Com surrogate 32 and malicious chrome virus


  • This topic is locked
6 replies to this topic

#1 godlikesanta

  • Members
  • 3 posts

Posted 25 November 2014 - 04:23 PM

Hello,

My name is Kyle, and for the last month or so I've been getting the COM Surrogate issue here and there, and thought it was initially fixed by SpyHunter; however, a few weeks later my computer locked up and crashed due to many instances of COM Surrogate running. Today I was looking over another forum on how to fix this issue and was instructed to do various scans while in Safe Mode with Networking. I ran the scans and they ID'd a few things here and there, but it seems to have gotten progressively worse in just an hour. Now COM Surrogate is accompanied by a fictitious Google Chrome that is falling under the name nylfllbfufa. Both are making around 6-9 instances of themselves and causing 100% CPU usage. I do not watch pornography or go to malicious sites; in fact I usually use this computer to play World of Warcraft. Due to me being a technological imbecile, I would love any possible support. PLEASE HELP ME!!





#2 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 25 November 2014 - 06:21 PM

Hi and welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours, please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please download Powelikscleaner (by ESET) and save it to your Desktop.
  • Double-click the tool's icon to start it.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • The tool will produce a log in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Step 2

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
Step 3

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the zoek icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    process;
    services-list;
    systemspecs;
    startupall;
    filesrcm;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, the log will open after it. You may also find it on your main drive (usually the C:\ drive).
Post its content into your next reply.
regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
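The three steps above collect process, service and startup data with GUI tools. For a reader who wants to see what the COM Surrogate symptom from the opening post looks like in data, here is an added Python triage script; it is not code from BleepingComputer, ESET, FRST or zoek, and nothing in the thread states these indicators. The indicators it checks (a Run-key value whose name begins with a non-printable character so regedit cannot display it, value data that launches `rundll32.exe` with a `javascript:` URL through mshtml's `RunHTMLApplication` export, and `dllhost.exe` instances that were not started by the DcomLaunch `svchost.exe` with a `/Processid:{CLSID}` switch) are taken from public 2014 Poweliks write-ups and are assumptions here. `SAMPLE_PROCS` and `SAMPLE_RUN` are a constructed snapshot so the checks run anywhere; `collect_windows_snapshot()` is the only Windows-dependent part and uses PowerShell's `Get-CimInstance` plus the standard-library `winreg` module.

```python
"""Host triage for the symptom in this thread: several dllhost.exe (COM Surrogate)
instances pegging the CPU.  Added example, not code from BleepingComputer, ESET,
FRST or zoek.  The loader indicators (a Run value whose name is unreadable because
it starts with a non-printable character, whose data runs rundll32.exe with a
javascript: URL via mshtml's RunHTMLApplication, and surrogates not started by the
DCOM launch service) follow public 2014 Poweliks write-ups, not this thread.
SAMPLE_PROCS/SAMPLE_RUN are constructed; collect_windows_snapshot() is Windows-only."""
import json
import re
import subprocess
import sys
from dataclasses import dataclass, field

RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
# rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<script>  -- the loader shape
LOADER_RE = re.compile(r"rundll32(\.exe)?\s+javascript:|RunHTMLApplication", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str = ""


@dataclass
class SurrogateReport:
    total: int                                   # dllhost.exe instances seen
    too_many: bool                               # more than max_expected
    flagged: dict = field(default_factory=dict)  # pid -> list of reasons


def suspicious_run_values(run_values):
    """run_values maps '<key>!<value name>' -> data; returns keys that look like a
    registry-resident loader (unreadable value name or script-loader command)."""
    hits = []
    for key, data in run_values.items():
        vname = key.rsplit("!", 1)[-1]
        unreadable = vname == "" or not vname.isprintable()  # e.g. leading \x00
        if unreadable or LOADER_RE.search(data):
            hits.append(key)
    return hits


def unexpected_surrogates(procs, max_expected=2):
    """A normal COM Surrogate is started by svchost.exe (DcomLaunch) with a
    /Processid:{CLSID} switch; anything else gets a reason attached."""
    by_pid = {p.pid: p for p in procs}
    hosts = [p for p in procs if p.name.lower() == "dllhost.exe"]
    report = SurrogateReport(len(hosts), len(hosts) > max_expected)
    for h in hosts:
        reasons, parent = [], by_pid.get(h.ppid)
        if parent is None or parent.name.lower() != "svchost.exe":
            reasons.append(f"parent is {parent.name if parent else 'gone'}, not svchost.exe")
        if "/processid:" not in h.cmdline.lower():
            reasons.append("no /Processid:{CLSID} switch")
        if reasons:
            report.flagged[h.pid] = reasons
    return report


def collect_windows_snapshot():
    """Live collection on the affected host: processes via PowerShell's
    Get-CimInstance (PowerShell 3.0+, so Windows 8 qualifies), Run keys via winreg."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs a Windows host")
    import winreg
    ps = ("Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,"
          "Name,CommandLine | ConvertTo-Json -Compress")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                         capture_output=True, text=True, check=True).stdout
    procs = [Proc(r["ProcessId"], r["ParentProcessId"], r["Name"], r["CommandLine"] or "")
             for r in json.loads(out)]
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    run = {}
    for key in RUN_KEYS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(k, i)
                    run[f"{key}!{name}"] = str(data)
        except OSError:
            pass
    return procs, run


# Constructed snapshot: one legitimate surrogate, then a loader chain that spawned seven.
SAMPLE_PROCS = [
    Proc(700, 4, "svchost.exe", "svchost.exe -k DcomLaunch"),
    Proc(1500, 700, "dllhost.exe", "dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}"),
    Proc(1800, 600, "explorer.exe", "explorer.exe"),
    Proc(2200, 1800, "rundll32.exe", 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval(x)'),
] + [Proc(3000 + i, 2200, "dllhost.exe", "dllhost.exe") for i in range(7)]
SAMPLE_RUN = {
    RUN_KEYS[0] + "!Updater": r'"C:\Program Files\Example\updater.exe" /background',  # benign
    RUN_KEYS[0] + "!\x00a": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval(x)',
}

if __name__ == "__main__":
    procs, run = collect_windows_snapshot() if sys.platform == "win32" else (SAMPLE_PROCS, SAMPLE_RUN)
    print("Run-key loaders:", suspicious_run_values(run))
    rep = unexpected_surrogates(procs)
    print(f"dllhost.exe instances: {rep.total} (too many: {rep.too_many})")
    for pid, why in rep.flagged.items():
        print(f"  pid {pid}: {'; '.join(why)}")
```

Run on a Windows host it inspects the live machine; elsewhere it runs over the constructed snapshot. The parent check is the useful one: a surrogate started by anything other than the DcomLaunch service host is worth explaining, whereas a high count alone can just be a busy shell extension. A hit here is a reason to run the Poweliks cleaner and post the FRST logs as the instructions say, not a substitute for them.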

#3 godlikesanta
  • Topic Starter

  • Members
  • 3 posts

Posted 25 November 2014 - 10:54 PM

Hello again!

This is the log I got from FRST:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-11-2014 01
Ran by kyle at 2014-11-25 20:52:03
Running from C:\Users\kyle\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\URPNHJQL
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton 360 (Disabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton 360 (Enabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
Curse Client (HKU\S-1-5-21-659371098-2153080505-1789008132-1007\...\101a9f93b8f0bb6f) (Version: 5.1.1.820 - Curse)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dekaron (HKLM-x32\...\GlobalDK) (Version:  - )
Dell Digital Delivery (HKLM-x32\...\{D9ED3EFC-AB00-4CE0-ADED-80EE6B1158A7}) (Version: 2.2.2000.0 - Dell Products, LP)
Dell KM713 Wireless Keyboard software (HKLM-x32\...\{AF6CD1CF-11E8-4C9F-9644-1A469A499E50}) (Version: 1.0.3.120608 - Dell)
Dell Product Registration (HKLM-x32\...\{2A0F2CC5-3065-492C-8380-B03AA7106B1A}) (Version: 1.16.1 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
DELLOSD (HKLM-x32\...\{C36F2D21-38ED-49DB-8923-9A60EDDEF011}) (Version: 1.0.0.15 - DELL)
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve)
Guild Wars 2 (HKLM-x32\...\Guild Wars 2) (Version:  - NCsoft Corporation, Ltd.)
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Heroes of Newerth (HKLM-x32\...\hon) (Version: 2.3.0 - S2 Games)
Hi-Rez Studios Authenticate and Update Service (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}) (Version: 3.0.0.0 - Hi-Rez Studios)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1008 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3345 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.6.0.1030 - Intel Corporation)
League of Legends (HKLM-x32\...\League of Legends 3.0.0) (Version: 3.0.0 - Riot Games)
League of Legends (x32 Version: 3.0.0 - Riot Games) Hidden
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 15.0.4667.1002 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4667.1002 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-659371098-2153080505-1789008132-1007\...\OneDriveSetup.exe) (Version: 17.3.1171.0714 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
MSVCRT110_amd64 (Version: 16.4.1109.0912 - Microsoft) Hidden
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
Norton 360 (HKLM-x32\...\N360) (Version: 21.6.0.32 - Symantec Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4667.1002 - Microsoft Corporation) Hidden
Pando Media Booster (HKLM-x32\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.6.0.7 - Pando Networks Inc.)
Photo Common (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Photo Gallery (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.206 - Qualcomm Atheros Communications)
RaidCall (HKLM-x32\...\RaidCall) (Version: 7.2.8-1.0.8500.20 - raidcall.com)
Razer Core (HKLM-x32\...\Razer Core) (Version: 1.0.1.66 - Razer Inc)
Razer Synapse 2.0 (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.18.17.22533 - Razer Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6673 - Realtek Semiconductor Corp.)
RuneScape Launcher 1.2.3 (HKLM-x32\...\{FAE99C85-0732-4C58-9C6B-10B5B12FA2E9}) (Version: 1.2.3 - Jagex Ltd)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 6.18 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.18.105 - Skype Technologies S.A.)
Smite (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF017}) (Version: 1.0.2247.4 - Hi-Rez Studios)
Spore (HKLM-x32\...\Steam App 17390) (Version:  - Maxis™)
SpyHunter 4 (HKLM-x32\...\SpyHunter) (Version: 4.18.9.4384 - Enigma Software Group, LLC)
StarCraft II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
VLC media player 2.1.2 (HKLM-x32\...\VLC media player) (Version: 2.1.2 - VideoLAN)
Warcraft III (HKLM-x32\...\Warcraft III) (Version:  - Blizzard Entertainment)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
World of Warcraft Public Test (HKLM-x32\...\World of Warcraft Public Test) (Version:  - Blizzard Entertainment)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-659371098-2153080505-1789008132-1007_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\kyle\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-659371098-2153080505-1789008132-1007_Classes\CLSID\{b84e5001-b41e-49ad-94a9-e01b725890f6}\InprocServer32 -> C:\windows\system32\dfshim.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-659371098-2153080505-1789008132-1007_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\kyle\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-659371098-2153080505-1789008132-1007_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\kyle\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-659371098-2153080505-1789008132-1007_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\kyle\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-659371098-2153080505-1789008132-1007_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\kyle\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points  =========================

02-11-2014 04:59:27 Scheduled Checkpoint
11-11-2014 11:17:23 Scheduled Checkpoint
19-11-2014 16:39:45 Scheduled Checkpoint
25-11-2014 08:16:31 Norton_Power_Eraser_20141125011628777

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-25 22:26 - 2014-11-25 15:09 - 00000027 ____A C:\windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {042A595B-916D-4AEA-A61C-B56B902F4350} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {2537D33B-E19B-488C-9CB8-2C31589BDDBD} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-07] (Microsoft Corporation)
Task: {2C31BE7D-3B45-45E9-A739-7603B63B5306} - System32\Tasks\Norton 360\Norton Error Analyzer => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {2E67EEA7-B066-491D-870A-FE510EBEFA7F} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-07] (Microsoft Corporation)
Task: {5DBE0070-1383-403F-9126-F916D07FFA67} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-31] (PC-Doctor, Inc.)
Task: {6C0170A7-73B0-4894-B2DB-EBCD94B0FE60} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {8E9DBD0A-146F-4B65-81C6-583F6564EE4B} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-10-07] (Microsoft Corporation)
Task: {8EEB86DC-F4B1-4E21-86AF-142260DB3CBF} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2014-10-22] (Microsoft Corporation)
Task: {B2D460BA-5573-419B-A3EA-9439218428DE} - System32\Tasks\Norton 360\Norton Error Processor => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {D0EDE722-31D0-4CAD-99C8-A8AA26332F53} - System32\Tasks\Dell\Dell System Registration => C:\Program Files (x86)\System Registration\prodreg.exe [2012-07-09] (Dell, Inc.)
Task: {D292DCEA-1C44-4C3E-84B2-9CF3C12D4325} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-31] (PC-Doctor, Inc.)
Task: {F3D7DC79-FAA2-4D5E-8C71-7C75C7DDE256} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation)

==================== Loaded Modules (whitelisted) =============

2014-03-25 03:01 - 2014-05-20 09:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2013-01-22 15:46 - 2012-07-12 16:50 - 00122880 ____R () C:\Program Files (x86)\DELL\DELLOSD\DellOSDService.exe
2013-01-22 15:49 - 2012-04-24 19:43 - 00254512 _____ () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
2013-01-22 15:09 - 2012-11-01 15:43 - 00175008 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16.4.4396.1016_x64__8wekyb3d8bbwe\ModernShared\ErrorReporting\ErrorReporting.dll
2012-08-08 15:11 - 2012-08-08 15:11 - 00384128 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ContactsApi.dll
2013-01-22 15:10 - 2012-09-17 18:23 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-01-22 15:46 - 2011-08-26 03:37 - 00049152 ____R () C:\Program Files (x86)\DELL\DELLOSD\FastUserSwitching.exe
2014-10-09 23:06 - 2014-10-09 23:06 - 00016384 ____N () C:\Users\kyle\AppData\Local\Apps\2.0\RB28YRBT.E9Y\NTJO2GBX.YAK\curs..tion_9e9e83ddf3ed3ead_0005.0001_36a9b62a0ea0a2ec\Curse.CurseClient.WowDb.dll
2014-02-04 01:57 - 2014-02-04 01:57 - 00035840 _____ () C:\Users\kyle\AppData\Local\Apps\2.0\RB28YRBT.E9Y\NTJO2GBX.YAK\curs..tion_9e9e83ddf3ed3ead_0005.0001_36a9b62a0ea0a2ec\Curse.Advertising.dll
2014-10-09 23:06 - 2014-10-09 23:06 - 00099840 ____N () C:\Users\kyle\AppData\Local\Apps\2.0\RB28YRBT.E9Y\NTJO2GBX.YAK\curs..tion_9e9e83ddf3ed3ead_0005.0001_36a9b62a0ea0a2ec\Curse.CurseClient.CMOD2.dll
2013-01-22 15:46 - 2011-10-07 10:57 - 00412672 _____ () C:\Program Files (x86)\DELL\Dell KM713 Wireless Keyboard software\CDCtr.exe
2014-11-21 14:06 - 2014-09-23 06:36 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2013-01-22 15:46 - 2011-08-22 11:15 - 00028672 _____ () C:\Program Files (x86)\DELL\Dell KM713 Wireless Keyboard software\CDCTR.DLL
2013-01-22 15:48 - 2012-06-07 20:34 - 00627216 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2012-06-08 12:34 - 2012-06-08 12:34 - 00016400 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2013-01-22 15:46 - 2013-01-22 15:46 - 00017920 _____ () C:\windows\assembly\NativeImages_v4.0.30319_32\PSIClient\2a87eb344d4aa5ad4e8360d799271e32\PSIClient.ni.dll
2013-01-22 15:41 - 2012-06-26 02:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\CHAS\SkyDrive:ms-properties

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-659371098-2153080505-1789008132-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-659371098-2153080505-1789008132-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-659371098-2153080505-1789008132-1005 - Limited - Enabled)
kyle (S-1-5-21-659371098-2153080505-1789008132-1007 - Administrator - Enabled) => C:\Users\kyle

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/25/2014 08:48:12 PM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073415161

Error: (11/25/2014 03:46:30 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: WmiApRplC:\windows\system32\wbem\wmiaprpl.dll8

Error: (11/25/2014 03:46:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: MSDTCC:\windows\system32\msdtcuiu.DLL8

Error: (11/25/2014 03:46:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: LsaC:\Windows\System32\Secur32.dll8

Error: (11/25/2014 03:46:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: ESENTC:\windows\system32\esentprf.dll8

Error: (11/25/2014 03:46:28 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\windows\System32\bitsperf.dll8

Error: (11/25/2014 03:02:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NircmdB.exe, version: 2.3.5.189, time stamp: 0x49ec5532
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505aaa82
Exception code: 0xc0000005
Fault offset: 0x00059450
Faulting process id: 0xe58
Faulting application start time: 0xNircmdB.exe0
Faulting application path: NircmdB.exe1
Faulting module path: NircmdB.exe2
Report Id: NircmdB.exe3
Faulting package full name: NircmdB.exe4
Faulting package-relative application ID: NircmdB.exe5

Error: (11/25/2014 03:02:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NIRCMD.exe, version: 2.3.5.189, time stamp: 0x49ec5532
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505aaa82
Exception code: 0xc0000005
Fault offset: 0x00059450
Faulting process id: 0x664
Faulting application start time: 0xNIRCMD.exe0
Faulting application path: NIRCMD.exe1
Faulting module path: NIRCMD.exe2
Report Id: NIRCMD.exe3
Faulting package full name: NIRCMD.exe4
Faulting package-relative application ID: NIRCMD.exe5

Error: (11/25/2014 03:01:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NIRKMD.3XE, version: 2.3.5.189, time stamp: 0x49ec5532
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505aaa82
Exception code: 0xc0000005
Fault offset: 0x00059450
Faulting process id: 0x408
Faulting application start time: 0xNIRKMD.3XE0
Faulting application path: NIRKMD.3XE1
Faulting module path: NIRKMD.3XE2
Report Id: NIRKMD.3XE3
Faulting package full name: NIRKMD.3XE4
Faulting package-relative application ID: NIRKMD.3XE5

Error: (11/25/2014 03:01:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NirCmdC.3XE, version: 2.3.5.189, time stamp: 0x49ec5521
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505aaa82
Exception code: 0xc0000005
Fault offset: 0x00059450
Faulting process id: 0x13fc
Faulting application start time: 0xNirCmdC.3XE0
Faulting application path: NirCmdC.3XE1
Faulting module path: NirCmdC.3XE2
Report Id: NirCmdC.3XE3
Faulting package full name: NirCmdC.3XE4
Faulting package-relative application ID: NirCmdC.3XE5

System errors:
=============
Error: (11/25/2014 03:09:15 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 03:08:31 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\ComboFix\catchme.sys

Error: (11/25/2014 03:06:30 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (11/25/2014 02:55:19 PM) (Source: DCOM) (EventID: 10010) (User: Dell27)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (11/25/2014 02:54:34 PM) (Source: DCOM) (EventID: 10010) (User: Dell27)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (11/25/2014 02:47:35 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Dell Digital Delivery Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/25/2014 02:45:37 PM) (Source: DCOM) (EventID: 10016) (User: Dell27)
Description: application-specificLocalLaunch{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}Dell27kyleS-1-5-21-659371098-2153080505-1789008132-1007LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/25/2014 02:45:37 PM) (Source: DCOM) (EventID: 10016) (User: Dell27)
Description: application-specificLocalLaunch{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}Dell27kyleS-1-5-21-659371098-2153080505-1789008132-1007LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/25/2014 02:45:37 PM) (Source: DCOM) (EventID: 10016) (User: Dell27)
Description: application-specificLocalLaunch{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}Dell27kyleS-1-5-21-659371098-2153080505-1789008132-1007LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/25/2014 02:45:37 PM) (Source: DCOM) (EventID: 10016) (User: Dell27)
Description: application-specificLocalLaunch{7022A3B3-D004-4F52-AF11-E9E987FEE25F}{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}Dell27kyleS-1-5-21-659371098-2153080505-1789008132-1007LocalHost (Using LRPC)UnavailableUnavailable

Microsoft Office Sessions:
=========================
Error: (11/25/2014 08:48:12 PM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073415161

Error: (11/25/2014 03:46:30 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: WmiApRplC:\windows\system32\wbem\wmiaprpl.dll8

Error: (11/25/2014 03:46:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: MSDTCC:\windows\system32\msdtcuiu.DLL8

Error: (11/25/2014 03:46:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: LsaC:\Windows\System32\Secur32.dll8

Error: (11/25/2014 03:46:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: ESENTC:\windows\system32\esentprf.dll8

Error: (11/25/2014 03:46:28 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\windows\System32\bitsperf.dll8

Error: (11/25/2014 03:02:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: NircmdB.exe2.3.5.18949ec5532ntdll.dll6.2.9200.16420505aaa82c000000500059450e5801d008fb85a2c6d6C:\ComboFix\NircmdB.exeC:\windows\SYSTEM32\ntdll.dllc3552f23-74ee-11e4-bea0-f4b7e24ae3f6

Error: (11/25/2014 03:02:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: NIRCMD.exe2.3.5.18949ec5532ntdll.dll6.2.9200.16420505aaa82c00000050005945066401d008fb8466a184C:\windows\NIRCMD.exeC:\windows\SYSTEM32\ntdll.dllc217030f-74ee-11e4-bea0-f4b7e24ae3f6

Error: (11/25/2014 03:01:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: NIRKMD.3XE2.3.5.18949ec5532ntdll.dll6.2.9200.16420505aaa82c00000050005945040801d008fb50336dfeC:\ComboFix\NIRKMD.3XEC:\windows\SYSTEM32\ntdll.dll8de42421-74ee-11e4-bea0-f4b7e24ae3f6

Error: (11/25/2014 03:01:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: NirCmdC.3XE2.3.5.18949ec5521ntdll.dll6.2.9200.16420505aaa82c00000050005945013fc01d008fb4cc03704C:\ComboFix\NirCmdC.3XEC:\windows\SYSTEM32\ntdll.dll8a842850-74ee-11e4-bea0-f4b7e24ae3f6

CodeIntegrity Errors:
===================================
  Date: 2014-11-25 15:08:31.376
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core™ i5-3330S CPU @ 2.70GHz
Percentage of memory in use: 36%
Total physical RAM: 6030.86 MB
Available physical RAM: 3812.46 MB
Total Pagefile: 8030.86 MB
Available Pagefile: 5687.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.78 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:921.71 GB) (Free:726.72 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 9613EB3A)

Partition: GPT Partition Type.

==================== End Of Log ============================
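
A first pass over an Addition.txt like the one above, as an added Python example (not FRST's code, and not what the Malware Response Team runs). It pulls out what a reviewer reads first: security products reported disabled or out of date, programs FRST marks Hidden, scheduled tasks whose target has no full path or no publisher, applications named in EventID 1000 crash records, and files named in CodeIntegrity errors. The section headers it matches are the ones visible in the log above; `SAMPLE_LOG` is a constructed excerpt in that layout with placeholder names and GUIDs. A flag means "look at this", not "malicious": in the log above the same path-less task target, `uaclauncher.exe`, is the PC-Doctor launcher that the PCDoctorBackgroundMonitorTask entry lists with its full path under My Dell.

```python
"""First pass over an FRST Addition.txt like the one posted above.  Added example,
not FRST code and not what the Malware Response Team runs.  It pulls out what a
reviewer reads first: disabled or stale security products, programs FRST marks
Hidden, scheduled tasks whose target lacks a full path or a publisher, apps named
in EventID 1000 crash records, and files named in CodeIntegrity errors.  SAMPLE_LOG
is a constructed excerpt in the same layout; a flag means 'look', not 'malicious'."""
import re
import sys

HEADER_RE = re.compile(r"^=+\s+(.+?)\s+=+$")          # ==== Section name ====
SECURITY_RE = re.compile(r"^(AV|AS|FW): (.+?) \(([^)]*)\) \{")
TASK_RE = re.compile(r"^Task: \{[^}]+\} - (.+?) => (.+)$")
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")        # trailing "(Publisher)"
CRASH_RE = re.compile(r"Faulting application name: ([^,]+),")
CODEINT_RE = re.compile(r"image integrity of the file (\S+) because")

def split_sections(text):
    """Map each '==== Name ====' header to its lines ('_preamble' = before the first)."""
    sections, current = {"_preamble": []}, "_preamble"
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1).rstrip(":").strip()
            sections[current] = []
        else:
            sections[current].append(line.rstrip())
    return sections

def security_center_findings(sections):
    out = []
    for line in sections.get("Security Center", []):
        m = SECURITY_RE.match(line)
        if m and ("Disabled" in m.group(3) or "Out of date" in m.group(3)):
            out.append(f"{m.group(1)}: {m.group(2)} ({m.group(3)})")
    return out

def hidden_programs(sections):
    return [line[:-len(" Hidden")] for line in sections.get("Installed Programs", [])
            if line.endswith(" Hidden")]

def unvetted_tasks(sections):
    """Targets without a drive path or a '(Publisher)' suffix need a manual look."""
    out = []
    for line in sections.get("Scheduled Tasks (whitelisted)", []):
        m = TASK_RE.match(line)
        if not m:
            continue
        task, target = m.groups()
        pub = PUBLISHER_RE.search(target)
        if "\\" not in target or pub is None or not pub.group(1).strip():
            out.append(f"{task} => {target}")
    return out

def crashing_apps(sections):
    seen = []   # ordered, de-duplicated: the Office Sessions block repeats the same crashes
    for line in sections.get("Event log errors", []):
        m = CRASH_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def code_integrity_files(sections):
    return [m.group(1) for line in sections.get("Event log errors", [])
            if (m := CODEINT_RE.search(line))]

def triage(text):
    s = split_sections(text)
    return {"security": security_center_findings(s), "hidden_programs": hidden_programs(s),
            "unvetted_tasks": unvetted_tasks(s), "crashing_apps": crashing_apps(s),
            "code_integrity": code_integrity_files(s)}

# Constructed excerpt in FRST's layout (placeholder names and GUIDs except the Defender line).
SAMPLE_LOG = r"""==================== Security Center ========================
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Example AV (Enabled - Up to date) {00000000-0000-0000-0000-000000000001}
FW: Example AV (Enabled) {00000000-0000-0000-0000-000000000002}
==================== Installed Programs ======================
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
==================== Scheduled Tasks (whitelisted) =============
Task: {042A595B-916D-4AEA-A61C-B56B902F4350} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-30] (Piriform Ltd)
Task: {6C0170A7-73B0-4894-B2DB-EBCD94B0FE60} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
==================== Event log errors: =========================
Application errors:
==================
Error: (11/25/2014 03:02:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: tool.exe, version: 1.0.0.0, time stamp: 0x49ec5532
CodeIntegrity Errors:
===================================
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Tools\driver.sys because file hash could not be found on the system.
==================== End Of Log ============================
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, items in triage(text).items():
        print(f"{name}: {items}")
```

Invoke it with the path to a real Addition.txt to triage that file, or with no argument to run over the constructed excerpt. The output is a reading aid for the log the helper asked for; the fix decisions still belong to whoever reads the full FRST.txt alongside it.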



#4 godlikesanta
  • Topic Starter

  • Members
  • 3 posts

Posted 25 November 2014 - 11:01 PM

This was the result from zoek:

zoek.exe v5.0.0.0 Updated 25-11-2014
Tool run by kyle on Tue 11/25/2014 at 20:56:11.93.
Microsoft Windows 8 6.2.9200  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\kyle\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

11/25/2014 8:56:51 PM Zoek.exe System Restore Point Created Succesfully.

==== Running Processes ======================

C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files (x86)\DELL\DELLOSD\DellOSDService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\DELL\DELLOSD\FastUserSwitching.exe
C:\Program Files (x86)\DELL\Dell KM713 Wireless Keyboard software\CDCtr.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Users\kyle\Desktop\zoek.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\SysWOW64\cmd.exe

==== System Specs ======================

Windows: Windows Version 6.2 (Build 9200)
Memory (RAM): 6031 MB
CPU Info: Intel® Core™ i5-3330S CPU @ 2.70GHz
CPU Speed: 2694.2 MHz
Sound Card: Speakers (Realtek High Definiti |
Realtek Digital Output (Realtek |
Display Adapters: Intel® HD Graphics | Intel® HD Graphics | Intel® HD Graphics
Monitors: 1x; Generic PnP Monitor |
Screen Resolution: 2560 X 1440 - 32 bit
Network: Network Present
Network Adapters: Bluetooth Device (Personal Area Network) | Microsoft Wi-Fi Direct Virtual Adapter | Dell Wireless 1703 802.11b/g/n (2.4GHz) | Qualcomm Atheros AR8161 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
CD / DVD Drives: 1x (D: | ) D: HL-DT-STDVD+-RW GA31N
Ports: COM1 LPT Port NOT Present.
Mouse: 5 Button Wheel Mouse Present
Hard Disks: C:  921.7GB
Hard Disks - Free: C:  726.7GB
Manufacturer *: Dell Inc.
BIOS Info: AT/AT COMPATIBLE |  | DELL   - 1072009
Time Zone: US Mountain Standard Time
Motherboard *: Dell Inc. 0G17RR
Country: United States
Language: ENU

==== System Specs (Software) ======================

Anti-Virus: Windows Defender On-access scanning disabled (Outdated)
Anti-Virus: Norton 360 On-access scanning disabled (Outdated)
Anti-Spyware: Norton 360 disabled (Outdated)
Anti-Spyware: Windows Defender disabled (Outdated)
Firewall: Norton 360 disabled
Internet Explorer Version: 10.0.9200.16384
Flash Player version: 12.0.0.70

==== Files Recently Created / Modified ======================

====== C:\windows ====
2014-11-25 22:01:07 F042EE4C8D66248D9B86DCF52ABAE416 256000 ----a-w- C:\windows\PEV.exe
2014-11-25 22:01:07 9E05A9C264C8A908A8E79450FCBFF047 80412 ----a-w- C:\windows\grep.exe
2014-11-25 22:01:07 5E832F4FAF5F481F2EAF3B3A48F603B8 68096 ----a-w- C:\windows\zip.exe
2014-11-25 22:01:07 0297C72529807322B152F517FDB0A9FC 406528 ----a-w- C:\windows\SWSC.exe
2014-11-25 22:01:07 0277C027A26428DB64EF4F64F52BB4FD 208896 ----a-w- C:\windows\MBR.exe
====== C:\Users\kyle\AppData\Local\Temp ====
====== Java Cache =====
====== C:\windows\SysWOW64 =====
====== C:\windows\SysWOW64\drivers =====
====== C:\windows\Sysnative =====
====== C:\windows\Sysnative\drivers =====
2014-11-25 05:19:24 26C43960C99EE861A5D0EDC4DCF3B1C3 129752 ----a-w- C:\windows\Sysnative\drivers\MBAMSwissArmy.sys
2014-11-25 05:19:09 D3311B31C470E7681B14D9B014CBF9ED 93400 ----a-w- C:\windows\Sysnative\drivers\mbamchameleon.sys
2014-11-25 05:19:09 D1F2D4DF0A5D3B700794E26356A55B44 64216 ----a-w- C:\windows\Sysnative\drivers\mwac.sys
2014-11-25 05:19:09 5C3669B71657F22E67A1D4BD49D2CBE7 25816 ----a-w- C:\windows\Sysnative\drivers\mbam.sys
2014-11-09 12:41:39 3B32CAA07D672F8A2E0DF5CB3A873F45 22704 ----a-w- C:\windows\Sysnative\drivers\EsgScanner.sys
====== C:\windows\Tasks ======
====== C:\windows\Temp ======
======= C:\Program Files =====
2014-11-21 22:32:32 -------- d-----w- C:\Program Files\HitmanPro
2014-11-09 12:41:33 -------- d-----w- C:\Program Files\Enigma Software Group
======= C:\PROGRA~2 =====
======= C: =====
2014-11-09 12:42:18 D41D8CD98F00B204E9800998ECF8427E 0 ----a-w- C:\autoexec.bat
====== C:\Users\kyle\AppData\Roaming ======
2014-11-25 22:10:55 -------- d-----w- C:\Users\Public\AppData\Local\temp
2014-11-25 22:10:55 -------- d-----w- C:\Users\Default\AppData\Local\temp
2014-11-25 22:10:55 -------- d-----w- C:\Users\CHAS\AppData\Local\temp
2014-11-25 22:10:55 -------- d-----w- C:\Users\Administrator\AppData\Local\temp
2014-11-25 21:49:54 -------- d-----r- C:\Users\kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2014-11-25 21:43:54 -------- d-----w- C:\windows\serviceprofiles\Localservice\AppData\Local\CrashDumps
2014-11-25 08:07:11 -------- d-----w- C:\Users\kyle\AppData\Local\NPE
2014-11-25 05:18:50 -------- d-----w- C:\Users\kyle\AppData\Local\Programs
2014-11-25 05:05:56 -------- d-----w- C:\Users\kyle\AppData\Local\ElevatedDiagnostics
2014-11-09 12:42:03 -------- d-----w- C:\Users\kyle\AppData\Roaming\Enigma Software Group
2014-11-09 12:42:01 -------- d-----w- C:\Users\kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2014-11-02 07:38:26 -------- d-----w- C:\Users\kyle\AppData\Local\Blizzard
====== C:\Users\kyle ======
2014-11-26 03:55:35 7AEDDC1A55682B74EA03E81C1527D8F7 2118144 ----a-w- C:\Users\kyle\Desktop\FRST64.exe
2014-11-26 03:48:24 7650EF7FFE338A50ADE28288FB601B7A 186568 ----a-w- C:\Users\kyle\Downloads\ESETPoweliksCleaner.exe
2014-11-25 22:10:55 -------- d-----w- C:\Users\Public\AppData
2014-11-21 22:32:33 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-11-21 22:30:17 -------- d-----w- C:\ProgramData\HitmanPro
2014-11-20 05:20:09 -------- d--h--w- C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}

====== C: exe-files ==
2014-11-26 03:55:35 7AEDDC1A55682B74EA03E81C1527D8F7 2118144 ----a-w- C:\Users\kyle\Desktop\FRST64.exe
2014-11-26 03:50:48 7AEDDC1A55682B74EA03E81C1527D8F7 2118144 ----a-w- C:\Users\kyle\AppData\Local\Microsoft\Windows\INetCache\Content.IE5\URPNHJQL\FRST64.exe
2014-11-26 03:48:24 7650EF7FFE338A50ADE28288FB601B7A 186568 ----a-w- C:\Users\kyle\Downloads\ESETPoweliksCleaner.exe
2014-11-25 22:01:07 F042EE4C8D66248D9B86DCF52ABAE416 256000 ----a-w- C:\Windows\PEV.exe
2014-11-25 22:01:07 9E05A9C264C8A908A8E79450FCBFF047 80412 ----a-w- C:\Windows\grep.exe
2014-11-25 22:01:07 5E832F4FAF5F481F2EAF3B3A48F603B8 68096 ----a-w- C:\Windows\zip.exe
2014-11-25 22:01:07 0297C72529807322B152F517FDB0A9FC 406528 ----a-w- C:\Windows\SWSC.exe
2014-11-25 22:01:07 0277C027A26428DB64EF4F64F52BB4FD 208896 ----a-w- C:\Windows\MBR.exe
2014-11-25 20:21:54 30A9BA6BDB2927E3E222629880BF03DE 1912136 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\delegate_execute.exe
2014-11-25 20:21:54 0BDAE865738D27A4D84D50591C8C9D2D 860488 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\nylfllbfufa.exe
2014-11-25 20:21:54 037B1E7798960E0420003D05BB577EE6 33280 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\rundll32.exe
2014-11-25 20:21:54 007E8B07E512FDA381C0BED5CF8BA6E6 1936712 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\nacl64.exe
2014-11-21 22:32:32 00FD7C6BEDEE9B24B0DB02B68B07AD54 11222744 ----a-w- C:\Program Files\HitmanPro\HitmanPro.exe
2014-11-21 21:06:35 20BC802CA54ACFD48435C9176441C13A 7764184 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE15\cmigrate.exe
2014-11-21 21:06:34 106021B1146952B8EC9FCBFEA7A7F277 705184 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\DCF\SPREADSHEETCOMPARE.EXE
2014-11-21 21:06:33 A0597F9C38BFADA73C0062874761A43C 550584 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\msosqm.exe
2014-11-21 21:06:33 9A80F562E89B3D98EBBE7EDD9E75FFAC 39576 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\appsharinghookcontroller64.exe
2014-11-21 21:06:33 4F417B68A6EB97998C4E9156D053900A 1092816 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\olicenseheartbeat.exe
2014-11-21 21:06:33 1CFBCB7748780D39C7209EFC929B126B 842440 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\dw20.exe
2014-11-21 21:06:33 1B7AF1B851A7A8763103FA63E8514CD6 207016 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\msoxmled.exe
2014-11-21 21:06:31 CC5C101D61539A7379AA9BC3282FD408 5680856 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\cmigrate.exe
2014-11-21 21:06:31 175B3D01AD19B310238B5C29846D2891 81640 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\csisyncclient.exe
2014-11-21 21:06:30 98A2C1C05D59593050C67B739CA6C0B0 217760 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE15\msoxmled.exe
2014-11-21 21:06:30 6447C60B47195C983BBBDAD6A2C22A99 474336 ----a-w- C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\dwtrig20.exe
2014-11-21 21:06:30 1A72E641E2C77131030DA60B7B71F66C 528576 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\vpreview.exe
2014-11-21 21:06:28 36995A650174CC354F6E4C417C6D5625 1923224 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\winword.exe
2014-11-21 21:06:28 14EC450D656FCCA98383830B711DAB89 18947744 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\outlook.exe
2014-11-21 21:06:25 8A59C5C5747DCDB8EA2B77C981E62AA7 665240 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\ucmapi.exe
2014-11-21 21:06:24 E80F15DCA53E1ECD433CFE042400DF97 40672 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\scanpst.exe
2014-11-21 21:06:24 1F9754F230A2BA24A961A7502135120E 480976 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\selfcert.exe
2014-11-21 21:06:23 33022E733887D50D1F796135A4C4E7C3 873648 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\protocolhandler.exe
2014-11-21 21:06:22 203718811BE4463ACE59C09A7DDFF4E8 517352 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\iecontentservice.exe
2014-11-21 21:06:21 2A057DD0B0AA74B7B9B1FC94E8EB82C9 569584 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\orgchart.exe
2014-11-21 21:06:19 5EDC8FCE400CA9CDA27EFFC4AF4D7275 1765024 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\onenote.exe
2014-11-21 21:06:18 D7E4EB3AA8CEEBB14DCA08D3B7AE41BD 87232 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\namecontrolserver.exe
2014-11-21 21:06:18 149A96C02F566E0D38026B409D9CDDBA 1296072 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\ocpubmgr.exe
2014-11-21 21:06:16 69439A00309B451605EBB90AB5B0E7E2 15518880 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\msaccess.exe
2014-11-21 21:06:15 F4C40708FC1C59FB5EB10B10AE23D348 33960 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\msoev.exe
2014-11-21 21:06:15 F2C596D99EFF8F337BF4A428767F10EA 497848 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\msouc.exe
2014-11-21 21:06:15 DE43B2666E374279165FEAD586A4BA2C 33968 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\msotd.exe
2014-11-21 21:06:15 A5A4E6BD8383533C82BFD99BAAD0B35D 10771104 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\mspub.exe
2014-11-21 21:06:14 F45A0DF110AAA1C48D1FA3009A671871 449208 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\msosync.exe
2014-11-21 21:06:14 50C11D73A9DB8543B2FA25B9563D3F2D 283312 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\msoia.exe
2014-11-21 21:06:14 05CFC10D672D10CB2F9096B642441D22 19051160 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\lync.exe
2014-11-21 21:06:12 9C9524FBE43E9593437BE11472872B0A 1783968 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\infopath.exe
2014-11-21 21:06:12 95F05B316E114B7B299DD0D57B1224F6 6484640 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\lynchtmlconv.exe
2014-11-21 21:06:11 CD86464906551942F410AEA5B735D762 8686264 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\groove.exe
2014-11-21 21:06:11 49B2D14B7D2F986BC83666851FD7C1C2 4522680 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\graph.exe
2014-11-21 21:06:09 9D8ED241EDD0EF87E4EA33E8536F3668 21934232 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\excelcnv.exe
2014-11-21 21:06:09 1265BCCDCD1C4585948DCA39AD78CF1A 991904 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\firstrun.exe
2014-11-21 21:06:07 B6B52C83F878E9F6BBB25FDC1B718B76 25643168 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\excel.exe
2014-11-21 21:06:05 4085A1C1A6B05EDCE72BE2837BEAFD7A 229048 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\clview.exe
2014-11-21 21:06:03 12482D31B8FA8DF122F78A138926A8A1 33432 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\appsharinghookcontroller.exe
2014-11-21 21:06:01 FDB0560C147FFB6E1FFC79ABBCCF48D3 590536 ----a-w- C:\Program Files\Microsoft Office 15\root\Integration\integrator.exe
2014-11-21 21:05:55 EDC36AE43B7FB8CE366540E729E342AA 281760 ----a-w- C:\Program Files\Microsoft Office 15\root\office15\DCF\DATABASECOMPARE.EXE
2014-11-21 21:05:52 8D03F2858035926F6B1E6EC34A0C0595 145056 ----a-w- C:\Program Files\Microsoft Office 15\root\client\AppVDllSurrogate64.exe
2014-11-21 21:05:52 27DB723A68AE52CF0BCBA8708A44E0CA 311544 ----a-w- C:\Program Files\Microsoft Office 15\root\client\AppVLP.exe
2014-11-21 21:05:52 098CA18BC23278B53C76C9F0D6BD7238 124064 ----a-w- C:\Program Files\Microsoft Office 15\root\client\AppVDllSurrogate32.exe
2014-11-21 21:05:35 D567C3DF56AC248EE82039DC0AF6D9E1 205472 ----a-w- C:\Program Files\Microsoft Office 15\ClientX64\AppVShNotify.exe
2014-11-21 21:05:35 288BD9FFEA8FB0D2176F22751E0D9F92 248992 ----a-w- C:\Program Files\Microsoft Office 15\ClientX64\mavinject32.exe
=== C: other files ==
2014-11-25 20:21:54 D2F6A1B11344D9AC7BCFB75900D4ADE1 23668 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\default_apps\youtube.crx
2014-11-25 20:21:54 8AD223868AB9974F7746D0227730A0CC 26392 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\default_apps\search.crx
2014-11-25 20:21:53 71E1283B8440F6264CEC99DF9AD81F5B 25561 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\default_apps\drive.crx
2014-11-25 20:21:53 2E2E328E5BF6BE61203164B3E9EA8094 24040 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\default_apps\gmail.crx
2014-11-25 20:21:53 2C71C49F991095A1848624907BACBB08 4578 ----a-w- C:\Users\kyle\AppData\LocalLow\rcru\Hwyxbnurrqan\Tzcpvpj\36.0.1985.143\default_apps\docs.crx
2014-11-25 05:19:24 26C43960C99EE861A5D0EDC4DCF3B1C3 129752 ----a-w- C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-11-25 05:19:09 D3311B31C470E7681B14D9B014CBF9ED 93400 ----a-w- C:\Windows\System32\Drivers\mbamchameleon.sys
2014-11-25 05:19:09 D1F2D4DF0A5D3B700794E26356A55B44 64216 ----a-w- C:\Windows\System32\Drivers\mwac.sys
2014-11-25 05:19:09 5C3669B71657F22E67A1D4BD49D2CBE7 25816 ----a-w- C:\Windows\System32\Drivers\mbam.sys

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-21-659371098-2153080505-1789008132-1007\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files (x86)\Skype\Phone\Skype.exe /minimized /regrun"
"CCleaner Monitoring"="C:\Program Files\CCleaner\CCleaner64.exe /MONITOR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe 60"
"DELLOSD"="C:\Program Files (x86)\DELL\DELLOSD\FastUserSwitching.exe"
"CDCtr"="C:\Program Files (x86)\Dell\Dell KM713 Wireless Keyboard software\CDCtr.exe"
"CLMLServer_For_P2G8"="C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe"
"CLVirtualDrive"="C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe /R"
"RemoteControl10"="C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
"Razer Synapse"="C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files (x86)\Skype\Phone\Skype.exe /minimized /regrun"
"CCleaner Monitoring"="C:\Program Files\CCleaner\CCleaner64.exe /MONITOR"

==== Startup Registry Enabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s"
"RtHDVBg"="C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX4 "
"BtTray"="C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtTray.exe"
"BtvStack"="C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe"
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe"
"Persistence"="C:\WINDOWS\system32\igfxpers.exe"

==== Startup Folders ======================

2014-02-04 08:58:03 0 ----a-w- C:\Users\kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip

==== Other Scheduled Tasks ======================

"C:\windows\SysNative\tasks\CCleanerSkipUAC" ["C:\Program Files\CCleaner\CCleaner.exe"]
"C:\windows\SysNative\tasks\Norton WSC Integration" ["C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\WSCStub.exe"]
"C:\windows\SysNative\tasks\PCDEventLauncherTask" ["C:\Program Files\My Dell\sessionchecker.exe"]
"C:\windows\SysNative\tasks\PCDoctorBackgroundMonitorTask" ["C:\Program Files\My Dell\uaclauncher.exe"]
"C:\windows\SysNative\tasks\SystemToolsDailyTest" ["uaclauncher.exe"]
"C:\windows\SysNative\tasks\Dell\Dell System Registration" [C:\Program Files (x86)\System Registration\prodreg.exe]
"C:\windows\SysNative\tasks\Norton 360\Norton Error Analyzer" [C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\SymErr.exe]
"C:\windows\SysNative\tasks\Norton 360\Norton Error Processor" [C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\SymErr.exe]

==== C:\zoek_backup content ======================

C:\zoek_backup (files=0 folders=0 0 bytes)

==== EOF on Tue 11/25/2014 at 21:00:55.33 ======================



#5 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 26 November 2014 - 03:36 AM

Hi,
please post the ESET-Log and the FRST.txt as well... :)
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#6 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 29 November 2014 - 09:21 AM

Hi,

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.
regards,
deeprybka

#7 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 01 December 2014 - 07:37 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
deeprybka
