Poweliks trojan & dllhost.exe 32 COM Surrogate virus

FredricJLowe

New Member
Thread author
Verified
Nov 11, 2014
43
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-11-2014
Ran by FredricJLowe at 2014-11-12 07:41:47 Run:2
Running from C:\Users\FredricJLowe\Desktop\Virus Tools
Loaded Profile: FredricJLowe (Available profiles: FredricJLowe & UpdatusUser & Administrator)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
CloseProcesses:
HKLM Group Policy restriction on software: C:\Program Files (x86)\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
SearchScopes: HKLM-x32 - {8fe8d013-c3fd-4802-af48-79274e9f969e} URL = http://search.tb.ask.com/search/GGm...02609&st=sb&n=77fd8211&searchfor={searchTerms}
SearchScopes: HKCU - {8fe8d013-c3fd-4802-af48-79274e9f969e} URL = http://search.tb.ask.com/search/GGm...02609&st=sb&n=77fd8211&searchfor={searchTerms}
SearchScopes: HKCU - {AC9B848C-BA35-4606-A535-CA0671C0C735} URL = http://websearch.ask.com/redirect?c...pn_sauid=C1CFE429-A36B-4C12-836C-A9C5C4EC1BF6
FF Extension: No Name - C:\Users\FredricJLowe\AppData\Roaming\Mozilla\Firefox\Profiles\nzm0n0ik.default\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8} [Not Found]
C:\ProgramData\LutkAlsi
C:\ProgramData\IewwEcap
Emptytemp:
*****************
Processes closed successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8fe8d013-c3fd-4802-af48-79274e9f969e}" => Key not found.
"HKCR\Wow6432Node\CLSID\{8fe8d013-c3fd-4802-af48-79274e9f969e}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8fe8d013-c3fd-4802-af48-79274e9f969e}" => Key not found.
"HKCR\CLSID\{8fe8d013-c3fd-4802-af48-79274e9f969e}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AC9B848C-BA35-4606-A535-CA0671C0C735}" => Key not found.
"HKCR\CLSID\{AC9B848C-BA35-4606-A535-CA0671C0C735}" => Key not found.
C:\Users\FredricJLowe\AppData\Roaming\Mozilla\Firefox\Profiles\nzm0n0ik.default\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8} not found.
"C:\ProgramData\LutkAlsi" => File/Directory not found.
"C:\ProgramData\IewwEcap" => File/Directory not found.
EmptyTemp: => Removed 60.2 MB temporary data.

The system needed a reboot.
==== End of Fixlog ====

Will post the AdwCleaner log after it cleans.
 

FredricJLowe

New Member
Thread author
Verified
Nov 11, 2014
43
# AdwCleaner v4.101 - Report created 12/11/2014 at 08:13:00
# Updated 09/11/2014 by Xplode
# Database : 2014-11-11.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : FredricJLowe - FREDLOWEDESKTOP
# Running from : C:\Users\FredricJLowe\Desktop\Virus Tools\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
Service Deleted : webinstrNew
***** [ Files / Folders ] *****
File Deleted : C:\Windows\System32\drivers\webinstrNew.sys
***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.superfish.com
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420

-\\ Mozilla Firefox v33.1 (x86 en-US)

-\\ Google Chrome v38.0.2125.122

*************************
AdwCleaner[R0].txt - [20450 octets] - [11/11/2014 07:42:16]
AdwCleaner[R1].txt - [22743 octets] - [12/11/2014 07:20:28]
AdwCleaner[R2].txt - [1281 octets] - [12/11/2014 08:01:03]
AdwCleaner[S0].txt - [22594 octets] - [12/11/2014 07:29:36]
AdwCleaner[S1].txt - [1210 octets] - [12/11/2014 08:13:00]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1270 octets] ##########
 

FredricJLowe

New Member
Thread author
Verified
Nov 11, 2014
43
Nothing has changed. I am getting this Ads A Better Deal popping up on Internet Explorer.

Not sure what changed from last night when everything was working.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    emptyfolderscheck;delete
    Quickscan;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will open afterwards. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.
 

FredricJLowe

New Member
Thread author
Verified
Nov 11, 2014
43
Zoek.exe v5.0.0.0 Updated 11-November-2014
Tool run by FredricJLowe on Wed 11/12/2014 at 9:49:52.48.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\FredricJLowe\Desktop\Virus Tools\zoek.exe [Scan all users] [Script inserted]
==== System Restore Info ======================
11/12/2014 9:57:32 AM Zoek.exe System Restore Point Created Succesfully.
==== Empty Folders Check ======================
C:\PROGRA~2\Freemake deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\Nitro PDF deleted successfully
C:\PROGRA~2\COMMON~1\supportdotcom deleted successfully
C:\Program Files\PolderbitS deleted successfully
C:\PROGRA~3\boost_interprocess deleted successfully
C:\PROGRA~3\Freemake deleted successfully
C:\PROGRA~3\Local Settings deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\Sage Software, Inc deleted successfully
C:\Users\FredricJLowe\AppData\Roaming\Download Manager deleted successfully
C:\Users\FredricJLowe\AppData\Roaming\Google deleted successfully
C:\Users\FredricJLowe\AppData\Roaming\PeerNetworking deleted successfully
C:\Users\FredricJLowe\AppData\Roaming\webex deleted successfully
C:\Users\FredricJLowe\AppData\Local\CUSTPDF Writer deleted successfully
C:\Users\FredricJLowe\AppData\Local\Jaksta_Technologies_Pty_L deleted successfully
C:\Users\FredricJLowe\AppData\Local\LogMeIn Rescue Applet deleted successfully
==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\YahooAUService deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\YahooAUService deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webinstrNew deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\webinstrNew deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\wbsvc deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbsvc deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\Application\wbsvc deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wbsvc deleted successfully
==== FireFox Fix ======================
ProfilePath: C:\Users\FREDRI~1\AppData\Roaming\Mozilla\Firefox\Profiles\nzm0n0ik.default
user.js not found
---- Lines nspdl removed from prefs.js ----
user_pref("extensions.nspdl.data.1c4755f318c6fdb260c47f26d0a24f0ca", "1");
user_pref("extensions.nspdl.data.activeDate", "20141111");
user_pref("extensions.nspdl.data.aliveDate", "20141111");
user_pref("extensions.nspdl.data.instlDate", "20141111");
user_pref("extensions.nspdl.data.ntopen", "23595662");
user_pref("extensions.nspdl.general.content", "favorites-e6489c2a413548420704ea3f4543d33f");
user_pref("extensions.nspdl.general.firstRun", false);
user_pref("extensions.nspdl.general.guid", "51660489-5681-40f5-bde4-d91eec2d5bf5");
user_pref("extensions.nspdl.general.version", "9.5.5");
---- FireFox user.js and prefs.js backups ----
prefs_20141112_1020_.backup
ProfilePath: C:\Users\FREDRI~1\AppData\Roaming\Thunderbird\Profiles\izpoojy7.default
user.js not found
---- Lines Search removed from prefs.js ----
user_pref("extensions.importexporttools.import.lastdir", "J:\\WindowsMailfoldersthrough12212011\\Imported Folder\\Search Fold 91a");
---- FireFox user.js and prefs.js backups ----
prefs_20141112_1020_.backup
==== Batch Command(s) Run By Tool======================
C:\Windows\system32\appdata deleted
==== Deleting Files \ Folders ======================
C:\Windows\syswow64\appdata deleted
C:\PROGRA~2\Mozilla Firefox\defaults\preferences\autoconfig.js deleted
C:\PROGRA~2\Yahoo! deleted
C:\PROGRA~2\MyFree Codec deleted
C:\Users\Administrator\AppData\Roaming\Yahoo! deleted
C:\Users\FredricJLowe\AppData\Roaming\Yahoo! deleted
C:\Users\FredricJLowe\AppData\Roaming\ICQ Search deleted
C:\PROGRA~3\Yahoo! deleted
C:\PROGRA~3\InstallSightSDK deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\FredricJLowe\AppData\Local\Wondershare deleted
C:\Windows\SysNative\config\systemprofile\AppData\Local\WebBar deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyFree Codec deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare deleted
C:\Windows\patsearch.bin deleted
C:\windows\SysNative\Tasks\BetterDeals Update deleted
C:\Windows\Tasks\BetterDeals Update.job deleted
C:\Users\Administrator\AppData\LocalLow\Yahoo! deleted
C:\Users\Administrator\AppData\LocalLow\Yahoo! Companion deleted
C:\Windows\wininit.ini deleted
C:\windows\SysNative\tasks\WebBarLaunchTask deleted
C:\windows\SysNative\tasks\WebBarUpdateTask deleted
C:\windows\SysNative\drivers\webinstrNew.sys deleted
C:\windows\SysNative\drivers\Msft_Kernel_webinstrNew_01009.Wdf deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\Windows\Syswow64\InstallUtil.InstallLog deleted
C:\Windows\SysWow64\AI_RecycleBin deleted
C:\Users\FredricJLowe\AppData\Roaming\act16hf4ss.exe deleted
C:\Users\FREDRI~1\AppData\Roaming\Mozilla\Firefox\Profiles\nzm0n0ik.default\nspdl deleted
"C:\Users\FredricJLowe\AppData\Local\{5C59B02A-96E2-428A-AC30-C53201E57E6B}" deleted
"C:\Users\FredricJLowe\AppData\Local\{9046AAD6-8520-48DB-9A36-BCBD1A232F97}" deleted
"C:\PROGRA~2\ver0BetterDeals\a3BetterDealsM73.exe" deleted
"C:\PROGRA~2\ver0BetterDeals\Sqlite3.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\CBSProducstInfo.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\DAQExp.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\WSHelper.exe" deleted
"C:\PROGRA~2\ver0BetterDeals" deleted
"C:\PROGRA~2\COMMON~1\Wondershare" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact" deleted
==== Files Recently Created / Modified ======================
====== C:\Windows ====
2014-11-11 23:06:46 F042EE4C8D66248D9B86DCF52ABAE416 256000 ----a-w- C:\Windows\PEV.exe
2014-11-11 23:06:46 9E05A9C264C8A908A8E79450FCBFF047 80412 ----a-w- C:\Windows\grep.exe
2014-11-11 23:06:46 5E832F4FAF5F481F2EAF3B3A48F603B8 68096 ----a-w- C:\Windows\zip.exe
2014-11-11 23:06:46 0297C72529807322B152F517FDB0A9FC 406528 ----a-w- C:\Windows\SWSC.exe
2014-11-11 23:06:46 0277C027A26428DB64EF4F64F52BB4FD 208896 ----a-w- C:\Windows\MBR.exe
====== C:\Users\FREDRI~1\AppData\Local\Temp ====
2014-11-08 08:47:13 5C73E64374D9BA37AC5569D1F7DE5C9B 665682 ----a-w- C:\Users\FredricJLowe\AppData\Local\Temp\sqlite3.dll
2014-11-08 08:33:34 7AAB90847C56E6F7E922BB29D5B3EA8A 601088 ----a-w- C:\Users\FredricJLowe\AppData\Local\Temp\Quarantine.exe
====== Java Cache =====
====== C:\Windows\SysWOW64 =====
2014-11-11 23:07:39 980EEEE8815DA7593708774D1225BD35 681984 ----a-w- C:\Windows\SysWOW64\adtschema.dll
2014-11-11 23:07:38 9AB39ADD28C7C1A685B1EA8C6A25CF08 146432 ----a-w- C:\Windows\SysWOW64\msaudite.dll
2014-11-11 23:07:38 9216ABFD53F5EC1F35C3554AD1A175DE 22016 ----a-w- C:\Windows\SysWOW64\secur32.dll
2014-11-11 23:07:38 13E5B1CD503A4B21E9F0A2D55A00198B 96768 ----a-w- C:\Windows\SysWOW64\sspicli.dll
2014-11-11 23:07:21 B6273619A3DF28F03B64E911E45A6AB2 30720 ----a-w- C:\Windows\SysWOW64\iernonce.dll
2014-11-11 23:07:21 A6E51BDCB8F4B84E874F918F0452763D 76288 ----a-w- C:\Windows\SysWOW64\mshtmled.dll
2014-11-11 23:07:21 5D5640C34C4A97467F77489DBB157568 47616 ----a-w- C:\Windows\SysWOW64\ieetwproxystub.dll
2014-11-11 23:07:20 FB56C76FEA44693752BD99D7D9930ABA 341168 ----a-w- C:\Windows\SysWOW64\iedkcs32.dll
2014-11-11 23:07:20 93074C4FA92A8399404D032F6AF72C1B 19781632 ----a-w- C:\Windows\SysWOW64\mshtml.dll
2014-11-11 23:07:20 843BD9DAF03ABB6761DEE6D155301F28 60416 ----a-w- C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-11 23:07:20 66F4FFDBCD501260ABC198317D2B0D10 285696 ----a-w- C:\Windows\SysWOW64\dxtrans.dll
2014-11-11 23:07:20 4772DB007FFBD4BBE3F526704BCA67FE 1310208 ----a-w- C:\Windows\SysWOW64\urlmon.dll
2014-11-11 23:07:20 26EE6C9780A8FC872C60F9E35D7EBD4B 688640 ----a-w- C:\Windows\SysWOW64\msfeeds.dll
2014-11-11 23:07:19 5E01004CBC35A78FE2AB4016CCAD4760 708096 ----a-w- C:\Windows\SysWOW64\ieapfltr.dll
2014-11-11 23:07:19 5972510EF1C6097D9C14C17387A5EDB2 2724864 ----a-w- C:\Windows\SysWOW64\mshtml.tlb
2014-11-11 23:07:19 19D68FDEE62519C5A0387EB4E88A01EF 62464 ----a-w- C:\Windows\SysWOW64\iesetup.dll
2014-11-11 23:07:18 FA310BD4A5DE904445DDDE54C5A654F2 2277376 ----a-w- C:\Windows\SysWOW64\iertutil.dll
2014-11-11 23:07:18 8A46404AC1AEB22AA2D4C906D0FC86C2 620032 ----a-w- C:\Windows\SysWOW64\jscript9diag.dll
2014-11-11 23:07:18 7748B3DDDC92C7FC11F7462DB872E8E7 2051072 ----a-w- C:\Windows\SysWOW64\inetcpl.cpl
2014-11-11 23:07:18 6DDC0F44A70976C492CB1666BA9A7912 47104 ----a-w- C:\Windows\SysWOW64\jsproxy.dll
2014-11-11 23:07:17 A1A2EE55A2C69F79AED00973E604B9C4 418304 ----a-w- C:\Windows\SysWOW64\dxtmsft.dll
2014-11-11 23:07:17 8585BC27224F97458C186AA085B754A7 478208 ----a-w- C:\Windows\SysWOW64\ieui.dll
2014-11-11 23:07:17 4F8CD74CD69A94ED1A5D7E837A356F4E 115712 ----a-w- C:\Windows\SysWOW64\ieUnatt.exe
2014-11-11 23:07:17 36EE0A2A981617610F921BCBB997DB06 12819456 ----a-w- C:\Windows\SysWOW64\ieframe.dll
2014-11-11 23:07:15 AE39939F1E25401B9A4952A7A8D372AC 4298240 ----a-w- C:\Windows\SysWOW64\jscript9.dll
2014-11-11 23:07:15 9ED3132B7F0D36FA9911721E8B2CB968 501248 ----a-w- C:\Windows\SysWOW64\vbscript.dll
2014-11-11 23:07:15 755D0A90CFC4BCB178D7070B0351F0AE 64000 ----a-w- C:\Windows\SysWOW64\MshtmlDac.dll
2014-11-11 23:07:15 6DD7D61A8EF3DFEC4FAEFEB395E77424 1892864 ----a-w- C:\Windows\SysWOW64\wininet.dll
2014-11-11 23:07:15 4169C6A6613856D69224498620F0C2B5 1155072 ----a-w- C:\Windows\SysWOW64\mshtmlmedia.dll
2014-11-11 23:07:15 139E85C4E5DF322AE1BF6544D8C32B0A 168960 ----a-w- C:\Windows\SysWOW64\msrating.dll
2014-11-11 23:06:19 537184E7306E06BB22C5B93D2AFA4DF8 1237504 ----a-w- C:\Windows\SysWOW64\msxml3.dll
2014-11-11 23:06:19 09FA271EE1F9AD68B2D1C1C210F4B71F 2048 ----a-w- C:\Windows\SysWOW64\msxml3r.dll
2014-11-11 23:06:13 5FDBDEECA34E73325D87C5ACD16A3EEC 701440 ----a-w- C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-11 23:06:09 8D338464B851DDD76E2B876A3E09EB70 442880 ----a-w- C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-11 23:06:08 FD79B005E849DF3D7E9B5EB7A637C528 374784 ----a-w- C:\Windows\SysWOW64\AudioEng.dll
2014-11-11 23:06:08 AA7325057A1E1CC401798C0B1238E182 195584 ----a-w- C:\Windows\SysWOW64\AudioSes.dll
2014-11-11 23:05:52 8CFAEFCD7F1E004950FCAE870A501B3E 248832 ----a-w- C:\Windows\SysWOW64\schannel.dll
2014-11-11 23:05:51 8FE6AB488ECDC60930CE973A7051B0D4 221184 ----a-w- C:\Windows\SysWOW64\ncrypt.dll
2014-11-11 23:05:49 B580A6B9932669DE703001AEE66D5BB1 259584 ----a-w- C:\Windows\SysWOW64\msv1_0.dll
2014-11-11 23:05:49 3B3B8BA16DC999EA17D075D2F1064DE4 550912 ----a-w- C:\Windows\SysWOW64\kerberos.dll
2014-11-11 23:05:49 37BC079204BF9B087D6DE6B728908B4B 172032 ----a-w- C:\Windows\SysWOW64\wdigest.dll
2014-11-11 23:05:48 9CEA80FFC617E6B6DD7B52E6225C0D38 65536 ----a-w- C:\Windows\SysWOW64\TSpkg.dll
2014-11-11 23:05:48 8205E55DFB11809E5F2AAD1C48840535 17408 ----a-w- C:\Windows\SysWOW64\credssp.dll
2014-11-11 23:03:02 0F39AC3274312EFFD03928291E8BA7CA 67584 ----a-w- C:\Windows\SysWOW64\packager.dll
2014-11-11 23:02:46 CB55B9AAB060C803BE4AD229AA0FEC28 2363904 ----a-w- C:\Windows\SysWOW64\msi.dll
2014-11-11 23:01:20 EDA54D2E17C0271D2CDA946ABE344110 571904 ----a-w- C:\Windows\SysWOW64\oleaut32.dll
====== C:\Windows\SysWOW64\drivers =====
====== C:\Windows\Sysnative =====
2014-11-11 23:07:46 F992AAE3F2DF1D7D2A75B681B0C5280E 304640 ----a-w- C:\Windows\Sysnative\generaltel.dll
2014-11-11 23:07:45 9F1FA4F36406693C77CC5779AA7E532D 228864 ----a-w- C:\Windows\Sysnative\aepdu.dll
2014-11-11 23:07:45 6021CF6A11DE9B5FC1BD210B6855C497 424448 ----a-w- C:\Windows\Sysnative\aeinv.dll
2014-11-11 23:07:40 008CD4EBFABCF78D0F19B3778492648C 683520 ----a-w- C:\Windows\Sysnative\termsrv.dll
2014-11-11 23:07:39 58F87BF5659C8EBC61EB439C916F2F9A 681984 ----a-w- C:\Windows\Sysnative\adtschema.dll
2014-11-11 23:07:38 C4C1B73FC2FF151BA08E1EAFDE2A2FAF 1460736 ----a-w- C:\Windows\Sysnative\lsasrv.dll
2014-11-11 23:07:38 7184AEACDA13E64B10F84E9DD79C8A01 146432 ----a-w- C:\Windows\Sysnative\msaudite.dll
2014-11-11 23:07:21 854B230F5D77486B67D809FFB8A10C7E 2724864 ----a-w- C:\Windows\Sysnative\mshtml.tlb
2014-11-11 23:07:21 7293701905DF1F40760C851F20DDC9EC 114688 ----a-w- C:\Windows\Sysnative\ieetwcollector.exe
2014-11-11 23:07:21 4E47ABA3C6C5032446A2AF7EFD026037 716800 ----a-w- C:\Windows\Sysnative\ie4uinit.exe
2014-11-11 23:07:21 1F3794CE1AEA5DA12ACF90210EAE4ECB 48640 ----a-w- C:\Windows\Sysnative\ieetwproxystub.dll
2014-11-11 23:07:20 33098C85B789630865CD3F5D22FB0DFC 77824 ----a-w- C:\Windows\Sysnative\JavaScriptCollectionAgent.dll
2014-11-11 23:07:20 26BC4EC95E363DD59171710E22108F15 34304 ----a-w- C:\Windows\Sysnative\iernonce.dll
2014-11-11 23:07:18 E17C34BECCD1388E9B386A9F82F01222 4096 ----a-w- C:\Windows\Sysnative\ieetwcollectorres.dll
2014-11-11 23:07:18 56651A76C63DAF2C593F1F767FC8A856 1550336 ----a-w- C:\Windows\Sysnative\urlmon.dll
2014-11-11 23:07:18 1C216980E7D21100A357B52B3C45F78D 388272 ----a-w- C:\Windows\Sysnative\iedkcs32.dll
2014-11-11 23:07:17 C6A719FD0B07B2DD0ADACD07636F4BAD 968704 ----a-w- C:\Windows\Sysnative\MsSpellCheckingFacility.exe
2014-11-11 23:07:17 6507CA9349500A535AF70670F248E525 66560 ----a-w- C:\Windows\Sysnative\iesetup.dll
2014-11-11 23:07:17 2A1A7F17C906941334C6A67E935F214B 316928 ----a-w- C:\Windows\Sysnative\dxtrans.dll
2014-11-11 23:07:17 1E30BECF0DB35481588FB72C9CF97CA2 800768 ----a-w- C:\Windows\Sysnative\msfeeds.dll
2014-11-11 23:07:16 BD708EBEDB35E474F1A19747154ACC47 799232 ----a-w- C:\Windows\Sysnative\ieapfltr.dll
2014-11-11 23:07:16 BA4EC6139B8830BBA9CC5D065CA5796C 2884096 ----a-w- C:\Windows\Sysnative\iertutil.dll
2014-11-11 23:07:16 5C9D58591D0091630452B04F35527240 2124288 ----a-w- C:\Windows\Sysnative\inetcpl.cpl
2014-11-11 23:07:15 31F2A5ECFD2C75F970A3007ACD5627C7 54784 ----a-w- C:\Windows\Sysnative\jsproxy.dll
2014-11-11 23:07:15 08BCDD6C9E23D00309F359620461DFE8 144384 ----a-w- C:\Windows\Sysnative\ieUnatt.exe
2014-11-11 23:07:14 69602F6259598A7837CB83D3608FE293 633856 ----a-w- C:\Windows\Sysnative\ieui.dll
2014-11-11 23:07:14 277A4735954F1BF29EE3D138A5251BFE 490496 ----a-w- C:\Windows\Sysnative\dxtmsft.dll
2014-11-11 23:07:14 154B8555A118BCFD95F358390E418B00 14390272 ----a-w- C:\Windows\Sysnative\ieframe.dll
2014-11-11 23:07:13 F208D7FB40FD80EA9F123BABF687359C 6040064 ----a-w- C:\Windows\Sysnative\jscript9.dll
2014-11-11 23:07:13 B6DC4597FF946B0C8B29650A71F52D4E 580096 ----a-w- C:\Windows\Sysnative\vbscript.dll
2014-11-11 23:07:13 98088A13F65BE35DA3693F264740CEEC 1359360 ----a-w- C:\Windows\Sysnative\mshtmlmedia.dll
2014-11-11 23:07:13 7EE5FBD190BF5B27F7977EA6CBF0DCAC 92160 ----a-w- C:\Windows\Sysnative\mshtmled.dll
2014-11-11 23:07:13 7EC80DB959695D4F927D2D601DA59F35 814080 ----a-w- C:\Windows\Sysnative\jscript9diag.dll
2014-11-11 23:07:13 6FC2819A4F80AAB2DADEDFC1EFEE3C3F 2365440 ----a-w- C:\Windows\Sysnative\wininet.dll
2014-11-11 23:07:12 EE3592B010E3F69D141323E592C01A1A 199680 ----a-w- C:\Windows\Sysnative\msrating.dll
2014-11-11 23:07:12 BBD6A636AAA65D874F3863280CD8373D 25110016 ----a-w- C:\Windows\Sysnative\mshtml.dll
2014-11-11 23:07:12 4B6D9AB2ECD11AF5F6B1C42D938E0A85 88064 ----a-w- C:\Windows\Sysnative\MshtmlDac.dll
2014-11-11 23:06:19 D005697F0467BBDDAB7638496DA5DB52 2048 ----a-w- C:\Windows\Sysnative\msxml3r.dll
2014-11-11 23:06:19 364ECFF4ABD9D575F4F7CF7EB7928EF3 1882624 ----a-w- C:\Windows\Sysnative\msxml3.dll
2014-11-11 23:06:13 1FEBD408F32DFC523882E7DA5AC57819 878080 ----a-w- C:\Windows\Sysnative\IMJP10K.DLL
2014-11-11 23:06:10 9383B21A4B77C130940262DDC5F3F49B 500224 ----a-w- C:\Windows\Sysnative\AUDIOKSE.dll
2014-11-11 23:06:09 DE3E38431B00C2EA247C53675DCF01A0 680960 ----a-w- C:\Windows\Sysnative\audiosrv.dll
2014-11-11 23:06:09 B1BB7B91C3C878FDB2874138CE81C4EF 284672 ----a-w- C:\Windows\Sysnative\EncDump.dll
2014-11-11 23:06:09 A2C9E45F4069A002E985D1563D16813B 440832 ----a-w- C:\Windows\Sysnative\AudioEng.dll
2014-11-11 23:06:08 FAFCB80D42A65964B6F4945283B8C10F 296448 ----a-w- C:\Windows\Sysnative\AudioSes.dll
2014-11-11 23:05:53 A71B81AC2C14ABA013CCF1225D9E3E36 342016 ----a-w- C:\Windows\Sysnative\schannel.dll
2014-11-11 23:05:53 109CC0DF72CC07A6CB59D2995255A1DA 309760 ----a-w- C:\Windows\Sysnative\ncrypt.dll
2014-11-11 23:05:49 DF30FC54FFF79BC744B22A4850A3CF92 86528 ----a-w- C:\Windows\Sysnative\TSpkg.dll
2014-11-11 23:05:49 55F0CF40479A1FC89CFA578909A540F2 210944 ----a-w- C:\Windows\Sysnative\wdigest.dll
2014-11-11 23:05:49 47C48C705F4F1EFC99B50B43AE4301FE 314880 ----a-w- C:\Windows\Sysnative\msv1_0.dll
2014-11-11 23:05:49 028D99F83CBB31DB7995530B89EA13CF 728064 ----a-w- C:\Windows\Sysnative\kerberos.dll
2014-11-11 23:05:48 336BA030AB7B05300CB0B5C6AFB27176 22016 ----a-w- C:\Windows\Sysnative\credssp.dll
2014-11-11 23:03:02 934735F508E297504460935B71E99F0B 77824 ----a-w- C:\Windows\Sysnative\packager.dll
2014-11-11 23:02:58 93C055B6AAD76360A60CB7E59A491531 3198976 ----a-w- C:\Windows\Sysnative\win32k.sys
2014-11-11 23:02:47 2720C94ADCC1727A66365CCB1CE456C4 3241984 ----a-w- C:\Windows\Sysnative\msi.dll
2014-11-11 23:01:20 B938AF16A521C913791C6F7AFF032757 861696 ----a-w- C:\Windows\Sysnative\oleaut32.dll
====== C:\Windows\Sysnative\drivers =====
2014-11-11 23:07:39 41774FF331F609EF442B7398EE6202B1 155064 ----a-w- C:\Windows\Sysnative\drivers\ksecpkg.sys
2014-11-10 04:27:24 975F2CAA23B9CF4420EAB6439BE4D233 37624 ----a-w- C:\Windows\Sysnative\drivers\TrueSight.sys
2014-11-09 16:48:10 17D683EEA9FFD741A1ED8731ABBC23D1 131800 ----a-w- C:\Windows\Sysnative\drivers\MBAMSwissArmy.sys
2014-11-09 16:47:49 95EF63A7827D4E3A229CBBCB42619E93 63704 ----a-w- C:\Windows\Sysnative\drivers\mwac.sys
2014-11-09 16:47:49 5C3669B71657F22E67A1D4BD49D2CBE7 25816 ----a-w- C:\Windows\Sysnative\drivers\mbam.sys
2014-11-09 16:47:49 3540DDFAC8A076B983F86EB2A79D8FBD 96472 ----a-w- C:\Windows\Sysnative\drivers\mbamchameleon.sys
2014-10-15 11:48:06 946010CDFA91469351B22E2620CEBCD8 663552 ----a-w- C:\Windows\Sysnative\drivers\PEAuth.sys
2014-10-15 11:48:04 80B9412C4DE09147581FC935FB4C97AB 61440 ----a-w- C:\Windows\Sysnative\drivers\appid.sys
2014-10-15 11:47:08 FE571E088C2D83619D2D48D4E961BF41 212480 ----a-w- C:\Windows\Sysnative\drivers\rdpwd.sys
2014-10-15 11:47:08 E232A3B43A894BB327FC161529BD9ED1 39936 ----a-w- C:\Windows\Sysnative\drivers\tssecsrv.sys
====== C:\Windows\Tasks ======
2014-11-11 23:58:53 FFF9AFFBB9C944B4A3B2E9E872715CDE 3234 ----a-w- C:\Windows\Sysnative\Tasks\SidebarExecute
2014-11-11 21:00:36 5D316417CAAD6E7369ED070517C9D982 3118 ----a-w- C:\Windows\Sysnative\Tasks\RPC
2014-11-06 16:41:39 -------- d-----w- C:\Windows\Sysnative\Tasks\Safer-Networking
====== C:\Windows\Temp ======
======= C:\Program Files =====
2014-11-11 21:04:09 -------- d-----w- C:\Program Files\WebBar
2014-10-19 18:38:01 -------- d-----w- C:\Program Files\iPod
2014-10-19 18:37:58 -------- d-----w- C:\Program Files\iTunes
======= C:\PROGRA~2 =====
2014-11-12 01:07:31 -------- d-----w- C:\PROGRA~2\Mozilla Maintenance Service
2014-11-11 21:01:25 -------- d-----w- C:\PROGRA~2\ospd_us_377
2014-11-09 20:17:23 -------- d-----w- C:\PROGRA~2\Sophos
2014-11-09 18:42:39 -------- d-----w- C:\PROGRA~2\Windows Resource Kits
2014-10-19 18:37:58 -------- d-----w- C:\PROGRA~2\iTunes
======= C: =====
====== C:\Users\FredricJLowe\AppData\Roaming ======
2014-11-11 23:44:43 -------- d-----w- C:\Users\UpdatusUser\AppData\Local\temp
2014-11-11 23:44:43 -------- d-----w- C:\Users\Public\AppData\Local\temp
2014-11-11 23:44:43 -------- d-----w- C:\Users\dub_cm_auto\AppData\Local\temp
2014-11-11 23:44:43 -------- d-----w- C:\Users\Default\AppData\Local\temp
2014-11-11 23:44:43 -------- d-----w- C:\Users\Default User\AppData\Local\temp
2014-11-11 23:44:43 -------- d-----w- C:\Users\Administrator\AppData\Local\temp
2014-11-10 21:16:04 -------- d-----w- C:\Users\Administrator\AppData\Local\Google
2014-11-09 20:17:32 -------- d-----w- C:\Users\FredricJLowe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2014-11-06 16:53:30 -------- d-sh--w- C:\Users\FredricJLowe\AppData\Locallow\EmieUserList
====== C:\Users\FredricJLowe ======
2014-11-12 01:10:21 035C0B5DA1CFE02625A814E7698B8CBE 1057488 ----a-w- C:\Users\FredricJLowe\Downloads\install_reader11_en_mssd_aaa_aih.exe
2014-11-12 01:06:07 77D0B05858A20DA07C533AC215CBB483 244088 ----a-w- C:\Users\FredricJLowe\Downloads\Firefox Setup Stub 33.1 (1).exe
2014-11-12 00:28:40 77D0B05858A20DA07C533AC215CBB483 244088 ----a-w- C:\Users\FredricJLowe\Downloads\Firefox Setup Stub 33.1.exe
2014-11-12 00:26:32 D41D8CD98F00B204E9800998ECF8427E 0 ----a-w- C:\Users\FredricJLowe\Downloads\FirefoxSetup.exe
2014-11-12 00:11:16 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
2014-11-12 00:09:09 6C24D159A6EA36C720D33883E5338E86 691112 ----a-w- C:\Users\FredricJLowe\Downloads\msgr11ph.exe
2014-11-12 00:03:42 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-11-11 23:44:43 -------- d-----w- C:\Users\Public\AppData
2014-11-11 23:44:43 -------- d-----w- C:\Users\dub_cm_auto\AppData
2014-11-11 21:02:44 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ONESOFTPERDAY
2014-11-11 20:59:02 CEA4EC1D5DF523AD10A88D6750371227 852328 ----a-w- C:\Users\FredricJLowe\Downloads\Firefox_Setup_34.0.exe
2014-11-10 04:27:10 -------- d-----w- C:\ProgramData\RogueKiller
2014-11-09 20:19:32 -------- d-----w- C:\ProgramData\Sophos
2014-11-09 18:54:52 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
2014-11-09 18:54:43 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utilities
2014-11-09 03:26:58 33398D340008A0577507FCA7FD443622 19828376 ----a-w- C:\Users\FredricJLowe\Downloads\mbam-setup-2.0.3.1025 (3).exe
2014-11-09 03:26:50 33398D340008A0577507FCA7FD443622 19828376 ----a-w- C:\Users\FredricJLowe\Downloads\mbam-setup-2.0.3.1025 (2).exe
2014-11-09 03:25:26 33398D340008A0577507FCA7FD443622 19828376 ----a-w- C:\Users\FredricJLowe\Downloads\mbam-setup-2.0.3.1025 (1).exe
2014-11-09 03:25:20 33398D340008A0577507FCA7FD443622 19828376 ----a-w- C:\Users\FredricJLowe\Downloads\mbam-setup-2.0.3.1025.exe
2014-11-09 03:20:08 430A389AE785F228F28234D7C161D351 3778560 ----a-w- C:\Users\FredricJLowe\Downloads\RogueKillerX64.exe
2014-11-09 03:17:19 E1BA8EE229676CDCE0D85D2661719BB5 796616 ----a-w- C:\Users\FredricJLowe\Downloads\Free_Download_Setup (3).exe
2014-11-09 03:15:55 E1BA8EE229676CDCE0D85D2661719BB5 796616 ----a-w- C:\Users\FredricJLowe\Downloads\Free_Download_Setup (2).exe
2014-11-09 03:15:06 E1BA8EE229676CDCE0D85D2661719BB5 796616 ----a-w- C:\Users\FredricJLowe\Downloads\Free_Download_Setup (1).exe
2014-11-09 03:13:26 E1BA8EE229676CDCE0D85D2661719BB5 796616 ----a-w- C:\Users\FredricJLowe\Downloads\Free_Download_Setup.exe
2014-11-06 13:43:08 0DE7C31D176F9DDEBBB052C654B9806B 3060320 ------w- C:\Users\FredricJLowe\Downloads\NPE.exe
2014-10-19 18:39:23 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-10-19 18:37:58 -------- d-----w- C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
====== C: exe-files ==
2014-11-12 15:00:46 E0E2FE836FD209FBE336DE720032DA99 96768 ----a-w- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe
2014-11-12 15:00:46 8B4A087962B4411D7FF2A91F6CAE1EBA 54432 ----a-w- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe
2014-11-12 15:00:46 8B4A087962B4411D7FF2A91F6CAE1EBA 54432 ----a-w- C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe
2014-11-12 15:00:46 41094C32DD59E2E56EE7AFCB0AB917B3 130208 ----a-w- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
2014-11-12 15:00:46 37EBCD76164A25F87E61D2158145FA42 59392 ----a-w- C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe
==== Startup Registry Enabled ======================
[HKEY_USERS\S-1-5-21-3225944584-185484181-3065989196-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"
"rn5.exe"="C:\Program Files (x86)\ActiveTracker\rn5.exe"
"GoogleDriveSync"="C:\Program Files (x86)\Google\Drive\googledrivesync.exe /autostart"
"GoogleChromeAutoLaunch_70FA2A021BD990B422754CDCA3624AEA"="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --no-startup-window"
"Messenger (Yahoo\PROGRA~2\Yahoo\Messenger\YahooMessenger.exe -quiet"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
"BrStsMon00"="C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN"
"AcronisTimounterMonitor"="C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe"
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"TkBellExe"="C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe -osboot"
"Act.Outlook.Service"="C:\Program Files (x86)\ACT\Act for Windows\Act.Outlook.Service.exe"
"Act\Program Files (x86)\ACT\Act for Windows\Act.exe -preload"
"ACTSchedulerUI"="C:\Program Files (x86)\ACT\Act for Windows\Act.Scheduler.UI.exe -Dfalse"
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe -atboottime"
"Wondershare Helper Compact.exe"="C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe"
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe"
"ospd_us_377"="C:\Program Files (x86)\ospd_us_377\ospd_us_377.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"
"rn5.exe"="C:\Program Files (x86)\ActiveTracker\rn5.exe"
"GoogleDriveSync"="C:\Program Files (x86)\Google\Drive\googledrivesync.exe /autostart"
"GoogleChromeAutoLaunch_70FA2A021BD990B422754CDCA3624AEA"="C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --no-startup-window"
"Messenger (Yahoo\PROGRA~2\Yahoo\Messenger\YahooMessenger.exe -quiet"
==== Startup Registry Enabled x64 ======================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
"mylbx"="C:\Program Files\My Lockbox\mylbx.exe /a"
"MFNetworkScanUtility"="C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE"
==== Startup Registry Disabled x64 ======================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM]
"key"="SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Adobe ARM"
"hkey"="HKLM"
"command"="\"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ICQ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQ"
"hkey"="HKCU"
"command"="\"C:\\Program Files (x86)\\ICQ7.7\\ICQ.exe\" silent loginmode=4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\YahooAUService]

==== Task Scheduler Jobs ======================
C:\Windows\tasks\Adobe Flash Player Updater.job --a------ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [11/12/2014 09:35 AM]
C:\Windows\tasks\G2MUpdateTask-S-1-5-21-3225944584-185484181-3065989196-1000.job --a------ C:\Program Files (x86)\C:itrix\GoToMeeting\1865\g2mupdate.exe []
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job --a------ C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [10/23/2014 01:00 AM]
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job --a------ C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [10/23/2014 01:00 AM]
==== Other Scheduled Tasks ======================
"C:\Windows\SysNative\tasks\Adobe Flash Player Updater" [C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe]
"C:\Windows\SysNative\tasks\G2MUpdateTask-S-1-5-21-3225944584-185484181-3065989196-1000" [C:\Program Files (x86)\Citrix\GoToMeeting\1865\g2mupdate.exe]
"C:\Windows\SysNative\tasks\GoogleUpdateTaskMachineCore" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\Windows\SysNative\tasks\GoogleUpdateTaskMachineUA" [C:\Program Files (x86)\Google\Update\GoogleUpdate.exe]
"C:\Windows\SysNative\tasks\JetBoost_Startup" [C:\Program Files (x86)\BlueSprig\JetBoost\JetBoostTray.exe]
"C:\Windows\SysNative\tasks\Norton WSC Integration" ["C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\WSCStub.exe"]
"C:\Windows\SysNative\tasks\RealUpgradeLogonTaskS-1-5-21-3225944584-185484181-3065989196-1000" [C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe]
"C:\Windows\SysNative\tasks\RealUpgradeScheduledTaskS-1-5-21-3225944584-185484181-3065989196-1000" [C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe]
"C:\Windows\SysNative\tasks\RPC" [C:\Program Files (x86)\RPC\Reg Pro Cleaner\RegProCleaner.exe]
"C:\Windows\SysNative\tasks\SidebarExecute" [C:\Program Files\Windows Sidebar\sidebar.exe]
"C:\Windows\SysNative\tasks\{72804138-9FD9-4888-A1E9-A32D689899FA}" [C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe]
"C:\Windows\SysNative\tasks\{952C5732-59DD-40A1-81F9-C5213DBBBF3E}" ["C:\Program Files\Internet Explorer\iexplore.exe" http://ui.skype.com/ui/0/6.3.0.107/en/go/help.faq.installer?LastError=1603]
"C:\Windows\SysNative\tasks\{97A0805E-6B42-4778-9C68-CA81B5E4D6D0}" ["C:\Program Files\Internet Explorer\iexplore.exe" http://ui.skype.com/ui/0/6.3.0.107/en/go/help.faq.installer?LastError=1603]
"C:\Windows\SysNative\tasks\{B10C07A1-940F-4985-8D4B-C609B9FE0243}" ["C:\Program Files\Internet Explorer\iexplore.exe" http://ui.skype.com/ui/0/6.3.0.107/en/go/help.faq.installer?LastError=1603]
"C:\Windows\SysNative\tasks\{F69CB7A8-2AC0-4C5C-9F7A-F8C62FA6AC4A}" [C:\Users\FredricJLowe\Desktop\ICSolutions13-4.exe]
"C:\Windows\SysNative\tasks\Apple\AppleSoftwareUpdate" [C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe]
"C:\Windows\SysNative\tasks\NCH Software\ExpressZipSevenDays" [C:\Program Files (x86)\NCH Software\ExpressZip\ExpressZip.exe]
"C:\Windows\SysNative\tasks\Norton Security Suite\Norton Error Analyzer" [C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\SymErr.exe]
"C:\Windows\SysNative\tasks\Norton Security Suite\Norton Error Processor" [C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\SymErr.exe]
==== Firefox Extensions Registry ======================
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn" [11/12/2014 09:31 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{1D8CE494-1FA3-156A-5998-9E64EAE0C898}"="C:\Program Files (x86)\ver0BetterDeals\182.xpi" []
==== Firefox Extensions ======================
ProfilePath: C:\Users\FREDRI~1\AppData\Roaming\Mozilla\Firefox\Profiles\nzm0n0ik.default
- Undetermined - alertbox@ajitk.com
- Undetermined - exif_viewer@mozilla.doslash.org
- Undetermined - {1D8CE494-1FA3-156A-5998-9E64EAE0C898}
- Distill Web Monitor - AlertBox - %ProfilePath%\extensions\alertbox@ajitk.com.xpi
- Exif Viewer - %ProfilePath%\extensions\exif_viewer@mozilla.doslash.org.xpi
ProfilePath: C:\Users\FREDRI~1\AppData\Roaming\Thunderbird\Profiles\izpoojy7.default
- pmth@readnotify.com - C:\Program Files (x86)\ActiveTracker\plugins\thunderbird\pmth
- pmth@readnotify.com - %ProfilePath%\extensions\pmth@readnotify.com
- ImportExportTools - %ProfilePath%\extensions\{3ed8cc52-86fc-4613-9026-c1ef969da4c3}.xpi
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
==== Firefox Plugins ======================
Profilepath: C:\Users\FredricJLowe\AppData\Roaming\Mozilla\Firefox\Profiles\nzm0n0ik.default
DFC9460CC37E5C414DC4680B10C19E7A - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll - Shockwave Flash
6A03609A79D8C5ACECB66EED53F3A0AB - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll - RealNetworks(tm) Chrome Background Extension Plug-In (32-bit)
70677064555D2EB816249ABB0150951F - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll - RealPlayer(tm) HTML5VideoShim Plug-In (32-bit)

==== Chromium Look ======================
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
fbpdhkpnhljiimdoalmapnaombjlcgja - C:\Program Files (x86)\OApps\chrome-sl.crx[]
iikflkcanblccfahdhdonehdalibjnif - No path found[]
jfmjfhklogoienhpfnppmbcbjfjnkonk - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx[07/04/2012 05:48 AM]
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
apdfllckaahabafndbhieahigkjlhalf - C:\Users\FREDRI~1\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx[05/30/2014 10:16 AM]
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]
Google Slides - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek
Google Docs - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
Google Drive - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
Google Voice Search Hotword (Beta) - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
YouTube - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
Google Sheets - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap
Norton Identity Safe - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif
RealPlayer HTML5Video Downloader Extension - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk
Google Drive App Launcher - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh
Google Wallet - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Readnotify.com Web Plugin - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\nofmhkiliplhcecdhmfndhjbppbmoegk
Gmail - FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
==== Chromium Fix ======================
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx deleted successfully
C:\Users\FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif deleted successfully
C:\Users\FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh deleted successfully
C:\Users\FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk deleted successfully
==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
No DefaultScope Set For HKCU
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Unknown Url="Not_Found"
==== Deleting CLSID Registry Keys ======================
HKEY_USERS\S-1-5-21-3225944584-185484181-3065989196-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62D3811C-4323-0D30-1FD1-468AFF19EB2A} deleted successfully
HKEY_USERS\S-1-5-21-3225944584-185484181-3065989196-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{62D3811C-4323-0D30-1FD1-468AFF19EB2A} deleted successfully
HKEY_USERS\S-1-5-21-3225944584-185484181-3065989196-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{62D3811C-4323-0D30-1FD1-468AFF19EB2A} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62D3811C-4323-0D30-1FD1-468AFF19EB2A} deleted successfully
==== Deleting CLSID Registry Values ======================
HKEY_USERS\S-1-5-21-3225944584-185484181-3065989196-1000\Software\Mozilla\Firefox\Extensions\{1D8CE494-1FA3-156A-5998-9E64EAE0C898} deleted successfully
==== Deleting Registry Keys ======================
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\fbpdhkpnhljiimdoalmapnaombjlcgja deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif deleted successfully
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0BCE8B0A-1E76-44E5-9909-3CF804D92E4D}_is1 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM deleted successfully
==== Empty IE Cache ======================
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\FredricJLowe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\FredricJLowe\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
==== Empty FireFox Cache ======================
No FireFox Cache found
==== Empty Chrome Cache ======================
C:\Users\FredricJLowe\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
==== Empty All Flash Cache ======================
Flash Cache Emptied Successfully
==== Empty All Java Cache ======================
Java Cache cleared successfully
==== C:\zoek_backup content ======================
C:\zoek_backup (files=138 folders=80 137874174 bytes)
==== Empty Temp Folders ======================
C:\Users\Administrator\AppData\Local\temp emptied successfully
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\dub_cm_auto\AppData\Local\temp emptied successfully
C:\Users\FredricJLowe\AppData\Local\Temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Users\UpdatusUser\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\Windows\Temp successfully emptied
C:\Users\FREDRI~1\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied
==== Deleting Files / Folders ======================
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\FXSSVCDebugLogFile.txt" not deleted
"C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp\FXSTIFFDebugLogFile.txt" not deleted
==== EOF on Wed 11/12/2014 at 10:51:27.24 ======================

This has changed things, and now I am not able to access Yahoo Messenger, and when I launch Thunderbird I am now getting this message:
"Unable to write the email to the mailbox. Make sure the file system allows you write privileges, and you have enough disk space to copy the mailbox."

I hope we can reverse the changes that were made, which made things worse than earlier this morning.
 

FredricJLowe
System restored successfully. Email and Yahoo are working.

Same issues remain from this morning:
1) "Web bar encountered a problem and need to restart." I tried clicking "OK" but it kept coming back, so I hit Cancel and everything loaded.

2) Windows Gadgets still don't load automatically. Yesterday after rebooting, Gadgets were loading perfectly fine.

3) Google Chrome had the same issue when the dllhost.exe 32 COM Surrogate virus was still present. This is the same error message this morning: "Google cannot read and write to this directory C:\Users\FredricJLowe\AppData\Local\Google\Chrome\UserData"

4) Firefox said, "Your Firefox profile cannot be loaded. It may be missing or inaccessible."

The only thing I did last night was reinstall and run Spybot Search and Destroy, and it found and deleted 15 tracking cookies. This morning, prior to running your scan with ZOEK, I uninstalled it as you asked, to turn off antispyware. But the issues persisted.

But last night all of the above were working. What could have changed overnight, when I rebooted this morning, to stop them from being accessible? I even noticed a few shortcut website icons changed as well and are not able to open. But last night, their normal icons were fixed on these 2 and they opened. So somehow this is all related. But ACT! works fine, as does Microsoft Office, both of which were not working yesterday when the viruses were still present.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Re-run MBAM Anti-Rootkit
and

Download ESET Poweliks Cleaner:
http://download.eset.com/special/ESETPoweliksCleaner.exe

When the download is complete, navigate to your Desktop and double-click ESETPoweliksCleaner.exe.
Read the terms of the End-User License Agreement and click Agree if you agree to them.

The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.

If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed.
Press any key to exit the tool.

After removing an infection, we highly recommend that you restart your computer. The infection should now be removed and you should be able to access the web content that was being blocked.
 


FredricJLowe
Did all above. I reinstalled Chrome and Firefox but received the same error messages; I right-clicked on each and finally they each loaded. In Control Panel I changed my account, Fredric J Lowe, from Standard to Administrator. I also turned off User Account Settings, and now Google Chrome and Mozilla Firefox are opening when clicked. Gadgets are also loading upon startup. The only issue remaining is this: "Web bar encountered a problem and need to restart." I tried clicking "OK" but it kept coming back, so I hit Cancel and everything loaded.

Last, I am not happy with Norton since it didn't block the Poweliks virus. Would you recommend AVG as an alternative, or do you have another suggestion?

Thank you.
 

argus
AVG, Avast, Norton ... none of them block Poweliks.
I've tried everything, but malware always makes the problem.

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 

FredricJLowe
# DelFix v10.8 - Logfile created 12/11/2014 at 18:33:03
# Updated 29/07/2014 by Xplode
# Username : FredricJLowe - FREDLOWEDESKTOP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\zoek_backup
Deleted : C:\AdwCleaner
Deleted : C:\Users\FredricJLowe\Desktop\mbar
Deleted : C:\Program Files (x86)\Trend Micro\Hijackthis
Deleted : C:\ComboFix.txt
Deleted : C:\LOGF5IM7~error.txt~
Deleted : C:\zoek-results.log
Deleted : C:\Users\FredricJLowe\Downloads\RogueKillerX64.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Cleaning system restore ...

Deleted : RP #338 [Installed Microsoft Fix it 50195 | 11/12/2014 21:18:57]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

Thank you again for all of your help. Hopefully everything we accomplished will remain in good working order now!!
 

FredricJLowe
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.
Hello again,
All was working just fine. Last night as I was about to shut down the desktop, the screen went black for about 10 seconds and then everything was appearing. This morning when rebooting, I received a Windows error about high CPU usage by Windows services or something to that effect. I checked my CPU and it was running close to 0%. I saw System Idle Process running at 99% and tried to end the process but it wouldn't allow me to. I noticed there were about 10 Chrome.exe 32 processes running. I Googled this and it appears it must be malware. I didn't have Google Chrome open when I saw this appear. When I end the processes, they just reappear.

Hope you can assist again!

Thank you!!

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • chrome.exe 32 multiple.pdf (179.2 KB)
