8C2E23-65A1-40C0-BB8D-0BD1B3B69296}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{25E1E5F1-F63E-4BB8-AD4D-1876800095D8}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{2D27FDD8-2842-4CE0-A50C-2FE9666ED573}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{340BB2C3-C3EC-4A08-A630-6F19E7242996}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{34FB253A-6CBA-45B8-BBE8-6C029B32AE0D}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{355BDB58-D5EB-41CF-9872-FA84C94505A2}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{36510783-9556-4C2E-8B95-F9538B900DE1}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{37E24CC3-FB01-49FF-81EE-D4B8A5F2229E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{38AEB5B5-A79C-4187-9DF8-8198F27B1A9F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{3B0EDE3E-EA37-4A4A-A441-920621B64178}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{3F0F7438-76C9-489E-9F00-6DA15ECF175F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{3F56EE5C-EC00-47AF-AE19-C1D128D82AEE}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{42D4B0A3-971A-414D-8356-15992BD68454}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{47A0A64A-7E40-4303-A568-3E9A34459D4E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{4CC00374-78F9-4363-8FE7-5AC8059941F7}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{517DEB7B-AA83-449B-A8E0-3B60FB7C4A39}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{5870F7B7-5661-4937-B8BA-E2C6A3C394EB}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{593658DB-7A83-4DF0-88F1-622C4668BF82}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{5B61281D-89E0-4EBC-A060-24E5DE27385D}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{63B302FA-BA05-42C4-B9F7-E14F3F368A45}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{651B32FF-FFBE-4B37-AFCE-C79E3C224BEF}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{651C5992-9A39-49EF-945A-B86543937B4B}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{6946C886-F648-4983-B18F-D5ABC9950736}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{698D0D6F-428D-4F70-943F-FD84D9FE11B8}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{6F2529CB-6E4D-4CB1-B82E-91B8A4E33DF4}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{6FD8C866-43F3-4DEC-AF9A-2C2831B43057}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{71D850B0-250C-46EC-BACE-121A0178C5F5}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{737A4648-0E5F-47C0-A92D-13B80FFED222}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{77BC87B3-9809-4952-8A60-11FEB1A72A7E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{7A8D9EEB-027D-4BDA-8712-002A21616DF8}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{7D08FE9B-B56A-41D0-9427-F9E27CA51D13}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{829A5DAA-44D7-43F6-BC08-B0AB3A87A413}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{849D7C12-B1F2-4ACF-8DC5-63DDDB1FEF7D}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{8624B1F1-5ECA-4814-BF86-11D76A8D3B82}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{87BE8501-CCC7-461B-B90D-BBA49A876ADF}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{8895ED76-3EB7-42A3-8707-D86A19B9E31B}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{8C52699E-4F78-44AC-A6A3-119149F152AF}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{8D5A5640-7B10-4B02-A145-444181BE792E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{90DE640A-C5BC-45DA-BFC7-1396ACFAAEF3}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{9581F6D8-4593-46FD-897D-0F672EECCF2F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{973AE122-D264-439F-820E-B3FF328F4D12}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{97AD37FD-4AF6-41E5-81AF-564A6E3EDC53}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{97F12AEC-628D-4CD7-8632-05AE9D99055D}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{9B10B804-16FF-4661-A355-11839D63CFD9}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{A0CC21CF-5F6D-4F52-947F-627D7D94274B}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{A45F67EB-8466-4A06-9D57-10D1CF7F424F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{A60A071B-0FE1-4CA8-83D8-87841F8279B5}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{A862D852-DE5B-4F0C-BB74-387880A31822}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{AA11B2B5-DE12-4B6A-B1A4-4C6B8688A10F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{ACCD4835-E4D7-4E7B-912A-12FA69FBDB9B}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{B4A2E612-89F9-487B-BEF2-477D7006F4E0}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{B4D8CEB5-8ACC-4DDB-9631-49866091D68A}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{B570572F-94A7-4BAB-A8C6-880D4E2433AC}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{BFCDF42B-C0B6-4331-8599-D39E295BE8F0}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{C48C0F09-6FF2-4C09-8CC6-10974A5F32C8}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{C4DDD122-B4B1-4B88-BBE6-2D44016B2576}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{C5F9B978-AF30-4B1A-8ABD-EC73FE439AE5}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{C7057AA0-7D1C-4EF8-A5DF-197DF3DD4417}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{CB01ED96-2CD6-4AF6-BB7A-B24284DED23F}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{CBB505A5-F15F-4043-90F8-7ECDD7331BD2}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{CC6DADD7-F56A-4042-B714-2EA9A9008965}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D2A312F5-85D2-457D-B0CC-751967901981}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D30375F0-02E2-4AC5-8FFB-9B7980132C48}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D319DF44-575A-4698-8981-7926C207DADB}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D6B68A76-8DE5-4B71-928C-58C9AF2C90A4}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D73B9696-7AAA-4EBE-BA1F-C9386146B058}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D7400B81-E8A1-4D08-A45D-A16431BBD3DF}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D7529382-4A09-4372-96F2-C7138CCAABAF}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{D8D7FF46-27FD-411B-BDB7-EE47DB5693A9}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{DBA18303-E111-4B2E-9E22-AD044745C374}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{DE9964AE-AAE5-4820-B8A0-B4317E663D4E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{DF753575-96C5-4B0D-9AF8-D0E7675DB156}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{E2A3AA1C-51A9-4633-8CCB-738C19DC2FDA}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{E327A098-838F-4038-B8C7-CE3BFFE0ACC2}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{E57E6E36-3B5D-487C-9497-D039F1AEACF4}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{E791D0F3-F0AB-426B-92C1-8D1B0F26E4A8}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{E89FF4BE-9E38-41AE-BCAF-3012BDF582BB}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{EACA414A-CB98-4210-B221-A1BF4D806366}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{EFE4FBBA-5DB8-491A-BED3-3BFC89F5922E}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{F11B7EAA-1002-48AB-9505-C526A8538DC1}
Successfully deleted: [Empty Folder] C:\Users\Owner\appdata\local\{F7E3D710-060D-4D11-8E0B-24F7B1BF69D9}

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 10/18/2014 at  8:47:08.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#6 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 18 October 2014 - 09:07 AM

OK, I restarted my computer about 10 minutes ago and as yet I don't see any of the dllhost.exe *32 processes running, and RAM usage is low. These may have fixed it, but I will post again if they pop up again. Thank you so much Gringo for all your help.



#7 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 18 October 2014 - 09:46 AM

Still clear. Also, I just ran MBAM and it came up clean too. Looks like that took care of my problems. Again, thank you Gringo for your help!



#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:09 PM

Posted 18 October 2014 - 05:44 PM


Hello EQSK4ever

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#9 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 18 October 2014 - 07:40 PM

Well, it's back with a vengeance. I just ended 15+ processes of the same dllhost.exe *32 COM Surrogates that were using up 95% of my RAM. I am currently downloading combofix as instructed and will run it and post results.



#10 EQSK4ever
  • Topic Starter
  • Members
  • 10 posts
  • Local time:09:09 PM

Posted 18 October 2014 - 09:02 PM

Just finished running Combofix. 

 

ComboFix 14-10-15.01 - Owner 10/18/2014  20:10:14.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3895.2530 [GMT -5:00]
Running from: c:\users\Owner\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\wrnhoah.tmp
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\Owner\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\Owner\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\Owner\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\Owner\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\Owner\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\Owner\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\Owner\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb
c:\users\Owner\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\background.html
c:\users\Owner\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\content.js
c:\users\Owner\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\Gkd3HX.js
c:\users\Owner\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\lsdb.js
c:\users\Owner\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mcobdpohakbllboceibpbkbjoknflhpb\2.0\manifest.json
c:\users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Owner\AppData\Roaming\aeqnt.dll
c:\users\Owner\AppData\Roaming\rgsmm.dll
c:\users\Owner\videos\nPlayWMV_City_Island.exe
.
.
CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.
You should verify if current CLSID data is correct: 
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
    (Default)    REG_SZ    Thumbnail Cache Class Factory for Out of Proc Server
    AppID    REG_SZ    {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
.
HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
    (Default)    REG_SZ    c:\windows\system32\thumbcache.dll
    ThreadingModel    REG_SZ    Apartment
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-19 to 2014-10-19  )))))))))))))))))))))))))))))))
.
.
2014-10-19 01:55 . 2014-10-19 01:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-18 13:49 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{90C8F455-F789-445D-A463-B3719FA64879}\mpengine.dll
2014-10-18 13:23 . 2014-10-18 13:23 -------- d-----w- c:\windows\ERUNT
2014-10-18 01:45 . 2013-07-14 13:24 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2014-10-18 01:45 . 2013-07-14 13:24 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2014-10-18 01:43 . 2014-10-18 01:43 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-10-18 01:42 . 2014-10-18 01:46 -------- d-----w- c:\programdata\Oracle
2014-10-17 22:07 . 2014-10-18 13:17 -------- d-----w- C:\AdwCleaner
2014-10-16 03:33 . 2014-10-18 00:49 -------- d-----w- C:\FRST
2014-10-14 01:14 . 2014-10-14 01:14 0 ----a-w- c:\users\Owner\AppData\Roaming\nxvyon.dll
2014-10-14 01:11 . 2014-10-14 01:11 -------- d-----w- C:\02f9f03
2014-10-12 13:27 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-02 02:20 . 2014-09-17 03:16 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{19522032-78FD-4472-BC52-EC209EB397B2}\gapaengine.dll
2014-10-01 10:03 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-10-01 10:03 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-23 18:32 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-23 18:32 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-10-18 14:12 . 2014-08-05 02:00 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-18 01:42 . 2013-07-14 13:24 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-17 22:21 . 2014-07-22 02:36 163504 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-10-14 01:08 . 2014-08-05 00:40 70144 ----a-w- c:\windows\SysWow64\tasks.dll
2014-09-24 00:49 . 2012-09-04 03:21 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-09-24 00:49 . 2011-06-04 13:33 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-23 10:43 . 2013-04-02 23:12 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-09-22 06:42 . 2010-04-18 01:05 278152 ------w- c:\windows\system32\MpSigStub.exe
2014-09-17 03:16 . 2013-03-12 17:36 1188440 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-13 19:21 . 2010-04-18 01:06 101694776 ----a-w- c:\windows\system32\MRT.exe
2014-09-05 02:10 . 2014-09-12 23:57 578048 ----a-w- c:\windows\system32\aepdu.dll
2014-09-05 02:05 . 2014-09-12 23:57 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-08-23 02:07 . 2014-08-28 02:44 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 02:44 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-23 00:59 . 2014-08-28 02:44 3163648 ----a-w- c:\windows\system32\win32k.sys
2014-08-19 18:05 . 2014-09-13 19:33 374968 ----a-w- c:\windows\system32\iedkcs32.dll
2014-08-18 23:01 . 2014-09-13 19:33 23591424 ----a-w- c:\windows\system32\mshtml.dll
2014-08-18 22:29 . 2014-09-13 19:33 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-08-18 22:29 . 2014-09-13 19:33 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-08-18 22:20 . 2014-09-13 19:33 2793984 ----a-w- c:\windows\system32\iertutil.dll
2014-08-18 22:19 . 2014-09-13 19:33 5833728 ----a-w- c:\windows\system32\jscript9.dll
2014-08-18 22:15 . 2014-09-13 19:33 547328 ----a-w- c:\windows\system32\vbscript.dll
2014-08-18 22:15 . 2014-09-13 19:33 66048 ----a-w- c:\windows\system32\iesetup.dll
2014-08-18 22:14 . 2014-09-13 19:33 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-08-18 22:14 . 2014-09-13 19:33 83968 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-08-18 22:08 . 2014-09-13 19:33 51200 ----a-w- c:\windows\system32\jsproxy.dll
2014-08-18 22:08 . 2014-09-13 19:33 4232704 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-08-18 22:08 . 2014-09-13 19:33 33792 ----a-w- c:\windows\system32\iernonce.dll
2014-08-18 22:05 . 2014-09-13 19:33 596480 ----a-w- c:\windows\system32\ieui.dll
2014-08-18 22:03 . 2014-09-13 19:33 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-08-18 22:03 . 2014-09-13 19:33 111616 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-08-18 22:03 . 2014-09-13 19:33 758272 ----a-w- c:\windows\system32\jscript9diag.dll
2014-08-18 21:57 . 2014-09-13 19:33 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-08-18 21:56 . 2014-09-13 19:33 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-08-18 21:51 . 2014-09-13 19:33 446464 ----a-w- c:\windows\system32\dxtmsft.dll
2014-08-18 21:46 . 2014-09-13 19:33 454656 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-08-18 21:45 . 2014-09-13 19:33 61952 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-08-18 21:45 . 2014-09-13 19:33 72704 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-08-18 21:44 . 2014-09-13 19:33 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-08-18 21:44 . 2014-09-13 19:33 61952 ----a-w- c:\windows\SysWow64\MshtmlDac.dll
2014-08-18 21:40 . 2014-09-13 19:33 195584 ----a-w- c:\windows\system32\msrating.dll
2014-08-18 21:39 . 2014-09-13 19:33 85504 ----a-w- c:\windows\system32\mshtmled.dll
2014-08-18 21:38 . 2014-09-13 19:33 289280 ----a-w- c:\windows\system32\dxtrans.dll
2014-08-18 21:36 . 2014-09-13 19:33 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-08-18 21:35 . 2014-09-13 19:33 597504 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-08-18 21:25 . 2014-09-13 19:33 727040 ----a-w- c:\windows\system32\msfeeds.dll
2014-08-18 21:25 . 2014-09-13 19:33 707072 ----a-w- c:\windows\system32\ie4uinit.exe
2014-08-18 21:23 . 2014-09-13 19:33 2104832 ----a-w- c:\windows\system32\inetcpl.cpl
2014-08-18 21:23 . 2014-09-13 19:33 1249280 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-08-18 21:22 . 2014-09-13 19:33 60416 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-08-18 21:16 . 2014-09-13 19:33 13588480 ----a-w- c:\windows\system32\ieframe.dll
2014-08-18 21:15 . 2014-09-13 19:33 2310656 ----a-w- c:\windows\system32\wininet.dll
2014-08-18 21:08 . 2014-09-13 19:33 2014208 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-08-18 21:07 . 2014-09-13 19:33 1068032 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-08-18 20:55 . 2014-09-13 19:33 1447424 ----a-w- c:\windows\system32\urlmon.dll
2014-08-18 20:46 . 2014-09-13 19:33 1812992 ----a-w- c:\windows\SysWow64\wininet.dll
2014-08-18 20:38 . 2014-09-13 19:33 775168 ----a-w- c:\windows\system32\ieapfltr.dll
2014-08-01 11:53 . 2014-09-12 23:57 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-08-01 11:35 . 2014-09-12 23:57 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-07-25 07:35 . 2014-07-25 07:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 04:47 . 2014-07-25 04:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-04-02 23:29 220632 ----a-w- c:\users\Owner\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-04-02 23:29 220632 ----a-w- c:\users\Owner\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-04-02 23:29 220632 ----a-w- c:\users\Owner\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-05 2446648]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Deskjet 3050 J610 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Deskjet 3050 J610 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN1423B0MK05HX;CONNECTION=USB;MONITOR=1; [2009-7-13 45568]
Send to OneNote.lnk - c:\program files\Microsoft Office 15\root\office15\ONENOTEM.EXE /tsr [2014-9-23 195240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAStorIcon]
2009-10-02 21:26 284696 ----a-w- c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
2009-10-06 17:23 1294136 ----a-w- c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
.
