
Virus or malware using tons of bandwidth


  • This topic is locked
19 replies to this topic

#1 Charzz

Charzz

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:56 PM

Posted 07 March 2014 - 10:24 PM

There is a virus or a very nasty piece of malware on my computer. My virus scanner won't pick it up, nor will Malwarebytes. This virus seems to start up whenever I boot up my computer. It has come onto my computer in the last couple of days. I did a system restore dating back a couple of days and it doesn't seem to chew up my bandwidth then, but when I restart the computer it sucks up all of my bandwidth right away. I have already had 30 gig sucked out by it. Please will someone help me, thanks. PS: it is not someone hacking my wireless. I don't have wireless, and my bandwidth meter says it's my computer using it. I have been checking my bandwidth meter and this nasty virus/malware is sucking the bandwidth out at a very fast pace. I have spent a whole day trying to remove the darn thing, with no luck. I don't even know how it got on here in the first place when I have Kaspersky with firewall and the full Malwarebytes version. To be able to ask for help on here without the virus/malware sucking up my gigs, I had to do a system restore from a couple of days ago, before this nasty thing got on my computer, but I know as soon as I restart the computer it will come back. I also have an external hard drive, so if I need to download anything and then restart the computer I can put it on my external so I don't lose bandwidth; the darn thing just keeps sucking up my bandwidth. To give everyone an idea of how fast it is: it will suck up 3 gigs in 10 minutes, and it is my computer doing it; there are no other programs running at all in the background. Clearly it is a hidden virus sucking up my broadband at a very fast rate.


Edited by Charzz, 08 March 2014 - 01:08 AM.



#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:56 PM

Posted 08 March 2014 - 12:11 PM

Hi there,
My name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.


Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB
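Marius asks for the FRST.txt before deciding anything, so it helps to know what a responder looks for in it. The script below is an added example for this thread, not FRST's own code and not something Marius posted: it reads lines in the layout FRST prints for its Processes, Registry Run, Services and Drivers sections and flags the entries worth a closer look: image files FRST reports as missing ([X], No File, No ImagePath), entries with an empty publisher field (), and startup entries or processes running from outside Program Files and Windows. The sample log lines inside it are constructed for the example; the vendor names and paths in them are placeholders, not findings about the poster's machine.

```python
"""Triage of FRST.txt-style lines: which entries a responder checks first.

Added example for this thread (not FRST's own code). It understands the
line layouts FRST prints in its Processes, Registry, Services and
Drivers sections and flags entries with a missing image file, an empty
publisher field, or a binary outside Program Files / Windows.
"""
import re
from dataclasses import dataclass, field

# Locations where startup entries are expected; anything else gets a note.
SAFE_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample in FRST's line layout. Vendor names and paths are placeholders.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
() C:\Program Files (x86)\ExampleVendor\Engine\engine.exe
(Example Publisher) C:\Users\Someone\AppData\Roaming\updater\upd.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [Example Daemon] - "C:\Program Files (x86)\Example\DaemonProcess.exe"
HKU\S-1-5-21-1111\...\Run: [Updater] - C:\Users\Someone\AppData\Local\Temp\upd.exe [40960 2014-03-06] ()

==================== Services (Whitelisted) =================

R2 ExampleSvc; C:\Program Files (x86)\Example\svc.exe [758224 2013-11-06] (Example GmbH)
S3 catchme; \??\C:\Example\catchme.sys [X]

==================== Drivers (Whitelisted) ====================

S1 Beep; No ImagePath
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-11-02] ()
"""

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")          # "==== Name ===="
PROCESS_RE = re.compile(r"^\(([^()]*)\)\s+(.+)$")          # "(Publisher) path"
RUN_RE = re.compile(r"^(HK\S+?)\\\.\.\.\\Run: \[([^\]]+)\] - (.+)$")
SERVICE_RE = re.compile(r"^([RSU]\d) ([^;]+); (.+)$")      # "R2 Name; details"
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")             # trailing "(Publisher)"
DETAILS_RE = re.compile(r"\s*\[[^\]]*\]\s*$")              # trailing "[size date]" / "[X]"


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_details(rest):
    """Split FRST's 'path [size date] (Publisher)' tail into (path, publisher, missing).

    publisher is None when FRST printed no trailing "(...)" at all and "" for "()".
    """
    rest = rest.strip()
    missing = "[X]" in rest or "No File" in rest or rest == "No ImagePath"
    publisher = None
    m = PUBLISHER_RE.search(rest)
    if m:
        publisher = m.group(1).strip()
        rest = rest[: m.start()].rstrip()
    rest = DETAILS_RE.sub("", rest)
    rest = re.sub(r"\s+No File$", "", rest)
    path = rest.strip().strip('"')
    if path.startswith("\\??\\"):          # NT object path prefix used for drivers
        path = path[4:]
    return path, publisher, missing


def assess(path, publisher, missing):
    """Return the list of reasons an entry deserves a closer look (empty = none)."""
    reasons = []
    if missing:
        reasons.append("image file missing on disk")
    if publisher == "":
        reasons.append("empty publisher field")
    elif publisher is None and not missing:
        reasons.append("FRST recorded no size/date/publisher for the file")
    lowered = path.lower()
    if re.match(r"^[a-z]:\\", lowered) and not lowered.startswith(SAFE_PREFIXES):
        reasons.append("runs from outside Program Files / Windows")
    return reasons


def triage(text):
    """Walk an FRST-style log and collect flagged entries from the four sections."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("Processes"):
            m = PROCESS_RE.match(line)
            if not m:
                continue
            publisher, path, missing = m.group(1).strip(), m.group(2).strip(), False
            name = path.rsplit("\\", 1)[-1]
        elif section.startswith("Registry"):
            m = RUN_RE.match(line)
            if not m:
                continue
            name = m.group(2)
            path, publisher, missing = parse_details(m.group(3))
        elif section.startswith(("Services", "Drivers")):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            name = m.group(2)
            path, publisher, missing = parse_details(m.group(3))
        else:
            continue
        reasons = assess(path, publisher, missing)
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

A flag here is a prompt to look at the file, not a verdict: hardware utilities with no company name in their version info and leftover driver entries from uninstalled tools show up just as readily, which is the same false-positive caution Marius gives for the rootkit scan. Point `triage()` at the text of a real FRST.txt instead of `SAMPLE_LOG` to get the same listing for an actual log.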

#3 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:56 PM

Posted 08 March 2014 - 07:35 PM

Hi there thank you for your help. Here are my logs.

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-03-2014 01
Ran by Charlotte (administrator) on CHARLOTTE-PC on 09-03-2014 13:09:32
Running from C:\Users\Charlotte\Desktop
Windows Vista ™ Ultimate Service Pack 2 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\LCore.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
() C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
(Logitech Inc.) C:\Program Files\Logitech Gaming Software\Applets\LCDPop3.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Launch LCore] - C:\Program Files\Logitech Gaming Software\LCore.exe [6900024 2012-07-24] (Logitech Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LifeCam] - C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - E:\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [mobilegeni daemon] - "C:\Program Files (x86)\Mobogenie\DaemonProcess.exe"
HKLM-x32\...\Run: [AVP] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe [356128 2014-01-07] (Kaspersky Lab ZAO)
HKU\S-1-5-21-3261221056-2756048321-2121388272-1000\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3261221056-2756048321-2121388272-1000\...\Run: [WMPNSCFG] - C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x386067E8B8C6CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-nz
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {134F170B-B529-404E-932D-A5F92151CD7A} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3225826
BHO: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x64\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
BHO-x32: Content Blocker Plugin - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Virtual Keyboard Plugin - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: URL Advisor Plugin - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF ProfilePath: C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\1xfzj4gf.default-1364703228275
FF user.js: detected! => C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\1xfzj4gf.default-1364703228275\user.js
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_70.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_70.dll ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @nullsoft.com/winampDetector;version=1 - E:\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-02-19]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-02-19]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected]
FF Extension: Kaspersky URL Advisor - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected] [2014-01-07]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected]
FF Extension: Virtual Keyboard - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected] [2014-01-07]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected]
FF Extension: Content Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected] [2014-01-07]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected]
FF Extension: Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected] [2014-01-07]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected]
FF Extension: Safe Money - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\[email protected] [2014-01-07]
 
Chrome: 
=======
CHR DefaultSearchKeyword: holasearch.com
CHR DefaultSearchProvider: Hola Search
CHR DefaultNewTabURL: 
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.146\pdf.dll ()
CHR Plugin: (Microsoft® Windows Media Player Firefox Plugin) - C:\Program Files (x86)\Mozilla Firefox\plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll No File
CHR Extension: (Kaspersky URL Advisor) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj [2014-01-08]
CHR Extension: (Safe Money) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\hakdifolhalapjijoafobooafbilfakh [2014-01-13]
CHR Extension: (Content Blocker) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\hghkgaeecgjhjkannahfamoehjmkjail [2014-01-08]
CHR Extension: (Virtual Keyboard) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh [2014-01-08]
CHR Extension: (Skype Click to Call) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-04-03]
CHR Extension: (Google Wallet) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Anti-Banner) - C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman [2014-01-13]
CHR HKLM-x32\...\Chrome\Extension: [dchlnpcodkpfdpacogkljefecpegganj] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\urladvisor.crx [2013-03-06]
CHR HKLM-x32\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\online_banking_chrome.crx [2013-03-06]
CHR HKLM-x32\...\Chrome\Extension: [hghkgaeecgjhjkannahfamoehjmkjail] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\content_blocker_chrome.crx [2013-03-06]
CHR HKLM-x32\...\Chrome\Extension: [jagncdcchgajhfhijbbhecadmaiegcmh] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\virtkbd.crx [2013-03-06]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]
CHR HKLM-x32\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\ab.crx [2013-03-06]
 
==================== Services (Whitelisted) =================
 
R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe [356128 2014-01-07] (Kaspersky Lab ZAO)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S3 TunngleService; E:\Tunngle\TnglCtrl.exe [758224 2013-11-06] (Tunngle.net GmbH)
 
==================== Drivers (Whitelisted) ====================
 
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [14392 2007-12-17] ()
S1 Beep; No ImagePath
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [458336 2014-01-07] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [626272 2014-01-07] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [29792 2014-01-07] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [29280 2014-01-07] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [29280 2014-01-07] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54368 2014-01-07] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [178448 2014-01-07] (Kaspersky Lab ZAO)
R3 L1E; C:\Windows\System32\DRIVERS\L1E60x64.sys [57856 2009-08-05] (Atheros Communications, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-11-02] ()
S3 pbfilter; E:\pbfilter.sys [19544 2012-11-18] ()
R3 tap0901t; C:\Windows\System32\DRIVERS\tap0901t.sys [31232 2009-09-16] (Tunngle.net)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Adware.exe\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [90208 2014-01-07] (Kaspersky Lab ZAO)
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-09 13:09 - 2014-03-09 13:10 - 00017794 _____ () C:\Users\Charlotte\Desktop\FRST.txt
2014-03-09 13:09 - 2014-03-09 12:56 - 02156544 _____ (Farbar) C:\Users\Charlotte\Desktop\FRST64.exe
2014-03-09 12:57 - 2014-03-09 13:09 - 00000000 ____D () C:\FRST
2014-03-08 12:10 - 2014-03-08 12:10 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-08 11:44 - 2014-03-08 11:44 - 00071342 _____ () C:\Users\Charlotte\Downloads\OTL.Txt
2014-03-08 00:56 - 2014-03-08 00:56 - 00002982 _____ () C:\Windows\System32\Tasks\{808F58FD-47E5-4C27-AC1F-6E7A823BDADA}
2014-03-08 00:18 - 2014-03-08 00:30 - 295120776 _____ () C:\Users\Charlotte\Downloads\ESForces.v1.3.OPENBETA.FINAL.exe
2014-03-02 21:24 - 2014-03-02 21:24 - 00485691 _____ () C:\Users\Charlotte\Downloads\giji_ssj.rar
2014-03-02 19:41 - 2014-03-02 19:43 - 37413068 _____ () C:\Users\Charlotte\Downloads\lamron333s_evmv2.0_modles_fix_1.rar
2014-03-02 19:18 - 2014-03-02 19:18 - 01141680 _____ () C:\Users\Charlotte\Downloads\SteamSetup.exe
2014-03-02 19:18 - 2014-03-02 19:18 - 00000464 _____ () C:\Users\Public\Desktop\Steam.lnk
2014-03-02 17:54 - 2014-03-02 17:54 - 00003066 _____ () C:\Windows\System32\Tasks\{CC15EE1E-8279-4839-A9EF-8034E2F37E9D}
2014-03-02 17:51 - 2014-03-02 17:51 - 00000637 _____ () C:\Users\UpdatusUser\Desktop\Team Fortress Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000637 _____ () C:\Users\Charlotte\Desktop\Team Fortress Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\UpdatusUser\Desktop\Ricochet.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\UpdatusUser\Desktop\Deathmatch Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\Charlotte\Desktop\Ricochet.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\Charlotte\Desktop\Deathmatch Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000581 _____ () C:\Users\UpdatusUser\Desktop\Half-Life.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000581 _____ () C:\Users\Charlotte\Desktop\Half-Life.lnk
2014-03-02 17:41 - 2014-03-02 17:41 - 00000587 _____ () C:\Users\UpdatusUser\Desktop\SG-1 Missions Demo.lnk
2014-03-02 17:39 - 2014-03-02 17:40 - 18349569 _____ () C:\Users\Charlotte\Downloads\stargatetc_sg1_demo_en.exe
2014-03-02 15:24 - 2014-03-02 15:24 - 01759480 _____ (Bandoo Media Inc) C:\Users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe
2014-03-02 15:23 - 2014-03-02 15:23 - 00004522 _____ () C:\Users\Charlotte\Downloads\esf_powerlevel_changer.sma
2014-03-02 14:49 - 2014-03-02 14:49 - 00003098 _____ () C:\Windows\System32\Tasks\{452E1988-0BF1-42DF-8DC4-D83DD2A67F2F}
2014-03-02 14:38 - 2014-03-02 14:47 - 198778467 _____ () C:\Users\Charlotte\Downloads\coronabytes.net_ecx_rc2.exe
2014-03-02 14:27 - 2014-03-02 14:35 - 193797819 _____ () C:\Users\Charlotte\Downloads\esfb123.exe
2014-02-27 09:32 - 2014-03-01 03:08 - 00744336 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-02-19 13:56 - 2014-02-19 13:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-13 06:42 - 2014-02-05 23:19 - 17849344 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-13 06:42 - 2014-02-05 23:02 - 10926080 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-13 06:42 - 2014-02-05 23:00 - 02334720 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-13 06:42 - 2014-02-05 22:54 - 01392128 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-13 06:42 - 2014-02-05 22:54 - 01347072 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-13 06:42 - 2014-02-05 22:52 - 01494528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-13 06:42 - 2014-02-05 22:52 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-13 06:42 - 2014-02-05 22:52 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-13 06:42 - 2014-02-05 22:51 - 02147840 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-13 06:42 - 2014-02-05 22:51 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-13 06:42 - 2014-02-05 22:51 - 00729088 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-13 06:42 - 2014-02-05 22:51 - 00599040 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-13 06:42 - 2014-02-05 22:51 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-13 06:42 - 2014-02-05 22:50 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-13 06:42 - 2014-02-05 22:50 - 00248320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-13 06:42 - 2014-02-05 22:50 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-13 06:42 - 2014-02-05 21:58 - 12345344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-02-13 06:42 - 2014-02-05 21:56 - 01806848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-02-13 06:42 - 2014-02-05 21:53 - 09739264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-02-13 06:42 - 2014-02-05 21:51 - 01105408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-02-13 06:42 - 2014-02-05 21:50 - 01129472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-02-13 06:42 - 2014-02-05 21:49 - 01427968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-02-13 06:42 - 2014-02-05 21:49 - 00231936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2014-02-13 06:42 - 2014-02-05 21:48 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-02-13 06:42 - 2014-02-05 21:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-02-13 06:42 - 2014-02-05 21:48 - 00421376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-02-13 06:42 - 2014-02-05 21:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-02-13 06:42 - 2014-02-05 21:48 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-02-13 06:42 - 2014-02-05 21:47 - 02382848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-02-13 06:42 - 2014-02-05 21:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-02-13 06:42 - 2014-02-05 21:47 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-02-13 06:42 - 2014-02-05 21:46 - 00176640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-02-12 11:21 - 2013-12-05 17:48 - 01869824 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-12 11:21 - 2013-12-05 15:12 - 01248768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
 
==================== One Month Modified Files and Folders =======
 
2014-03-09 13:10 - 2014-03-09 13:09 - 00017794 _____ () C:\Users\Charlotte\Desktop\FRST.txt
2014-03-09 13:09 - 2014-03-09 12:57 - 00000000 ____D () C:\FRST
2014-03-09 13:09 - 2006-11-03 04:26 - 02007345 _____ () C:\Windows\WindowsUpdate.log
2014-03-09 13:08 - 2014-01-07 23:06 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2014-03-09 13:07 - 2014-01-22 10:54 - 00003112 _____ () C:\Windows\System32\Tasks\RDReminder
2014-03-09 13:06 - 2012-10-29 21:03 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-09 13:05 - 2006-11-03 04:40 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-09 13:05 - 2006-11-03 04:21 - 00004336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-09 13:05 - 2006-11-03 04:21 - 00004336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-09 13:03 - 2006-11-03 04:40 - 00032552 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-09 12:56 - 2014-03-09 13:09 - 02156544 _____ (Farbar) C:\Users\Charlotte\Desktop\FRST64.exe
2014-03-09 12:54 - 2012-12-19 17:01 - 00000000 ____D () C:\Users\Charlotte\AppData\Local\Paint.NET
2014-03-09 12:53 - 2012-10-29 21:03 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-09 12:47 - 2012-10-29 19:24 - 00000000 ____D () C:\Users\Charlotte
2014-03-09 12:46 - 2006-11-03 02:34 - 00000000 ____D () C:\Windows\system32\Msdtc
2014-03-09 12:44 - 2013-03-16 18:19 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-03-09 12:44 - 2006-11-03 02:34 - 00000000 ____D () C:\Windows\system32\spool
2014-03-09 12:44 - 2006-11-03 02:33 - 00000000 ____D () C:\Windows\registration
2014-03-09 12:44 - 2006-11-03 01:33 - 55574528 _____ () C:\Windows\system32\config\software_previous
2014-03-09 12:44 - 2006-11-03 01:33 - 51380224 _____ () C:\Windows\system32\config\components_previous
2014-03-09 12:44 - 2006-11-03 01:33 - 22282240 _____ () C:\Windows\system32\config\system_previous
2014-03-09 12:44 - 2006-11-03 01:33 - 00262144 _____ () C:\Windows\system32\config\security_previous
2014-03-09 12:44 - 2006-11-03 01:33 - 00262144 _____ () C:\Windows\system32\config\sam_previous
2014-03-09 12:44 - 2006-11-03 01:33 - 00262144 _____ () C:\Windows\system32\config\default_previous
2014-03-09 03:01 - 2013-03-16 18:19 - 00000000 ____D () C:\ProgramData\Skype
2014-03-08 22:44 - 2012-12-08 21:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-08 20:38 - 2013-02-07 14:52 - 00000000 ____D () C:\Users\Charlotte\AppData\Roaming\vlc
2014-03-08 20:35 - 2012-10-30 15:37 - 00086528 _____ () C:\Users\Charlotte\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-03-08 16:06 - 2013-12-20 16:37 - 00000000 ____D () C:\Users\Charlotte\AppData\Roaming\Tunngle
2014-03-08 16:06 - 2013-12-20 16:37 - 00000000 ____D () C:\ProgramData\Tunngle
2014-03-08 16:06 - 2013-06-19 02:49 - 00000000 ____D () C:\Windows\74224F8D4A1748169EDB7BB854DE532C.TMP
2014-03-08 16:06 - 2012-11-09 14:45 - 00000000 ____D () C:\Users\Charlotte\AppData\Roaming\Winamp
2014-03-08 12:10 - 2014-03-08 12:10 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-03-08 11:44 - 2014-03-08 11:44 - 00071342 _____ () C:\Users\Charlotte\Downloads\OTL.Txt
2014-03-08 11:23 - 2006-11-03 04:39 - 00145938 _____ () C:\Windows\PFRO.log
2014-03-08 00:56 - 2014-03-08 00:56 - 00002982 _____ () C:\Windows\System32\Tasks\{808F58FD-47E5-4C27-AC1F-6E7A823BDADA}
2014-03-08 00:30 - 2014-03-08 00:18 - 295120776 _____ () C:\Users\Charlotte\Downloads\ESForces.v1.3.OPENBETA.FINAL.exe
2014-03-04 15:58 - 2013-12-20 13:58 - 00000292 _____ () C:\Windows\Tasks\DLL-Files FixerASKUSER.job
2014-03-03 10:17 - 2006-11-03 01:46 - 00759582 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-02 21:24 - 2014-03-02 21:24 - 00485691 _____ () C:\Users\Charlotte\Downloads\giji_ssj.rar
2014-03-02 19:43 - 2014-03-02 19:41 - 37413068 _____ () C:\Users\Charlotte\Downloads\lamron333s_evmv2.0_modles_fix_1.rar
2014-03-02 19:18 - 2014-03-02 19:18 - 01141680 _____ () C:\Users\Charlotte\Downloads\SteamSetup.exe
2014-03-02 19:18 - 2014-03-02 19:18 - 00000464 _____ () C:\Users\Public\Desktop\Steam.lnk
2014-03-02 17:54 - 2014-03-02 17:54 - 00003066 _____ () C:\Windows\System32\Tasks\{CC15EE1E-8279-4839-A9EF-8034E2F37E9D}
2014-03-02 17:51 - 2014-03-02 17:51 - 00000637 _____ () C:\Users\UpdatusUser\Desktop\Team Fortress Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000637 _____ () C:\Users\Charlotte\Desktop\Team Fortress Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\UpdatusUser\Desktop\Ricochet.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\UpdatusUser\Desktop\Deathmatch Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\Charlotte\Desktop\Ricochet.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000631 _____ () C:\Users\Charlotte\Desktop\Deathmatch Classic.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000581 _____ () C:\Users\UpdatusUser\Desktop\Half-Life.lnk
2014-03-02 17:51 - 2014-03-02 17:51 - 00000581 _____ () C:\Users\Charlotte\Desktop\Half-Life.lnk
2014-03-02 17:41 - 2014-03-02 17:41 - 00000587 _____ () C:\Users\UpdatusUser\Desktop\SG-1 Missions Demo.lnk
2014-03-02 17:40 - 2014-03-02 17:39 - 18349569 _____ () C:\Users\Charlotte\Downloads\stargatetc_sg1_demo_en.exe
2014-03-02 15:24 - 2014-03-02 15:24 - 01759480 _____ (Bandoo Media Inc) C:\Users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe
2014-03-02 15:23 - 2014-03-02 15:23 - 00004522 _____ () C:\Users\Charlotte\Downloads\esf_powerlevel_changer.sma
2014-03-02 14:49 - 2014-03-02 14:49 - 00003098 _____ () C:\Windows\System32\Tasks\{452E1988-0BF1-42DF-8DC4-D83DD2A67F2F}
2014-03-02 14:47 - 2014-03-02 14:38 - 198778467 _____ () C:\Users\Charlotte\Downloads\coronabytes.net_ecx_rc2.exe
2014-03-02 14:35 - 2014-03-02 14:27 - 193797819 _____ () C:\Users\Charlotte\Downloads\esfb123.exe
2014-03-02 14:14 - 2013-12-20 14:05 - 00000000 ____D () C:\Users\Charlotte\Documents\My Games
2014-03-01 14:03 - 2013-12-20 13:57 - 00000300 _____ () C:\Windows\Tasks\DLL-Files.Com Fixer_Updates.job
2014-03-01 03:08 - 2014-02-27 09:32 - 00744336 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-02-28 21:05 - 2013-08-03 12:34 - 00000000 ____D () C:\Users\Charlotte\AppData\Local\Microsoft Games
2014-02-26 11:31 - 2012-11-18 01:04 - 00000000 ____D () C:\Users\Charlotte\AppData\Roaming\BitTorrent
2014-02-24 10:44 - 2012-12-08 15:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-02-21 13:45 - 2012-12-08 21:55 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-21 13:45 - 2012-12-08 21:55 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-21 13:45 - 2012-12-08 21:55 - 00003682 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-19 15:52 - 2006-11-03 04:26 - 00017956 _____ () C:\Windows\setupact.log
2014-02-19 14:04 - 2013-12-20 13:57 - 00000284 _____ () C:\Windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job
2014-02-19 13:56 - 2014-02-19 13:56 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-02-17 10:09 - 2013-07-21 13:52 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-17 10:06 - 2006-11-03 01:35 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-02-12 11:48 - 2012-10-29 21:03 - 00003900 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-12 11:48 - 2012-10-29 21:03 - 00003648 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
 
Some content of TEMP:
====================
C:\Users\Charlotte\AppData\Local\Temp\A~NSISu_.exe
C:\Users\Charlotte\AppData\Local\Temp\drm_dyndata_7370014.dll
C:\Users\Charlotte\AppData\Local\Temp\drm_dyndata_7380006.dll
C:\Users\Charlotte\AppData\Local\Temp\drm_dyndata_7380014.dll
C:\Users\Charlotte\AppData\Local\Temp\drm_dyndata_7410004.dll
C:\Users\Charlotte\AppData\Local\Temp\SkypeSetup.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-09 13:11
 
==================== End Of Log ============================
 
 
Addition Log:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-03-2014 01
Ran by Charlotte at 2014-03-09 13:10:32
Running from C:\Users\Charlotte\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Kaspersky Internet Security (Enabled - Up to date) {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AS: Kaspersky Internet Security (Enabled - Up to date) {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security (Enabled) {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
 
==================== Installed Programs ======================
 
ActiveX912 v3.0.0.8 (HKLM-x32\...\ActiveX912_is1) (Version: 3.0.0.8 - )
Adobe Flash Player 12 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Reader X (10.1.9) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.38 - Atheros Communications Inc.)
BitTorrent (HKLM-x32\...\BitTorrent) (Version: 7.7.2.28499 - BitTorrent Inc.)
Central Management System(VH3E-E-2.0.1.7) (HKLM-x32\...\Central Management System(VH3E-E-2.0.1.7)_is1) (Version: 2.0.1.7 - )
Dll-Files Fixer (HKLM-x32\...\Dll-Files Fixer_is1) (Version: 3.1.81 - Dll-Files.com)
ENPlayer_8125 (HKLM-x32\...\H3_ActiveX_8125_is1) (Version: 3.0.1.3 - )
EPU-4 Engine (HKLM-x32\...\{8F66047B-1AF3-40D9-80D7-106E2EDC2C2A}) (Version: 1.00.07 - )
ESForces (HKLM-x32\...\ESForces) (Version: 1.3 OPENBETA FINAL - ESForces Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 33.0.1750.146 - Google Inc.)
Google Update Helper (x32 Version: 1.3.22.5 - Google Inc.) Hidden
Grand Theft Auto IV (HKLM-x32\...\{579BA58C-F33D-4970-9953-B94B43768AC3}) (Version: 1.00.0000 - Rockstar Games)
Grand Theft Auto IV (x32 Version: 1.0.0013.131 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes From Liberty City (HKLM-x32\...\{61B8B2F9-D8DA-4B24-89A9-DB09F38A4899}) (Version: 1.1.0.0 - Rockstar Games)
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135 - Rockstar Games Inc.) Hidden
Half-Life (HKLM-x32\...\Half-Life_is1) (Version: Half-Life - Non Steam - KingSOFT DVD)
Kaspersky Internet Security 2013 (HKLM-x32\...\InstallWIX_{560985FB-4B76-4121-9189-7A2CDC7886D6}) (Version: 13.0.1.4190 - Kaspersky Lab)
Kaspersky Internet Security 2013 (x32 Version: 13.0.1.4190 - Kaspersky Lab) Hidden
Logitech Gaming Software (Version: 8.35.18 - Logitech Inc.) Hidden
Logitech Gaming Software 8.35 (HKLM\...\Logitech Gaming Software) (Version: 8.35.18 - Logitech Inc.)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Corporation (Version: 9.1.0.0 - Microsoft Corporation) Hidden
Microsoft Corporation (x32 Version: 9.1.0.0 - Microsoft Corporation) Hidden
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{4CB0307C-565E-4441-86BE-0DF2E4FB828C}) (Version: 3.5.50.0 - Microsoft Corporation)
Microsoft LifeCam (HKLM\...\{5CE7E3F5-9803-4F32-AA89-2D8848A80109}) (Version: 3.60.253.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
NVIDIA 3D Vision Controller Driver 314.22 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 314.22 - NVIDIA Corporation)
NVIDIA Control Panel 314.22 (Version: 314.22 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 314.22 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 314.22 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.23.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.23.1 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.115.743 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.12.1031 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
NVIDIA Update 1.12.12 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.12.12 - NVIDIA Corporation)
NVIDIA Update Components (Version: 1.12.12 - NVIDIA Corporation) Hidden
P2P Client (HKLM-x32\...\{E38A7DA3-341C-46EA-8D26-FDF78387D018}) (Version: 3.0.0.0 - hi)
Paint.NET v3.5.10 (HKLM\...\{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}) (Version: 3.60.0 - dotPDN LLC)
PowerPaint 2.50 (HKLM-x32\...\PowerPaint_is1) (Version:  - FLISoft)
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5713 - Realtek Semiconductor Corp.)
Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.13.13771 - Skype Technologies S.A.)
Skype™ 6.3 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.3.105 - Skype Technologies S.A.)
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
System Requirements Lab Detection (HKLM-x32\...\{A407FC22-36BF-4C82-A516-59D94BC505A9}) (Version: 1.0.5.0 - Husdawg, LLC)
Tunngle beta (HKLM-x32\...\Tunngle beta_is1) (Version:  - Tunngle.net GmbH)
Ultimate Extras sounds from Microsoft® Tinker™ (HKLM\...\UltSounds2) (Version:  - Microsoft Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM-x32\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
VLC media player 2.0.5 (HKLM-x32\...\VLC media player) (Version: 2.0.5 - VideoLAN)
Winamp (HKLM-x32\...\Winamp) (Version: 5.65  - Nullsoft, Inc)
Winamp Detector Plug-in (HKCU\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
WinRAR 5.01 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
 
==================== Restore Points  =========================
 
07-03-2014 23:37:44 Restore Operation
08-03-2014 03:02:46 Restore Operation
08-03-2014 05:22:31 Before Restart
08-03-2014 07:24:35 Restart 2
08-03-2014 09:54:48 restart 3
08-03-2014 10:23:13 restart 4
08-03-2014 10:24:05 restart again
08-03-2014 14:00:12 Windows Update
08-03-2014 23:42:43 Restore Operation
09-03-2014 00:02:54 restart 5
 
==================== Hosts content: ==========================
 
2006-11-03 01:34 - 2013-03-31 12:47 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {2D83BB9E-C23D-4ED8-8A0D-7B485476DFA2} - System32\Tasks\{BDBB01B2-9234-48E5-B7DE-956A8A290F49} => Firefox.exe http://ui.skype.com/ui/0/6.5.59.158/en/abandoninstall?page=tsProgressBar
Task: {2F9A04D6-1FED-4172-8A08-ADFBCDEA10A5} - System32\Tasks\ASUS\ASUS SIX Engine => C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe [2008-07-23] ()
Task: {3A0FECBC-BB63-4FDA-BAE9-B48FF27EC146} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-02-21] (Adobe Systems Incorporated)
Task: {43180261-1334-47CD-8878-8040BDAE04A0} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\netsh.exe [2006-11-03] (Microsoft Corporation)
Task: {76F452B8-2854-4FA3-9D17-B4D36E5FAEE1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29] (Google Inc.)
Task: {9475DD97-BB54-4FD8-A31A-032B4833F6AA} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {9A441CE9-6C4F-4991-954B-EDCB9256D04F} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => Rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries
Task: {A4A50414-CE69-4A0C-B53A-7C7BB40F50AF} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-19] (Microsoft Corporation)
Task: {AA105019-BFFB-4713-B627-81B47F4419F0} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {C28278BF-1ABF-4595-BB2A-15201DDF25E3} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: {C41E9FD5-A5DB-4DEF-9715-E4F7BAFEE730} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {CFC922A2-E7AA-4040-AFD8-81290900B296} - System32\Tasks\DLL-Files FixerASKUSER => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-11-25] (Dll-FIles.Com)
Task: {DE196CD4-1461-4D94-9D9A-E037C7634284} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29] (Google Inc.)
Task: {E9208F9E-D244-41F4-B8DF-AAC1DE4DEF93} - System32\Tasks\RDReminder => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-11-25] (Dll-FIles.Com)
Task: {EDCB118F-E66A-4D67-85B7-E5622EA84E99} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {F6FBA634-82C7-4456-829E-B59E42C13109} - System32\Tasks\DLL-Files.Com Fixer_Updates => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-11-25] (Dll-FIles.Com)
Task: {FB28B1DE-A2FB-4E07-8A67-A5EEAD580333} - System32\Tasks\DLL-Files.Com Fixer_MONTHLY => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-11-25] (Dll-FIles.Com)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DLL-Files FixerASKUSER.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\Windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\Windows\Tasks\DLL-Files.Com Fixer_Updates.job => C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2012-10-29 20:37 - 2008-07-23 17:04 - 05625344 _____ () C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
2013-03-06 13:24 - 2013-03-06 13:24 - 01310136 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\kpcengine.2.2.dll
2012-10-29 20:37 - 2005-05-11 16:39 - 00565248 _____ () C:\Program Files (x86)\ASUS\EPU-4 Engine\pngio.dll
2012-10-29 20:37 - 2008-04-15 10:07 - 00053248 _____ () C:\Program Files (x86)\ASUS\EPU-4 Engine\AsSpindownTimeout.dll
2012-08-17 21:38 - 2012-08-17 21:38 - 00479160 _____ () C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\dblite.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Disabled items from MSCONFIG ==============
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/09/2014 01:02:12 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3.manifest.
 
Error: (03/09/2014 00:49:50 PM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.
 
Error: (03/09/2014 00:49:26 PM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.
 
Error: (03/09/2014 00:49:01 PM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.
 
Error: (03/08/2014 11:29:07 PM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.
 
Error: (03/08/2014 08:40:01 PM) (Source: Application Hang) (User: )
Description: The program LaunchEFLC.exe version 0.1.0.8 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: de4
Start Time: 01cf3aa18fdbf58f
Termination Time: 2
 
Error: (03/08/2014 07:17:13 PM) (Source: Application Error) (User: )
Description: Faulting application hl.exe, version 1.1.1.1, time stamp 0x43712ff5, faulting module serverbrowser.dll_unloaded, version 0.0.0.0, time stamp 0x42f19fab, exception code 0xc0000005, fault offset 0x0bc3e290,
process id 0x1568, application start time 0xhl.exe0.
 
Error: (03/08/2014 07:16:24 PM) (Source: Application Error) (User: )
Description: Faulting application hl.exe, version 1.1.1.1, time stamp 0x43712ff5, faulting module serverbrowser.dll_unloaded, version 0.0.0.0, time stamp 0x42f19fab, exception code 0xc0000005, fault offset 0x0d64e290,
process id 0x15bc, application start time 0xhl.exe0.
 
Error: (03/08/2014 04:01:52 PM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.
 
Error: (03/08/2014 04:01:31 PM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.
 
 
System errors:
=============
Error: (03/09/2014 01:07:39 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (03/09/2014 01:07:39 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (03/09/2014 01:06:55 PM) (Source: Service Control Manager) (User: )
Description: Beep
i8042prt
 
Error: (03/09/2014 00:50:02 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (03/09/2014 00:50:02 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (03/09/2014 00:48:05 PM) (Source: Service Control Manager) (User: )
Description: Beep
i8042prt
 
Error: (03/08/2014 11:29:56 PM) (Source: Service Control Manager) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (03/08/2014 11:29:56 PM) (Source: Service Control Manager) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (03/08/2014 11:29:00 PM) (Source: Service Control Manager) (User: )
Description: Beep
i8042prt
 
Error: (03/08/2014 04:16:57 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: 0x80070643Definition Update for Windows Defender - KB915597 (Definition 1.167.1370.0){D8F2C3A2-B854-4A8E-9172-03189CEB09B7}200
 
 
Microsoft Office Sessions:
=========================
Error: (03/09/2014 01:02:12 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_1509f852f40ee5cd.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3.manifestG:\esetsmartinstaller_enu.exe
 
Error: (03/09/2014 00:49:50 PM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.(NULL)(NULL)(NULL)(NULL)
 
Error: (03/09/2014 00:49:26 PM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.(NULL)(NULL)(NULL)(NULL)
 
Error: (03/09/2014 00:49:01 PM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.(NULL)(NULL)(NULL)(NULL)
 
Error: (03/08/2014 11:29:07 PM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.(NULL)(NULL)(NULL)(NULL)
 
Error: (03/08/2014 08:40:01 PM) (Source: Application Hang)(User: )
Description: LaunchEFLC.exe0.1.0.8de401cf3aa18fdbf58f2
 
Error: (03/08/2014 07:17:13 PM) (Source: Application Error)(User: )
Description: hl.exe1.1.1.143712ff5serverbrowser.dll_unloaded0.0.0.042f19fabc00000050bc3e290156801cf3a95febe6d4f
 
Error: (03/08/2014 07:16:24 PM) (Source: Application Error)(User: )
Description: hl.exe1.1.1.143712ff5serverbrowser.dll_unloaded0.0.0.042f19fabc00000050d64e29015bc01cf3a95debc750f
 
Error: (03/08/2014 04:01:52 PM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.(NULL)(NULL)(NULL)(NULL)
 
Error: (03/08/2014 04:01:31 PM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Skype Click to Call -- Installation cannot proceed on this operating system.(NULL)(NULL)(NULL)(NULL)
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-03-09 13:10:06.176
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-09 13:10:06.082
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-09 13:10:05.958
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-09 13:10:05.848
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-08 11:36:28.531
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-08 11:36:28.453
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-08 11:36:28.375
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-08 11:36:28.313
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-08 11:36:28.235
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-08 11:36:28.157
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kl1.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 42%
Total physical RAM: 4094.19 MB
Available physical RAM: 2371.61 MB
Total Pagefile: 8361.64 MB
Available Pagefile: 6400.53 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:96.57 GB) (Free:11.36 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:147.58 GB) (Free:33.11 GB) NTFS
Drive e: () (Fixed) (Total:221.61 GB) (Free:85.4 GB) NTFS
Drive f: (EFLC_DISC1) (CDROM) (Total:7.72 GB) (Free:0 GB) UDF
Drive g: (Elements) (Fixed) (Total:465.76 GB) (Free:424.6 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 655C5EA8)
Partition 1: (Active) - (Size=97 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=369 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 466 GB) (Disk ID: 0002E78D)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
Gmer log:
 
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-09 13:20:45
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AACS-00ZUB0 rev.01.01B01 465.76GB
Running: om9cm2kx.exe; Driver: C:\Users\CHARLO~1\AppData\Local\Temp\pxroyuog.sys
 
 
---- Kernel code sections - GMER 2.1 ----
 
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
INITKDBG  C:\Windows\system32\ntoskrnl.exe                                                                                        suspicious modification
 
---- Registry - GMER 2.1 ----
 
Reg       HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{59450fb1-226b-4885-aeae-c37c6e966456}@Dhcpv6State  0
 
---- EOF - GMER 2.1 ----
 


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:56 PM

Posted 10 March 2014 - 07:40 AM

P2P software installed

Going over your logs I noticed that you have BitTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: If you receive an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:56 PM

Posted 10 March 2014 - 04:31 PM

I know the dangers of running programs like BitTorrent. I only use it once in a blue moon, and I get my torrents from Pirate Bay, where I will only download torrents from trusted members, and I always read the comments on the torrent before downloading. I never leave BitTorrent running in the background at all and, like I said, only use it once in a blue moon. I had not used it recently, so I don't think the virus or malware came from there. Anyway, here is my log from ComboFix.

ComboFix 14-03-10.01 - Charlotte 11/03/2014   9:49.2.4 - x64
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.64.1033.18.4094.2783 [GMT 13:00]
Running from: c:\users\Charlotte\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
FW: Kaspersky Internet Security *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky Internet Security *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
E:\install.exe
E:\Uninstall.exe
E:\WinRAR.exe
G:\autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-10 to 2014-03-10  )))))))))))))))))))))))))))))))
.
.
2014-03-10 20:57 . 2014-03-10 20:57 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-10 20:57 . 2014-03-10 20:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-03-10 20:57 . 2014-03-10 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-10 20:57 . 2014-03-10 20:57 -------- d-----w- c:\users\AppData\AppData\Local\temp
2014-03-09 00:05 . 2014-03-09 00:05 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(0)\TEXTBOX.JS
2014-03-08 23:57 . 2014-03-09 00:11 -------- d-----w- C:\FRST
2014-03-08 03:39 . 2014-03-08 03:39 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{97BB6F51-E380-41C4-B4F7-44BD00424725}\offreg.dll
2014-03-08 03:21 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{97BB6F51-E380-41C4-B4F7-44BD00424725}\mpengine.dll
2014-03-07 23:10 . 2014-03-07 23:10 -------- d-----w- c:\program files (x86)\ESET
2014-03-02 06:19 . 2014-03-07 23:17 -------- d-----w- c:\program files (x86)\Common Files\Steam
2014-02-26 20:30 . 2014-02-26 20:30 -------- d-----w- c:\windows\Migration
2014-02-11 22:21 . 2013-12-05 04:48 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-02-11 22:21 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-21 00:45 . 2012-12-08 08:55 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-21 00:45 . 2012-12-08 08:55 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-16 21:06 . 2006-11-02 12:35 88567024 ----a-w- c:\windows\system32\mrt.exe
2014-02-02 23:20 . 2012-10-29 23:31 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-07 10:34 . 2013-03-06 00:24 54368 ----a-w- c:\windows\system32\drivers\kltdi.sys
2014-01-07 10:34 . 2013-03-06 00:24 29280 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2014-01-07 10:34 . 2012-08-13 03:49 178448 ----a-w- c:\windows\system32\drivers\kneps.sys
2014-01-07 10:34 . 2014-01-07 10:05 626272 ----a-w- c:\windows\system32\drivers\klif.sys
2014-01-07 10:34 . 2013-03-06 00:24 29280 ----a-w- c:\windows\system32\drivers\klkbdflt.sys
2014-01-07 10:34 . 2012-08-02 02:09 29792 ----a-w- c:\windows\system32\drivers\klim6.sys
2014-01-07 10:34 . 2014-01-07 10:05 90208 ----a-w- c:\windows\system32\drivers\klflt.sys
2014-01-07 10:34 . 2012-06-19 04:28 458336 ----a-w- c:\windows\system32\drivers\kl1.sys
2013-12-20 00:58 . 2013-12-20 00:57 3821568 ----a-w- c:\windows\SysWow64\wxmsw262u.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1555968]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-10 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="E:\QTTask.exe" [2013-04-30 421888]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" [2014-01-07 356128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-04 07:53 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-08 00:45]
.
2014-03-10 c:\windows\Tasks\DLL-Files FixerASKUSER.job
- c:\program files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-12-20 01:44]
.
2014-02-19 c:\windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job
- c:\program files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-12-20 01:44]
.
2014-03-01 c:\windows\Tasks\DLL-Files.Com Fixer_Updates.job
- c:\program files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-12-20 01:44]
.
2014-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29 08:03]
.
2014-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29 08:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2012-07-24 6900024]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\1xfzj4gf.default-1364703228275\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-mobilegeni daemon - c:\program files (x86)\Mobogenie\DaemonProcess.exe
AddRemove-WinRAR archiver - E:\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3261221056-2756048321-2121388272-1000\Software\SecuROM\License information*]
"datasecu"=hex:e5,21,7f,ef,8f,3e,5d,ca,50,c1,c2,7f,47,2f,34,3f,26,80,64,3d,61,
   9a,4b,9e,5c,27,45,b8,ca,aa,20,4e,c1,16,6a,94,d0,61,aa,85,c7,79,41,d3,b9,4f,\
"rkeysecu"=hex:24,05,f2,6f,5a,e4,1b,e6,63,c0,df,ca,63,01,9d,53
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2014-03-11  09:59:07
ComboFix-quarantined-files.txt  2014-03-10 20:59
ComboFix2.txt  2013-03-30 23:49
.
Pre-Run: 11,712,098,304 bytes free
Post-Run: 12,631,842,816 bytes free
.
- - End Of File - - 9D1F6ACD0AD6129A5498BCFB9262024D
5C616939100B85E558DA92B899A0FC36


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:56 PM

Posted 11 March 2014 - 06:04 AM

When running, BitTorrent connects your computer with the torrent network. You'll never know if all of the computers in there are safe and don't spread malware.

It is known that criminals insert malware into this network this way.

There is nothing to see within the logs - let's cross-check:

Full System Scan with Malwarebytes Antimalware

  • If it is not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#7 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:56 PM

Posted 12 March 2014 - 01:36 AM

Did a scan with Malwarebytes and ESET; they both picked up threats. ESET picked up about 12 threats and Malwarebytes 6. Here are the logs.

Here is the log from the ESET scan.

C:\Users\Charlotte\Documents\Downloads\cbsidlm-tr1_13-Winamp-ORG-10251792.exe Win32/DownloadAdmin.G potentially unwanted application
C:\Users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe a variant of Win32/iLivid.A potentially unwanted application
C:\Users\Charlotte\Downloads\microsoft-word-windows-downloader.exe Win32/Malavida.A potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Application Data\Babylon\Setup\BExternal.dll a variant of Win32/Toolbar.Babylon.F potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Application Data\Babylon\Setup\IECookieLow.dll a variant of Win32/Toolbar.Babylon.E potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Application Data\Babylon\Setup\Setup.exe a variant of Win32/Toolbar.Babylon.H potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\BunndleOfferManager.dll a variant of Win32/Bunndle potentially unsafe application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\toolbar40362109.exe a variant of Win32/Toolbar.Babylon.C potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\D1EEE622-BAB0-7891-923D-FC72511A638C\BExternal.dll a variant of Win32/Toolbar.Babylon.F potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\D1EEE622-BAB0-7891-923D-FC72511A638C\IECookieLow.dll a variant of Win32/Toolbar.Babylon.E potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\D1EEE622-BAB0-7891-923D-FC72511A638C\Setup.exe a variant of Win32/Toolbar.Babylon.H potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\ICReinstall\cnet_PeerBlock-Setup_v1_1_r518_exe.exe a variant of Win32/InstallCore.D potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Temp\is1598539481\MyBabylonTB.exe Win32/Toolbar.Babylon potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\My Documents\Downloads\cnet2_EasyGifMaker_setup_zip.exe a variant of Win32/InstallCore.D potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\My Documents\Downloads\cnet_PeerBlock-Setup_v1_1_r518_exe.exe a variant of Win32/InstallCore.D potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\My Documents\Downloads\driver_tuner_3.0.1.0._license_key.rar.rar_downloader_224.exe a variant of Win32/ExpressFiles potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\My Documents\Downloads\GraboidVideoSetup-3.11 (1).exe Win32/Graboid potentially unsafe application
C:\Windows.old\Documents and Settings\charlotte\My Documents\Downloads\GraboidVideoSetup-3.11.exe Win32/Graboid potentially unsafe application
C:\Windows.old\Documents and Settings\charlotte\My Documents\Downloads\Integrated_BrotherSoft_TB.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
D:\Users\Paul\AppData\Local\Temp\ICReinstall_PDFReaderSetup.exe a variant of Win32/InstallCore.AY potentially unwanted application
D:\Users\Paul\Downloads\PDFReaderSetup.exe a variant of Win32/InstallCore.AY potentially unwanted application
 
 
Here's the Malwarebytes log.
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.03.08.10
 
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Charlotte :: CHARLOTTE-PC [administrator]
 
Protection: Disabled
 
12/03/2014 4:44:20 p.m.
mbam-log-2014-03-12 (16-44-20).txt
 
Scan type: Full scan (C:\|D:\|E:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 631760
Time elapsed: 2 hour(s), 15 minute(s), 42 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 6
C:\Users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0174139.exe (Adware.WhenU) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0174590.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0174638.exe (PUP.Optional.Inbox) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0175058.exe (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0175064.exe (PUP.Optional.BabylonToolBar.A) -> Quarantined and deleted successfully.
 
(end)
 
PS G drive is my portable hard drive that I have plugged into my computer. I also have the full paid version of Malwarebytes. After removing the threats and restarting the computer, I checked the bandwidth meter and yes, the malware/virus thing is still on there sucking up my bandwidth.

Edited by Charzz, 12 March 2014 - 03:06 AM.
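As an added example (not a tool from this thread, ESET or Malwarebytes), the following Python parser reads the two log formats posted above and groups each detection by drive and by where on disk it sits, which makes it quick to see that every hit is installer residue in Downloads, Temp, an old Windows.old copy or a restore point, and that nothing was found running in memory. The sample lines are taken from the logs above; the location categories are my own grouping, not a vendor scheme.

```python
"""Parse the ESET Online Scanner and Malwarebytes Anti-Malware 1.x log lines
posted in this thread and group each detection by drive and on-disk location.

Added example for the thread; not a tool from ESET, Malwarebytes or the forum.
Assumed formats (taken from the posted logs):
  ESET:  <path> <detection> potentially (unwanted|unsafe) application
  MBAM:  <path> (<detection>) -> <action>        (listed under "Files Detected:")
The location categories below are the author's own grouping, not a vendor scheme.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ESET_RE = re.compile(
    r"^(?P<path>.+?)\s+"                                    # path may contain spaces
    r"(?P<det>(?:a variant of )?Win32/\S+)\s+"              # e.g. "a variant of Win32/iLivid.A"
    r"(?P<cls>potentially (?:unwanted|unsafe) application)$"
)
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<det>[^()]+)\) -> (?P<action>.+)$")
MBAM_MEM_RE = re.compile(r"^Memory Processes Detected:\s*(\d+)", re.M)


@dataclass
class Detection:
    source: str   # "eset" or "mbam"
    path: str
    name: str     # vendor detection name
    note: str     # ESET classification or MBAM action taken


def parse_eset_line(line: str) -> Optional[Detection]:
    m = ESET_RE.match(line.strip())
    return Detection("eset", m["path"], m["det"], m["cls"]) if m else None


def parse_mbam_line(line: str) -> Optional[Detection]:
    m = MBAM_RE.match(line.strip())
    return Detection("mbam", m["path"], m["det"], m["action"]) if m else None


def drive_of(path: str) -> str:
    return path[:2].upper() if re.match(r"^[A-Za-z]:", path) else "?"


def location_kind(path: str) -> str:
    """Rough on-disk location: stale copies (old install, restore points)
    versus places a user-run installer would leave files."""
    p = path.lower()
    if "\\windows.old\\" in p:
        return "windows.old (old install)"
    if "\\system volume information\\" in p:
        return "restore point"
    if "\\temp\\" in p:
        return "temp"
    if "\\downloads\\" in p:
        return "downloads"
    return "other"


def parse_logs(eset_text: str, mbam_text: str) -> List[Detection]:
    dets = [d for d in map(parse_eset_line, eset_text.splitlines()) if d]
    in_files = False
    for line in mbam_text.splitlines():
        if line.startswith("Files Detected:"):
            in_files = True           # MBAM lists file hits after this header
            continue
        if in_files:
            d = parse_mbam_line(line)
            if d:
                dets.append(d)
    return dets


def summarise(dets: List[Detection], mbam_text: str) -> Dict[str, object]:
    m = MBAM_MEM_RE.search(mbam_text)
    return {
        "by_source": Counter(d.source for d in dets),
        "by_drive": Counter(drive_of(d.path) for d in dets),
        "by_location": Counter(location_kind(d.path) for d in dets),
        # 0 here means nothing flagged was running at scan time
        "memory_processes": int(m.group(1)) if m else None,
    }


# Sample lines taken from the logs posted in this thread (raw strings: Windows paths).
ESET_SAMPLE = r"""
C:\Users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe a variant of Win32/iLivid.A potentially unwanted application
C:\Windows.old\Documents and Settings\charlotte\Local Settings\Application Data\Babylon\Setup\BExternal.dll a variant of Win32/Toolbar.Babylon.F potentially unwanted application
D:\Users\Paul\Downloads\PDFReaderSetup.exe a variant of Win32/InstallCore.AY potentially unwanted application
"""
MBAM_SAMPLE = r"""
Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0174139.exe (Adware.WhenU) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{EDF50B64-A81A-4659-98C9-DA9C67753387}\RP809\A0174590.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

(end)
"""

if __name__ == "__main__":
    found = parse_logs(ESET_SAMPLE, MBAM_SAMPLE)
    for d in found:
        print(f"{d.source:4} {drive_of(d.path)} {location_kind(d.path):26} {d.name}")
    for key, value in summarise(found, MBAM_SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```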


#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:56 PM

Posted 12 March 2014 - 04:38 AM

C:\Windows.old

This is a remnant of an old Windows installation - simply delete the whole directory.

Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Scan with Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit from here and save it to your desktop.

Be sure to print out and follow the instructions provided on that same page.

Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
 

  • Double click the mbar.zip file to open it, then 'Extract all files'.
  • Double click the mbar folder to open it, then double click mbar.exe to start the tool.

Check for Updates, then Scan your system for malware

If malware is found, do NOT press the Cleanup button yet. Click EXIT.

I'd like to see the log first so I can see what it sees. You'll find the log in that mbar folder as MBAR-log-[date and time]***.txt. Please attach that to your next reply.


#9 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:56 PM

Posted 13 March 2014 - 03:34 AM

Hi there, I followed the instructions and here are the logs from the scans. Malwarebytes Anti-Rootkit didn't pick up anything.

ComboFix log:

ComboFix 14-03-10.01 - Charlotte 13/03/2014  20:44:33.2.4 - x64
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.64.1033.18.4094.2735 [GMT 13:00]
Running from: c:\users\Charlotte\Desktop\ComboFix.exe
Command switches used :: c:\users\Charlotte\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
FW: Kaspersky Internet Security *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky Internet Security *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Charlotte\Documents\Downloads\cbsidlm-tr1_13-Winamp-ORG-10251792.exe"
"c:\users\Charlotte\Downloads\iLividSetup-r1235-n-bc.exe"
"c:\users\Charlotte\Downloads\microsoft-word-windows-downloader.exe"
"d:\users\Paul\AppData\Local\Temp\ICReinstall_PDFReaderSetup.exe"
"d:\users\Paul\Downloads\PDFReaderSetup.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-13 to 2014-03-13  )))))))))))))))))))))))))))))))
.
.
2014-03-13 07:51 . 2014-03-13 07:51 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-03-13 07:51 . 2014-03-13 07:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-03-13 07:51 . 2014-03-13 07:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-03-13 07:51 . 2014-03-13 07:51 -------- d-----w- c:\users\AppData\AppData\Local\temp
2014-03-13 03:12 . 2014-03-13 07:10 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-12 07:03 . 2014-03-12 07:03 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{55E013C9-B479-4119-B13E-98E8D949D7C7}\offreg.dll
2014-03-12 06:43 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{55E013C9-B479-4119-B13E-98E8D949D7C7}\mpengine.dll
2014-03-09 00:05 . 2014-03-09 00:05 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(0)\TEXTBOX.JS
2014-03-08 23:57 . 2014-03-09 00:11 -------- d-----w- C:\FRST
2014-03-08 02:49 . 2014-03-08 02:49 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC(8)\TEXTBOX.JS
2014-03-07 23:10 . 2014-03-07 23:10 -------- d-----w- c:\program files (x86)\ESET
2014-03-02 06:19 . 2014-03-07 23:17 -------- d-----w- c:\program files (x86)\Common Files\Steam
2014-02-26 20:30 . 2014-02-26 20:30 -------- d-----w- c:\windows\Migration
2014-02-11 22:21 . 2013-12-05 04:48 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-02-11 22:21 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-12 06:45 . 2012-12-08 08:55 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-12 06:45 . 2012-12-08 08:55 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-16 21:06 . 2006-11-02 12:35 88567024 ----a-w- c:\windows\system32\mrt.exe
2014-02-03 00:20 . 2012-10-29 23:31 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-01-07 10:34 . 2013-03-06 00:24 54368 ----a-w- c:\windows\system32\drivers\kltdi.sys
2014-01-07 10:34 . 2013-03-06 00:24 29280 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2014-01-07 10:34 . 2012-08-13 03:49 178448 ----a-w- c:\windows\system32\drivers\kneps.sys
2014-01-07 10:34 . 2014-01-07 10:05 626272 ----a-w- c:\windows\system32\drivers\klif.sys
2014-01-07 10:34 . 2013-03-06 00:24 29280 ----a-w- c:\windows\system32\drivers\klkbdflt.sys
2014-01-07 10:34 . 2012-08-02 02:09 29792 ----a-w- c:\windows\system32\drivers\klim6.sys
2014-01-07 10:34 . 2014-01-07 10:05 90208 ----a-w- c:\windows\system32\drivers\klflt.sys
2014-01-07 10:34 . 2012-06-19 04:28 458336 ----a-w- c:\windows\system32\drivers\kl1.sys
2013-12-20 00:58 . 2013-12-20 00:57 3821568 ----a-w- c:\windows\SysWow64\wxmsw262u.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-10 1555968]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-10 2153472]
"WMPNSCFG"="c:\program files (x86)\Windows Media Player\WMPNSCFG.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="E:\QTTask.exe" [2013-04-30 421888]
"mobilegeni daemon"="c:\program files (x86)\Mobogenie\DaemonProcess.exe" [BU]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" [2014-01-07 356128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-04 07:53 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.146\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-08 06:45]
.
2014-03-10 c:\windows\Tasks\DLL-Files FixerASKUSER.job
- c:\program files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-12-20 01:44]
.
2014-02-19 c:\windows\Tasks\DLL-Files.Com Fixer_MONTHLY.job
- c:\program files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-12-20 01:44]
.
2014-03-01 c:\windows\Tasks\DLL-Files.Com Fixer_Updates.job
- c:\program files (x86)\Dll-Files.com Fixer\DLLFixer.exe [2013-12-20 01:44]
.
2014-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29 08:03]
.
2014-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-29 08:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2012-07-24 6900024]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\1xfzj4gf.default-1364703228275\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-WinRAR archiver - E:\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3261221056-2756048321-2121388272-1000\Software\SecuROM\License information*]
"datasecu"=hex:e5,21,7f,ef,8f,3e,5d,ca,50,c1,c2,7f,47,2f,34,3f,26,80,64,3d,61,
   9a,4b,9e,5c,27,45,b8,ca,aa,20,4e,c1,16,6a,94,d0,61,aa,85,c7,79,41,d3,b9,4f,\
"rkeysecu"=hex:24,05,f2,6f,5a,e4,1b,e6,63,c0,df,ca,63,01,9d,53
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2014-03-13  20:53:18
ComboFix-quarantined-files.txt  2014-03-13 07:53
ComboFix2.txt  2014-03-10 20:59
ComboFix3.txt  2013-03-30 23:49
.
Pre-Run: 10,809,765,888 bytes free
Post-Run: 12,120,338,432 bytes free
.
- - End Of File - - E75C10178D664808E913E5BA95628DC0
5C616939100B85E558DA92B899A0FC36
 
 
Malwarebytes log:
 
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.03.12.13
 
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Charlotte :: CHARLOTTE-PC [administrator]
 
13/03/2014 4:12:29 p.m.
mbar-log-2014-03-13 (16-12-29).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 272225
Time elapsed: 9 minute(s), 58 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
PS I am sorry, but I forgot about the old Windows on my C drive and didn't delete it until after the scan. Sorry, my bad.

Edited by Charzz, 13 March 2014 - 03:37 AM.


#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • Gender:Male

Posted 13 March 2014 - 08:39 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll also find the log file at C:\AdwCleaner[S1].txt.

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content into your thread.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#11 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female

Posted 14 March 2014 - 04:33 AM

I've had a busy day today so I haven't had much time on the computer. I ran the adware cleaner, though. Just a question: I took this screenshot and unchecked the box because of its location; it looked important. If it is OK for adware to delete it, I can run another scan and tick that box that says System32/roboot64.exe; otherwise, if it is something important that shouldn't be deleted by adware, I will just ignore it. Here is the log from adware. I am about to go to bed, and since you say that JRT takes a while to scan I will just leave it running overnight while I sleep and post the logs when I wake up tomorrow, along with SecurityCheck. I really appreciate your help here, so thanks heaps.

 

 

Adware Log

 

# AdwCleaner v3.022 - Report created 14/03/2014 at 22:15:27
# Updated 13/03/2014 by Xplode
# Operating System : Windows ™ Vista Ultimate Service Pack 2 (64 bits)
# Username : Charlotte - CHARLOTTE-PC
# Running from : C:\Users\Charlotte\Desktop\adwcleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
[!] Folder Deleted : C:\ProgramData\Babylon
[!] Folder Deleted : C:\ProgramData\uniblue
[!] Folder Deleted : C:\ProgramData\Uniblue\DriverScanner
[!] Folder Deleted : C:\Program Files (x86)\Mobogenie
[!] Folder Deleted : C:\Program Files (x86)\uniblue
[!] Folder Deleted : C:\Program Files (x86)\Uniblue\DriverScanner
[!] Folder Deleted : C:\Users\Charlotte\AppData\Local\genienext
[!] Folder Deleted : C:\Users\Charlotte\AppData\Local\Mobogenie
[!] Folder Deleted : C:\Users\Charlotte\Documents\Mobogenie
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\1xfzj4gf.default-1364703228275\user.js
File Deleted : C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.babylon.com_0.localstorage
File Deleted : C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_search.babylon.com_0.localstorage-journal
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\*\shell\filescout
Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{8D5CFE57-B0FD-4396-97A2-DFD0B7DA935B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\Software\Vittalia
Key Deleted : [x64] HKLM\SOFTWARE\Speedchecker Limited
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16540
 
 
-\\ Mozilla Firefox v27.0.1 (en-US)
 
[ File : C:\Users\Charlotte\AppData\Roaming\Mozilla\Firefox\Profiles\1xfzj4gf.default-1364703228275\prefs.js ]
 
 
-\\ Google Chrome v33.0.1750.146
 
[ File : C:\Users\Charlotte\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted : icon_url
Deleted : search_url
Deleted : keyword
 
*************************
 
AdwCleaner[R0].txt - [3208 octets] - [14/03/2014 21:51:13]
AdwCleaner[R1].txt - [3268 octets] - [14/03/2014 21:56:53]
AdwCleaner[S0].txt - [3293 octets] - [14/03/2014 22:15:27]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3353 octets] ##########
 
 
PS I meant to say Adwcleaner not Adware as not to confuse you with any other programs out there that may have the same name. 

Edited by Charzz, 14 March 2014 - 04:37 AM.


#12 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female

Posted 14 March 2014 - 09:17 PM

Ok so I got around to doing the scans with JRT and the security check. Even though JRT said it picked something up and deleted it, my problem with the high bandwidth usage is still there. But here are the logs.

 

JRT Logs:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows Vista ™ Ultimate x64
Ran by Charlotte on Sat 15/03/2014 at 11:10:21.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\{8D5CFE57-B0FD-4396-97A2-DFD0B7DA935B}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3261221056-2756048321-2121388272-1000\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\tarma installer
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\driverscanner
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\AppID\{8D5CFE57-B0FD-4396-97A2-DFD0B7DA935B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{134F170B-B529-404E-932D-A5F92151CD7A}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Windows\Tasks\dll-files.com fixer_monthly.job"
Successfully deleted: [File] "C:\Windows\Tasks\dll-files.com fixer_updates.job"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Charlotte\AppData\Roaming\dll-files.com"
Successfully deleted: [Folder] "C:\Users\Charlotte\appdata\local\cre"
Failed to delete: [Folder] "C:\Program Files (x86)\dll-files.com fixer"
 
 
 
~~~ FireFox
 
Successfully deleted: [File] C:\Users\Charlotte\AppData\Roaming\mozilla\firefox\profiles\1xfzj4gf.default-1364703228275\user.js
Emptied folder: C:\Users\Charlotte\AppData\Roaming\mozilla\firefox\profiles\1xfzj4gf.default-1364703228275\minidumps [96 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 15/03/2014 at 11:14:20.53
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
And security check log:
 

 Results of screen317's Security Check version 0.99.80  
 Windows Vista Service Pack 2 x64 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Disabled!  
Kaspersky Internet Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Adobe Flash Player 12.0.0.77  
 Adobe Reader 10.1.9 Adobe Reader out of Date!  
 Mozilla Firefox (27.0.1) 
 Google Chrome 33.0.1750.117  
 Google Chrome 33.0.1750.146  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Kaspersky Lab Kaspersky Internet Security 2013 avp.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 14 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
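The JRT log above reports two entries it could not delete, and the AdwCleaner log lists the Run value, the BHO CLSIDs and the scheduled-task jobs the adware used. The script below is an added example, not from this thread and not part of AdwCleaner or JRT: it re-reads those persistence locations without changing anything and flags every image whose Authenticode status is anything other than Valid, so a cleanup can be verified rather than assumed. It assumes an elevated PowerShell session on English 64-bit Windows (Vista with PowerShell 2.0 or later); the key and file paths it checks are the ones from the logs above, and the function names are this example's own.

```powershell
# Added example, not part of the original thread or of AdwCleaner/JRT: a read-only
# re-check of the persistence locations the logs above touched (Run keys, Browser
# Helper Objects, scheduled tasks) plus the entries JRT failed to delete.
# Assumes an elevated PowerShell session on English 64-bit Windows
# (Vista with PowerShell 2.0 or later). Nothing is deleted.

function Get-ImageFromCommand {
    # The image is the leading token of a command line; an unquoted path with
    # spaces is recovered by growing the prefix until it names an existing file.
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { return $c.Split('"')[1] }
    $tok = $c -split ' '
    for ($i = 1; $i -le $tok.Count; $i++) {
        $cand = $tok[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $cand -PathType Leaf) { return $cand }
    }
    return $tok[0]
}

function Get-SignatureStatus {
    # Authenticode status of an image. Adware dropped into System32 is usually unsigned.
    param([string]$Path)
    if (-not $Path) { return 'no path' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function New-Finding {
    param([string]$Location, [string]$Command)
    $img = Get-ImageFromCommand $Command
    New-Object PSObject -Property @{ Location = $Location; Command = $Command; Signature = (Get-SignatureStatus $img) }
}

function Get-RunKeyEntries {
    # 64-bit and 32-bit (Wow6432Node) Run keys for the machine and the current user;
    # the "mobilegeni daemon" value AdwCleaner removed lived in the first of these.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            New-Finding -Location "$k\$($p.Name)" -Command ([string]$p.Value)
        }
    }
}

function Get-BrowserHelperObjects {
    # BHO CLSIDs for 64-bit and 32-bit IE, resolved to the DLL each one loads.
    $views = @(
        @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Bho)) { continue }
        foreach ($sub in Get-ChildItem -Path $v.Bho) {
            $srv = "$($v.Clsid)\$($sub.PSChildName)\InprocServer32"
            $dll = $null
            if (Test-Path -LiteralPath $srv) { $dll = (Get-ItemProperty -LiteralPath $srv).'(default)' }
            New-Finding -Location "$($v.Bho)\$($sub.PSChildName)" -Command $dll
        }
    }
}

function Get-ScheduledTaskCommands {
    # Every task with the command it runs; the legacy .job files in %windir%\Tasks
    # that JRT removed are listed here too. Column names are those of English Windows.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -notmatch '^(COM handler|Multiple Actions)' } |
        ForEach-Object { New-Finding -Location $_.TaskName -Command $_.'Task To Run' }
}

function Test-Leftovers {
    # What JRT reported "Failed to delete". HKCR is a merged view of the two
    # Classes hives, so the CLSID is checked in both. Present = $true means still there.
    $paths = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}',
             'HKCU:\Software\Classes\Wow6432Node\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}',
             'C:\Program Files (x86)\dll-files.com fixer'
    foreach ($p in $paths) { New-Object PSObject -Property @{ Location = $p; Present = (Test-Path -LiteralPath $p) } }
}

$all = @(Get-RunKeyEntries) + @(Get-BrowserHelperObjects) + @(Get-ScheduledTaskCommands)
$all | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Signature, Location, Command -AutoSize -Wrap
Test-Leftovers | Format-Table Present, Location -AutoSize
```

Run it after a reboot: an entry that AdwCleaner removed and that is back again means something else on the box is re-creating it, which is the real finding. A NotSigned result is not proof of anything by itself (plenty of legitimate software ships unsigned), but an unsigned image launched from System32 or from a user's AppData is the first thing to look up. Two blind spots to keep in mind: a bare image name such as rundll32.exe is not resolved through PATH and shows as "missing", and a command that goes through rundll32 or regsvr32 is scored on the signed host binary, so for those the argument DLL is what needs checking.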
 


#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • Gender:Male

Posted 15 March 2014 - 09:03 AM

Your computer is free of malware! :)

 

If you are still facing bandwidth issues, please start a new topic here: http://www.bleepingcomputer.com/forums/f/14/web-browsingemail-and-other-internet-applications/

Tell the helper that you came from here and finished the malware removal process.

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software, you can start it again and use the Enable button.
  • In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to loose all your data. Back up your files regularly. Use the windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80" - what means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won´t help if you aren´t careful enough.
    • While surfing the internet, don´t click on anything you don´t know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal pata (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don´t click everything.
    • When installing software, have a look to each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today´s setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.


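The thread closes with the bandwidth question itself unanswered and redirected to another forum. The check a responder would run first, as an added example that is not part of any post above, is to attribute every live connection to the process that owns it and report that image's signature status, so "my computer is using the bandwidth" turns into a PID, an image path and a list of remote addresses. It assumes an elevated PowerShell session (Vista with PowerShell 2.0 or later) and uses only the built-in netstat.exe and Get-AuthenticodeSignature; the function names are this example's own.

```powershell
# Added example, not part of the original thread: attribute live network
# connections to the process that owns them and check that process's image
# signature. Assumes an elevated PowerShell session (Vista with PowerShell 2.0
# or later); only built-in netstat.exe and Get-AuthenticodeSignature are used.

function Get-ConnectionOwners {
    # Parse `netstat -ano`: TCP rows are Proto/Local/Remote/State/PID,
    # UDP rows have no State column. The header line does not match the regex.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        if ($f[0] -eq 'TCP') { $state = $f[3]; $ownerPid = [int]$f[4] } else { $state = 'n/a'; $ownerPid = [int]$f[3] }
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name = '<exited>'; $path = $null
        if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }   # Path is $null for protected/system processes
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            OwnerPid = $ownerPid; Process = $name; Path = $path
        }
    }
}

function Get-ExternalTalkers {
    # Established TCP connections to non-loopback peers, grouped by owning process,
    # with the image's Authenticode status. An unsigned image with many peers, or
    # svchost.exe (which hosts several services per PID), is where to look next.
    Get-ConnectionOwners |
        Where-Object { $_.State -eq 'ESTABLISHED' -and $_.Remote -notmatch '^(127\.|\[::1\])' } |
        Group-Object OwnerPid | ForEach-Object {
            $first = $_.Group[0]
            $sig = 'unknown (no path)'
            if ($first.Path -and (Test-Path -LiteralPath $first.Path)) {
                $sig = (Get-AuthenticodeSignature -FilePath $first.Path).Status.ToString()
            }
            $remotes = ($_.Group | ForEach-Object { $_.Remote } | Sort-Object -Unique) -join ', '
            New-Object PSObject -Property @{
                OwnerPid = $first.OwnerPid; Process = $first.Process; Path = $first.Path
                Signature = $sig; Connections = $_.Count; Remotes = $remotes
            }
        } | Sort-Object Connections -Descending
}

Get-ExternalTalkers | Format-Table OwnerPid, Process, Connections, Signature, Remotes, Path -AutoSize -Wrap
```

netstat shows connections, not volume: for bytes per process open Resource Monitor (resmon.exe) on its Network tab, or run the script twice a minute apart and compare which process keeps acquiring new peers. Many owners will be svchost.exe; `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that PID so the right one can be stopped and tested. A process that exits between the netstat call and the lookup shows as <exited>, and `netstat -b` (also elevated) prints the executable name directly if the PowerShell path is not available.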

#14 Charzz

Charzz
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female

Posted 15 March 2014 - 04:57 PM

I just need you to answer my one question. I have provided a screenshot from using adwcleaner and need to know whether I should get adwcleaner to delete the item whose box I have unchecked in the screenshot or not: the one at the top that is unticked and says system32/roboot64.exe. I drew a circle around it so you know which one it is. Thanks.


Edited by Charzz, 15 March 2014 - 05:05 PM.


#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 5,628 posts
  • Gender:Male

Posted 15 March 2014 - 05:03 PM

File Deleted : C:\Windows\System32\roboot64.exe

as you can see, this file has already been deleted.
It was part of the adware. ;)



