Cannot remove Win32/Zbot, keeps re-installing itself


Postby StephenClark » March 16th, 2014, 5:19 pm

Hello, this is Stephen Clark. I have two Windows 7/64 AMD-based machines which are virtually identical in configuration, one for me and one for my wife. They are connected to a home network and the router with a cable modem.

My wife recently opened a fake What'sAp email, which infected her computer with several Trojans; among them were Win32/Kuluoz.B, Win32/CeeInject.gen!KK, Win64/Rovnix.gen!C, Win32/Upatre.B, and Win32/Zbot.Gen!AP. Microsoft Security Essentials detects and quarantines all of these but is unable to remove Zbot.

I have tried Windows Defender Offline as advised by Microsoft, but as soon as I reboot, the Trojan re-appears. Microsoft Security Essentials detects it, quarantines it, then asks for a reboot. When you reboot, Z-bot appears again, and on and on and on. I have tried Z-bot killers from AVG, Kaspersky, Malwarebytes, and Microsoft programs Malicious Software Removal Tool, Safety Scanner, Windows Defender Offline multiple times. I have deleted Microsoft Backup Files where I know they are hiding in zip files. I have used Windows 7/64 Disc to repair startup files, and fix the boot sector.

Each time I reboot, MSE finds Zbot again, and cleans it, and requires a reboot. Also a pop-up asks if I want to install AdobeFlashPlayer Update? I never click YES on this because I know it is Zbot trying to steal passwords. We have changed all my wife's passwords as a precaution.

I could really use some help here, as I am out of options other than a clean install of Windows on her machine and re-installing all of her applications and files from clean backups. Or maybe that would be the best course? I appreciate your advice/counsel.

I am an IT professional, and proficient in Windows, and I have used your service before with great success. Now I need you again!

Stephen Clark

BTW, when I downloaded DDS from your link, I got dds.scr.txt which does not execute and is full of gibberish. I had to download DDS from another site to create the following logs:

DDS.TXT:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by Kitty Clark at 16:10:52 on 2014-03-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.804 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Core Temp\Core Temp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe
C:\Program Files\Windows Sidebar\sidebar.exe
svchost.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\splwow64.exe
C:\Windows\system32\taskeng.exe
svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\SysWOW64\cmd.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
TB: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [TWC.Win7] C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [obbnnwkp] "C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe"
uRun: [phqogutl] "C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe"
uRun: [Buleodliyg] "C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe"
uRun: [qjbjbfct] "C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe"
uRun: [Afwoynunylo] "C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe"
uRun: [Idalebd] "C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe"
uRun: [qxuucbke] "C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe"
uRun: [Abgypakeilicyp] "C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [CanonSolutionMenuEx] C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Buleodliyg] "C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe"
mRun: [Afwoynunylo] "C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe"
mRun: [Idalebd] "C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe"
mRun: [Abgypakeilicyp] "C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstall ... 0EtSzZIVTk"&"inst=NzctNzExNTI1MDAxLVhPMTArMTEtTElDKzItVklQKzEtRkwxMCsxLVRVRyszLUREVCs2MTYwMy1ERDEwRisxLVNUMTBGQVBQKzEtU1QxMkZPSSsxLUVVTEErMS1TVDEyRkFQUCsx"&"prod=90"&"ver=2012.0.1809"&"mid=ec2ba82855f747d6a39abdb90fe5910e-473b8ab7618aadb6b0f68fdc49d2c8fec08d808c
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{B238F230-1086-475C-9FF8-8E85232E8E4E} : DHCPNameServer = 75.75.76.76 75.75.75.75
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 http://www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?gl=us&ned= ... ebook.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF - component: C:\Documents and Settings\Kitty Clark.KITTY3\Application Data\Mozilla\Firefox\Profiles\hwi43x7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Documents and Settings\Kitty Clark.KITTY3\Application Data\Mozilla\Firefox\Profiles\hwi43x7r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox\components\avgssff.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R1 SBRE;SBRE;C:\Windows\System32\drivers\SBREDrv.sys [2011-4-11 55384]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-7-29 202752]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2011-4-18 21992]
R2 ES lite Service;ES lite Service for program management.;C:\Program Files (x86)\Gigabyte\EasySaver\essvr.exe [2011-4-11 68136]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2013-10-30 15125280]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-21 3921880]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-10-21 1042272]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-10-21 171416]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-10-23 414496]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2013-10-30 39200]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-3-1 187392]
R3 SrvHsfPCI;SrvHsfPCI;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-13 411136]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
R3 UsbFltr;WayTech USB Filter Driver;C:\Windows\System32\drivers\UsbFltr.sys [2007-4-9 12288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-4-11 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-3-11 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-27 19456]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP1a\RpcAgentSrv.exe [2011-4-13 93848]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-13 56832]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-4-10 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-03-16 20:36:06 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{801453A7-A87A-48E2-9B34-826E70529E18}\offreg.dll
2014-03-16 20:33:30 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{801453A7-A87A-48E2-9B34-826E70529E18}\mpengine.dll
2014-03-16 20:14:45 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Wuaxax
2014-03-16 20:12:41 155648 ----a-w- C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe
2014-03-16 20:11:38 114692 ----a-w- C:\Users\Kitty Clark\AppData\Local\uimafqjw.exe
2014-03-16 04:22:41 208216 ----a-w- C:\Windows\System32\drivers\26609797.sys
2014-03-15 21:41:31 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Izcailfo
2014-03-15 20:05:48 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-15 20:03:42 148992 ----a-w- C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe
2014-03-15 20:00:22 10536864 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-03-15 05:37:43 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Ovepca
2014-03-15 02:47:32 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-14 22:13:45 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9106129A-BBFE-4095-A575-1FFA4761E3FC}\gapaengine.dll
2014-03-14 22:12:58 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2014-03-14 22:12:56 -------- d-----w- C:\Program Files\Microsoft Security Client
2014-03-14 22:02:55 146944 ----a-w- C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe
2014-03-14 01:43:51 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Aqcainxi
2014-03-13 23:25:07 147968 ----a-w- C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe
2014-03-13 22:26:47 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Zypaiq
2014-03-13 17:27:49 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Diurekys
2014-03-13 10:34:21 -------- d-----w- C:\Windows\Microsoft Antimalware
2014-03-13 05:47:48 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Ofezmuan
2014-03-13 03:12:22 -------- d-----w- C:\Users\Kitty Clark\AppData\Roaming\Nugyug
2014-03-11 22:51:25 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-03-11 22:51:25 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-02-26 23:18:10 -------- d-----w- C:\Program Files\iPod
2014-02-26 23:18:09 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-26 23:18:09 -------- d-----w- C:\Program Files\iTunes
2014-02-26 23:18:09 -------- d-----w- C:\Program Files (x86)\iTunes
2014-02-26 23:13:10 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2014-02-26 23:13:10 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2014-02-26 23:13:10 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2014-02-26 23:13:10 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2014-02-26 23:13:10 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2014-02-26 19:57:49 6574592 ----a-w- C:\Windows\System32\mstscax.dll
2014-02-26 19:57:49 5694464 ----a-w- C:\Windows\SysWow64\mstscax.dll
.
==================== Find3M ====================
.
2014-03-16 05:52:02 25640 ----a-w- C:\Windows\gdrv.sys
2014-03-12 19:50:21 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-12 19:50:21 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-03-01 05:17:02 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-03-01 05:16:26 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-01 04:52:55 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-01 04:51:59 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-01 04:33:52 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-01 04:33:34 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-01 04:32:59 708608 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-01 04:23:49 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-01 04:11:20 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-03-01 03:54:33 5768704 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-01 03:52:43 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-01 03:37:35 553472 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-01 03:35:11 2041856 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-01 03:14:15 4244480 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-01 03:10:28 2334208 ----a-w- C:\Windows\System32\wininet.dll
2014-03-01 03:00:08 1964032 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-01-29 02:32:18 484864 ----a-w- C:\Windows\System32\wer.dll
2014-01-29 02:06:47 381440 ----a-w- C:\Windows\SysWow64\wer.dll
2014-01-28 02:32:46 228864 ----a-w- C:\Windows\System32\wwansvc.dll
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-01-17 22:24:12 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2014-01-17 22:24:12 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2014-01-16 20:16:03 108968 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-12-24 23:09:41 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2013-12-24 22:48:32 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2013-12-21 09:53:45 548864 ----a-w- C:\Windows\System32\vbscript.dll
2013-12-21 08:56:47 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
.
============= FINISH: 16:13:32.69 ===============
Attach.TXT:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2011 8:53:01 PM
System Uptime: 3/16/2014 3:06:06 PM (1 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA785GM-US2H
Processor: AMD Athlon(tm) II X2 245 Processor | Socket M2 | 2900/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 93.856 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 232.052 GiB free.
E: is FIXED (NTFS) - 233 GiB total, 94.55 GiB free.
F: is CDROM (UDF)
G: is CDROM ()
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Adobe Flash Player 12 ActiveX
Adobe Flash Player 12 Plugin
Adobe Reader XI (11.0.06)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUS nVidia Driver
Bonjour
Canon Easy-PhotoPrint EX
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 4.0
Canon MP280 series MP Drivers
Canon MP280 series User Registration
Canon My Printer
Canon Solution Menu EX
Core Temp 1.0 RC2
CPUID CPU-Z 1.58
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DVD Profiler Version 3.8.2
EasyBCD 2.0
EasySaver B9.0904.1
eReg
ERUNT 1.1j
GeForce Experience NvStream Client Components
iTunes
Java 7 Update 51 (64-bit)
Logitech SetPoint 6.32
Malwarebytes Anti-Malware version 1.75.0.1300
Mesh Runtime
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Outlook Social Connector Provider for Facebook 32-bit
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 27.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA 3D Vision Controller Driver
NVIDIA 3D Vision Controller Driver 331.65
NVIDIA 3D Vision Driver 331.65
NVIDIA Control Panel 331.65
NVIDIA Display Control Panel
NVIDIA GeForce Experience 1.7.1
NVIDIA Graphics Driver 331.65
NVIDIA HD Audio Driver 1.3.26.4
NVIDIA Install Application
NVIDIA LED Visualizer 1.0
NVIDIA PhysX
NVIDIA PhysX System Software 9.13.0725
NVIDIA ShadowPlay 9.3.21
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 9.3.21
NVIDIA Update Components
NVIDIA Virtual Audio 1.2.9
PlayReady PC Runtime x86
PVSonyDll
QuickTime 7
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
SHIELD Streaming
SiSoftware Sandra Lite 2011.SP1a
Spybot - Search & Destroy
The Weather Channel App
The Weather Channel Desktop 6
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2878227) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2008 x64 Redistributables
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
3/16/2014 3:36:19 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid= ... 2147682349 Name: PWS:Win32/Zbot.gen!AP ID: 2147682349 Severity: Severe Category: Password Stealer Path: process:_pid:1596;process:_pid:3908;process:_pid:4356;process:_pid:4652;process:_pid:5912;process:_pid:6568;process:_pid:6712 Detection Origin: Unknown Detection Type: Heuristics Detection Source: User User: Kitty4\Kitty Clark Process Name: C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. Error Code: 0x8007054f Error description: An internal error occurred. Signature Version: AV: 1.167.2104.0, AS: 1.167.2104.0, NIS: 110.21.0.0 Engine Version: AM: 1.1.10302.0, NIS: 2.1.10302.0
3/16/2014 3:29:21 PM, Error: srv [2017] - The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
3/15/2014 3:04:40 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
3/14/2014 4:58:52 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.167.1905.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.10302.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
3/14/2014 4:52:44 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
3/14/2014 4:52:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/14/2014 4:52:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
3/14/2014 4:52:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
3/14/2014 4:52:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
3/14/2014 4:52:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/14/2014 4:52:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
3/14/2014 4:52:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
3/14/2014 4:52:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The Microsoft Network Inspection System service depends on the Microsoft Malware Protection Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2014 4:52:17 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/14/2014 10:31:29 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.
3/14/2014 10:31:29 PM, Error: Service Control Manager [7000] - The Spybot-S&D 2 Scanner Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/13/2014 1:58:11 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk0\DR0.
.
==== End Of File ===========================
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm
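The most useful lines in the log above are the Microsoft Antimalware event 1119 entry and the Service Control Manager 7026 entry: the first records the detection name, the launcher under the user's AppData\Roaming tree, the fact that the engine found the threat inside seven running processes rather than in a file, and the 0x8007054f failure; the second shows MSE's own MpFilter driver failing to load on the 3/14 boot. The following Python is an added example, not code from this thread, from DDS or from Microsoft. It takes those two lines (copied from the post as constructed samples; the fwlink URL is left truncated as the page shows it), cuts the Antimalware body into its labelled fields and emits the findings a responder would act on. The field-label list and the triage rules are assumptions of the example.

```python
"""Added example: triage the Event Viewer lines from a DDS log.

Not part of the original thread and not code from DDS, FRST or Microsoft;
the sample lines are copied from the post above and the label list and
triage rules are assumptions of this example.
"""
import re

# Constructed samples, copied from the Event Viewer section of the post above.
SAMPLE_1119 = (
    "3/16/2014 3:36:19 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has "
    "encountered a critical error when taking action on malware or other potentially unwanted "
    "software. For more information please see the following: "
    "http://go.microsoft.com/fwlink/?linkid= ... 2147682349 Name: PWS:Win32/Zbot.gen!AP "
    "ID: 2147682349 Severity: Severe Category: Password Stealer "
    "Path: process:_pid:1596;process:_pid:3908;process:_pid:4356;process:_pid:4652;"
    "process:_pid:5912;process:_pid:6568;process:_pid:6712 Detection Origin: Unknown "
    "Detection Type: Heuristics Detection Source: User User: Kitty4\\Kitty Clark "
    "Process Name: C:\\Users\\Kitty Clark\\AppData\\Roaming\\Wuaxax\\nutyhau.exe "
    "Action: Quarantine Action Status: To finish removing malware and other potentially "
    "unwanted software, restart the computer. Error Code: 0x8007054f "
    "Error description: An internal error occurred. Signature Version: AV: 1.167.2104.0, "
    "AS: 1.167.2104.0, NIS: 110.21.0.0 Engine Version: AM: 1.1.10302.0, NIS: 2.1.10302.0"
)
SAMPLE_7026 = (
    "3/14/2014 4:52:18 PM, Error: Service Control Manager [7026] - The following boot-start "
    "or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT "
    "nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf"
)

HEADER_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M), (?P<level>\w+): (?P<source>.+?) "
    r"\[(?P<event_id>\d+)\] - (?P<body>.*)$"
)
# Labels used in the Antimalware event body (assumed list, taken from the log above).
MP_KEYS = ["Name", "ID", "Severity", "Category", "Path", "Detection Origin", "Detection Type",
           "Detection Source", "User", "Process Name", "Action", "Action Status", "Error Code",
           "Error description", "Signature Version", "Engine Version"]
# Longest label first so "Process Name:" and "Action Status:" are not split on "Name:" / "Action:".
MP_KEY_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in sorted(MP_KEYS, key=len, reverse=True)) + r"):\s"
)
PID_RE = re.compile(r"process:_pid:(\d+)")
PROFILE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\")


def parse_header(line):
    """Split a DDS Event Viewer line into (timestamp, level, source, event_id, body)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an Event Viewer line: " + line[:40])
    return m["ts"], m["level"], m["source"], int(m["event_id"]), m["body"]


def parse_mp_fields(body):
    """Cut the free-text body of an Antimalware event into its 'Label: value' fields."""
    hits = list(MP_KEY_RE.finditer(body))
    fields = {}
    for i, h in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[h.group(1)] = body[h.end():end].strip()
    return fields


def failed_drivers(body):
    """Driver names listed in a Service Control Manager 7026 body."""
    _, _, names = body.partition("failed to load:")
    return names.split()


def triage(lines):
    """Return (event_id, tag, detail) findings a responder would act on."""
    findings = []
    for line in lines:
        _, _, source, event_id, body = parse_header(line)
        if source == "Microsoft Antimalware":
            f = parse_mp_fields(body)
            pids = [int(p) for p in PID_RE.findall(f.get("Path", ""))]
            if pids:  # the path names processes, not a file: the threat was found in memory
                findings.append((event_id, "in-memory", f"{f.get('Name')} in {len(pids)} processes: {pids}"))
            launcher = f.get("Process Name", "")
            if any(d in launcher.lower() for d in PROFILE_DIRS):
                findings.append((event_id, "profile-launcher", launcher))
            if f.get("Error Code", "").startswith("0x"):
                findings.append((event_id, "remediation-failed",
                                 f"{f['Error Code']} {f.get('Error description', '')}"))
            if "restart" in f.get("Action Status", "").lower():
                findings.append((event_id, "reboot-pending", "check autorun entries before rebooting"))
        elif event_id == 7026:
            bad = failed_drivers(body)
            if "MpFilter" in bad:  # MSE's own filter driver did not load on that boot
                findings.append((event_id, "av-driver-missing", "MpFilter not loaded with " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for ev_id, tag, detail in triage([SAMPLE_1119, SAMPLE_7026]):
        print(f"[{ev_id}] {tag}: {detail}")
```

The label-position approach is what makes the parser robust: values such as the Action Status sentence or the signature versions contain spaces, commas and colons of their own, so the body can only be split on the known labels, scanned longest-first. The PID list is the detail worth noticing in this thread: a detection path of the form `process:_pid:N` means the engine matched the signature in running processes, which is why quarantining the file on disk and asking for a reboot does not by itself stop the launcher from coming back.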

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 17th, 2014, 2:05 am

looking over your logs, back soon.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 17th, 2014, 2:29 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.


Unless informed in advance, failure to post replies within 3 days will result in this thread being closed.


Hi StephenClark

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • As you're using Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Please disconnect both of your machines from your Network until we can get them both clean, as it's possible that one may be re-infecting the other. Now connect the first of the machines we need to work on, and do the following ....

First ...

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Spybot - Search & Destroy


... as this may interfere with any fix we may make. You can re-install it when we're finished, but please not before then.

Reboot your computer once it has been uninstalled.

Next ...

  • Download FRST64 to your Desktop.
  • Double click Frst64.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.

Next ...

Download TDSSKiller.zip and extract it to your Desktop.
  • Double click on TDSSKiller.exe to launch it.
    • If using Vista or Windows 7, when prompted by UAC allow the prompt.
  • Click on Start Scan
  • The scan will run.
  • When the scan has finished, if it finds anything please click on the drop down arrow next to Cure and select Skip
  • Now click on Report to open the log file created by TDSSKiller in your root directory C:\
  • Post the contents in your next reply please.
  • DO NOT TRY TO FIX ANYTHING AT THIS POINT

Summary of the logs I need from you in your next post:
  • FRST.txt
  • Addition.txt
  • TDSSKiller log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 4:09 am

Hello Gary, Thanks for your quick reply. Here we go!
I turned off my machine (incidentally, I gave my machine STEPHEN5 a full scan with MSE and it is clean), then on KITTY4:
Running all downloads as Administrator.
1. Backup registry - Successful
2. Uninstall Spybot S&D - uninstalled and restarted; verified that it was uninstalled. FYI: Noticed that Adobe Flash Player 12 Active X, and Adobe Flash Player 12 Plugin were installed 3/12/14. That is the day that my wife clicked on the bogus email. And, each is only 6.0mb. The version shown is 12.0.0.77, which is the correct current version.
3. Downloaded and ran FRST64. FRST.txt follows:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Kitty Clark (administrator) on KITTY4 on 17-03-2014 02:58:24
Running from C:\Users\Kitty Clark\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/downloa ... ool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/downloa ... ool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files\Core Temp\Core Temp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
() C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
() C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
() C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
() C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
() C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2726728 2010-03-24] (CANON INC.)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028384 2013-11-08] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1064224 2013-11-08] (NVIDIA Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonSolutionMenuEx] - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2012-09-30] ()
HKLM-x32\...\Run: [Idalebd] - C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe [279739 2012-09-15] ()
HKLM-x32\...\Run: [Abgypakeilicyp] - C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [288469 2012-03-16] ()
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstall ... 0EtSzZIVTk"&"inst=NzctNzExNTI1MDAxLVhPMTArMTEtTElDKzItVklQKzEtRkwxMCsxLVRVRyszLUREVCs2MTYwMy1ERDEwRisxLVNUMTBGQVBQKzEtU1QxMkZPSSsxLUVVTEErMS1TVDEyRkFQUCsx"&"prod=90"&"ver=2012.0.1809"&"mid=ec2ba82855f747d6a39abdb90fe5910e-473b8ab7618aadb6b0f68fdc49d2c8fec08d808c [X]
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [OfficeSyncProcess] - C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [TWC.Win7] - C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe [47616 2014-02-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [obbnnwkp] - C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe [147968 2014-03-13] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [phqogutl] - C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe [146944 2014-03-14] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [qjbjbfct] - C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe [148992 2014-03-15] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2012-09-30] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Idalebd] - C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe [279739 2012-09-15] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [qxuucbke] - C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe [155648 2014-03-16] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Abgypakeilicyp] - C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [288469 2012-03-16] ()

==================== Internet (Whitelisted) ====================

ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x852AE58D4AD3CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 - DefaultScope {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKLM-x32 - {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKCU - DefaultScope {EE75487F-9D0B-41ff-A092-FEA18652EC33} URL = http://www.google.com/cse?cx=partner-pu ... 8615334&q={searchTerms}
SearchScopes: HKCU - {37374783-29CB-453B-9367-3B54C4EC63E4} URL = http://search.avg.com/route/?d=4da276ee ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
SearchScopes: HKCU - {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKCU - {87F70B1E-6CCD-4BE6-9A0D-428B28668895} URL = http://search.avg.com/route/?d=4da276ee ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
SearchScopes: HKCU - {EE75487F-9D0B-41ff-A092-FEA18652EC33} URL = http://www.google.com/cse?cx=partner-pu ... 8615334&q={searchTerms}
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75

FireFox:
========
FF ProfilePath: C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default
FF DefaultSearchEngine: Yahoo! Search
FF Homepage: hxxp://news.google.com/nwshp?gl=us&ned= ... ebook.com/
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX - C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Add-on Compatibility Reporter - C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\Extensions\compatibility@addons.mozilla.org.xpi [2011-08-31]
FF Extension: Apollo Bookmark/Tab/History Sync add-on - C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\Extensions\ffsync@apollobrowser.com.xpi [2011-11-01]

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR HKLM-x32\...\Chrome\Extension: [defdhglnppeioeflggkmglipcecffkhk] - C:\Program Files (x86)\AutocompletePro\chrome\autocompleteprochrome.crx []

==================== Services (Whitelisted) =================

R2 ES lite Service; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [68136 2009-08-24] ()
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2010-04-05] ()
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15125280 2013-11-08] (NVIDIA Corporation)
S3 SandraAgentSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP1a\RpcAgentSrv.exe [93848 2009-08-10] (SiSoftware)

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-09-27] (NVIDIA Corporation)
R1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [55384 2011-06-28] (Sunbelt Software)
R3 ALSysIO; \??\C:\Users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz134; \??\C:\Users\STEPHE~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S1 mbabgdve; \??\C:\Windows\system32\drivers\mbabgdve.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-17 02:58 - 2014-03-17 03:00 - 00015273 _____ () C:\Users\Kitty Clark\Downloads\FRST.txt
2014-03-17 02:56 - 2014-03-17 02:58 - 00000000 ____D () C:\FRST
2014-03-17 02:56 - 2014-03-17 02:56 - 02157056 _____ (Farbar) C:\Users\Kitty Clark\Downloads\FRST64.exe
2014-03-17 02:35 - 2014-03-17 02:57 - 00000596 _____ () C:\Users\Kitty Clark\Desktop\Gary Reply.txt
2014-03-17 02:32 - 2014-03-17 02:32 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-KITTY4-Microsoft-Windows-7-Professional-(64-bit).dat
2014-03-17 02:31 - 2014-03-17 02:31 - 00000000 ____D () C:\RegBackup
2014-03-17 02:30 - 2014-03-17 02:30 - 00002245 _____ () C:\Users\Kitty Clark\Desktop\Tweaking.com - Registry Backup.lnk
2014-03-17 02:30 - 2014-03-17 02:30 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-03-17 02:29 - 2014-03-17 02:29 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-03-17 02:28 - 2014-03-17 03:00 - 00000838 _____ () C:\Windows\Tasks\Security Center Update - 2788898635.job
2014-03-17 02:28 - 2014-03-17 02:28 - 03944112 _____ () C:\Users\Kitty Clark\Downloads\tweaking.com_registry_backup_setup.exe
2014-03-17 02:28 - 2014-03-17 02:28 - 00003858 _____ () C:\Windows\System32\Tasks\Security Center Update - 2788898635
2014-03-17 02:28 - 2014-03-17 02:28 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Laavyfu
2014-03-17 02:25 - 2014-03-17 02:25 - 00081924 _____ () C:\Users\Kitty Clark\AppData\Local\sgilcetr.exe
2014-03-16 16:49 - 2014-03-17 03:00 - 00000842 _____ () C:\Windows\Tasks\Security Center Update - 2881837955.job
2014-03-16 16:49 - 2014-03-16 16:49 - 00003862 _____ () C:\Windows\System32\Tasks\Security Center Update - 2881837955
2014-03-16 16:49 - 2014-03-16 16:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi
2014-03-16 16:13 - 2014-03-16 16:13 - 00022982 _____ () C:\Users\Kitty Clark\Desktop\dds.txt
2014-03-16 16:13 - 2014-03-16 16:13 - 00014698 _____ () C:\Users\Kitty Clark\Desktop\attach.txt
2014-03-16 16:09 - 2014-03-16 16:10 - 00688992 ____R (Swearware) C:\Users\Kitty Clark\Downloads\dds.com
2014-03-16 15:55 - 2014-03-16 16:02 - 00001821 _____ () C:\Users\Kitty Clark\Desktop\MalwareRemoval.txt
2014-03-16 15:14 - 2014-03-17 03:00 - 00000836 _____ () C:\Windows\Tasks\Security Center Update - 1251265320.job
2014-03-16 15:14 - 2014-03-16 15:14 - 00003856 _____ () C:\Windows\System32\Tasks\Security Center Update - 1251265320
2014-03-16 15:14 - 2014-03-16 15:14 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Wuaxax
2014-03-16 15:12 - 2014-03-16 15:12 - 00155648 _____ () C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe
2014-03-16 15:11 - 2014-03-16 15:11 - 00114692 _____ () C:\Users\Kitty Clark\AppData\Local\uimafqjw.exe
2014-03-15 23:22 - 2014-03-15 23:22 - 00208216 _____ (Kaspersky Lab, GERT) C:\Windows\system32\Drivers\26609797.sys
2014-03-15 23:18 - 2014-03-15 23:18 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\iexplore.exe.exe
2014-03-15 22:31 - 2014-03-15 22:31 - 00237056 _____ (SC BitDefender , Romania) C:\Users\Kitty Clark\Downloads\ZbotRemovalTool.exe
2014-03-15 16:41 - 2014-03-15 16:41 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Izcailfo
2014-03-15 16:01 - 2014-03-15 16:01 - 03640880 _____ () C:\Users\Kitty Clark\Downloads\avg_remover_zbot.exe
2014-03-15 15:05 - 2014-03-15 15:05 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-15 15:03 - 2014-03-15 15:03 - 00148992 _____ () C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe
2014-03-15 00:37 - 2014-03-15 00:37 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ovepca
2014-03-14 21:47 - 2014-03-14 21:47 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-14 21:36 - 2014-03-14 21:36 - 00003560 ____N () C:\bootsqm.dat
2014-03-14 17:35 - 2014-03-14 17:36 - 104233240 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\msert(1).exe
2014-03-14 17:12 - 2014-03-14 17:13 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-03-14 17:12 - 2014-03-14 17:12 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-14 17:07 - 2014-03-14 17:08 - 13670584 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\mseinstall(1).exe
2014-03-14 17:02 - 2014-03-14 17:02 - 00146944 _____ () C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe
2014-03-13 22:08 - 2014-03-13 22:08 - 00000000 _____ () C:\Windows\system32\config\SOFTWARE53e04c1c
2014-03-13 20:43 - 2014-03-15 05:09 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Aqcainxi
2014-03-13 20:19 - 2014-03-13 20:19 - 00122976 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\zbotkiller.exe
2014-03-13 20:07 - 2014-03-13 20:07 - 26437344 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\Windows-KB890830-x64-V5.10(1).exe
2014-03-13 18:25 - 2014-03-13 18:25 - 00147968 _____ () C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe
2014-03-13 17:28 - 2014-03-13 17:28 - 00068465 _____ () C:\Users\Kitty Clark\AppData\Local\hphpmunt
2014-03-13 17:26 - 2014-03-15 05:09 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Zypaiq
2014-03-13 12:27 - 2014-03-15 01:25 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Diurekys
2014-03-13 05:34 - 2014-03-15 18:33 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-13 01:52 - 2014-03-13 01:55 - 00001890 _____ () C:\Windows\diagwrn.xml
2014-03-13 01:52 - 2014-03-13 01:52 - 00001890 _____ () C:\Windows\diagerr.xml
2014-03-13 00:47 - 2014-03-13 05:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ofezmuan
2014-03-12 22:12 - 2014-03-13 05:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Nugyug
2014-03-12 15:13 - 2014-03-12 15:13 - 00012326 _____ () C:\Users\Kitty Clark\AppData\Local\rfdvugjw
2014-03-12 15:12 - 2014-03-12 15:12 - 00068161 _____ () C:\Users\Kitty Clark\AppData\Local\iglnxanr
2014-03-12 15:11 - 2014-03-12 15:11 - 00000000 _____ () C:\Users\Kitty Clark\AppData\Roaming\SharedSettings.ccs
2014-03-11 17:52 - 2014-03-01 01:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-11 17:52 - 2014-03-01 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-11 17:52 - 2014-03-01 00:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-11 17:52 - 2014-02-28 23:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-11 17:52 - 2014-02-28 23:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-11 17:52 - 2014-02-28 23:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-11 17:52 - 2014-02-28 23:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-11 17:52 - 2014-02-28 23:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-11 17:52 - 2014-02-28 23:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-11 17:52 - 2014-02-28 23:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-11 17:52 - 2014-02-28 23:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-11 17:52 - 2014-02-28 23:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-11 17:52 - 2014-02-28 23:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-11 17:52 - 2014-02-28 23:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-11 17:52 - 2014-02-28 23:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-11 17:52 - 2014-02-28 23:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-11 17:52 - 2014-02-28 23:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-11 17:52 - 2014-02-28 22:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-11 17:52 - 2014-02-28 22:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-11 17:52 - 2014-02-28 22:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-11 17:52 - 2014-02-28 22:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-11 17:52 - 2014-02-28 22:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-11 17:52 - 2014-02-28 22:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-11 17:52 - 2014-02-28 22:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-11 17:52 - 2014-02-28 22:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-11 17:52 - 2014-02-28 22:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-11 17:52 - 2014-02-28 22:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-11 17:52 - 2014-02-28 22:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-11 17:52 - 2014-02-28 22:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-11 17:52 - 2014-02-28 22:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-11 17:52 - 2014-02-28 22:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-11 17:52 - 2014-02-28 22:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-11 17:52 - 2014-02-28 22:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-11 17:52 - 2014-02-28 22:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-11 17:52 - 2014-02-28 21:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-11 17:52 - 2014-02-28 21:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-11 17:52 - 2014-02-28 21:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-11 17:52 - 2014-02-28 21:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-11 17:52 - 2014-02-28 21:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-11 17:52 - 2014-02-28 21:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-11 17:52 - 2014-02-06 20:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-11 17:52 - 2014-02-03 21:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-11 17:52 - 2014-02-03 21:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-11 17:52 - 2014-01-28 21:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-11 17:52 - 2014-01-28 21:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-11 17:52 - 2014-01-27 21:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-11 17:51 - 2014-02-03 21:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-11 17:51 - 2014-02-03 21:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iTunes
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iPod
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-26 18:12 - 2014-02-26 18:13 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-02-26 14:57 - 2014-01-08 21:22 - 05694464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-02-26 14:57 - 2014-01-03 17:44 - 06574592 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll

==================== One Month Modified Files and Folders =======

2014-03-17 03:00 - 2014-03-17 02:58 - 00015273 _____ () C:\Users\Kitty Clark\Downloads\FRST.txt
2014-03-17 03:00 - 2014-03-17 02:28 - 00000838 _____ () C:\Windows\Tasks\Security Center Update - 2788898635.job
2014-03-17 03:00 - 2014-03-16 16:49 - 00000842 _____ () C:\Windows\Tasks\Security Center Update - 2881837955.job
2014-03-17 03:00 - 2014-03-16 15:14 - 00000836 _____ () C:\Windows\Tasks\Security Center Update - 1251265320.job
2014-03-17 03:00 - 2011-04-10 22:37 - 01425889 _____ () C:\Windows\WindowsUpdate.log
2014-03-17 02:58 - 2014-03-17 02:56 - 00000000 ____D () C:\FRST
2014-03-17 02:57 - 2014-03-17 02:35 - 00000596 _____ () C:\Users\Kitty Clark\Desktop\Gary Reply.txt
2014-03-17 02:56 - 2014-03-17 02:56 - 02157056 _____ (Farbar) C:\Users\Kitty Clark\Downloads\FRST64.exe
2014-03-17 02:52 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-17 02:52 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-17 02:50 - 2012-04-07 15:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-17 02:43 - 2011-05-04 23:41 - 00000148 _____ () C:\service.log
2014-03-17 02:42 - 2013-10-21 17:18 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-03-17 02:42 - 2011-10-16 17:28 - 00005941 _____ () C:\Windows\setupact.log
2014-03-17 02:42 - 2011-09-24 11:19 - 00269378 _____ () C:\Windows\PFRO.log
2014-03-17 02:42 - 2011-04-25 21:06 - 00025640 _____ (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2014-03-17 02:42 - 2010-02-28 13:39 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-17 02:42 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-17 02:39 - 2011-05-12 16:36 - 00000197 _____ () C:\Windows\wininit.ini
2014-03-17 02:32 - 2014-03-17 02:32 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-KITTY4-Microsoft-Windows-7-Professional-(64-bit).dat
2014-03-17 02:31 - 2014-03-17 02:31 - 00000000 ____D () C:\RegBackup
2014-03-17 02:30 - 2014-03-17 02:30 - 00002245 _____ () C:\Users\Kitty Clark\Desktop\Tweaking.com - Registry Backup.lnk
2014-03-17 02:30 - 2014-03-17 02:30 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-03-17 02:29 - 2014-03-17 02:29 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-03-17 02:28 - 2014-03-17 02:28 - 03944112 _____ () C:\Users\Kitty Clark\Downloads\tweaking.com_registry_backup_setup.exe
2014-03-17 02:28 - 2014-03-17 02:28 - 00003858 _____ () C:\Windows\System32\Tasks\Security Center Update - 2788898635
2014-03-17 02:28 - 2014-03-17 02:28 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Laavyfu
2014-03-17 02:25 - 2014-03-17 02:25 - 00081924 _____ () C:\Users\Kitty Clark\AppData\Local\sgilcetr.exe
2014-03-16 16:49 - 2014-03-16 16:49 - 00003862 _____ () C:\Windows\System32\Tasks\Security Center Update - 2881837955
2014-03-16 16:49 - 2014-03-16 16:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi
2014-03-16 16:13 - 2014-03-16 16:13 - 00022982 _____ () C:\Users\Kitty Clark\Desktop\dds.txt
2014-03-16 16:13 - 2014-03-16 16:13 - 00014698 _____ () C:\Users\Kitty Clark\Desktop\attach.txt
2014-03-16 16:10 - 2014-03-16 16:09 - 00688992 ____R (Swearware) C:\Users\Kitty Clark\Downloads\dds.com
2014-03-16 16:02 - 2014-03-16 15:55 - 00001821 _____ () C:\Users\Kitty Clark\Desktop\MalwareRemoval.txt
2014-03-16 15:14 - 2014-03-16 15:14 - 00003856 _____ () C:\Windows\System32\Tasks\Security Center Update - 1251265320
2014-03-16 15:14 - 2014-03-16 15:14 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Wuaxax
2014-03-16 15:12 - 2014-03-16 15:12 - 00155648 _____ () C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe
2014-03-16 15:11 - 2014-03-16 15:11 - 00114692 _____ () C:\Users\Kitty Clark\AppData\Local\uimafqjw.exe
2014-03-16 15:11 - 2013-10-03 20:15 - 00000338 _____ () C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2014-03-16 15:11 - 2013-10-03 20:14 - 00000352 _____ () C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2014-03-15 23:48 - 2011-11-28 17:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-15 23:22 - 2014-03-15 23:22 - 00208216 _____ (Kaspersky Lab, GERT) C:\Windows\system32\Drivers\26609797.sys
2014-03-15 23:18 - 2014-03-15 23:18 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\iexplore.exe.exe
2014-03-15 22:31 - 2014-03-15 22:31 - 00237056 _____ (SC BitDefender , Romania) C:\Users\Kitty Clark\Downloads\ZbotRemovalTool.exe
2014-03-15 18:33 - 2014-03-13 05:34 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-15 16:41 - 2014-03-15 16:41 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Izcailfo
2014-03-15 16:01 - 2014-03-15 16:01 - 03640880 _____ () C:\Users\Kitty Clark\Downloads\avg_remover_zbot.exe
2014-03-15 15:05 - 2014-03-15 15:05 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-15 15:04 - 2009-07-14 00:13 - 00786538 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-15 15:03 - 2014-03-15 15:03 - 00148992 _____ () C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe
2014-03-15 05:09 - 2014-03-13 20:43 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Aqcainxi
2014-03-15 05:09 - 2014-03-13 17:26 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Zypaiq
2014-03-15 01:25 - 2014-03-13 12:27 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Diurekys
2014-03-15 00:37 - 2014-03-15 00:37 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ovepca
2014-03-14 22:20 - 2009-07-14 00:08 - 00032558 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-14 21:47 - 2014-03-14 21:47 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-14 21:36 - 2014-03-14 21:36 - 00003560 ____N () C:\bootsqm.dat
2014-03-14 17:36 - 2014-03-14 17:35 - 104233240 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\msert(1).exe
2014-03-14 17:13 - 2014-03-14 17:12 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-03-14 17:13 - 2011-09-26 12:35 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-03-14 17:12 - 2014-03-14 17:12 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-14 17:08 - 2014-03-14 17:07 - 13670584 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\mseinstall(1).exe
2014-03-14 17:02 - 2014-03-14 17:02 - 00146944 _____ () C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe
2014-03-13 22:08 - 2014-03-13 22:08 - 00000000 _____ () C:\Windows\system32\config\SOFTWARE53e04c1c
2014-03-13 20:19 - 2014-03-13 20:19 - 00122976 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\zbotkiller.exe
2014-03-13 20:07 - 2014-03-13 20:07 - 26437344 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\Windows-KB890830-x64-V5.10(1).exe
2014-03-13 18:25 - 2014-03-13 18:25 - 00147968 _____ () C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe
2014-03-13 17:28 - 2014-03-13 17:28 - 00068465 _____ () C:\Users\Kitty Clark\AppData\Local\hphpmunt
2014-03-13 05:49 - 2014-03-13 00:47 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ofezmuan
2014-03-13 05:49 - 2014-03-12 22:12 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Nugyug
2014-03-13 01:55 - 2014-03-13 01:52 - 00001890 _____ () C:\Windows\diagwrn.xml
2014-03-13 01:52 - 2014-03-13 01:52 - 00001890 _____ () C:\Windows\diagerr.xml
2014-03-13 01:52 - 2011-09-24 11:19 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-13 00:52 - 2013-11-23 22:29 - 00064512 ___SH () C:\Users\Kitty Clark\Desktop\Thumbs.db
2014-03-12 15:13 - 2014-03-12 15:13 - 00012326 _____ () C:\Users\Kitty Clark\AppData\Local\rfdvugjw
2014-03-12 15:12 - 2014-03-12 15:12 - 00068161 _____ () C:\Users\Kitty Clark\AppData\Local\iglnxanr
2014-03-12 15:11 - 2014-03-12 15:11 - 00000000 _____ () C:\Users\Kitty Clark\AppData\Roaming\SharedSettings.ccs
2014-03-12 14:50 - 2012-04-07 15:30 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 14:50 - 2012-04-07 15:30 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 14:50 - 2011-06-02 15:44 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-11 19:27 - 2009-07-13 23:45 - 00420360 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-11 19:26 - 2012-05-08 18:32 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-11 19:26 - 2012-05-08 18:32 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-11 19:25 - 2011-08-26 14:36 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-03-11 18:04 - 2010-02-05 02:50 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-11 18:00 - 2013-07-16 18:37 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-02 14:05 - 2011-04-10 21:52 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-01 01:05 - 2014-03-11 17:52 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 00:17 - 2014-03-11 17:52 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 00:16 - 2014-03-11 17:52 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-28 23:58 - 2014-03-11 17:52 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-28 23:52 - 2014-03-11 17:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-28 23:51 - 2014-03-11 17:52 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-28 23:42 - 2014-03-11 17:52 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-28 23:40 - 2014-03-11 17:52 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-28 23:37 - 2014-03-11 17:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-28 23:33 - 2014-03-11 17:52 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-28 23:33 - 2014-03-11 17:52 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-28 23:32 - 2014-03-11 17:52 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-28 23:30 - 2014-03-11 17:52 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-28 23:23 - 2014-03-11 17:52 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-02-28 23:17 - 2014-03-11 17:52 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-28 23:11 - 2014-03-11 17:52 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-28 23:02 - 2014-03-11 17:52 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 22:54 - 2014-03-11 17:52 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 22:52 - 2014-03-11 17:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 22:51 - 2014-03-11 17:52 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 22:47 - 2014-03-11 17:52 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 22:43 - 2014-03-11 17:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 22:43 - 2014-03-11 17:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 22:42 - 2014-03-11 17:52 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 22:40 - 2014-03-11 17:52 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 22:38 - 2014-03-11 17:52 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 22:37 - 2014-03-11 17:52 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 22:35 - 2014-03-11 17:52 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 22:18 - 2014-03-11 17:52 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 22:16 - 2014-03-11 17:52 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 22:14 - 2014-03-11 17:52 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 22:10 - 2014-03-11 17:52 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 22:03 - 2014-03-11 17:52 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 22:00 - 2014-03-11 17:52 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 21:57 - 2014-03-11 17:52 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 21:38 - 2014-03-11 17:52 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 21:32 - 2014-03-11 17:52 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 21:27 - 2014-03-11 17:52 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 21:25 - 2014-03-11 17:52 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 21:25 - 2014-03-11 17:52 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-28 12:31 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-02-26 18:19 - 2012-09-13 15:10 - 00001793 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iTunes
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iPod
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-26 18:13 - 2014-02-26 18:12 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-02-24 00:02 - 2009-07-13 21:34 - 00450811 ____R () C:\Windows\system32\Drivers\etc\hosts.20140307-173755.backup
2014-02-21 11:05 - 2012-04-29 14:24 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service

Some content of TEMP:
====================
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_29f69f7a.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_67ccf922.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_7e6c0ff8.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d2aedb75.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d334b44b.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_dd79834d.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_fade0e4f.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-10 15:27

==================== End Of Log ============================
Last edited by StephenClark on March 17th, 2014, 4:23 am, edited 1 time in total.

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread post by StephenClark » March 17th, 2014, 4:11 am

FRST Addition.txt follows:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-03-2014
Ran by Kitty Clark at 2014-03-17 03:02:00
Running from C:\Users\Kitty Clark\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Adobe Flash Player 12 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASUS nVidia Driver (x32 Version: 1.00.0000 - ASUSTek) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version: - )
Canon Easy-WebPrint EX (HKLM-x32\...\Easy-WebPrint EX) (Version: - )
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: - )
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version: - )
Canon MP280 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP280_series) (Version: - )
Canon MP280 series User Registration (HKLM-x32\...\Canon MP280 series User Registration) (Version: - )
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: - )
Canon Solution Menu EX (HKLM-x32\...\CanonSolutionMenuEX) (Version: - )
Core Temp 1.0 RC2 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
CPUID CPU-Z 1.58 (HKLM\...\CPUID CPU-Z_is1) (Version: - )
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{92C42EDD-6524-4577-B2EB-6C68C63B6D4A}) (Version: - Microsoft)
DVD Profiler Version 3.8.2 (HKLM-x32\...\InvelosDVDProfiler_is1) (Version: - )
EasyBCD 2.0 (HKLM-x32\...\EasyBCD) (Version: 2.0 - NeoSmart Technologies)
EasySaver B9.0904.1 (HKLM-x32\...\{07300F01-89CA-4CF8-92BD-2A605EB83C95}) (Version: 1.00.0000 - Gigabyte)
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version: - Lars Hederer)
GeForce Experience NvStream Client Components (Version: 1.6.28 - NVIDIA Corporation) Hidden
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Java 7 Update 51 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417051FF}) (Version: 7.0.510 - Oracle)
Logitech SetPoint 6.32 (HKLM\...\sp6) (Version: 6.32.20 - Logitech)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-007A-0409-0000-0000000FF1CE}) (Version: 14.0.5118.5000 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Outlook Social Connector Provider for Facebook 32-bit (HKLM-x32\...\{95140000-007C-0409-0000-0000000FF1CE}) (Version: 14.0.6114.5003 - Microsoft Corporation)
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit (HKLM-x32\...\{95140000-007D-0409-0000-0000000FF1CE}) (Version: 14.0.5120.5000 - Microsoft Corporation)
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (HKLM\...\{EE936C7A-EA40-31D5-9B65-8E3E089C3828}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA 3D Vision Controller Driver (x32 Version: 280.19 - NVIDIA Corporation) Hidden
NVIDIA 3D Vision Controller Driver 331.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 331.65 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 331.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 331.65 - NVIDIA Corporation)
NVIDIA Control Panel 331.65 (Version: 331.65 - NVIDIA Corporation) Hidden
NVIDIA Display Control Panel (HKLM\...\NVIDIA Display Control Panel) (Version: 6.14.11.9745 - NVIDIA Corporation)
NVIDIA GeForce Experience 1.7.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 1.7.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 331.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 331.65 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.26.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.26.4 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.141.953 - NVIDIA Corporation) Hidden
NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.0725 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.13.0725 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0725 - NVIDIA Corporation)
NVIDIA ShadowPlay 9.3.21 (Version: 9.3.21 - NVIDIA Corporation) Hidden
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.13.3165 - NVIDIA Corporation) Hidden
NVIDIA Update 9.3.21 (Version: 9.3.21 - NVIDIA Corporation) Hidden
NVIDIA Update Components (Version: 9.3.21 - NVIDIA Corporation) Hidden
NVIDIA Virtual Audio 1.2.9 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_VirtualAudio.Driver) (Version: 1.2.9 - NVIDIA Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
PVSonyDll (Version: 1.00.0001 - NVIDIA Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version: - Microsoft) Hidden
SHIELD Streaming (Version: 1.6.53 - NVIDIA Corporation) Hidden
SiSoftware Sandra Lite 2011.SP1a (HKLM\...\{C3113E55-7BCB-4de3-8EBF-60E6CE6B2296}_is1) (Version: 17.43.2011.4 - SiSoftware)
The Weather Channel App (HKLM-x32\...\{167158CE-1637-4167-8A1C-C2549EEA966A}) (Version: 1.00.0000 - The Weather Channel)
The Weather Channel App (HKLM-x32\...\The Weather Channel App) (Version: - )
The Weather Channel Desktop 6 (HKLM-x32\...\The Weather Channel Desktop 6) (Version: - )
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.7.0 - Tweaking.com)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version: - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version: - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUSR_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUSR_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version: - Microsoft)
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version: - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUSR_{DA2F7ECE-6629-4A80-9CDE-EC95261B75E2}) (Version: - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2775360) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{80F56E3F-1D47-4E45-B6E0-FEF4E919F4F9}) (Version: - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.PROPLUSR_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version: - Microsoft)
Update for Microsoft Visio 2010 (KB2878227) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{5D357893-40BA-4323-86BA-D97C66CD72F4}) (Version: - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version: - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{E78E2B68-8FD1-42EE-BB74-99A4D9E6222D}) (Version: - Microsoft)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM-x32\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Family Safety (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Restore Points =========================

17-03-2014 07:30:06 Windows Backup

==================== Hosts content: ==========================

2009-07-13 21:34 - 2014-03-07 18:37 - 00450811 ____R C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

Task: {04E54DD8-72DB-4873-96C5-0B6BE6354E98} - System32\Tasks\Security Center Update - 2881837955 => C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe [2011-10-01] () <==== ATTENTION
Task: {0AA09166-4C6D-4D6A-A4B7-64D1E37E6109} - System32\Tasks\Core Temp Autostart Stephen Clark => C:\Program Files\Core Temp\Core Temp.exe [2011-09-02] ()
Task: {1CCAF1D1-87F0-4F68-B108-18A775D26EC3} - \Security Center Update - 2841809425 No Task File
Task: {2F2BC4D8-95F2-4213-9EFF-1A421D1FF950} - \Security Center Update - 1962907878 No Task File
Task: {352A4730-4409-4101-A024-0483ADE65582} - System32\Tasks\Ad-Aware Update (Daily 4) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {42549D4B-AD5F-4545-9E2A-09B37E367474} - System32\Tasks\Security Center Update - 1251265320 => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [2012-03-16] () <==== ATTENTION
Task: {4A84D423-0977-49FB-863B-8ADC07398630} - System32\Tasks\Core Temp Autostart Kitty Clark => C:\Program Files\Core Temp\Core Temp.exe [2011-09-02] ()
Task: {5620A767-8460-4D73-B969-FBB49F57EA49} - \Security Center Update - 2960897610 No Task File
Task: {5DC18D57-52E1-4089-B60F-D7FE6F1F1246} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {75822CBE-3CC0-4481-9EF5-8C98A4CF4D2B} - System32\Tasks\Ad-Aware Update (Daily 2) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {8030BCA4-A939-46E1-9961-CB29ECCE51BD} - System32\Tasks\SmartDefrag_Startup => C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
Task: {87392479-CA7F-4D46-9AA7-5AE260D355C7} - System32\Tasks\Ad-Aware Scan (Weekly Full Scan) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {9E24D99B-F16C-477E-8F8A-5A3A80826755} - System32\Tasks\Ad-Aware Update (Daily 3) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {A4E5041A-A107-47E2-8036-085B28110EFA} - \Security Center Update - 4238123442 No Task File
Task: {B9632049-70BE-43D6-BBEF-F1D5AC730139} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-12] (Adobe Systems Incorporated)
Task: {BAF385D1-C8E5-49CD-94C0-340BC35C2D90} - \Security Center Update - 463384363 No Task File
Task: {C12097D3-7668-40DC-99AE-E42555C16BEB} - System32\Tasks\Spybot - Search & Destroy Updater - Scheduled Task => C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdate.exe
Task: {C3D15DB6-0E59-4A73-9B74-FD7BC98A55B0} - System32\Tasks\Security Center Update - 2788898635 => C:\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe [2013-09-23] () <==== ATTENTION
Task: {CEC3CFF9-D46A-47C2-A1F3-2D5ED7398B71} - System32\Tasks\Spybot - Search & Destroy - Scheduled Task => C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
Task: {D5A4F8CB-03BA-4DEC-8552-CB17A73D7D03} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {FBD02650-9D9C-4D86-A525-89F8F4CA5DED} - System32\Tasks\Ad-Aware Update (Daily 1) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Security Center Update - 1251265320.job => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
Task: C:\Windows\Tasks\Security Center Update - 2788898635.job => C:\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe
Task: C:\Windows\Tasks\Security Center Update - 2881837955.job => C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-04-10 17:21 - 2013-10-23 03:20 - 00102176 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-09-05 01:17 - 2013-09-05 01:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2011-04-11 00:07 - 2011-09-02 00:29 - 00826832 _____ () C:\Program Files\Core Temp\Core Temp.exe
2011-04-11 01:02 - 2009-08-24 14:38 - 00068136 _____ () C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
2011-08-26 14:45 - 2010-04-05 14:55 - 00116104 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2011-10-07 04:39 - 2011-10-07 04:39 - 01304856 _____ () C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
2014-02-24 19:01 - 2014-02-24 19:01 - 00047616 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe
2014-02-24 19:01 - 2014-02-24 19:01 - 01154560 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.UI.dll
2014-02-24 19:01 - 2014-02-24 19:01 - 00246272 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.Services.dll
2014-02-24 19:01 - 2014-02-24 19:01 - 00109056 _____ () C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.Models.dll
2011-08-24 12:06 - 2011-08-24 12:06 - 00279739 _____ () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
2012-09-30 13:24 - 2012-09-30 13:24 - 00285835 _____ () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
2014-02-12 21:58 - 2014-02-12 21:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 21:58 - 2014-02-12 21:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2011-04-11 01:02 - 2009-03-13 11:30 - 00109096 _____ () C:\Program Files (x86)\Gigabyte\EasySaver\YCC.DLL
2014-02-14 21:57 - 2014-02-14 21:57 - 03578992 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/17/2014 02:44:06 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 02:44:01 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 02:33:09 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-795659118-149470603-1855162921-1003.bak). hr = 0x80070539, The security ID structure is invalid.
.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {06f2bb7f-3ee3-428c-84c0-266a1fd1e695}

Error: (03/17/2014 02:31:21 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-795659118-149470603-1855162921-1003.bak). hr = 0x80070539, The security ID structure is invalid.
.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {06f2bb7f-3ee3-428c-84c0-266a1fd1e695}

Error: (03/17/2014 02:30:07 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-795659118-149470603-1855162921-1003.bak). hr = 0x80070539, The security ID structure is invalid.
.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {06f2bb7f-3ee3-428c-84c0-266a1fd1e695}

Error: (03/17/2014 02:20:37 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/17/2014 02:20:36 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (03/16/2014 03:14:18 PM) (Source: Application Error) (User: )
Description: Faulting application name: laubycy.exe, version: 0.0.0.0, time stamp: 0x5305ede8
Faulting module name: Flash32_12_0_0_77.ocx, version: 12.0.0.77, time stamp: 0x5314f58e
Exception code: 0xc0000005
Fault offset: 0x005b3449
Faulting process id: 0x176c
Faulting application start time: 0x01cf41540e08520f
Faulting application path: C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
Faulting module path: C:\Windows\SysWOW64\Macromed\Flash\Flash32_12_0_0_77.ocx
Report Id: 8d3ccd6f-ad47-11e3-bf77-6cf0490178fd

Error: (03/16/2014 03:11:37 PM) (Source: Application) (User: )
Description: Value cannot be null.
Parameter name: key

Error: (03/16/2014 00:56:15 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7052


System errors:
=============
Error: (03/16/2014 05:06:21 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 05:06:01 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 04:41:41 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 03:36:19 PM) (Source: Microsoft Antimalware) (User: )
Description: %PWS:Win32/Zbot.gen!AP60 has encountered a critical error when taking action on malware or other potentially unwanted software.

For more information please see the following:
%PWS:Win32/Zbot.gen!AP603

Name: PWS:Win32/Zbot.gen!AP

ID: 2147682349

Severity: %PWS:Win32/Zbot.gen!AP600

Category: %PWS:Win32/Zbot.gen!AP602

Path: 4.4.0304.02

Detection Origin: 4.4.0304.04

Detection Type: 4.4.0304.08

Detection Source: %PWS:Win32/Zbot.gen!AP608

User: {AA428B84-9D8B-46BC-A567-8EA63F3153E7}9

Process Name: %PWS:Win32/Zbot.gen!AP609

Action: {AA428B84-9D8B-46BC-A567-8EA63F3153E7}1

Action Status: {AA428B84-9D8B-46BC-A567-8EA63F3153E7}8

Error Code: {AA428B84-9D8B-46BC-A567-8EA63F3153E7}3

Error description: {AA428B84-9D8B-46BC-A567-8EA63F3153E7}4

Signature Version: 2014-03-16T20:33:28.325Z1

Engine Version: 2014-03-16T20:33:28.325Z2

Error: (03/16/2014 03:29:21 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 03:28:41 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 03:28:21 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 03:27:41 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/16/2014 03:27:01 PM) (Source: srv) (User: )
Description: The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.

Error: (03/15/2014 11:50:25 PM) (Source: BROWSER) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{B238F230-1086-475C-9FF8-8E85232E8E4E}.
The backup browser is stopping.


Microsoft Office Sessions:
=========================
Error: (03/17/2014 02:44:06 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 02:44:01 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 02:33:09 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(S-1-5-21-795659118-149470603-1855162921-1003.bak)0x80070539, The security ID structure is invalid.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {06f2bb7f-3ee3-428c-84c0-266a1fd1e695}

Error: (03/17/2014 02:31:21 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(S-1-5-21-795659118-149470603-1855162921-1003.bak)0x80070539, The security ID structure is invalid.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {06f2bb7f-3ee3-428c-84c0-266a1fd1e695}

Error: (03/17/2014 02:30:07 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(S-1-5-21-795659118-149470603-1855162921-1003.bak)0x80070539, The security ID structure is invalid.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {06f2bb7f-3ee3-428c-84c0-266a1fd1e695}

Error: (03/17/2014 02:20:37 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/17/2014 02:20:36 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files (x86)\Canon\Solution Menu EX\MFC80U.DLL

Error: (03/16/2014 03:14:18 PM) (Source: Application Error)(User: )
Description: laubycy.exe0.0.0.05305ede8Flash32_12_0_0_77.ocx12.0.0.775314f58ec0000005005b3449176c01cf41540e08520fC:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exeC:\Windows\SysWOW64\Macromed\Flash\Flash32_12_0_0_77.ocx8d3ccd6f-ad47-11e3-bf77-6cf0490178fd

Error: (03/16/2014 03:11:37 PM) (Source: Application)(User: )
Description: Value cannot be null.
Parameter name: key

Error: (03/16/2014 00:56:15 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7052


CodeIntegrity Errors:
===================================
Date: 2011-10-16 18:01:08.887
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 17:21:48.482
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 17:02:14.911
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:46:56.737
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\pcrelib.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:43:28.177
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:29:12.023
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\pcrelib.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 16:23:30.793
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 13:58:38.653
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 12:39:40.035
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.

Date: 2011-10-16 12:26:26.599
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDHook64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 69%
Total physical RAM: 4093.55 MB
Available physical RAM: 1248.25 MB
Total Pagefile: 8185.29 MB
Available Pagefile: 4741.83 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (Local Disk) (Fixed) (Total:232.76 GB) (Free:92.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Backup Disk) (Fixed) (Total:232.76 GB) (Free:231.48 GB) NTFS
Drive e: (Archive & Media Disk) (Fixed) (Total:233.11 GB) (Free:94.55 GB) NTFS
Drive f: (Working Files K4) (CDROM) (Total:4.37 GB) (Free:3.8 GB) UDF
Drive i: (KITTY'S USB) (Removable) (Total:7.47 GB) (Free:0.11 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 00000001)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=466 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 4:21 am

4. Downloaded and ran TDSSKiller - No threats found.

Looking forward to your reply. Thank you for accepting my case!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 17th, 2014, 9:32 am

OK, lets remove the stuff that's showing in your logs and see where that gets us.

First ...

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad. (don't include Code: Select all)
Code: Select all
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2012-09-30] ()
HKLM-x32\...\Run: [Idalebd] - C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe [279739 2012-09-15] ()
HKLM-x32\...\Run: [Abgypakeilicyp] - C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [288469 2012-03-16] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [obbnnwkp] - C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe [147968 2014-03-13] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [phqogutl] - C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe [146944 2014-03-14] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [qjbjbfct] - C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe [148992 2014-03-15] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2012-09-30] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Idalebd] - C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe [279739 2012-09-15] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [qxuucbke] - C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe [155648 2014-03-16] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Abgypakeilicyp] - C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [288469 2012-03-16] ()
SearchScopes: HKLM-x32 - DefaultScope {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKLM-x32 - {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKCU - {71C63272-91A7-436a-843D-A1C641D1C626} URL =
FF Extension: Apollo Bookmark/Tab/History Sync add-on - C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\Extensions\ffsync@apollobrowser.com.xpi [2011-11-01]
R3 ALSysIO; \??\C:\Users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz134; \??\C:\Users\STEPHE~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S1 mbabgdve; \??\C:\Windows\system32\drivers\mbabgdve.sys [X]
2014-03-17 02:28 - 2014-03-17 03:00 - 00000838 _____ () C:\Windows\Tasks\Security Center Update - 2788898635.job
2014-03-17 02:28 - 2014-03-17 02:28 - 00003858 _____ () C:\Windows\System32\Tasks\Security Center Update - 2788898635
2014-03-17 02:28 - 2014-03-17 02:28 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Laavyfu
2014-03-17 02:25 - 2014-03-17 02:25 - 00081924 _____ () C:\Users\Kitty Clark\AppData\Local\sgilcetr.exe
2014-03-16 16:49 - 2014-03-17 03:00 - 00000842 _____ () C:\Windows\Tasks\Security Center Update - 2881837955.job
2014-03-16 16:49 - 2014-03-16 16:49 - 00003862 _____ () C:\Windows\System32\Tasks\Security Center Update - 2881837955
2014-03-16 16:49 - 2014-03-16 16:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi
2014-03-16 15:14 - 2014-03-17 03:00 - 00000836 _____ () C:\Windows\Tasks\Security Center Update - 1251265320.job
2014-03-16 15:14 - 2014-03-16 15:14 - 00003856 _____ () C:\Windows\System32\Tasks\Security Center Update - 1251265320
2014-03-16 15:14 - 2014-03-16 15:14 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Wuaxax
2014-03-16 15:12 - 2014-03-16 15:12 - 00155648 _____ () C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe
2014-03-16 15:11 - 2014-03-16 15:11 - 00114692 _____ () C:\Users\Kitty Clark\AppData\Local\uimafqjw.exe
2014-03-15 23:22 - 2014-03-15 23:22 - 00208216 _____ (Kaspersky Lab, GERT) C:\Windows\system32\Drivers\26609797.sys
2014-03-15 16:41 - 2014-03-15 16:41 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Izcailfo
2014-03-15 15:05 - 2014-03-15 15:05 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-15 15:03 - 2014-03-15 15:03 - 00148992 _____ () C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe
2014-03-15 00:37 - 2014-03-15 00:37 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ovepca
2014-03-14 21:47 - 2014-03-14 21:47 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-14 17:02 - 2014-03-14 17:02 - 00146944 _____ () C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe
2014-03-13 22:08 - 2014-03-13 22:08 - 00000000 _____ () C:\Windows\system32\config\SOFTWARE53e04c1c
2014-03-13 20:43 - 2014-03-15 05:09 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Aqcainxi
2014-03-13 18:25 - 2014-03-13 18:25 - 00147968 _____ () C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe
2014-03-13 17:28 - 2014-03-13 17:28 - 00068465 _____ () C:\Users\Kitty Clark\AppData\Local\hphpmunt
2014-03-13 17:26 - 2014-03-15 05:09 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Zypaiq
2014-03-13 12:27 - 2014-03-15 01:25 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Diurekys
2014-03-13 01:52 - 2014-03-13 01:55 - 00001890 _____ () C:\Windows\diagwrn.xml
2014-03-13 01:52 - 2014-03-13 01:52 - 00001890 _____ () C:\Windows\diagerr.xml
2014-03-13 00:47 - 2014-03-13 05:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ofezmuan
2014-03-12 22:12 - 2014-03-13 05:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Nugyug
2014-03-12 15:13 - 2014-03-12 15:13 - 00012326 _____ () C:\Users\Kitty Clark\AppData\Local\rfdvugjw
2014-03-12 15:12 - 2014-03-12 15:12 - 00068161 _____ () C:\Users\Kitty Clark\AppData\Local\iglnxanr
2014-03-12 15:11 - 2014-03-12 15:11 - 00000000 _____ () C:\Users\Kitty Clark\AppData\Roaming\SharedSettings.ccs
2014-03-17 02:42 - 2013-10-21 17:18 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-03-16 15:11 - 2013-10-03 20:15 - 00000338 _____ () C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2014-03-16 15:11 - 2013-10-03 20:14 - 00000352 _____ () C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_29f69f7a.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_67ccf922.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_7e6c0ff8.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d2aedb75.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d334b44b.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_dd79834d.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_fade0e4f.exe
Task: {04E54DD8-72DB-4873-96C5-0B6BE6354E98} - System32\Tasks\Security Center Update - 2881837955 => C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe [2011-10-01] () <==== ATTENTION
Task: {1CCAF1D1-87F0-4F68-B108-18A775D26EC3} - \Security Center Update - 2841809425 No Task File
Task: {2F2BC4D8-95F2-4213-9EFF-1A421D1FF950} - \Security Center Update - 1962907878 No Task File
Task: {42549D4B-AD5F-4545-9E2A-09B37E367474} - System32\Tasks\Security Center Update - 1251265320 => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [2012-03-16] () <==== ATTENTION
Task: {5620A767-8460-4D73-B969-FBB49F57EA49} - \Security Center Update - 2960897610 No Task File
Task: {A4E5041A-A107-47E2-8036-085B28110EFA} - \Security Center Update - 4238123442 No Task File
Task: {BAF385D1-C8E5-49CD-94C0-340BC35C2D90} - \Security Center Update - 463384363 No Task File
Task: {C12097D3-7668-40DC-99AE-E42555C16BEB} - System32\Tasks\Spybot - Search & Destroy Updater - Scheduled Task => C:\Program Files (x86)\Spybot - Search &amp; Destroy\SDUpdate.exe
Task: {C3D15DB6-0E59-4A73-9B74-FD7BC98A55B0} - System32\Tasks\Security Center Update - 2788898635 => C:\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe [2013-09-23] () <==== ATTENTION
Task: {CEC3CFF9-D46A-47C2-A1F3-2D5ED7398B71} - System32\Tasks\Spybot - Search & Destroy - Scheduled Task => C:\Program Files (x86)\Spybot - Search &amp; Destroy\SpybotSD.exe
Task: C:\Windows\Tasks\Security Center Update - 1251265320.job => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
Task: C:\Windows\Tasks\Security Center Update - 2788898635.job => C:\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe
Task: C:\Windows\Tasks\Security Center Update - 2881837955.job => C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdate.exe
2011-08-24 12:06 - 2011-08-24 12:06 - 00279739 _____ () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
2012-09-30 13:24 - 2012-09-30 13:24 - 00285835 _____ () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
CMD: ipconfig /flushdns

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe.

Next ....

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.

Next ....

Let's try to reset your router to its default configuration.
  • This can be done by inserting something like an opened paper clip into a small hole labeled Reset that's usually found at the back of the router (some routers have a reset button on the front).
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know your router's default password, you can look it up. HERE
  • You will need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to ask your Internet Service Provider (ISP) which DNS servers your network should be using.

Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This should help to stop your router from being hijacked again.

Summary of the logs I need from you in your next post:
  • fixlog.txt
  • eset.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
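
The fixlist above is built by hand from the FRST log: every Run value and scheduled task whose target sits in the user's AppData tree with no company information, plus the "Security Center Update - <digits>" tasks (including the orphaned ones with No Task File), gets copied into fixlist.txt verbatim, and the dropper folders under AppData\Roaming are listed so the files go too. The script below is an added example, not part of Gary R's post and not a tool from the FRST author; it automates that triage over sample lines in FRST's own format and drafts the fixlist lines the same way. The sample input is constructed (the Adobe ARM line is made up as a benign control; the rest mirror the log), the scoring heuristics are assumptions that fit this case, and the output is a draft for a human to review, not something to run unread.

```python
"""Triage FRST autostart lines and draft FRST fixlist entries for the suspicious ones."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample input in the format of the FRST "Run:" and "Task:" lines above.
# The Adobe ARM line is an invented benign entry used as a control.
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [obbnnwkp] - C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe [147968 2014-03-13] ()
Task: {42549D4B-AD5F-4545-9E2A-09B37E367474} - System32\Tasks\Security Center Update - 1251265320 => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [2012-03-16] () <==== ATTENTION
Task: {C12097D3-7668-40DC-99AE-E42555C16BEB} - System32\Tasks\Spybot - Search & Destroy Updater - Scheduled Task => C:\Program Files (x86)\Spybot - Search &amp; Destroy\SDUpdate.exe
Task: {1CCAF1D1-87F0-4F68-B108-18A775D26EC3} - \Security Center Update - 2841809425 No Task File
""".strip("\n").splitlines()

# Run value: "<hive>\...\Run: [name] - <path> [<size> <date>] (<vendor>)"
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - (?P<path>.+?)"
    r" \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\)\s*$"
)
# Scheduled task with a task file: "Task: {GUID} - <task> => <path> [<date>] (<vendor>) <==== ATTENTION"
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<task>.+?) => (?P<path>.+?)"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<vendor>[^)]*)\))?(?: <==== ATTENTION)?\s*$"
)
# Task registered in the scheduler cache whose task file is gone.
ORPHAN_TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<task>.+?) No Task File\s*$")
# Name pattern used by the tasks in this log (assumption: specific to this infection).
MIMIC_TASK_RE = re.compile(r"(?:^|\\)Security Center Update - \d+$")


@dataclass
class Finding:
    line: str                      # the FRST log line, kept verbatim for the fixlist
    kind: str                      # "run", "task" or "orphan-task"
    path: Optional[str]            # target executable, if the line names one
    reasons: List[str] = field(default_factory=list)


def _reasons_for_path(path: str, vendor: Optional[str]) -> List[str]:
    """Heuristics (assumed, not FRST's): user-writable location and missing file info."""
    reasons = []
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "users" in parts and "appdata" in parts:
        reasons.append("target lives under a user profile (AppData), a user-writable location")
    if vendor == "":
        reasons.append("no company/version information in the file (FRST shows '()')")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Return the autostart entries that trip at least one heuristic."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            reasons = _reasons_for_path(m["path"], m["vendor"])
            if reasons:
                findings.append(Finding(line, "run", m["path"], reasons))
        elif m := ORPHAN_TASK_RE.match(line):
            reasons = ["task is in the scheduler cache but its task file is missing"]
            if MIMIC_TASK_RE.search(m["task"]):
                reasons.append("task name imitates a Windows component")
            findings.append(Finding(line, "orphan-task", None, reasons))
        elif m := TASK_RE.match(line):
            reasons = _reasons_for_path(m["path"], m["vendor"])
            if MIMIC_TASK_RE.search(m["task"]):
                reasons.append("task name imitates a Windows component")
            if "<==== ATTENTION" in line:
                reasons.append("flagged by FRST itself")
            if reasons:
                findings.append(Finding(line, "task", m["path"], reasons))
    return findings


def draft_fixlist(findings: List[Finding]) -> List[str]:
    """Draft fixlist lines: each suspicious log line verbatim (the fixlog above shows
    FRST deleting the value/task for such lines), plus the bare path of the target so
    the file is moved too, or the whole dropper folder when the target sits in its own
    subfolder of AppData\\Roaming, as the fix above did for Omvutyg and Vyoqti."""
    out, seen = [], set()

    def add(item: str) -> None:
        if item not in seen:
            seen.add(item)
            out.append(item)

    for f in findings:
        add(f.line)
        if f.path:
            p = PureWindowsPath(f.path)
            lower = [x.lower() for x in p.parts]
            if lower[-4:-2] == ["appdata", "roaming"]:
                add(str(p.parent))
            else:
                add(str(p))
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for f in found:
        print(f"[{f.kind}] {f.line}")
        for r in f.reasons:
            print("    -", r)
    print("\n# draft fixlist.txt (review by hand before running FRST against it)")
    print("\n".join(draft_fixlist(found)))
```

Feed it the Run:/Task: sections of a real FRST.txt and Addition.txt and it prints the entries worth a second look with the reason for each, then the draft fixlist. The Adobe and Spybot control lines are not flagged because they live under Program Files and (for the Run value) carry a vendor name; everything in AppData with an empty "()" is, which is exactly the pattern the fix above targets.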

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 3:37 pm

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Kitty Clark at 2014-03-17 14:35:18 Run:1
Running from C:\Users\Kitty Clark\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2012-09-30] ()
HKLM-x32\...\Run: [Idalebd] - C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe [279739 2012-09-15] ()
HKLM-x32\...\Run: [Abgypakeilicyp] - C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [288469 2012-03-16] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [obbnnwkp] - C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe [147968 2014-03-13] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [phqogutl] - C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe [146944 2014-03-14] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2011-08-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [qjbjbfct] - C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe [148992 2014-03-15] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2012-09-30] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Idalebd] - C:\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe [279739 2012-09-15] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [qxuucbke] - C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe [155648 2014-03-16] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Abgypakeilicyp] - C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [288469 2012-03-16] ()
SearchScopes: HKLM-x32 - DefaultScope {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKLM-x32 - {71C63272-91A7-436a-843D-A1C641D1C626} URL =
SearchScopes: HKCU - {71C63272-91A7-436a-843D-A1C641D1C626} URL =
FF Extension: Apollo Bookmark/Tab/History Sync add-on - C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\Extensions\ffsync@apollobrowser.com.xpi [2011-11-01]
R3 ALSysIO; \??\C:\Users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [X]
S3 cpuz134; \??\C:\Users\STEPHE~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S1 mbabgdve; \??\C:\Windows\system32\drivers\mbabgdve.sys [X]
2014-03-17 02:28 - 2014-03-17 03:00 - 00000838 _____ () C:\Windows\Tasks\Security Center Update - 2788898635.job
2014-03-17 02:28 - 2014-03-17 02:28 - 00003858 _____ () C:\Windows\System32\Tasks\Security Center Update - 2788898635
2014-03-17 02:28 - 2014-03-17 02:28 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Laavyfu
2014-03-17 02:25 - 2014-03-17 02:25 - 00081924 _____ () C:\Users\Kitty Clark\AppData\Local\sgilcetr.exe
2014-03-16 16:49 - 2014-03-17 03:00 - 00000842 _____ () C:\Windows\Tasks\Security Center Update - 2881837955.job
2014-03-16 16:49 - 2014-03-16 16:49 - 00003862 _____ () C:\Windows\System32\Tasks\Security Center Update - 2881837955
2014-03-16 16:49 - 2014-03-16 16:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi
2014-03-16 15:14 - 2014-03-17 03:00 - 00000836 _____ () C:\Windows\Tasks\Security Center Update - 1251265320.job
2014-03-16 15:14 - 2014-03-16 15:14 - 00003856 _____ () C:\Windows\System32\Tasks\Security Center Update - 1251265320
2014-03-16 15:14 - 2014-03-16 15:14 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Wuaxax
2014-03-16 15:12 - 2014-03-16 15:12 - 00155648 _____ () C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe
2014-03-16 15:11 - 2014-03-16 15:11 - 00114692 _____ () C:\Users\Kitty Clark\AppData\Local\uimafqjw.exe
2014-03-15 23:22 - 2014-03-15 23:22 - 00208216 _____ (Kaspersky Lab, GERT) C:\Windows\system32\Drivers\26609797.sys
2014-03-15 16:41 - 2014-03-15 16:41 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Izcailfo
2014-03-15 15:05 - 2014-03-15 15:05 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-15 15:03 - 2014-03-15 15:03 - 00148992 _____ () C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe
2014-03-15 00:37 - 2014-03-15 00:37 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ovepca
2014-03-14 21:47 - 2014-03-14 21:47 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-14 17:02 - 2014-03-14 17:02 - 00146944 _____ () C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe
2014-03-13 22:08 - 2014-03-13 22:08 - 00000000 _____ () C:\Windows\system32\config\SOFTWARE53e04c1c
2014-03-13 20:43 - 2014-03-15 05:09 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Aqcainxi
2014-03-13 18:25 - 2014-03-13 18:25 - 00147968 _____ () C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe
2014-03-13 17:28 - 2014-03-13 17:28 - 00068465 _____ () C:\Users\Kitty Clark\AppData\Local\hphpmunt
2014-03-13 17:26 - 2014-03-15 05:09 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Zypaiq
2014-03-13 12:27 - 2014-03-15 01:25 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Diurekys
2014-03-13 01:52 - 2014-03-13 01:55 - 00001890 _____ () C:\Windows\diagwrn.xml
2014-03-13 01:52 - 2014-03-13 01:52 - 00001890 _____ () C:\Windows\diagerr.xml
2014-03-13 00:47 - 2014-03-13 05:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Ofezmuan
2014-03-12 22:12 - 2014-03-13 05:49 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Nugyug
2014-03-12 15:13 - 2014-03-12 15:13 - 00012326 _____ () C:\Users\Kitty Clark\AppData\Local\rfdvugjw
2014-03-12 15:12 - 2014-03-12 15:12 - 00068161 _____ () C:\Users\Kitty Clark\AppData\Local\iglnxanr
2014-03-12 15:11 - 2014-03-12 15:11 - 00000000 _____ () C:\Users\Kitty Clark\AppData\Roaming\SharedSettings.ccs
2014-03-17 02:42 - 2013-10-21 17:18 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-03-16 15:11 - 2013-10-03 20:15 - 00000338 _____ () C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2014-03-16 15:11 - 2013-10-03 20:14 - 00000352 _____ () C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_29f69f7a.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_67ccf922.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_7e6c0ff8.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d2aedb75.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d334b44b.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_dd79834d.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_fade0e4f.exe
Task: {04E54DD8-72DB-4873-96C5-0B6BE6354E98} - System32\Tasks\Security Center Update - 2881837955 => C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe [2011-10-01] () <==== ATTENTION
Task: {1CCAF1D1-87F0-4F68-B108-18A775D26EC3} - \Security Center Update - 2841809425 No Task File
Task: {2F2BC4D8-95F2-4213-9EFF-1A421D1FF950} - \Security Center Update - 1962907878 No Task File
Task: {42549D4B-AD5F-4545-9E2A-09B37E367474} - System32\Tasks\Security Center Update - 1251265320 => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe [2012-03-16] () <==== ATTENTION
Task: {5620A767-8460-4D73-B969-FBB49F57EA49} - \Security Center Update - 2960897610 No Task File
Task: {A4E5041A-A107-47E2-8036-085B28110EFA} - \Security Center Update - 4238123442 No Task File
Task: {BAF385D1-C8E5-49CD-94C0-340BC35C2D90} - \Security Center Update - 463384363 No Task File
Task: {C12097D3-7668-40DC-99AE-E42555C16BEB} - System32\Tasks\Spybot - Search & Destroy Updater - Scheduled Task => C:\Program Files (x86)\Spybot - Search &amp; Destroy\SDUpdate.exe
Task: {C3D15DB6-0E59-4A73-9B74-FD7BC98A55B0} - System32\Tasks\Security Center Update - 2788898635 => C:\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe [2013-09-23] () <==== ATTENTION
Task: {CEC3CFF9-D46A-47C2-A1F3-2D5ED7398B71} - System32\Tasks\Spybot - Search & Destroy - Scheduled Task => C:\Program Files (x86)\Spybot - Search &amp; Destroy\SpybotSD.exe
Task: C:\Windows\Tasks\Security Center Update - 1251265320.job => C:\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe
Task: C:\Windows\Tasks\Security Center Update - 2788898635.job => C:\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe
Task: C:\Windows\Tasks\Security Center Update - 2881837955.job => C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job => C:\Program Files (x86)\Spybot - Search & Destroy\SDUpdate.exe
2011-08-24 12:06 - 2011-08-24 12:06 - 00279739 _____ () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
2012-09-30 13:24 - 2012-09-30 13:24 - 00285835 _____ () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
CMD: ipconfig /flushdns
*****************

C:\Users\Kitty Clark\AppData\Roaming\Omvutyg => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Buleodliyg => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Afwoynunylo => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Idalebd => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Abgypakeilicyp => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\obbnnwkp => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\phqogutl => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Buleodliyg => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\qjbjbfct => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Afwoynunylo => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Idalebd => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\qxuucbke => Value deleted successfully.
HKU\S-1-5-21-795659118-149470603-1855162921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Abgypakeilicyp => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{71C63272-91A7-436a-843D-A1C641D1C626} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{71C63272-91A7-436a-843D-A1C641D1C626} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{71C63272-91A7-436a-843D-A1C641D1C626} => Key deleted successfully.
HKCR\CLSID\{71C63272-91A7-436a-843D-A1C641D1C626} => Key not found.
C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\Extensions\ffsync@apollobrowser.com.xpi => Moved successfully.
ALSysIO => Service stopped successfully.
ALSysIO => Service deleted successfully.
cpuz134 => Service deleted successfully.
mbabgdve => Service deleted successfully.
C:\Windows\Tasks\Security Center Update - 2788898635.job => Moved successfully.
C:\Windows\System32\Tasks\Security Center Update - 2788898635 => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Laavyfu => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\sgilcetr.exe => Moved successfully.
C:\Windows\Tasks\Security Center Update - 2881837955.job => Moved successfully.
C:\Windows\System32\Tasks\Security Center Update - 2881837955 => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Ezkorawi => Moved successfully.
C:\Windows\Tasks\Security Center Update - 1251265320.job => Moved successfully.
C:\Windows\System32\Tasks\Security Center Update - 1251265320 => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Wuaxax => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\uimafqjw.exe => Moved successfully.
C:\Windows\system32\Drivers\26609797.sys => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Izcailfo => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\kquxiuqo.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Ovepca => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\rfexcbap.exe => Moved successfully.
C:\Windows\system32\config\SOFTWARE53e04c1c => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Aqcainxi => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\hphpmunt => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Zypaiq => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Diurekys => Moved successfully.
C:\Windows\diagwrn.xml => Moved successfully.
C:\Windows\diagerr.xml => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Ofezmuan => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Nugyug => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\rfdvugjw => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\iglnxanr => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\SharedSettings.ccs => Moved successfully.
C:\Program Files (x86)\Spybot - Search & Destroy 2 => Moved successfully.
"C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job" => File/Directory not found.
"C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job" => File/Directory not found.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_29f69f7a.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_67ccf922.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_7e6c0ff8.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d2aedb75.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_d334b44b.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_dd79834d.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_fade0e4f.exe => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{04E54DD8-72DB-4873-96C5-0B6BE6354E98} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04E54DD8-72DB-4873-96C5-0B6BE6354E98} => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2881837955 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2881837955 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1CCAF1D1-87F0-4F68-B108-18A775D26EC3} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1CCAF1D1-87F0-4F68-B108-18A775D26EC3} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2841809425 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2F2BC4D8-95F2-4213-9EFF-1A421D1FF950} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2F2BC4D8-95F2-4213-9EFF-1A421D1FF950} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1962907878 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{42549D4B-AD5F-4545-9E2A-09B37E367474} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{42549D4B-AD5F-4545-9E2A-09B37E367474} => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 1251265320 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 1251265320 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5620A767-8460-4D73-B969-FBB49F57EA49} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5620A767-8460-4D73-B969-FBB49F57EA49} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2960897610 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A4E5041A-A107-47E2-8036-085B28110EFA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4E5041A-A107-47E2-8036-085B28110EFA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 4238123442 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BAF385D1-C8E5-49CD-94C0-340BC35C2D90} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF385D1-C8E5-49CD-94C0-340BC35C2D90} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 463384363 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C12097D3-7668-40DC-99AE-E42555C16BEB} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C12097D3-7668-40DC-99AE-E42555C16BEB} => Key deleted successfully.
C:\Windows\System32\Tasks\Spybot - Search & Destroy Updater - Scheduled Task not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Spybot - Search & Destroy Updater - Scheduled Task => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C3D15DB6-0E59-4A73-9B74-FD7BC98A55B0} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C3D15DB6-0E59-4A73-9B74-FD7BC98A55B0} => Key deleted successfully.
C:\Windows\System32\Tasks\Security Center Update - 2788898635 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2788898635 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CEC3CFF9-D46A-47C2-A1F3-2D5ED7398B71} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CEC3CFF9-D46A-47C2-A1F3-2D5ED7398B71} => Key deleted successfully.
C:\Windows\System32\Tasks\Spybot - Search & Destroy - Scheduled Task not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Spybot - Search & Destroy - Scheduled Task => Key not found.
C:\Windows\Tasks\Security Center Update - 1251265320.job not found.
C:\Windows\Tasks\Security Center Update - 2788898635.job not found.
C:\Windows\Tasks\Security Center Update - 2881837955.job not found.
C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job not found.
C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job not found.
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe => Moved successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


==== End of Fixlog ====
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 17th, 2014, 6:08 pm

Looking good so far, please post the ESET log as soon as you have it.
Gary R
Administrator
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 6:33 pm

Progress so far:
6. Disabled MSE Real-Time Protection. Computer rebooted.
7. Ran ESET Online Scanner. Found new threats: Win32/Kryptik.BWXA, Win32/Toolbar.Widgi, Win32/Bundled.Toolbar.Ask, Win32/Injector.AZYA. These have not shown up in any of my previous scans. During the scan, I stopped the download of two script files of unknown origin.
They are: dpx.js from i.simpli.fi (4.39 kB) and bkrcoretag from tags.bkrtx.com (27.4 kB). Had to disconnect from the internet during the scan to stop repeated requests to download these files.
Scan projected to take about six hours.

Happy Saint Pat's Day!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 7:03 pm

Scan took less time than I thought.

8. Re-enabled MSE Real-time protection. Computer rebooted.
9. Scan results below. Working on resetting router.


ESET.txt:

C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\cnxsaiwv.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\kfnqnjmn.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\kquxiuqo.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\rfexcbap.exe.xBAD a variant of Win32/Kryptik.BXBS trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\sgilcetr.exe.xBAD a variant of Win32/Injector.AZWP trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\uimafqjw.exe.xBAD a variant of Win32/Injector.AZVQ trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_29f69f7a.exe.xBAD a variant of Win32/Injector.AZVQ trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_fade0e4f.exe.xBAD Win32/Rovnix.F trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Ezkorawi\ahytxi.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Izcailfo\alodxab.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Laavyfu\arfuiz.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe.xBAD a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Ovepca\ypzeif.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe.xBAD a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Vyoqti\Vyoqti\ygotoxu.exe a variant of Win32/Kryptik.BWXA trojan
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Wuaxax\nutyhau.exe a variant of Win32/Kryptik.BWXA trojan
C:\My Downloads Archive\Install Files\asc-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\My Downloads Archive\Install Files\coretemp_1236.exe a variant of Win32/InstallIQ.A potentially unwanted application
C:\My Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\My Downloads Archive\Install Files\defragsetup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\My Downloads Archive\Install Files\imf-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\My Downloads Archive\Install Files\is360setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\My Downloads Archive\Install Files\sd2-setup220.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\My Downloads Archive\Install Files\unlocker-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\Users\Kitty Clark\AppData\Local\gvupnbox.exe a variant of Win32/Injector.AZYA trojan
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_6edee315.exe a variant of Win32/Injector.AZYA trojan
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BWXA trojan
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe a variant of Win32/Kryptik.BWXA trojan
C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe a variant of Win32/Kryptik.BWXA trojan
E:\Archive\Old Downloads Archive\Install Files\asc-setup(1).exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\asc-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\Core-Temp-setup.exe probably a variant of Win32/Complitly.A potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\coretemp_1236.exe a variant of Win32/InstallIQ.A potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.55-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.57.1-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\Archive\Old Downloads Archive\Install Files\defragsetup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\imf-setup(1).exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\imf-setup(2).exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\imf-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\is360setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\sd2-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\sd2-setup220.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\unlocker-setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
E:\Archive\Old Downloads Archive\Install Files\zlsSetup_70_483_000_en.exe a variant of Win32/AdInstaller potentially unwanted application
Operating memory multiple threats
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby Gary R » March 17th, 2014, 7:19 pm

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).
Code: Select all
C:\My Downloads Archive\Install Files\asc-setup.exe
C:\My Downloads Archive\Install Files\coretemp_1236.exe
C:\My Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe
C:\My Downloads Archive\Install Files\defragsetup.exe
C:\My Downloads Archive\Install Files\imf-setup.exe
C:\My Downloads Archive\Install Files\is360setup.exe
C:\My Downloads Archive\Install Files\sd2-setup220.exe
C:\My Downloads Archive\Install Files\unlocker-setup.exe
C:\Users\Kitty Clark\AppData\Local\gvupnbox.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_6edee315.exe
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe
E:\Archive\Old Downloads Archive\Install Files\asc-setup(1).exe
E:\Archive\Old Downloads Archive\Install Files\asc-setup.exe
E:\Archive\Old Downloads Archive\Install Files\Core-Temp-setup.exe
E:\Archive\Old Downloads Archive\Install Files\coretemp_1236.exe
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.55-setup-en.exe
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.57.1-setup-en.exe
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe
E:\Archive\Old Downloads Archive\Install Files\defragsetup.exe
E:\Archive\Old Downloads Archive\Install Files\imf-setup(1).exe
E:\Archive\Old Downloads Archive\Install Files\imf-setup(2).exe
E:\Archive\Old Downloads Archive\Install Files\imf-setup.exe
E:\Archive\Old Downloads Archive\Install Files\is360setup.exe
E:\Archive\Old Downloads Archive\Install Files\sd2-setup.exe
E:\Archive\Old Downloads Archive\Install Files\sd2-setup220.exe
E:\Archive\Old Downloads Archive\Install Files\unlocker-setup.exe
E:\Archive\Old Downloads Archive\Install Files\zlsSetup_70_483_000_en.exe
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
C:\Users\Kitty Clark\AppData\Roaming\Zoakow

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe.

Next ...

Reboot your computer.

Next ...

Run a new scan with FRST please and post me the logs it produces (FRST.txt, Addition.txt)
Gary R
Administrator
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
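The fixlist above is the ESET log reduced by hand: every detection that is still a live file is kept, the C:\FRST\Quarantine\ copies are left out because FRST has already moved them, the "Operating memory" summary line is dropped, and the parent folder of each dropper sitting directly under AppData\Roaming is appended so the folder goes with the file. The script below is an added example, not FRST's or ESET's code and not part of the thread, that performs that same reduction over ESET.txt-style lines. The sample lines are a constructed subset copied from the ESET.txt posted above; the verdict vocabulary it anchors on ("a variant of", "trojan", "potentially unwanted application", "potentially unsafe application") is taken from that log. One thing a file-only fixlist does not do is stop a process that is already running, which is what ESET's "Operating memory" line reports; the next FRST.txt in this thread shows the Omvutyg and Vyoqti folders recreated at 18:59, two minutes after the 18:57 fix.

```python
"""Build an FRST fixlist from ESET Online Scanner output (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the ESET.txt in this thread.
SAMPLE_ESET_LOG = r"""
C:\FRST\Quarantine\C\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BWXA trojan
C:\My Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Kitty Clark\AppData\Local\gvupnbox.exe a variant of Win32/Injector.AZYA trojan
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe a variant of Win32/Kryptik.BWXA trojan
C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe a variant of Win32/Kryptik.BWXA trojan
E:\Archive\Old Downloads Archive\Install Files\zlsSetup_70_483_000_en.exe a variant of Win32/AdInstaller potentially unwanted application
Operating memory multiple threats
"""

# ESET prints "<path> <verdict>" and paths contain spaces, so the split point is
# found by matching the verdict vocabulary rather than by splitting on whitespace.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>(?:a variant of|probably a variant of)?\s*\S+\s+"
    r"(?:trojan|potentially unwanted application|potentially unsafe application))$"
)

# FRST's own quarantine root, as seen in the log above.
QUARANTINE_PREFIX = r"C:\FRST\Quarantine"


def parse_eset_log(text):
    """Yield (PureWindowsPath, verdict) for each file detection; summary lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield PureWindowsPath(m["path"]), m["verdict"].strip()


def is_quarantined(path):
    """True when the detection is a copy FRST has already moved into its quarantine."""
    return str(path).lower().startswith(QUARANTINE_PREFIX.lower() + "\\")


def roaming_dropper_dir(path):
    """Return the dropper's folder when the file sits one level below AppData\\Roaming, else None."""
    parts = [p.lower() for p in path.parts]
    # e.g. ['c:\\', 'users', 'kitty clark', 'appdata', 'roaming', 'omvutyg', 'laubycy.exe']
    if len(parts) >= 7 and parts[-4:-2] == ["appdata", "roaming"]:
        return path.parent
    return None


def build_fixlist(text):
    """Return fixlist lines: live files in log order, then the dropper folders to remove."""
    files, folders = [], []
    for path, _verdict in parse_eset_log(text):
        if is_quarantined(path):
            continue  # already neutralised by FRST; emptying its quarantine is a separate step
        files.append(str(path))
        folder = roaming_dropper_dir(path)
        if folder is not None and str(folder) not in folders:
            folders.append(str(folder))
    return files + folders


if __name__ == "__main__":
    # Output is the text to save as fixlist.txt next to FRST64.exe.
    print("\n".join(build_fixlist(SAMPLE_ESET_LOG)))
```

Run it against a saved ESET.txt and paste the output into fixlist.txt; the in-memory detections still have to be dealt with by killing or disabling the running copy, which is why the helper's instructions have the machine rebooted and rescanned afterwards.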

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 7:31 pm

Just discovered that her computer is sending out bogus emails - 456 in the last hour. Had to disconnect from the internet to stop it.
Will follow your current instructions and post results immediately.
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 8:01 pm

10. Ran FRST with your fixlist, fixlog below:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Kitty Clark at 2014-03-17 18:57:43 Run:2
Running from C:\Users\Kitty Clark\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\My Downloads Archive\Install Files\asc-setup.exe
C:\My Downloads Archive\Install Files\coretemp_1236.exe
C:\My Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe
C:\My Downloads Archive\Install Files\defragsetup.exe
C:\My Downloads Archive\Install Files\imf-setup.exe
C:\My Downloads Archive\Install Files\is360setup.exe
C:\My Downloads Archive\Install Files\sd2-setup220.exe
C:\My Downloads Archive\Install Files\unlocker-setup.exe
C:\Users\Kitty Clark\AppData\Local\gvupnbox.exe
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_6edee315.exe
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe
C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe
E:\Archive\Old Downloads Archive\Install Files\asc-setup(1).exe
E:\Archive\Old Downloads Archive\Install Files\asc-setup.exe
E:\Archive\Old Downloads Archive\Install Files\Core-Temp-setup.exe
E:\Archive\Old Downloads Archive\Install Files\coretemp_1236.exe
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.55-setup-en.exe
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.57.1-setup-en.exe
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe
E:\Archive\Old Downloads Archive\Install Files\defragsetup.exe
E:\Archive\Old Downloads Archive\Install Files\imf-setup(1).exe
E:\Archive\Old Downloads Archive\Install Files\imf-setup(2).exe
E:\Archive\Old Downloads Archive\Install Files\imf-setup.exe
E:\Archive\Old Downloads Archive\Install Files\is360setup.exe
E:\Archive\Old Downloads Archive\Install Files\sd2-setup.exe
E:\Archive\Old Downloads Archive\Install Files\sd2-setup220.exe
E:\Archive\Old Downloads Archive\Install Files\unlocker-setup.exe
E:\Archive\Old Downloads Archive\Install Files\zlsSetup_70_483_000_en.exe
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
C:\Users\Kitty Clark\AppData\Roaming\Zoakow
*****************

C:\My Downloads Archive\Install Files\asc-setup.exe => Moved successfully.
C:\My Downloads Archive\Install Files\coretemp_1236.exe => Moved successfully.
C:\My Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe => Moved successfully.
C:\My Downloads Archive\Install Files\defragsetup.exe => Moved successfully.
C:\My Downloads Archive\Install Files\imf-setup.exe => Moved successfully.
C:\My Downloads Archive\Install Files\is360setup.exe => Moved successfully.
C:\My Downloads Archive\Install Files\sd2-setup220.exe => Moved successfully.
C:\My Downloads Archive\Install Files\unlocker-setup.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\gvupnbox.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Local\Temp\UpdateFlashPlayer_6edee315.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Zoakow\olemfu.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\asc-setup(1).exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\asc-setup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\Core-Temp-setup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\coretemp_1236.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.55-setup-en.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.57.1-setup-en.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\cpu-z_1.58-setup-en.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\defragsetup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\imf-setup(1).exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\imf-setup(2).exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\imf-setup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\is360setup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\sd2-setup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\sd2-setup220.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\unlocker-setup.exe => Moved successfully.
E:\Archive\Old Downloads Archive\Install Files\zlsSetup_70_483_000_en.exe => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Omvutyg => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Vyoqti => Moved successfully.
C:\Users\Kitty Clark\AppData\Roaming\Zoakow => Moved successfully.

==== End of Fixlog ====
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm
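The two fixlogs in this thread remove the same kinds of artefact each time: scheduled tasks named "Security Center Update - <number>" (their TaskCache\Tree, Tasks and Plain keys), Run entries pointing at randomly named executables under AppData\Roaming, and an alternate data stream on C:\ProgramData\TEMP. The FRST.txt Stephen posts next shows the same Run entries back, laubycy.exe running again, and the Omvutyg and Vyoqti folders recreated two minutes after the fix. The script below is an added example, not FRST's code and not from the original posts, that triages FRST-format lines for those indicators so a rescan can be checked quickly: a running process or Run/RunOnce entry whose image is under a user's AppData and carries no publisher (FRST prints an empty "()" in that position, as it does for Core Temp and TWC.Win7 in the logs here, so the AppData condition is what keeps the check from flagging every unsigned tool), a scheduled task matching the name pattern, and a browser proxy pointed at the local machine. The sample lines are a constructed mix of lines copied from this thread's logs; a proxy on localhost is reported for a person to reconcile against installed software, not declared malicious by the script.

```python
"""Triage FRST scan output for the persistence indicators seen in this thread (added example)."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (kind, detail)

# Constructed sample: lines copied from the FRST.txt and Fixlog.txt posted in this thread.
SAMPLE_FRST = r"""
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [TWC.Win7] - C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe [47616 2014-02-24] ()
ProxyServer: localhost:8080
2014-03-17 14:30 - 2014-03-17 14:30 - 00003854 _____ () C:\Windows\System32\Tasks\Security Center Update - 11611984
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Security Center Update - 2881837955 => Key deleted successfully.
"""

# Image paths under any user profile's AppData (Local or Roaming).
USER_APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Process list line: "(Publisher) C:\path\image.exe"; an empty "()" means FRST found no publisher.
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<image>[A-Za-z]:\\.+)$")

# Run/RunOnce entry: "HKLM-x32\...\Run: [Name] - C:\path\image.exe [size date] (Publisher)"
RUN_RE = re.compile(
    r"^(?P<hive>HK[^\s:]+?)\\\.\.\.\\Run(?:once)?: \[(?P<name>[^\]]+)\] - "
    r"(?P<image>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] \((?P<publisher>[^)]*)\)$",
    re.IGNORECASE,
)

# The task name pattern from the fixlogs, whether it appears as the task file under
# System32\Tasks, the legacy .job file under Windows\Tasks, or its TaskCache\Tree key.
TASK_RE = re.compile(
    r"(?:\\Tasks\\|TaskCache\\Tree\\)(?P<name>Security Center Update - \d+)", re.IGNORECASE
)

PROXY_RE = re.compile(r"^ProxyServer: (?P<proxy>\S+)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def triage(text: str) -> List[Finding]:
    """Return (kind, detail) findings in log order; lines that match nothing are ignored."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m and not m["publisher"] and USER_APPDATA_RE.search(m["image"]):
            findings.append(("process", m["image"]))
            continue
        m = RUN_RE.match(line)
        if m and not m["publisher"] and USER_APPDATA_RE.search(m["image"]):
            findings.append(("autorun", f"{m['hive']} [{m['name']}] -> {m['image']}"))
            continue
        m = PROXY_RE.match(line)
        if m and m["proxy"].rsplit(":", 1)[0].lower() in LOCAL_HOSTS:
            findings.append(("proxy", m["proxy"]))
            continue
        m = TASK_RE.search(line)
        if m:
            findings.append(("task", m["name"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FRST):
        print(f"{kind:8} {detail}")
```

A finding of kind "process" after a fix has run is the important one: it means the dropper is live again and will rewrite its Run entries, so the next fixlist needs to stop the process (or the fix must run before the user logs on) rather than only move the files.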

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Unread postby StephenClark » March 17th, 2014, 8:16 pm

11. Reboot
12. FRST Scan results:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-03-2014
Ran by Kitty Clark (administrator) on KITTY4 on 17-03-2014 19:11:19
Running from C:\Users\Kitty Clark\Downloads
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/downloa ... ool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/downloa ... ool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files\Core Temp\Core Temp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE
() C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
() C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
() C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2726728 2010-03-24] (CANON INC.)
HKLM\...\Run: [EvtMgr6] - C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-10-07] (Logitech, Inc.)
HKLM\...\Run: [Nvtmru] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1028384 2013-11-08] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1064224 2013-11-08] (NVIDIA Corporation)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonSolutionMenuEx] - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()
HKLM-x32\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKLM-x32\...\Runonce: [AvgUninstallURL] - cmd.exe /c start http://www.avg.com/ww.special-uninstall ... 0EtSzZIVTk"&"inst=NzctNzExNTI1MDAxLVhPMTArMTEtTElDKzItVklQKzEtRkwxMCsxLVRVRyszLUREVCs2MTYwMy1ERDEwRisxLVNUMTBGQVBQKzEtU1QxMkZPSSsxLUVVTEErMS1TVDEyRkFQUCsx"&"prod=90"&"ver=2012.0.1809"&"mid=ec2ba82855f747d6a39abdb90fe5910e-473b8ab7618aadb6b0f68fdc49d2c8fec08d808c [X]
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [OfficeSyncProcess] - C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-22] (Microsoft Corporation)
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [TWC.Win7] - C:\Program Files (x86)\The Weather Channel\Desktop Weather\TWC.Win7.exe [47616 2014-02-24] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Buleodliyg] - C:\Users\Kitty Clark\AppData\Roaming\Omvutyg\laubycy.exe [279739 2014-03-17] ()
HKU\S-1-5-21-795659118-149470603-1855162921-1000\...\Run: [Afwoynunylo] - C:\Users\Kitty Clark\AppData\Roaming\Vyoqti\ygotoxu.exe [285835 2014-03-17] ()

==================== Internet (Whitelisted) ====================

ProxyServer: localhost:8080
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x852AE58D4AD3CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKCU - DefaultScope {EE75487F-9D0B-41ff-A092-FEA18652EC33} URL = http://www.google.com/cse?cx=partner-pu ... 8615334&q={searchTerms}
SearchScopes: HKCU - {37374783-29CB-453B-9367-3B54C4EC63E4} URL = http://search.avg.com/route/?d=4da276ee ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
SearchScopes: HKCU - {87F70B1E-6CCD-4BE6-9A0D-428B28668895} URL = http://search.avg.com/route/?d=4da276ee ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
SearchScopes: HKCU - {EE75487F-9D0B-41ff-A092-FEA18652EC33} URL = http://www.google.com/cse?cx=partner-pu ... 8615334&q={searchTerms}
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/s ... wflash.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75

FireFox:
========
FF ProfilePath: C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default
FF DefaultSearchEngine: Yahoo! Search
FF Homepage: hxxp://news.google.com/nwshp?gl=us&ned= ... ebook.com/
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX - C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Add-on Compatibility Reporter - C:\Users\Kitty Clark\AppData\Roaming\Mozilla\Firefox\Profiles\z49pdjoq.default\Extensions\compatibility@addons.mozilla.org.xpi [2011-08-31]

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR HKLM-x32\...\Chrome\Extension: [defdhglnppeioeflggkmglipcecffkhk] - C:\Program Files (x86)\AutocompletePro\chrome\autocompleteprochrome.crx []

==================== Services (Whitelisted) =================

R2 ES lite Service; C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE [68136 2009-08-24] ()
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [116104 2010-04-05] ()
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [15125280 2013-11-08] (NVIDIA Corporation)
S3 SandraAgentSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2011.SP1a\RpcAgentSrv.exe [93848 2009-08-10] (SiSoftware)

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-09-27] (NVIDIA Corporation)
R1 SBRE; C:\Windows\system32\drivers\SBREdrv.sys [55384 2011-06-28] (Sunbelt Software)
R3 ALSysIO; \??\C:\Users\KITTYC~1\AppData\Local\Temp\ALSysIO64.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 18:00 - 2014-03-17 18:00 - 00005845 _____ () C:\Users\Kitty Clark\Desktop\ESET.txt
2014-03-17 14:53 - 2014-03-17 14:53 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-17 14:52 - 2014-03-17 14:52 - 02347384 _____ (ESET) C:\Users\Kitty Clark\Downloads\esetsmartinstaller_enu.exe
2014-03-17 14:30 - 2014-03-17 19:00 - 00000834 _____ () C:\Windows\Tasks\Security Center Update - 11611984.job
2014-03-17 14:30 - 2014-03-17 14:30 - 00003854 _____ () C:\Windows\System32\Tasks\Security Center Update - 11611984
2014-03-17 03:14 - 2014-03-17 03:14 - 00000000 ____D () C:\Users\Kitty Clark\Downloads\tdsskiller
2014-03-17 03:13 - 2014-03-17 03:14 - 02218636 _____ () C:\Users\Kitty Clark\Downloads\tdsskiller.zip
2014-03-17 03:02 - 2014-03-17 03:05 - 00043902 _____ () C:\Users\Kitty Clark\Downloads\Addition.txt
2014-03-17 02:58 - 2014-03-17 19:12 - 00013397 _____ () C:\Users\Kitty Clark\Downloads\FRST.txt
2014-03-17 02:56 - 2014-03-17 19:11 - 00000000 ____D () C:\FRST
2014-03-17 02:56 - 2014-03-17 02:56 - 02157056 _____ (Farbar) C:\Users\Kitty Clark\Downloads\FRST64.exe
2014-03-17 02:35 - 2014-03-17 19:09 - 00000035 _____ () C:\Users\Kitty Clark\Desktop\Gary Reply.txt
2014-03-17 02:32 - 2014-03-17 02:32 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-KITTY4-Microsoft-Windows-7-Professional-(64-bit).dat
2014-03-17 02:31 - 2014-03-17 02:31 - 00000000 ____D () C:\RegBackup
2014-03-17 02:30 - 2014-03-17 02:30 - 00002245 _____ () C:\Users\Kitty Clark\Desktop\Tweaking.com - Registry Backup.lnk
2014-03-17 02:30 - 2014-03-17 02:30 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-03-17 02:29 - 2014-03-17 02:29 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-03-17 02:28 - 2014-03-17 02:28 - 03944112 _____ () C:\Users\Kitty Clark\Downloads\tweaking.com_registry_backup_setup.exe
2014-03-16 16:13 - 2014-03-16 16:13 - 00022982 _____ () C:\Users\Kitty Clark\Desktop\dds.txt
2014-03-16 16:13 - 2014-03-16 16:13 - 00014698 _____ () C:\Users\Kitty Clark\Desktop\attach.txt
2014-03-16 16:09 - 2014-03-16 16:10 - 00688992 ____R (Swearware) C:\Users\Kitty Clark\Downloads\dds.com
2014-03-16 15:55 - 2014-03-16 16:02 - 00001821 _____ () C:\Users\Kitty Clark\Desktop\MalwareRemoval.txt
2014-03-15 23:18 - 2014-03-15 23:18 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\iexplore.exe.exe
2014-03-15 22:31 - 2014-03-15 22:31 - 00237056 _____ (SC BitDefender , Romania) C:\Users\Kitty Clark\Downloads\ZbotRemovalTool.exe
2014-03-15 16:01 - 2014-03-15 16:01 - 03640880 _____ () C:\Users\Kitty Clark\Downloads\avg_remover_zbot.exe
2014-03-14 21:36 - 2014-03-14 21:36 - 00003560 ____N () C:\bootsqm.dat
2014-03-14 17:35 - 2014-03-14 17:36 - 104233240 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\msert(1).exe
2014-03-14 17:12 - 2014-03-14 17:13 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-03-14 17:12 - 2014-03-14 17:12 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-14 17:07 - 2014-03-14 17:08 - 13670584 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\mseinstall(1).exe
2014-03-13 20:19 - 2014-03-13 20:19 - 00122976 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\zbotkiller.exe
2014-03-13 20:07 - 2014-03-13 20:07 - 26437344 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\Windows-KB890830-x64-V5.10(1).exe
2014-03-13 05:34 - 2014-03-15 18:33 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-11 17:52 - 2014-03-01 01:05 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-11 17:52 - 2014-03-01 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-11 17:52 - 2014-03-01 00:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-03-11 17:52 - 2014-02-28 23:58 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-11 17:52 - 2014-02-28 23:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-03-11 17:52 - 2014-02-28 23:51 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-03-11 17:52 - 2014-02-28 23:42 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-11 17:52 - 2014-02-28 23:40 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-03-11 17:52 - 2014-02-28 23:37 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-11 17:52 - 2014-02-28 23:33 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-11 17:52 - 2014-02-28 23:33 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-03-11 17:52 - 2014-02-28 23:32 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-03-11 17:52 - 2014-02-28 23:30 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-03-11 17:52 - 2014-02-28 23:23 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-03-11 17:52 - 2014-02-28 23:17 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-03-11 17:52 - 2014-02-28 23:11 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-03-11 17:52 - 2014-02-28 23:02 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-03-11 17:52 - 2014-02-28 22:54 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-11 17:52 - 2014-02-28 22:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-03-11 17:52 - 2014-02-28 22:51 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-03-11 17:52 - 2014-02-28 22:47 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-03-11 17:52 - 2014-02-28 22:43 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-03-11 17:52 - 2014-02-28 22:43 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-03-11 17:52 - 2014-02-28 22:42 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-11 17:52 - 2014-02-28 22:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-03-11 17:52 - 2014-02-28 22:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-03-11 17:52 - 2014-02-28 22:37 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-03-11 17:52 - 2014-02-28 22:35 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-11 17:52 - 2014-02-28 22:18 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-11 17:52 - 2014-02-28 22:16 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-03-11 17:52 - 2014-02-28 22:14 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-03-11 17:52 - 2014-02-28 22:10 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-11 17:52 - 2014-02-28 22:03 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-03-11 17:52 - 2014-02-28 22:00 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-03-11 17:52 - 2014-02-28 21:57 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-03-11 17:52 - 2014-02-28 21:38 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-11 17:52 - 2014-02-28 21:32 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-03-11 17:52 - 2014-02-28 21:27 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-03-11 17:52 - 2014-02-28 21:25 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-03-11 17:52 - 2014-02-28 21:25 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-03-11 17:52 - 2014-02-06 20:23 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-11 17:52 - 2014-02-03 21:32 - 00624128 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-11 17:52 - 2014-02-03 21:04 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2014-03-11 17:52 - 2014-01-28 21:32 - 00484864 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-11 17:52 - 2014-01-28 21:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2014-03-11 17:52 - 2014-01-27 21:32 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-03-11 17:51 - 2014-02-03 21:32 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-03-11 17:51 - 2014-02-03 21:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iTunes
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iPod
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-26 18:12 - 2014-02-26 18:13 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-02-26 14:57 - 2014-01-08 21:22 - 05694464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-02-26 14:57 - 2014-01-03 17:44 - 06574592 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll

==================== One Month Modified Files and Folders =======

2014-03-17 19:12 - 2014-03-17 02:58 - 00013397 _____ () C:\Users\Kitty Clark\Downloads\FRST.txt
2014-03-17 19:11 - 2014-03-17 02:56 - 00000000 ____D () C:\FRST
2014-03-17 19:10 - 2011-04-10 22:37 - 01475722 _____ () C:\Windows\WindowsUpdate.log
2014-03-17 19:09 - 2014-03-17 02:35 - 00000035 _____ () C:\Users\Kitty Clark\Desktop\Gary Reply.txt
2014-03-17 19:05 - 2011-10-16 17:28 - 00006613 _____ () C:\Windows\setupact.log
2014-03-17 19:05 - 2011-05-04 23:41 - 00000148 _____ () C:\service.log
2014-03-17 19:04 - 2011-04-25 21:06 - 00025640 _____ (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
2014-03-17 19:04 - 2010-02-28 13:39 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-03-17 19:04 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-17 19:00 - 2014-03-17 14:30 - 00000834 _____ () C:\Windows\Tasks\Security Center Update - 11611984.job
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Vyoqti
2014-03-17 18:59 - 2014-03-17 18:59 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Omvutyg
2014-03-17 18:59 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-17 18:59 - 2009-07-13 23:45 - 00025552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-17 18:00 - 2014-03-17 18:00 - 00005845 _____ () C:\Users\Kitty Clark\Desktop\ESET.txt
2014-03-17 17:50 - 2012-04-07 15:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-17 14:53 - 2014-03-17 14:53 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-17 14:52 - 2014-03-17 14:52 - 02347384 _____ (ESET) C:\Users\Kitty Clark\Downloads\esetsmartinstaller_enu.exe
2014-03-17 14:30 - 2014-03-17 14:30 - 00003854 _____ () C:\Windows\System32\Tasks\Security Center Update - 11611984
2014-03-17 03:14 - 2014-03-17 03:14 - 00000000 ____D () C:\Users\Kitty Clark\Downloads\tdsskiller
2014-03-17 03:14 - 2014-03-17 03:13 - 02218636 _____ () C:\Users\Kitty Clark\Downloads\tdsskiller.zip
2014-03-17 03:05 - 2014-03-17 03:02 - 00043902 _____ () C:\Users\Kitty Clark\Downloads\Addition.txt
2014-03-17 02:56 - 2014-03-17 02:56 - 02157056 _____ (Farbar) C:\Users\Kitty Clark\Downloads\FRST64.exe
2014-03-17 02:42 - 2011-09-24 11:19 - 00269378 _____ () C:\Windows\PFRO.log
2014-03-17 02:39 - 2011-05-12 16:36 - 00000197 _____ () C:\Windows\wininit.ini
2014-03-17 02:32 - 2014-03-17 02:32 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-KITTY4-Microsoft-Windows-7-Professional-(64-bit).dat
2014-03-17 02:31 - 2014-03-17 02:31 - 00000000 ____D () C:\RegBackup
2014-03-17 02:30 - 2014-03-17 02:30 - 00002245 _____ () C:\Users\Kitty Clark\Desktop\Tweaking.com - Registry Backup.lnk
2014-03-17 02:30 - 2014-03-17 02:30 - 00000000 ____D () C:\Users\Kitty Clark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-03-17 02:29 - 2014-03-17 02:29 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-03-17 02:28 - 2014-03-17 02:28 - 03944112 _____ () C:\Users\Kitty Clark\Downloads\tweaking.com_registry_backup_setup.exe
2014-03-16 16:13 - 2014-03-16 16:13 - 00022982 _____ () C:\Users\Kitty Clark\Desktop\dds.txt
2014-03-16 16:13 - 2014-03-16 16:13 - 00014698 _____ () C:\Users\Kitty Clark\Desktop\attach.txt
2014-03-16 16:10 - 2014-03-16 16:09 - 00688992 ____R (Swearware) C:\Users\Kitty Clark\Downloads\dds.com
2014-03-16 16:02 - 2014-03-16 15:55 - 00001821 _____ () C:\Users\Kitty Clark\Desktop\MalwareRemoval.txt
2014-03-16 15:11 - 2013-10-03 20:15 - 00000338 _____ () C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
2014-03-16 15:11 - 2013-10-03 20:14 - 00000352 _____ () C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
2014-03-15 23:48 - 2011-11-28 17:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-15 23:18 - 2014-03-15 23:18 - 02237968 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\iexplore.exe.exe
2014-03-15 22:31 - 2014-03-15 22:31 - 00237056 _____ (SC BitDefender , Romania) C:\Users\Kitty Clark\Downloads\ZbotRemovalTool.exe
2014-03-15 18:33 - 2014-03-13 05:34 - 00000000 ____D () C:\Windows\Microsoft Antimalware
2014-03-15 16:01 - 2014-03-15 16:01 - 03640880 _____ () C:\Users\Kitty Clark\Downloads\avg_remover_zbot.exe
2014-03-15 15:04 - 2009-07-14 00:13 - 00786538 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-14 22:20 - 2009-07-14 00:08 - 00032558 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-14 21:36 - 2014-03-14 21:36 - 00003560 ____N () C:\bootsqm.dat
2014-03-14 17:36 - 2014-03-14 17:35 - 104233240 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\msert(1).exe
2014-03-14 17:13 - 2014-03-14 17:12 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-03-14 17:13 - 2011-09-26 12:35 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-03-14 17:12 - 2014-03-14 17:12 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-03-14 17:08 - 2014-03-14 17:07 - 13670584 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\mseinstall(1).exe
2014-03-13 20:19 - 2014-03-13 20:19 - 00122976 _____ (Kaspersky Lab ZAO) C:\Users\Kitty Clark\Downloads\zbotkiller.exe
2014-03-13 20:07 - 2014-03-13 20:07 - 26437344 _____ (Microsoft Corporation) C:\Users\Kitty Clark\Downloads\Windows-KB890830-x64-V5.10(1).exe
2014-03-13 01:52 - 2011-09-24 11:19 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-13 00:52 - 2013-11-23 22:29 - 00064512 ___SH () C:\Users\Kitty Clark\Desktop\Thumbs.db
2014-03-12 14:50 - 2012-04-07 15:30 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-03-12 14:50 - 2012-04-07 15:30 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-03-12 14:50 - 2011-06-02 15:44 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-03-11 19:27 - 2009-07-13 23:45 - 00420360 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-11 19:26 - 2012-05-08 18:32 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-11 19:26 - 2012-05-08 18:32 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-03-11 19:25 - 2011-08-26 14:36 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-03-11 18:04 - 2010-02-05 02:50 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-03-11 18:00 - 2013-07-16 18:37 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-02 14:05 - 2011-04-10 21:52 - 90015360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-03-01 01:05 - 2014-03-11 17:52 - 23133696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-01 00:17 - 2014-03-11 17:52 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-01 00:16 - 2014-03-11 17:52 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-02-28 23:58 - 2014-03-11 17:52 - 02765824 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-28 23:52 - 2014-03-11 17:52 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-02-28 23:51 - 2014-03-11 17:52 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-02-28 23:42 - 2014-03-11 17:52 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-28 23:40 - 2014-03-11 17:52 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-02-28 23:37 - 2014-03-11 17:52 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-28 23:33 - 2014-03-11 17:52 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-28 23:33 - 2014-03-11 17:52 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-02-28 23:32 - 2014-03-11 17:52 - 00708608 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-02-28 23:30 - 2014-03-11 17:52 - 17074688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-28 23:23 - 2014-03-11 17:52 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-02-28 23:17 - 2014-03-11 17:52 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-02-28 23:11 - 2014-03-11 17:52 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-28 23:02 - 2014-03-11 17:52 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-02-28 22:54 - 2014-03-11 17:52 - 05768704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-28 22:52 - 2014-03-11 17:52 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-02-28 22:51 - 2014-03-11 17:52 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-02-28 22:47 - 2014-03-11 17:52 - 02168320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-28 22:43 - 2014-03-11 17:52 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-28 22:43 - 2014-03-11 17:52 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-02-28 22:42 - 2014-03-11 17:52 - 00627200 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-28 22:40 - 2014-03-11 17:52 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-28 22:38 - 2014-03-11 17:52 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-28 22:37 - 2014-03-11 17:52 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-02-28 22:35 - 2014-03-11 17:52 - 02041856 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-28 22:18 - 2014-03-11 17:52 - 13051904 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-28 22:16 - 2014-03-11 17:52 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-02-28 22:14 - 2014-03-11 17:52 - 04244480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-28 22:10 - 2014-03-11 17:52 - 02334208 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-28 22:03 - 2014-03-11 17:52 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-28 22:00 - 2014-03-11 17:52 - 01964032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-28 21:57 - 2014-03-11 17:52 - 11266048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-28 21:38 - 2014-03-11 17:52 - 01393664 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-28 21:32 - 2014-03-11 17:52 - 01820160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-28 21:27 - 2014-03-11 17:52 - 01156096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-28 21:25 - 2014-03-11 17:52 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-02-28 21:25 - 2014-03-11 17:52 - 00703488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-02-28 12:31 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-02-26 18:19 - 2012-09-13 15:10 - 00001793 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iTunes
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files\iPod
2014-02-26 18:18 - 2014-02-26 18:18 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-02-26 18:13 - 2014-02-26 18:12 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-02-24 00:02 - 2009-07-13 21:34 - 00450811 ____R () C:\Windows\system32\Drivers\etc\hosts.20140307-173755.backup
2014-02-21 11:05 - 2012-04-29 14:24 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-03-10 15:27

==================== End Of Log ============================
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm