
Zero Access Root Kit - Now Cannot Install MSE


  • This topic is locked
25 replies to this topic

#1 Bilingual

  • Members
  • 14 posts

Posted 20 January 2014 - 05:13 PM

Sirs -

 

I believe my computer was infected with the Zero Access Root Kit and I attempted to use Hitman Pro and MalwareBytes to successfully clean the system.  After booting with HitmanPro and scanning the system with Malwarebytes the tools found the rootkit and seemed to remove it successfully after two or three reboots.

 

However, I am attempting to install Microsoft Security Essentials now and cannot successfully install the software.  I believe there may be remnants that are still affecting the system but do not know how to use further tools to check and see what is going on.

 

Initially the system would display various pop-up about virus having infected the computer, windows firewall not working and no connection to internet pages and that's when I attempted to clean it. Now the only symptom that I see is that I cannot install Microsoft Security Essentials and I am not convinced the computer is totally clean.

 

The computer is using Windows Vista Home Premium with SP2.

 

I would appreciate any assistance and help confirming the virus/rootkit is completely removed and/or removing it completely.

 

Thank you.

 




#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 January 2014 - 06:43 PM

Please download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.

  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

NEXT

 

Please download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop. 

(Direct link to the file: http://downloads.malwarebytes.org/file/mbar)

  • Be sure to print out and follow the instructions provided on that same page.

  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

  • Double-click on the MBAR file you downloaded and approve the UAC prompt in Vista and newer operating systems.

  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.

  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

  • After reading the Introduction, click 'Next' if you agree.

  • On the Update Database screen, click on the 'Update' button.

  • Once you see 'Success: Database was successfully updated' click on 'Next'.

  • Click the 'Scan' button.

 

With some infections, you may see two message boxes.

  • 'Could not load protection driver'. Click 'OK'.

  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

 

If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.

Then, please send the following logs as attachments to your reply.

These logs are located in the mbar folder on your desktop where the tool extracted itself to.

 

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)

system-log.txt


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
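Once FRST.txt is in hand, the lines that matter most for a "cleaned, but a security product will not install" case are FRST's own annotations rather than the whitelisted bulk: a Winsock catalog entry FRST marks ATTENTION (a Layered Service Provider whose LibraryPath is not the DLL Windows installs there), services and drivers whose binary is missing (FRST marks these "[x]"), and processes or services with no publisher string. The log posted later in this thread contains all three. The script below is an added example for this thread, not code from BleepingComputer, the helper, or the FRST author. It runs on a constructed excerpt in the FRST line format; the section headers and line shapes follow FRST's output, and the sample lines, function names and the Finding type are assumptions made for illustration.

```python
"""
Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example, not part of the thread or of FRST itself. It reads the
text of FRST.txt and flags three things an analyst checks first after a
rootkit clean-up:

  * Winsock catalog entries FRST annotates with "ATTENTION" (a Layered
    Service Provider entry whose LibraryPath is not the expected DLL),
  * services and drivers whose binary is missing (FRST marks these "[x]"),
  * processes and services with no publisher string ("()" beside the path).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample: a few lines in the FRST format, trimmed from a much
# longer log. A real run would read the whole FRST.txt instead.
SAMPLE_FRST = """\
==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\\Windows\\System32\\SLsvc.exe
() C:\\Windows\\SMINST\\BLService.exe

==================== Internet (Whitelisted) ====================

Winsock: Catalog5 01 %SystemRoot%\\System32\\mswsock.dll [223232] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\\system32\\NLAapi.dll"
Winsock: Catalog5 05 C:\\Program Files\\Bonjour\\mdnsNSP.dll [121704] (Apple Inc.)

========================== Services (Whitelisted) =================

R2 RichVideo; C:\\Program Files\\CyberLink\\Shared Files\\RichVideo.exe [272024 2007-01-09] ()
S2 MsMpSvc; "c:\\Program Files\\Microsoft Security Client\\MsMpEng.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 catchme; \\??\\C:\\Users\\Andrew\\AppData\\Local\\Temp\\catchme.sys [x]
U3 TrueSight; \\??\\C:\\Windows\\system32\\TrueSight.sys [x]
"""

# FRST section headers look like "==== Name ====" with varying run lengths.
SECTION_RE = re.compile(r"^=+\s*([A-Za-z][^=]*?)\s*=+$")
WINSOCK_RE = re.compile(r'^Winsock: .*ATTENTION: The LibraryPath should be "(.+)"$')
# Service/driver lines: start type + name, then the path, then "[x]" when the file is gone.
MISSING_RE = re.compile(r"^[RSU]\d \S+; .*\[x\]$")
# Empty publisher: "()" leads a process line or trails a service line.
NOPUB_RE = re.compile(r"^\(\) |\(\)$")


@dataclass
class Finding:
    section: str   # FRST section the line came from
    kind: str      # winsock_attention | missing_file | no_publisher
    line: str      # the offending log line, verbatim


def iter_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, line) pairs, tracking FRST's '==== Name ====' headers."""
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        yield section, line


def expected_library(line: str) -> Optional[str]:
    """For a Winsock ATTENTION line, return the DLL path FRST says it should be."""
    m = WINSOCK_RE.match(line)
    return m.group(1) if m else None


def triage(text: str) -> List[Finding]:
    """Scan an FRST log and return the lines worth a second look, in log order."""
    findings: List[Finding] = []
    for section, line in iter_lines(text):
        if WINSOCK_RE.match(line):
            findings.append(Finding(section, "winsock_attention", line))
        elif MISSING_RE.match(line):
            findings.append(Finding(section, "missing_file", line))
        elif NOPUB_RE.search(line):
            findings.append(Finding(section, "no_publisher", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'missing_file': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"[{f.kind}] ({f.section}) {f.line}")
        if f.kind == "winsock_attention":
            print("    expected LibraryPath:", expected_library(f.line))
    print(summarize(triage(SAMPLE_FRST)))
```

The output is a triage list, not a verdict. A Winsock ATTENTION entry means the catalog chain points at a DLL other than the one Windows installs in that slot; it is worth preserving as evidence before anyone rebuilds the catalog (on Windows, `netsh winsock reset` from an elevated prompt followed by a reboot does that). Not every "[x]" is malicious: drivers such as catchme and TrueSight are registered by clean-up tools run earlier and show as missing once their temporary file is gone, while a security service like MsMpSvc marked "[x]" is consistent with an install that never completed. An empty publisher string only says the binary carries no version information, which is common for OEM and bundled software.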


#3 Bilingual
  • Topic Starter

  • Members
  • 14 posts

Posted 20 January 2014 - 09:28 PM

Bleepin' Tiger -

 

Thank you for your time.  Please find FRST Log pasted in the email.  I have attached the "Additional" file and Malwarebytes AntiRootKit found 2 infections and so that log is attached as well without cleaning the system.  Thanks again!

 

 

FRST Log - 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-01-2014
Ran by Andrew (administrator) on ANDREW-PC on 20-01-2014 21:06:10
Running from C:\Users\Andrew\Downloads
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) ===================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\ehome\ehrecvr.exe
(Microsoft Corporation) C:\Windows\ehome\ehsched.exe
() C:\Windows\SMINST\BLService.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdSync.exe
(Fisher-Price) C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
(Fisher-Price) C:\Program Files\Fisher-Price\iXL\iXL.Middleware.exe
(CANON INC.) C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(CyberLink Corp.) C:\Program Files\HP\QuickPlay\QPService.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-17] (Synaptics, Inc.)
HKLM\...\Run: [QlbCtrl.exe] - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-03-14] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [Windows Mobile-based device management] - C:\Windows\WindowsMobile\wmdSync.exe [215552 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [HP Health Check Scheduler] - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [58656 2011-04-20] (Apple Inc.)
HKLM\...\Run: [eligmini] - C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe [487424 2008-09-03] (Fisher-Price)
HKLM\...\Run: [iXL_MiddleWare] - C:\Program Files\Fisher-Price\iXL\iXL.Middleware.exe [52280 2010-11-29] (Fisher-Price)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [Nikon Message Center 2] - C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe [619008 2010-05-25] (Nikon Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [IJNetworkScanUtility] - C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE [124256 2010-01-18] (CANON INC.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\Run: [QPService] - C:\Program Files\HP\QuickPlay\QPService.exe [468264 2008-04-01] (CyberLink Corp.)
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
SearchScopes: HKLM - {427D4576-43A0-4DC5-A47D-B4FEB3C56518} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psnb
SearchScopes: HKLM - {AE83A03E-F4BC-4D8E-8E26-29E14DEB4135} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
SearchScopes: HKCU - {427D4576-43A0-4DC5-A47D-B4FEB3C56518} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psnb
SearchScopes: HKCU - {AE83A03E-F4BC-4D8E-8E26-29E14DEB4135} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.disneyphotopass.com/software/ImageUploader4.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [223232] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\nyfd181p.default
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Ask.com
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF DefaultSearchEngine: Google
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @viewpoint.com/VMP - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF SearchPlugin: C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\nyfd181p.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\nyfd181p.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2013-01-01]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-08-19]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-01-09]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-01-09]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\32.0.1700.76\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\32.0.1700.76\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\32.0.1700.76\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U26) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (McAfee Security Scanner +) - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-03-20]
CHR Extension: (Google Search) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-03-20]
CHR Extension: (Google Wallet) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-26]
CHR Extension: (Gmail) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-03-20]
 
========================== Services (Whitelisted) =================
 
R2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-25] ()
S4 RemoteAccess; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
S2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
S2 RoxLiveShare9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe" [x]
 
==================== Drivers (Whitelisted) ====================
 
R3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
S3 PTDMBus; C:\Windows\System32\DRIVERS\PTDMBus.sys [29952 2007-08-17] (DEVGURU Co,LTD.)
S3 PTDMMdm; C:\Windows\System32\DRIVERS\PTDMMdm.sys [41856 2007-08-17] (DEVGURU Co,LTD.)
S3 PTDMVsp; C:\Windows\System32\DRIVERS\PTDMVsp.sys [39936 2007-08-17] (DEVGURU Co,LTD.)
S3 PTDUBus; C:\Windows\System32\DRIVERS\PTDUBus.sys [29824 2008-03-11] (DEVGURU Co,LTD.)
S3 PTDUMdm; C:\Windows\System32\DRIVERS\PTDUMdm.sys [41344 2008-03-11] (DEVGURU Co,LTD.)
S3 PTDUVsp; C:\Windows\System32\DRIVERS\PTDUVsp.sys [39936 2008-03-11] (DEVGURU Co,LTD.)
S3 PTDUWWAN; C:\Windows\System32\DRIVERS\PTDUWWAN.sys [59776 2008-03-11] (DEVGURU Co,LTD.)
S3 usbbus; C:\Windows\System32\DRIVERS\lgusbbus.sys [21344 2005-05-26] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgusbdiag.sys [38144 2005-05-26] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgusbmodem.sys [39036 2005-06-24] (LG Electronics Inc.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 catchme; \??\C:\Users\Andrew\AppData\Local\Temp\catchme.sys [x]
U1 eabfiltr; 
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 RimUsb; System32\Drivers\RimUsb.sys [x]
U3 TrueSight; \??\C:\Windows\system32\TrueSight.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-20 21:06 - 2014-01-20 21:06 - 00018986 _____ C:\Users\Andrew\Downloads\FRST.txt
2014-01-20 21:06 - 2014-01-20 21:06 - 00000000 ____D C:\FRST
2014-01-20 21:05 - 2014-01-20 21:05 - 01222144 _____ (Farbar) C:\Users\Andrew\Downloads\FRST.exe
2014-01-20 18:30 - 2014-01-20 19:01 - 00000000 ____D C:\2b17ad45afe9a181886d5783
2014-01-20 18:28 - 2014-01-20 18:28 - 00000000 ____D C:\MATS
2014-01-20 18:18 - 2014-01-20 18:18 - 00347816 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.54313687146130533.1.1.Run.exe
2014-01-20 18:12 - 2014-01-20 18:12 - 01279488 _____ C:\Users\Andrew\Downloads\MicrosoftFixit50356.msi
2014-01-20 18:12 - 2014-01-20 18:12 - 00001662 _____ C:\Users\Andrew\Downloads\fix.reg
2014-01-20 18:03 - 2014-01-20 18:03 - 00899584 _____ C:\Users\Andrew\Downloads\MicrosoftFixit50535.msi
2014-01-20 17:56 - 2014-01-20 17:56 - 00550371 _____ C:\Users\Andrew\Downloads\Autoruns.zip
2014-01-20 17:56 - 2014-01-20 17:56 - 00000000 ____D C:\Users\Andrew\Downloads\Autoruns
2014-01-20 16:46 - 2014-01-20 16:47 - 11125072 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (2).exe
2014-01-20 16:45 - 2014-01-20 16:45 - 00921000 _____ (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u51 (1).exe
2014-01-20 16:34 - 2014-01-20 16:34 - 00000000 ____D C:\ProgramData\Sun
2014-01-20 16:34 - 2014-01-20 16:34 - 00000000 ____D C:\ProgramData\Oracle
2014-01-20 16:34 - 2014-01-20 16:33 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-01-20 16:34 - 2014-01-20 16:33 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-01-20 16:34 - 2014-01-20 16:33 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-01-20 16:34 - 2014-01-20 16:33 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-01-20 16:32 - 2014-01-20 16:32 - 00921000 _____ (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u51.exe
2014-01-08 23:20 - 2010-08-12 11:46 - 00758784 _____ (NVIDIA Corporation) C:\Windows\system32\cohelper.dll
2014-01-08 23:09 - 2014-01-08 23:20 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2014-01-08 22:05 - 2013-11-14 18:13 - 12344320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-01-08 22:05 - 2013-11-14 17:50 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-01-08 22:05 - 2013-11-14 17:50 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-01-08 22:05 - 2013-11-14 17:43 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-01-08 22:05 - 2013-11-14 17:42 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-01-08 22:05 - 2013-11-14 17:42 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-01-08 22:05 - 2013-11-14 17:41 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-01-08 22:05 - 2013-11-14 17:40 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-01-08 22:05 - 2013-11-14 17:38 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-01-08 22:05 - 2013-11-14 17:38 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-01-08 22:05 - 2013-11-14 17:38 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-01-08 22:05 - 2013-11-14 17:37 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-01-08 22:05 - 2013-11-14 17:36 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-01-08 22:05 - 2013-11-14 17:36 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-01-08 22:05 - 2013-11-14 17:35 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-01-08 22:05 - 2013-11-14 17:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-01-08 22:04 - 2013-10-29 21:12 - 00335360 _____ (Microsoft Corporation) C:\Windows\system32\SysFxUI.dll
2014-01-08 22:04 - 2013-10-29 20:43 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2014-01-08 22:04 - 2013-10-29 19:43 - 00167936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2014-01-08 22:04 - 2013-10-29 19:35 - 02050560 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-08 22:04 - 2013-10-22 02:19 - 00158208 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2014-01-08 22:04 - 2013-10-10 21:08 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2014-01-08 22:04 - 2013-10-10 21:08 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2014-01-08 22:04 - 2013-10-10 21:08 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wshcon.dll
2014-01-08 22:04 - 2013-10-10 19:35 - 00155648 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2014-01-08 22:04 - 2013-10-10 19:35 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2014-01-08 21:53 - 2010-04-05 15:00 - 00221568 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-08 21:48 - 2014-01-08 21:48 - 11125072 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall.exe
2014-01-06 20:22 - 2014-01-06 20:22 - 00000207 _____ C:\Windows\tweaking.com-regbackup-ANDREW-PC-Microsoft®-Windows-Vista™-Home-Premium-(32-bit).dat
2014-01-06 20:21 - 2014-01-06 20:21 - 00000000 ____D C:\RegBackup
2014-01-06 20:17 - 2014-01-06 20:17 - 00147276 _____ C:\Users\Andrew\Desktop\sfcdetails.txt
2014-01-06 17:55 - 2014-01-06 17:55 - 00000000 ____D C:\Users\Andrew\Downloads\tweaking.com_windows_repair_aio
2014-01-06 17:54 - 2014-01-06 17:54 - 02903255 _____ C:\Users\Andrew\Downloads\tweaking.com_windows_repair_aio.zip
2014-01-06 17:41 - 2014-01-06 17:41 - 00000000 ____D C:\678
2014-01-06 17:37 - 2014-01-06 17:41 - 00000000 ___SD C:\32788R22FWJFW
2014-01-06 17:05 - 2014-01-06 17:05 - 00000000 ____D C:\Program Files\Tweaking.com
2014-01-06 17:04 - 2014-01-06 17:04 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-01-06 17:02 - 2014-01-06 17:02 - 00011259 _____ C:\ComboFix.txt
2014-01-06 16:43 - 2014-01-06 17:41 - 00000000 ____D C:\ComboFix
2014-01-06 16:43 - 2011-06-26 01:45 - 00256000 _____ C:\Windows\PEV.exe
2014-01-06 16:43 - 2010-11-07 12:20 - 00208896 _____ C:\Windows\MBR.exe
2014-01-06 16:43 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-06 16:43 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-01-06 16:43 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-01-06 16:43 - 2000-08-30 19:00 - 00098816 _____ C:\Windows\sed.exe
2014-01-06 16:43 - 2000-08-30 19:00 - 00080412 _____ C:\Windows\grep.exe
2014-01-06 16:43 - 2000-08-30 19:00 - 00068096 _____ C:\Windows\zip.exe
2014-01-06 16:27 - 2014-01-06 17:36 - 00000000 ____D C:\Users\Andrew\Desktop\Tools
2014-01-06 16:18 - 2014-01-06 16:40 - 00000000 ____D C:\Users\Andrew\AppData\Local\QuickPlay
2014-01-06 16:12 - 2014-01-06 16:12 - 00003283 _____ C:\Users\Andrew\Downloads\WindowsUpdateFix.reg
2014-01-06 16:12 - 2014-01-06 16:12 - 00003283 _____ C:\Users\Andrew\Downloads\WindowsUpdateFix (1).reg
2014-01-06 16:06 - 2014-01-06 16:51 - 00000000 ____D C:\Users\Andrew\AppData\Local\CrashDumps
2013-12-25 18:57 - 2014-01-06 20:22 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-12-25 18:56 - 2013-12-25 18:56 - 00000000 ____D C:\Users\Andrew\Documents\tweaking.com_windows_repair_aio
2013-12-25 18:10 - 2013-12-25 18:10 - 00347816 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\MicrosoftFixit.ProgramInstallUninstall.MATSKB.Run (1).exe
2013-12-25 18:02 - 2013-12-25 18:02 - 00347816 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\MicrosoftFixit.ProgramInstallUninstall.MATSKB.Run.exe
2013-12-25 17:44 - 2013-12-25 17:44 - 11125072 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (1).exe
2013-12-25 15:30 - 2013-12-25 17:27 - 00000000 ____D C:\ProgramData\HitmanPro
2013-12-24 20:19 - 2013-12-24 20:20 - 00000000 ____D C:\Users\Andrew\Desktop\RK_Quarantine
 
==================== One Month Modified Files and Folders =======
 
2014-01-20 21:06 - 2014-01-20 21:06 - 00018986 _____ C:\Users\Andrew\Downloads\FRST.txt
2014-01-20 21:06 - 2014-01-20 21:06 - 00000000 ____D C:\FRST
2014-01-20 21:05 - 2014-01-20 21:05 - 01222144 _____ (Farbar) C:\Users\Andrew\Downloads\FRST.exe
2014-01-20 21:05 - 2006-11-02 07:47 - 00003216 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-20 21:05 - 2006-11-02 07:47 - 00003216 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-20 20:57 - 2008-07-29 14:57 - 01101870 _____ C:\Windows\WindowsUpdate.log
2014-01-20 20:55 - 2012-11-21 00:32 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-20 20:55 - 2010-03-04 23:55 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-20 20:55 - 2008-07-29 15:30 - 00031966 _____ C:\ProgramData\nvModes.dat
2014-01-20 20:55 - 2008-07-29 15:30 - 00031966 _____ C:\ProgramData\nvModes.001
2014-01-20 19:01 - 2014-01-20 18:30 - 00000000 ____D C:\2b17ad45afe9a181886d5783
2014-01-20 19:01 - 2013-11-26 18:38 - 00002150 _____ C:\Windows\epplauncher.mif
2014-01-20 18:28 - 2014-01-20 18:28 - 00000000 ____D C:\MATS
2014-01-20 18:20 - 2006-11-02 05:33 - 00758180 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-20 18:18 - 2014-01-20 18:18 - 00347816 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\MicrosoftFixit.ProgramInstallUninstall.RNP.54313687146130533.1.1.Run.exe
2014-01-20 18:16 - 2008-07-29 15:35 - 00000246 _____ C:\Users\Public\Documents\hpqp.ini
2014-01-20 18:15 - 2010-03-04 23:55 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-20 18:15 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-20 18:15 - 2006-11-02 07:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2014-01-20 18:14 - 2006-11-02 08:01 - 00032634 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-20 18:12 - 2014-01-20 18:12 - 01279488 _____ C:\Users\Andrew\Downloads\MicrosoftFixit50356.msi
2014-01-20 18:12 - 2014-01-20 18:12 - 00001662 _____ C:\Users\Andrew\Downloads\fix.reg
2014-01-20 18:03 - 2014-01-20 18:03 - 00899584 _____ C:\Users\Andrew\Downloads\MicrosoftFixit50535.msi
2014-01-20 18:03 - 2013-11-26 22:58 - 00005324 _____ C:\FixitRegBackup.reg
2014-01-20 17:56 - 2014-01-20 17:56 - 00550371 _____ C:\Users\Andrew\Downloads\Autoruns.zip
2014-01-20 17:56 - 2014-01-20 17:56 - 00000000 ____D C:\Users\Andrew\Downloads\Autoruns
2014-01-20 17:32 - 2013-03-20 18:54 - 00001971 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2014-01-20 16:54 - 2008-06-25 01:30 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-20 16:53 - 2013-08-18 03:11 - 00000000 ____D C:\Windows\system32\MRT
2014-01-20 16:50 - 2006-11-02 05:24 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-01-20 16:47 - 2014-01-20 16:46 - 11125072 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (2).exe
2014-01-20 16:45 - 2014-01-20 16:45 - 00921000 _____ (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u51 (1).exe
2014-01-20 16:45 - 2013-03-20 18:52 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-20 16:43 - 2008-08-13 15:46 - 00075440 _____ C:\Users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-20 16:42 - 2006-11-02 07:47 - 00312384 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-20 16:41 - 2013-11-26 22:49 - 00056974 _____ C:\Windows\PFRO.log
2014-01-20 16:34 - 2014-01-20 16:34 - 00000000 ____D C:\ProgramData\Sun
2014-01-20 16:34 - 2014-01-20 16:34 - 00000000 ____D C:\ProgramData\Oracle
2014-01-20 16:34 - 2008-06-25 02:03 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-20 16:33 - 2014-01-20 16:34 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-01-20 16:33 - 2014-01-20 16:34 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-01-20 16:33 - 2014-01-20 16:34 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-01-20 16:33 - 2014-01-20 16:34 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-01-20 16:33 - 2008-06-25 02:03 - 00000000 ____D C:\Program Files\Java
2014-01-20 16:32 - 2014-01-20 16:32 - 00921000 _____ (Oracle Corporation) C:\Users\Andrew\Downloads\chromeinstall-7u51.exe
2014-01-20 16:29 - 2013-05-06 15:43 - 00002009 _____ C:\Users\Andrew\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-01-20 16:29 - 2013-05-06 15:40 - 00000000 ____D C:\Program Files\Common Files\XCPCSync.OEM
2014-01-20 16:29 - 2009-04-25 16:06 - 00000000 ____D C:\Program Files\Research In Motion
2014-01-20 16:29 - 2009-04-25 16:06 - 00000000 ____D C:\Program Files\Common Files\Research In Motion
2014-01-18 00:48 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2014-01-08 23:20 - 2014-01-08 23:09 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2014-01-08 23:20 - 2008-08-13 15:37 - 00000000 ____D C:\Users\Andrew
2014-01-08 21:48 - 2014-01-08 21:48 - 11125072 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall.exe
2014-01-06 20:22 - 2014-01-06 20:22 - 00000207 _____ C:\Windows\tweaking.com-regbackup-ANDREW-PC-Microsoft®-Windows-Vista™-Home-Premium-(32-bit).dat
2014-01-06 20:22 - 2013-12-25 18:57 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2014-01-06 20:21 - 2014-01-06 20:21 - 00000000 ____D C:\RegBackup
2014-01-06 20:17 - 2014-01-06 20:17 - 00147276 _____ C:\Users\Andrew\Desktop\sfcdetails.txt
2014-01-06 17:55 - 2014-01-06 17:55 - 00000000 ____D C:\Users\Andrew\Downloads\tweaking.com_windows_repair_aio
2014-01-06 17:54 - 2014-01-06 17:54 - 02903255 _____ C:\Users\Andrew\Downloads\tweaking.com_windows_repair_aio.zip
2014-01-06 17:41 - 2014-01-06 17:41 - 00000000 ____D C:\678
2014-01-06 17:41 - 2014-01-06 17:37 - 00000000 ___SD C:\32788R22FWJFW
2014-01-06 17:41 - 2014-01-06 16:43 - 00000000 ____D C:\ComboFix
2014-01-06 17:41 - 2013-11-26 21:45 - 00000000 ____D C:\Windows\erdnt
2014-01-06 17:36 - 2014-01-06 16:27 - 00000000 ____D C:\Users\Andrew\Desktop\Tools
2014-01-06 17:05 - 2014-01-06 17:05 - 00000000 ____D C:\Program Files\Tweaking.com
2014-01-06 17:04 - 2014-01-06 17:04 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-01-06 17:04 - 2011-06-28 23:00 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-01-06 17:02 - 2014-01-06 17:02 - 00011259 _____ C:\ComboFix.txt
2014-01-06 17:02 - 2013-11-26 21:45 - 00000000 ____D C:\Qoobox
2014-01-06 17:02 - 2006-11-02 06:18 - 00000000 ___RD C:\Users\Public
2014-01-06 17:02 - 2006-11-02 06:18 - 00000000 ___RD C:\Users\Default
2014-01-06 16:59 - 2006-11-02 05:23 - 00000215 _____ C:\Windows\system.ini
2014-01-06 16:51 - 2014-01-06 16:06 - 00000000 ____D C:\Users\Andrew\AppData\Local\CrashDumps
2014-01-06 16:41 - 2013-11-26 18:28 - 00000000 ____D C:\TDSSKiller_Quarantine
2014-01-06 16:40 - 2014-01-06 16:18 - 00000000 ____D C:\Users\Andrew\AppData\Local\QuickPlay
2014-01-06 16:18 - 2008-07-29 15:35 - 00000000 ____D C:\ProgramData\CyberLink
2014-01-06 16:17 - 2008-06-25 00:24 - 00000000 ____D C:\Program Files\HP
2014-01-06 16:17 - 2008-06-25 00:05 - 00000000 ____D C:\Program Files\InstallShield Installation Information
2014-01-06 16:16 - 2008-03-31 11:06 - 00000000 ____D C:\Windows\SMINST
2014-01-06 16:12 - 2014-01-06 16:12 - 00003283 _____ C:\Users\Andrew\Downloads\WindowsUpdateFix.reg
2014-01-06 16:12 - 2014-01-06 16:12 - 00003283 _____ C:\Users\Andrew\Downloads\WindowsUpdateFix (1).reg
2013-12-25 19:12 - 2006-11-02 05:23 - 00000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_312
2013-12-25 18:56 - 2013-12-25 18:56 - 00000000 ____D C:\Users\Andrew\Documents\tweaking.com_windows_repair_aio
2013-12-25 18:10 - 2013-12-25 18:10 - 00347816 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\MicrosoftFixit.ProgramInstallUninstall.MATSKB.Run (1).exe
2013-12-25 18:02 - 2013-12-25 18:02 - 00347816 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\MicrosoftFixit.ProgramInstallUninstall.MATSKB.Run.exe
2013-12-25 17:44 - 2013-12-25 17:44 - 11125072 _____ (Microsoft Corporation) C:\Users\Andrew\Downloads\mseinstall (1).exe
2013-12-25 17:27 - 2013-12-25 15:30 - 00000000 ____D C:\ProgramData\HitmanPro
2013-12-25 15:00 - 2009-02-26 03:06 - 00008484 _____ C:\Users\Andrew\AppData\Local\d3d9caps.dat
2013-12-24 20:20 - 2013-12-24 20:19 - 00000000 ____D C:\Users\Andrew\Desktop\RK_Quarantine
2013-12-24 20:16 - 2013-11-26 21:18 - 00015254 _____ C:\Users\Andrew\Desktop\Rkill.txt
 
Files to move or delete:
====================
C:\Users\Andrew\AppData\Roaming\desktop.ini
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-01-20 18:22
 
==================== End Of Log ============================
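An added example, not part of the original thread: a small Python triage parser for the FRST log format shown above. It pulls the dated entries (modified date, created date, size, attribute flags, company from version info, path) out of the log, lists executables that carry no company string and items with hidden or system flags as review candidates, and reports any 'Bamital & volsnap Check' line whose verdict is not 'MD5 is legit'. The sample lines are copied from this log plus two constructed ones; the failing-verdict text is a placeholder, since FRST's own wording for a failed check does not appear on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# FRST dated entry: "modified - created - size attrs [(company)] path"
ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)
BINARY_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")

@dataclass
class Entry:
    modified: str
    created: str
    size: int
    attrs: str              # 5 flags, e.g. ____D dir, ____H hidden, ___SD system dir
    company: Optional[str]  # from version info; None when FRST printed none
    path: str

def parse_entries(log_text: str) -> List[Entry]:
    """Extract the dated file/folder entries from FRST log text."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["modified"], m["created"], int(m["size"]),
                                 m["attrs"], m["company"], m["path"]))
    return entries

def unsigned_binaries(entries: List[Entry]) -> List[Entry]:
    """Executables/drivers with no company string: review candidates, not verdicts."""
    return [e for e in entries if e.path.lower().endswith(BINARY_EXT) and not e.company]

def hidden_or_system(entries: List[Entry]) -> List[Entry]:
    """Entries carrying the H (hidden) or S (system) attribute flag."""
    return [e for e in entries if "H" in e.attrs or "S" in e.attrs]

def failed_md5_checks(log_text: str) -> List[str]:
    """Paths in the 'Bamital & volsnap Check' block whose verdict is not 'MD5 is legit'."""
    flagged = []
    for line in log_text.splitlines():
        if " => " in line:
            path, verdict = line.split(" => ", 1)
            if verdict.strip() != "MD5 is legit":
                flagged.append(path.strip())
    return flagged

# Constructed sample: 4 lines from the log above + a made-up unsigned .exe + a placeholder failing MD5 verdict
SAMPLE_LOG = r"""
2014-01-20 16:50 - 2006-11-02 05:24 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-01-06 20:22 - 2013-12-25 18:57 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2014-01-20 18:15 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-06 17:41 - 2014-01-06 17:37 - 00000000 ___SD C:\32788R22FWJFW
2014-01-01 10:00 - 2014-01-01 10:00 - 00012345 _____ C:\Users\Andrew\AppData\Local\Temp\constructed_unsigned.exe
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe => CONSTRUCTED-NON-LEGIT-VERDICT
"""
```

Run `parse_entries(SAMPLE_LOG)` and feed the result to the two filter functions; a missing company string only means the file lacks version info and still needs a hash or signature check before any conclusion.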

 




#4 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 20 January 2014 - 09:55 PM

Please run the following:

 

Download attached fixlist.txt file and save it to the Downloads folder as that is where you have FRST.exe saved to.

 

Attached File: FixList.txt (1.15KB)

 

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log to the downloads folder (Fixlog.txt). Please post it to your reply.


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Bilingual
  • Topic Starter
  • Members
  • 14 posts

Posted 20 January 2014 - 10:01 PM

CatByte - 
 
Here is the FixLog.txt as requested. Thanks much for your assistance.




#6 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 January 2014 - 11:46 AM

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

 

(MBAR tutorial can be found here: http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit)

 

Please download Malwarebytes Anti-Rootkit (MBAR) from here http://www.malwarebytes.org/products/mbar/ and save it to your desktop.

Direct link to the file: http://downloads.malwarebytes.org/file/mbar

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.

• Double-click on the MBAR file you downloaded.
• Approve the UAC prompt in Vista and newer operating systems.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
• By default, this will be on your desktop, though you can choose another location if you wish. We advise using the default location for simplicity.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click 'Next' if you agree.
• On the Update Database screen, click on the 'Update' button.
• Once you see 'Success: Database was successfully updated' click on 'Next'.
• Click the 'Scan' button.

A. With some infections, you may see two message boxes.
  1. 'Could not load protection driver'. Click 'OK'.
  2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

 

~~~~~~~~~~~~~~~~~~~~~~~

Note:  <<<< this is an important step >>>>

fixdamage - repair damaged services

 

If no detections occurred during the MBAR scan, and/or if the issue with Security Essentials persists, please do this next:

Open the Malwarebytes Anti-Rootkit folder.

Locate fixdamage.exe within the \mbar\Plugins folder and double-click on it. In Windows Vista and Windows 7, approve the UAC prompt.

fixdamage.exe will open a command window.

You will be asked if you want to continue. Type y if you do.

A reboot request may be made after the fix. Type y in the command prompt, and allow the computer to be rebooted.

Even if a reboot request was not made after running FixDamage.exe please restart the computer.

 

Once back in Windows, please send the following logs as attachments to your reply. These logs are located in the Malwarebytes Anti-Rootkit folder.

 

mbar-log-2013-xx-xx(xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)

system-log.txt


Edited by CatByte, 21 January 2014 - 11:47 AM.



#7 Bilingual
  • Topic Starter
  • Members
  • 14 posts

Posted 21 January 2014 - 02:46 PM

CatByte -

Thanks for your assistance. Following your steps I was unable to first create a Restore Point before running the MalwareBytes Rootkit. I received an error when trying to do so and therefore just continued with the steps. Once I ran the MB AntiRootkit it found the same two instances as previous and so they were cleaned. I then rebooted, ran MB Anti-root again and it did not find anything. I then used the FixDamage.exe and rebooted. I have attached the logs as requested. I am still not able to install Microsoft Security Essentials and receive the same general error.

I appreciate your time and help!


#9 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 January 2014 - 03:03 PM

Please run the following:

 

  • Download RogueKiller and save it to your desktop.

    32bit version

    64bit version

  • Quit all other programs

  • Start RogueKiller.exe

  • Wait until the Prescan has finished ...

  • Click on Scan

  • Wait for the end of the scan

  • A report will be created on your desktop.

  • Click on the Delete button

  • Next click on the ShortcutsFix

  • another report will be created on your desktop.

 

Please post: all RKreport.txt text files located on your desktop.




#10 Bilingual
  • Topic Starter
  • Members
  • 14 posts

Posted 21 January 2014 - 03:20 PM

Catbyte -

Here are the logs from the RogueKiller. I scanned, deleted and fixed the items that were found. Thanks again for all the help!




#11 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 January 2014 - 03:33 PM

Please run the following:

 

  • Please download aswMBR.exe and save it to your desktop.

  • Double click aswMBR.exe to start the tool.

  • When asked if you want to download Avast's virus definitions please select Yes.

  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.

  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.




#12 Bilingual
  • Topic Starter
  • Members
  • 14 posts

Posted 21 January 2014 - 04:40 PM

CatByte -

Here are the logs from the Avast scan. Thank you.




#13 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 21 January 2014 - 07:01 PM

looks ok now.

 

How is the computer running, are there any outstanding issues?

 

Are you able to install MSE now?


Edited by CatByte, 21 January 2014 - 07:02 PM.



#14 Bilingual
  • Topic Starter
  • Members
  • 14 posts

Posted 21 January 2014 - 08:19 PM

CatByte -

I have attached the screen shot from the Microsoft Security Essentials install process. This is the error the system has continually given. "Cannot complete the Security Essentials Installation. An error has prevented the Security Essentials Setup Wizard from completing successfully. Please restart your computer and try again." Error 0x80070643

Thanks for all the help. If the system is clean I will look into permissions being locked on those files that it may not allow the install.




#15 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 January 2014 - 12:12 PM

try this


Please download the MSE removal tool, MicrosoftFixit50535.msi, by clicking the Fix it button and saving the file to your desktop.
  • Close all programs.
  • Double-click MicrosoftFixit50535.msi then click 'Run'.
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Reboot your computer if not prompted already.
  • Then delete MicrosoftFixit50535.msi from your desktop.
that should remove all traces of MSE so you can start from scratch

let me know how it goes