R1 dzkzetku;dzkzetku;c:\windows\system32\drivers\dzkzetku.sys;c:\windows\SYSNATIVE\drivers\dzkzetku.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe;c:\windows\SYSNATIVE\lxddcoms.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys;c:\windows\SYSNATIVE\DRIVERS\ManyCam_x64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 wrssweep;Webroots Volume Access Driver;c:\progra~2\Webroot\Security\Current\plugins\cleanup\wrssweep.sys;c:\progra~2\Webroot\Security\Current\plugins\cleanup\wrssweep.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys;c:\windows\SYSNATIVE\DRIVERS\thpdrv.sys [x]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS;c:\windows\SYSNATIVE\DRIVERS\Thpevm.SYS [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys;c:\windows\SYSNATIVE\DRIVERS\tos_sps64.sys [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe;c:\windows\SYSNATIVE\lxdncoms.exe [x]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys;c:\windows\SYSNATIVE\DRIVERS\rimspe64.sys [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys;c:\windows\SYSNATIVE\DRIVERS\risdpe64.sys [x]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys;c:\windows\SYSNATIVE\DRIVERS\rixdpe64.sys [x]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe;c:\program files\TOSHIBA\TECO\TecoService.exe [x]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys;c:\windows\SYSNATIVE\DRIVERS\TVALZFL.sys [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys;c:\windows\SYSNATIVE\DRIVERS\FwLnk.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-18 19:12 1089352 ----a-w- c:\program files (x86)\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-07-14 01:14 126464 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-04 00:49]
.
2014-10-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2218131425-529296336-2652917792-1000Core.job
- c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-07 21:02]
.
2014-10-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2218131425-529296336-2652917792-1000UA.job
- c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-07 21:02]
.
2014-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-10-18 19:12]
.
2014-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-10-18 19:12]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-04-02 23:29 244696 ----a-w- c:\users\Owner\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-04-02 23:29 244696 ----a-w- c:\users\Owner\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-04-02 23:29 244696 ----a-w- c:\users\Owner\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-09-23 10:44 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-09-23 10:44 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-09-23 10:44 2334416 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8312352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 408600]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 2328944]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 390168]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-02-21 2991856]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Search_URL = www.google.com
mDefault_Page_URL = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = www.google.com
mSearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
mCustomizeSearch = hxxp://www.bing.com/search?q={searchTerms}
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{70A171E6-8BC1-4768-9113-EB958933A49A}: NameServer = 208.67.222.222,208.67.220.220
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - (no file)
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe "c:\programdata\Best Buy pc app\Best Buy pc app.application"
MSConfigStartUp-TUSBSleepChargeSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
WebBrowser-{B2BF7B3F-BF0B-4C48-AEC6-F92C51BE63E1} - (no file)
ShellIconOverlayIdentifiers-{6B78A880-15CA-468f-8422-A7960AD6FBB9} - c:\program files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll
ShellIconOverlayIdentifiers-{4EE7A346-5845-471e-9FAB-002EAF83F8B0} - c:\program files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll
ShellIconOverlayIdentifiers-{53DABC15-4F29-44ad-B09A-E0D0F9A3D075} - c:\program files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll
ShellIconOverlayIdentifiers-{493FC96E-B938-4924-9B38-C4088E9B8AC2} - c:\program files (x86)\Webroot\Security\current\plugins\sync\WebRootShellExt_x64.dll
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:4f,e0,4d,19,48,ae,cc,01
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_167.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet004\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-18  21:00:49
ComboFix-quarantined-files.txt  2014-10-19 02:00
.
Pre-Run: 365,406,920,704 bytes free
Post-Run: 376,477,069,312 bytes free
.
- - End Of File - - EAF536B6CA81E0E1AD872946020EFBBB
I will monitor how things run and let you know if it pops back up. Thanks again.

Edited by EQSK4ever, 18 October 2014 - 09:12 PM.


#11 EQSK4ever

EQSK4ever
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:09 PM

Posted 18 October 2014 - 10:31 PM

It seems to be gone again, but it came back after several hours last time. Crossing my fingers it stays gone this time. Thanks again Gringo.



#12 EQSK4ever

EQSK4ever
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:09 PM

Posted 19 October 2014 - 08:38 PM

Well it has been almost 24 hours, and it still hasn't come back. I think it may be gone for good this time! Many thanks to you Gringo for all of your help!



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:09 PM

Posted 20 October 2014 - 11:34 AM


Hello EQSK4ever

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:09 PM

Posted 27 October 2014 - 02:16 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:09 PM

Posted 21 November 2014 - 05:37 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.