
Malicious Software(OS:Windows Vista)


22 replies to this topic

#1 TrappedinWonderland


Posted 27 February 2014 - 06:35 AM

I'm going to skip the narrative and go straight to the point: I accidentally used an infected SD card a couple of weeks ago and things have gone downhill from there.  I first noticed something was wrong when the MRT started to request permission on startup.  I had been using Malwarebytes for my scans at the time, but MBAM missed the issues in question.  When I ran the MRT, it caught a worm (VBS/Jenxus) and "partially removed" the problem.  I downloaded Microsoft Security Essentials in hopes it'd catch anything else that MBAM had missed, and it found a Java exploit.  However, I still continued to have problems, including my computer having locked without input.  A friend suggested that I run Rkill and do another scan, so I did.  The scan has yet to catch anything further.  Additionally, the DDS log took longer to create than the tool says it should have. (45 mins)

Now that it's completed, here's the log:
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.6001.19088  BrowserJavaVersion: 10.51.2
Run by owner at 2:48:40 on 2014-02-27
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.4057.1643 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\locator.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Dell Video Chat\DellVideoChat.exe
C:\Users\owner\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\owner\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\Notepad.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing&provider_code=Z072&partner_id=269&product_id=567&affiliate_id=&channel=Luna_TB&toolbar_id=24&toolbar_version=1.0.0.0&install_country=US&install_date=20110609&user_guid=6CA60EAD7C2343A088BFE76F201CF63D&machine_id=711070c7993ec9c2602dea4556249f3a&browser=IE&os=win&os_version=6.0-x64-SP1
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uProxyOverride = 127.0.0.1:9421;<local>;*.local
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [339998171] C:\Users\owner\AppData\Local\Temp\tmph8889013086767017387.tmp
uRun: [Facebook Update] "C:\Users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Akamai NetSession Interface] "C:\Users\owner\AppData\Local\Akamai\netsession_win.exe"
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRunOnce: [Shockwave Updater] "C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1150595.exe" -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://health.howstuffworks.com/blood.htm/printable"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
mRun: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Conime] C:\Windows\System32\conime.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [KodakHomeCenter] "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"
StartupFolder: C:\Users\owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{059F7F66-3506-42AA-B56C-8A9E15028AAD} : DHCPNameServer = 192.168.1.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - 
x64-BHO: Webroot Browser Helper Object: {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - 
x64-TB: Webroot Toolbar: {97ab88ef-346b-4179-a0b1-7445896547a5} - 
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [Apoint] "C:\Program Files\DellTPad\Apoint.exe"
x64-Run: [SysTrayApp] C:\Program Files (x86)\IDT\WDM\sttray64.exe
x64-Run: [IgfxTray] "C:\Windows\System32\igfxtray.exe"
x64-Run: [HotKeysCmds] "C:\Windows\System32\hkcmd.exe"
x64-Run: [Persistence] "C:\Windows\System32\igfxpers.exe"
x64-Run: [Broadcom Wireless Manager UI] "C:\Windows\System32\WLTRAY.exe"
x64-Run: [QuickSet] "C:\Program Files\Dell\QuickSet\QuickSet.exe"
x64-Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe"
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - LocalServer32 - <no file>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-9-27 248240]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-2-20 53488]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [2009-2-20 88576]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 27648]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2014-2-4 2222416]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [2014-2-4 377616]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2013-9-27 134944]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-10-23 348376]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;C:\Windows\System32\drivers\OA009Ufd.sys [2009-2-20 168864]
R3 OA009Vid;Creative Camera OA009 Function Driver;C:\Windows\System32\drivers\OA009Vid.sys [2009-2-20 307456]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;C:\Windows\System32\drivers\livecamv.sys [2009-12-13 49664]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2009-2-20 392192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1caff82f5ab2d38;Google Update Service (gupdate1caff82f5ab2d38);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-29 133104]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-11 418376]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-2-8 701512]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2014-2-27 1153368]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-2-8 25928]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\System32\GameMon.des -service --> C:\Windows\System32\GameMon.des -service [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-7-9 93184]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2014-02-27 02:50:04 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-02-27 01:05:24 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-27 01:05:17 264616 ----a-w- C:\Windows\SysWow64\javaws.exe
2014-02-27 01:05:17 175016 ----a-w- C:\Windows\SysWow64\javaw.exe
2014-02-27 01:05:17 174504 ----a-w- C:\Windows\SysWow64\java.exe
2014-02-21 11:00:42 88567024 ----a-w- C:\Windows\System32\mrt.exe
2014-01-19 07:33:29 270496 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH:  3:28:23.69 ===============
 
I can also provide the rkill log if necessary.
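The entries that the removal tools later act on (a Run value launching a .tmp from the user's Temp folder, orphaned BHO and URLSearchHook CLSIDs, a ProxyOverride pointing at a loopback port) can be picked out of a DDS "Pseudo HJT Report" with a few mechanical rules. The following Python triage script is an added example and is not part of this thread, of DDS or of RogueKiller; its sample lines are constructed from the log posted above, and the rule set and thresholds are my own assumptions.

```python
"""Triage of DDS 'Pseudo HJT Report' lines.

Added example; not part of the BleepingComputer thread, DDS or RogueKiller.
It flags the same kinds of entries that RogueKiller and AdwCleaner acted on
in the thread: an autorun launched from %Temp%, a numeric-only Run value
name, a non-.exe autorun target, orphaned BHO / URLSearchHook / Handler
CLSIDs, CLSIDs with no file path at all, and a ProxyOverride that names a
loopback proxy port. The rule set is an assumption, not a DDS feature.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, abridged from the DDS log posted in the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.startnow.com/?src=startpage&provider=Bing
uProxyOverride = 127.0.0.1:9421;<local>;*.local
uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
uRun: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
uRun: [339998171] C:\Users\owner\AppData\Local\Temp\tmph8889013086767017387.tmp
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - LocalServer32 - <no file>
"""

# uRun / mRun / dRunOnce / x64-Run lines: "[value name] command".
RUN_RE = re.compile(r"^(?:u|m|d|x64-)Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Shortest prefix of an unquoted command that ends in an executable-ish
# extension followed by whitespace or end of line; copes with unquoted
# paths that contain spaces, such as "C:\Program Files (x86)\...\x.exe -hide".
EXE_RE = re.compile(
    r"^(?P<path>.*?\.(?:exe|com|scr|pif|bat|cmd|vbs|js|jse|wsf|dll|tmp))(?:\s|$)",
    re.IGNORECASE,
)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
CLSID_PREFIXES = ("BHO:", "TB:", "uURLSearchHooks:", "Handler:",
                  "x64-BHO:", "x64-TB:", "x64-Handler:")
ORPHAN_MARKERS = ("<orphaned>", "<no file>")


@dataclass(frozen=True)
class Finding:
    kind: str
    line: str


def extract_path(cmd: str) -> str:
    """Return the file a Run value launches, from its command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def triage_run_line(line: str):
    """Findings for one Run/RunOnce line, or None if the line is not one."""
    m = RUN_RE.match(line)
    if m is None:
        return None
    name, path = m.group("name"), extract_path(m.group("cmd"))
    low = path.lower()
    findings = []
    if any(t in low for t in TEMP_DIRS):
        findings.append(Finding("autorun_from_temp", line))
    if not low.endswith(".exe"):
        findings.append(Finding("autorun_non_exe", line))
    if name.isdigit():
        findings.append(Finding("autorun_numeric_name", line))
    return findings


def triage(text: str) -> list:
    """Run every rule over a DDS Pseudo HJT section and collect findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = triage_run_line(line)
        if run is not None:
            findings.extend(run)
        elif line.startswith("uProxyOverride =") and re.search(r"127\.0\.0\.1:\d+", line):
            findings.append(Finding("proxy_override_loopback", line))
        elif line.startswith(CLSID_PREFIXES):
            if line.endswith(ORPHAN_MARKERS):
                findings.append(Finding("orphaned_clsid", line))
            elif line.endswith("-"):          # CLSID registered, no file path
                findings.append(Finding("clsid_without_path", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule; handy for a quick first read of a log."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.line}")
```

Flagged lines are only leads for a human reviewer; legitimate software also registers orphaned CLSIDs after an uninstall, which is why the thread's helper confirms each hit with a second tool before anything is deleted.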


#2 nasdaq (Malware Response Team)

Posted 27 February 2014 - 09:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.

Edited by nasdaq, 27 February 2014 - 02:03 PM.


#3 TrappedinWonderland

  • Topic Starter

Posted 27 February 2014 - 09:48 AM

Okay, I tried to click on the second download link you provided (64-bit operating system RogueKiller) and it brings me back to this thread. I clicked on the other links to see if the same thing happened, but they seem to work fine. I tried copying the link and pasting it manually, but the copied link is this thread link.


Edited by TrappedinWonderland, 27 February 2014 - 10:12 AM.


#4 nasdaq (Malware Response Team)

Posted 27 February 2014 - 02:03 PM

Sorry about that. I have corrected the link.

#5 TrappedinWonderland

  • Topic Starter

Posted 27 February 2014 - 05:24 PM

Update: Okay, so I found that the actual reason for my computer locking/going into sleep mode without warning was an accidentally hit key on my USB keyboard.  Still wary, however.
 
Also, somehow I wound up with two RKreport logs.  I'll give them both.
 
RKreport[0]_D_02272014_130853:
 
RogueKiller V8.8.9 _x64_ [Feb 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com

Operating System : Windows Vista (6.0.6001 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Admin rights]
Mode : Remove -- Date : 02/27/2014 13:08:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : 339998171 (C:\Users\owner\AppData\Local\Temp\tmph8889013086767017387.tmp [x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-245504629-2005997162-4161654802-1000\[...]\Run : 339998171 (C:\Users\owner\AppData\Local\Temp\tmph8889013086767017387.tmp [x]) -> [0x2] The system cannot find the file specified.
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> E:\windows\system32\config\SYSTEM | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SOFTWARE | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SECURITY | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SAM | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\DEFAULT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\Default\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS543232L9A300 +++++
--- User ---
[MBR] 5ad3cbffdef47ec5346bebc41b696a73
[BSP] 1119553975c6a85955e8436baabce0c8 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_02272014_130853.txt >>
RKreport[0]_S_02272014_130823.txt
 
 
 
 
RKreport[0]_S_02272014_130823:
 
RogueKiller V8.8.9 _x64_ [Feb 24 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com

Operating System : Windows Vista (6.0.6001 Service Pack 1) 64 bits version
Started in : Normal mode
User : owner [Admin rights]
Mode : Scan -- Date : 02/27/2014 13:08:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : 339998171 (C:\Users\owner\AppData\Local\Temp\tmph8889013086767017387.tmp [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-245504629-2005997162-4161654802-1000\[...]\Run : 339998171 (C:\Users\owner\AppData\Local\Temp\tmph8889013086767017387.tmp [x]) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> E:\windows\system32\config\SYSTEM | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SOFTWARE | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SECURITY | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\SAM | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\windows\system32\config\DEFAULT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> E:\Users\Default\NTUSER.DAT | DRVINFO [Drv - E:] | SYSTEMINFO [Sys - x:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS543232L9A300 +++++
--- User ---
[MBR] 5ad3cbffdef47ec5346bebc41b696a73
[BSP] 1119553975c6a85955e8436baabce0c8 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 290204 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_02272014_130823.txt >>
 
 
 
 
 
AdwCleaner[S0] (From after restarting, as it prompted.  Will provide the other AdwC log if asked) :
 
# AdwCleaner v3.020 - Report created 27/02/2014 at 13:17:52
# Updated 27/02/2014 by Xplode
# Operating System : Windows ™ Vista Home Premium Service Pack 1 (64 bits)
# Username : owner - OWNER-PC
# Running from : C:\Users\owner\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

[!] Folder Deleted : C:\ProgramData\Ask
[!] Folder Deleted : C:\ProgramData\Trymedia
[!] Folder Deleted : C:\Users\owner\AppData\Local\PackageAware
[!] Folder Deleted : C:\Users\owner\AppData\Local\visi_coupon
[!] Folder Deleted : C:\Users\owner\AppData\LocalLow\Conduit
[!] Folder Deleted : C:\Users\owner\AppData\Roaming\iWin
[!] Folder Deleted : C:\Users\Bri-Chan\AppData\Local\AskToolbar
[!] Folder Deleted : C:\Users\Bri-Chan\AppData\LocalLow\Conduit

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2464976
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\AppDataLow\Software\Toolbar
Key Deleted : HKLM\Software\Trymedia Systems
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - 127.0.0.1:9421;<local>;*.local

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.19088

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Google Chrome v33.0.1750.117

[ File : C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\Elizabeth Medley\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [6109 octets] - [27/02/2014 13:14:08]
AdwCleaner[S0].txt - [5404 octets] - [27/02/2014 13:17:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5464 octets] ##########
 
JRT.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows ™ Vista Home Premium x64
Ran by owner on Thu 02/27/2014 at 13:36:58.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services


~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL


~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0692D505-E960-7221-A613-1CB225C40302}


~~~ Files


~~~ Folders

Successfully deleted: [Folder] "C:\Users\owner\AppData\Roaming\getrighttogo"


~~~ Event Viewer Logs were cleared


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/27/2014 at 13:48:21.75
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-02-2014 02
Ran by owner (administrator) on OWNER-PC on 27-02-2014 14:12:33
Running from C:\Users\owner\Desktop\FRST
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: scan-tool/dl/81/
Download link for 64-Bit Version: scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\STacSV64.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
() C:\Windows\System32\WLTRYSVC.EXE
(Dell Inc.) C:\Windows\System32\bcmwltry.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(Microsoft Corporation) C:\Windows\system32\locator.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Windows\System32\WLTRAY.EXE
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Akamai Technologies, Inc.) C:\Users\owner\AppData\Local\Akamai\netsession_win.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Akamai Technologies, Inc.) C:\Users\owner\AppData\Local\Akamai\netsession_win.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(Microsoft Corporation) C:\Windows\system32\conime.exe
 
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [272896 2008-09-03] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [462336 2008-12-14] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Windows\system32\WLTRAY.exe [4119552 2008-12-22] (Dell Inc.)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [2037328 2008-08-20] (Dell Inc.)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-05-07] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe [446635 2008-06-03] (Creative Technology Ltd.)
HKLM-x32\...\Run: [PDVDDXSrv] - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128296 2008-05-23] (CyberLink Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Conime] - %windir%\system32\conime.exe
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-03-17] (Apple Inc.)
HKLM-x32\...\Run: [ROC_ROC_NT] - "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [3814736 2014-02-26] (LogMeIn Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\.DEFAULT\...\RunOnce: [KodakHomeCenter] - "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [Facebook Update] - "C:\Users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [Akamai NetSession Interface] - C:\Users\owner\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [18678376 2013-04-19] (Skype Technologies S.A.)
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\RunOnce: [Shockwave Updater] - "C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1150595.exe" -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: D - D:\LaunchU3.exe -a
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: G - G:\LaunchU3.exe -a
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: {4e51d4d4-e062-11de-a575-806e6f6e6963} - D:\LaunchU3.exe -a
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: {9a785d9f-d308-11de-a5c4-0023ae1e7e5f} - D:\rcaeasyrip_setup.exe
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: {e2dccaf8-2530-11de-ae0e-0023ae1e7e5f} - D:\LaunchU3.exe -a
Startup: C:\Users\Bri-Chan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\Bri-Chan\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\Guest\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
 
==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page 
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {DC8CEEEB-873C-4F82-82D3-E0DCD216A637} &Form=DLCDF7&pc=MDDC&src={referrer:source?}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} 
SearchScopes: HKCU - {CFBD4923-5900-40B0-AF2E-5AD463740D0D} {SearchTerms}
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} 
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\Update\1.3.21.57\%ProgramW6432%\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll No File
BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {69D1A568-FFDF-4EF5-8919-7003582E0EE8} -  No File
DPF: HKLM-x32 {20A60F0D-9AFA-4515-A0FD-83BD84642501} 
DPF: HKLM-x32 {5C051655-FCD5-4969-9182-770EA5AA5565} 6986.cab
DPF: HKLM-x32 {5D6F45B3-9043-443D-A792-115447494D24} ontent/Default/uno1/GAME_UNO1.cab
DPF: HKLM-x32 {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} cab
DPF: HKLM-x32 {B8BE5E93-A60C-4D26-A2DC-220313175592} b102118.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} ab56907.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} 
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Drive) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-03-12]
CHR Extension: (YouTube) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-16]
CHR Extension: (Google Search) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-16]
CHR Extension: (Google Wallet) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-16]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Services (Whitelisted) =================

S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-04-28] (Adobe Systems)
R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [88576 2008-12-14] (Andrea Electronics Corporation)
R2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll [4569856 2013-07-01] (Akamai Technologies, Inc.)
S2 gupdate1caff82f5ab2d38; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [133104 2010-05-29] (Google Inc.)
S2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [377616 2014-02-26] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [3547376 2010-04-27] (INCA Internet Co., Ltd.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\STacSV64.exe [281600 2008-12-14] (IDT, Inc.)
S3 usprserv; C:\Windows\System32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S3 usprserv; C:\Windows\SysWOW64\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
R2 wltrysvc; C:\Windows\System32\bcmwltry.exe [3051520 2008-12-22] (Dell Inc.)
S2 yksvc; RUNDLL32.EXE ykx64coinst,serviceStartProc [X]

==================== Drivers (Whitelisted) ====================

S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 NPPTNT2; C:\Windows\SysWOW64\npptNT2.sys [4682 2005-01-02] (INCA Internet Co., Ltd.)
R3 OA009Ufd; C:\Windows\System32\DRIVERS\OA009Ufd.sys [168864 2008-09-03] (Creative Technology Ltd.)
R3 OA009Vid; C:\Windows\System32\DRIVERS\OA009Vid.sys [307456 2008-09-03] (Creative Technology Ltd.)
R3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [49664 2007-02-05] ()
S3 dump_wmimmc; \??\C:\Program Files (x86)\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 X6va003; \??\C:\Users\owner\AppData\Local\Temp\003B33E.tmp [X]
S3 X6va005; \??\C:\Users\owner\AppData\Local\Temp\005F07D.tmp [X]
 
==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-27 14:12 - 2014-02-27 14:12 - 00000000 ____D () C:\FRST
2014-02-27 14:10 - 2014-02-27 14:12 - 00000000 ____D () C:\Users\owner\Desktop\FRST
2014-02-27 13:48 - 2014-02-27 13:48 - 00001185 _____ () C:\Users\owner\Desktop\JRT.txt
2014-02-27 13:36 - 2014-02-27 13:36 - 00000000 ____D () C:\Windows\ERUNT
2014-02-27 13:35 - 2014-02-27 13:35 - 01037734 _____ (Thisisu) C:\Users\owner\Desktop\JRT.exe
2014-02-27 13:22 - 2014-02-27 13:22 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi
2014-02-27 13:14 - 2014-02-27 13:18 - 00000000 ____D () C:\AdwCleaner
2014-02-27 13:10 - 2014-02-27 13:10 - 01244192 _____ () C:\Users\owner\Desktop\adwcleaner.exe
2014-02-27 13:08 - 2014-02-27 13:08 - 00002951 _____ () C:\Users\owner\Desktop\RKreport[0]_D_02272014_130853.txt
2014-02-27 13:08 - 2014-02-27 13:08 - 00002849 _____ () C:\Users\owner\Desktop\RKreport[0]_S_02272014_130823.txt
2014-02-27 13:02 - 2014-02-27 13:09 - 00000000 ____D () C:\Users\owner\Desktop\RK_Quarantine
2014-02-27 13:00 - 2014-02-27 13:00 - 04413952 _____ () C:\Users\owner\Desktop\RogueKillerX64.exe
2014-02-27 06:42 - 2014-02-27 06:42 - 00003059 _____ () C:\Users\owner\Documents\Fix.txt
2014-02-27 03:31 - 2014-02-27 03:31 - 00005053 _____ () C:\Users\owner\Desktop\attach.txt
2014-02-27 03:31 - 2014-02-27 03:28 - 00014747 _____ () C:\Users\owner\Desktop\dds.txt
2014-02-27 02:47 - 2014-02-27 02:48 - 00688992 ____R (Swearware) C:\Users\owner\Downloads\dds.com
2014-02-27 01:39 - 2014-02-27 01:39 - 00001099 _____ () C:\Users\owner\Desktop\Spybot - Search & Destroy.lnk
2014-02-27 01:38 - 2014-02-27 01:45 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2014-02-27 01:28 - 2014-02-27 01:30 - 16409960 _____ (Safer Networking Limited ) C:\Users\owner\Downloads\spybotsd162.exe
2014-02-26 18:50 - 2014-02-26 18:50 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-02-26 18:49 - 2014-02-26 18:50 - 00000000 ____D () C:\Users\owner\Desktop\mbar
2014-02-26 18:46 - 2014-02-26 18:48 - 12589848 _____ (Malwarebytes Corp.) C:\Users\owner\Downloads\mbar-1.07.0.1009.exe
2014-02-26 18:22 - 2014-02-26 18:29 - 00002522 _____ () C:\Users\owner\Desktop\Rkill.txt
2014-02-26 18:22 - 2014-02-26 18:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\owner\Downloads\rkill.exe
2014-02-26 17:07 - 2014-02-26 17:07 - 00000000 ____D () C:\ProgramData\Oracle
2014-02-26 17:06 - 2014-02-26 17:05 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-02-26 17:06 - 2014-02-26 17:05 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-02-26 17:06 - 2014-02-26 17:05 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-02-26 17:06 - 2014-02-26 17:05 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-02-26 16:44 - 2014-02-26 16:44 - 00000987 _____ () C:\Users\owner\Desktop\Continue Pando Media Booster Installation.lnk
2014-02-26 16:23 - 2014-02-26 16:23 - 00005254 _____ () C:\Users\owner\.recently-used.xbel
2014-02-25 15:59 - 2014-02-25 15:59 - 00002154 _____ () C:\Windows\epplauncher.mif
2014-02-25 15:55 - 2014-02-25 15:56 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-02-25 15:55 - 2014-02-25 15:55 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-02-25 15:34 - 2014-02-25 15:35 - 13670584 _____ (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
2014-02-24 23:05 - 2014-02-24 23:06 - 102404888 _____ (Microsoft Corporation) C:\Users\owner\Downloads\msert.exe
2014-02-16 21:26 - 2014-02-27 02:34 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-02-16 21:26 - 2014-02-16 21:27 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-02-11 18:05 - 2014-02-12 16:38 - 00000000 ____D () C:\Users\owner\Documents\3DS Backup
2014-02-06 15:20 - 2014-02-20 14:58 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi(516)
2014-01-31 13:56 - 2014-02-01 20:53 - 00000000 ____D () C:\Users\owner\Downloads\MapTool Maps
2014-01-30 21:43 - 2014-01-30 21:43 - 00001200 _____ () C:\Users\owner\Documents\D20 Duel Forum Game.txt
2014-01-30 17:15 - 2014-01-30 17:15 - 00000000 ____D () C:\Users\owner\Downloads\dicetool-1.0.b34
2014-01-29 12:24 - 2009-03-18 17:35 - 00033856 ____H (LogMeIn, Inc.) C:\Windows\system32\hamachi.sys
 
==================== One Month Modified Files and Folders =======

2014-02-27 14:13 - 2010-05-29 15:19 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-27 14:12 - 2014-02-27 14:12 - 00000000 ____D () C:\FRST
2014-02-27 14:12 - 2014-02-27 14:10 - 00000000 ____D () C:\Users\owner\Desktop\FRST
2014-02-27 13:58 - 2011-09-14 18:47 - 00000928 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-245504629-2005997162-4161654802-1000UA.job
2014-02-27 13:48 - 2014-02-27 13:48 - 00001185 _____ () C:\Users\owner\Desktop\JRT.txt
2014-02-27 13:36 - 2014-02-27 13:36 - 00000000 ____D () C:\Windows\ERUNT
2014-02-27 13:35 - 2014-02-27 13:35 - 01037734 _____ (Thisisu) C:\Users\owner\Desktop\JRT.exe
2014-02-27 13:27 - 2012-08-22 18:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-27 13:26 - 2010-05-29 15:03 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Skype
2014-02-27 13:26 - 2009-02-20 00:19 - 01163715 _____ () C:\Windows\WindowsUpdate.log
2014-02-27 13:22 - 2014-02-27 13:22 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi
2014-02-27 13:22 - 2014-01-23 17:13 - 00000000 ____D () C:\Users\owner\AppData\Local\LogMeIn Hamachi
2014-02-27 13:22 - 2010-05-29 15:19 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-27 13:20 - 2010-01-23 13:14 - 00000434 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2014-02-27 13:20 - 2006-11-02 07:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-27 13:20 - 2006-11-02 07:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-27 13:20 - 2006-11-02 07:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-27 13:19 - 2009-03-24 14:33 - 00000000 ____D () C:\Program Files (x86)\Pando Networks
2014-02-27 13:19 - 2009-02-20 06:56 - 00000000 ____D () C:\Program Files (x86)\Dell Video Chat
2014-02-27 13:19 - 2008-01-20 19:26 - 00302130 _____ () C:\Windows\PFRO.log
2014-02-27 13:19 - 2006-11-02 07:42 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-27 13:18 - 2014-02-27 13:14 - 00000000 ____D () C:\AdwCleaner
2014-02-27 13:10 - 2014-02-27 13:10 - 01244192 _____ () C:\Users\owner\Desktop\adwcleaner.exe
2014-02-27 13:09 - 2014-02-27 13:02 - 00000000 ____D () C:\Users\owner\Desktop\RK_Quarantine
2014-02-27 13:08 - 2014-02-27 13:08 - 00002951 _____ () C:\Users\owner\Desktop\RKreport[0]_D_02272014_130853.txt
2014-02-27 13:08 - 2014-02-27 13:08 - 00002849 _____ () C:\Users\owner\Desktop\RKreport[0]_S_02272014_130823.txt
2014-02-27 13:00 - 2014-02-27 13:00 - 04413952 _____ () C:\Users\owner\Desktop\RogueKillerX64.exe
2014-02-27 06:42 - 2014-02-27 06:42 - 00003059 _____ () C:\Users\owner\Documents\Fix.txt
2014-02-27 03:31 - 2014-02-27 03:31 - 00005053 _____ () C:\Users\owner\Desktop\attach.txt
2014-02-27 03:28 - 2014-02-27 03:31 - 00014747 _____ () C:\Users\owner\Desktop\dds.txt
2014-02-27 02:48 - 2014-02-27 02:47 - 00688992 ____R (Swearware) C:\Users\owner\Downloads\dds.com
2014-02-27 02:34 - 2014-02-16 21:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-02-27 01:45 - 2014-02-27 01:38 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2014-02-27 01:39 - 2014-02-27 01:39 - 00001099 _____ () C:\Users\owner\Desktop\Spybot - Search & Destroy.lnk
2014-02-27 01:30 - 2014-02-27 01:28 - 16409960 _____ (Safer Networking Limited ) C:\Users\owner\Downloads\spybotsd162.exe
2014-02-26 18:50 - 2014-02-26 18:50 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-02-26 18:50 - 2014-02-26 18:49 - 00000000 ____D () C:\Users\owner\Desktop\mbar
2014-02-26 18:48 - 2014-02-26 18:46 - 12589848 _____ (Malwarebytes Corp.) C:\Users\owner\Downloads\mbar-1.07.0.1009.exe
2014-02-26 18:29 - 2014-02-26 18:22 - 00002522 _____ () C:\Users\owner\Desktop\Rkill.txt
2014-02-26 18:22 - 2014-02-26 18:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\owner\Downloads\rkill.exe
2014-02-26 18:11 - 2009-09-05 10:44 - 00000000 ____D () C:\ProgramData\kds_kodak
2014-02-26 18:11 - 2009-09-04 14:02 - 00000000 ____D () C:\Program Files (x86)\Kodak
2014-02-26 18:11 - 2009-09-03 18:20 - 00000000 ____D () C:\ProgramData\Kodak
2014-02-26 18:10 - 2009-09-04 14:20 - 00000000 ____D () C:\Users\owner\AppData\Local\Eastman_Kodak_Company
2014-02-26 18:10 - 2009-09-04 14:05 - 00000000 ____D () C:\Users\owner\AppData\Local\Eastman Kodak Company
2014-02-26 18:02 - 2009-02-20 06:38 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-02-26 17:36 - 2013-11-02 21:34 - 00001142 _____ () C:\Users\owner\Desktop\ Mabinogi .lnk
2014-02-26 17:07 - 2014-02-26 17:07 - 00000000 ____D () C:\ProgramData\Oracle
2014-02-26 17:05 - 2014-02-26 17:06 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-02-26 17:05 - 2014-02-26 17:06 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-02-26 17:05 - 2014-02-26 17:06 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-02-26 17:05 - 2014-02-26 17:06 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-02-26 17:05 - 2009-02-20 06:37 - 00000000 ____D () C:\Program Files (x86)\Java
2014-02-26 16:58 - 2011-09-14 18:47 - 00000906 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-245504629-2005997162-4161654802-1000Core.job
2014-02-26 16:44 - 2014-02-26 16:44 - 00000987 _____ () C:\Users\owner\Desktop\Continue Pando Media Booster Installation.lnk
2014-02-26 16:27 - 2009-06-19 15:16 - 00000000 ____D () C:\Users\owner\.gimp-2.6
2014-02-26 16:23 - 2014-02-26 16:23 - 00005254 _____ () C:\Users\owner\.recently-used.xbel
2014-02-26 16:23 - 2009-03-18 15:58 - 00000000 ____D () C:\Users\owner
2014-02-26 06:24 - 2013-09-27 16:53 - 00000000 ____D () C:\ProgramData\Hero Lab
2014-02-25 15:59 - 2014-02-25 15:59 - 00002154 _____ () C:\Windows\epplauncher.mif
2014-02-25 15:56 - 2014-02-25 15:55 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-02-25 15:55 - 2014-02-25 15:55 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-02-25 15:35 - 2014-02-25 15:34 - 13670584 _____ (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
2014-02-24 23:06 - 2014-02-24 23:05 - 102404888 _____ (Microsoft Corporation) C:\Users\owner\Downloads\msert.exe
2014-02-24 23:03 - 2013-08-15 07:29 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-24 22:42 - 2011-11-03 18:30 - 00000000 ____D () C:\Users\owner\AppData\Local\Akamai
2014-02-24 22:42 - 2009-04-25 09:00 - 00000000 ____D () C:\Users\Bri-Chan
2014-02-24 22:42 - 2009-04-03 10:28 - 00000000 ____D () C:\Users\Guest
2014-02-24 22:42 - 2009-03-28 08:04 - 00000000 ____D () C:\Users\Elizabeth Medley
2014-02-24 22:42 - 2006-11-02 05:34 - 00000000 ____D () C:\Windows\system32\spool
2014-02-24 22:42 - 2006-11-02 05:33 - 00000000 ____D () C:\Windows\registration
2014-02-24 22:42 - 2006-11-02 04:33 - 61865984 _____ () C:\Windows\system32\config\software_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 51904512 _____ () C:\Windows\system32\config\components_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 24117248 _____ () C:\Windows\system32\config\system_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 00262144 _____ () C:\Windows\system32\config\security_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 00262144 _____ () C:\Windows\system32\config\sam_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 00262144 _____ () C:\Windows\system32\config\default_previous
2014-02-21 03:04 - 2009-03-18 15:58 - 00000000 ___RD () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-21 03:00 - 2006-11-02 04:35 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-02-20 20:16 - 2010-05-29 15:03 - 00001983 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-02-20 20:08 - 2010-05-29 15:19 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-20 20:08 - 2010-05-29 15:19 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-02-20 14:58 - 2014-02-06 15:20 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi(516)
2014-02-20 14:58 - 2006-11-02 05:34 - 00000000 ____D () C:\Windows\system32\Msdtc
2014-02-20 14:53 - 2013-11-02 21:34 - 00000000 ___SD () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mabinogi
2014-02-20 14:53 - 2013-09-27 16:53 - 00000000 ____D () C:\Program Files (x86)\Hero Lab
2014-02-20 14:53 - 2013-05-31 18:58 - 00000000 ____D () C:\Users\owner\AppData\Roaming\ftblauncher
2014-02-20 14:53 - 2009-06-19 15:23 - 00000000 ____D () 
 
C:\Users\owner\AppData\Roaming\gtk-2.0
2014-02-16 21:27 - 2014-02-16 21:26 - 00000000 ____D () 
 
C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-02-12 16:38 - 2014-02-11 18:05 - 00000000 ____D () 
 
C:\Users\owner\Documents\3DS Backup
2014-02-09 19:04 - 2013-09-13 18:52 - 00000000 ____D () 
 
C:\Users\owner\Downloads\Art
2014-02-01 20:53 - 2014-01-31 13:56 - 00000000 ____D () 
 
C:\Users\owner\Downloads\MapTool Maps
2014-02-01 16:43 - 2009-07-20 12:42 - 00006080 _____ () 
 
C:\Users\owner\AppData\Local\d3d9caps.dat
2014-02-01 16:39 - 2014-01-23 16:53 - 00000000 ____D () 
 
C:\Users\owner\Downloads\MapTool Characters
2014-02-01 16:36 - 2013-07-13 10:45 - 00000000 ____D () 
 
C:\Users\owner\Documents\FTB
2014-01-31 19:29 - 2014-01-23 13:48 - 00000000 ____D () 
 
C:\Users\owner\.maptool
2014-01-30 21:43 - 2014-01-30 21:43 - 00001200 _____ () 
 
C:\Users\owner\Documents\D20 Duel Forum Game.txt
2014-01-30 17:15 - 2014-01-30 17:15 - 00000000 ____D () 
 
C:\Users\owner\Downloads\dicetool-1.0.b34
 
Some content of TEMP:
====================
C:\Users\Elizabeth Medley\AppData\Local\Temp\wruninstall.exe
C:\Users\owner\AppData\Local\Temp\ntdll_dump.dll
C:\Users\owner\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check 
 
=================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-04-15 11:05] - [2009-03-02 20:57] - 0718336 ____A (Microsoft 
 
Corporation) 52CDADE8289FF21F1F2215FF51A5F36C
 
 ATTENTION ======> If the system is having audio adware rpcss.dll 
 
is patched. Google the MD5, if the MD5 is unique the file is 
 
infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-27 13:27
 
==================== End Of Log ============================

Edited by TrappedinWonderland, 27 February 2014 - 05:25 PM.


#6 nasdaq

  • Malware Response Team
  • 40,227 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 28 February 2014 - 08:46 AM

Sorry but I cannot evaluate your FRST log in its current format.

Remove the Word Wrap from NotePad; this will eliminate all the extra blank lines in your log.

You will find this option on the Tools menu under the Format tag.

Then run the Farbar Recovery Scan. Post the fresh log.

#7 TrappedinWonderland

  • Topic Starter
  • Members
  • 13 posts
  • Gender:Female
  • Local time:06:41 PM

Posted 28 February 2014 - 04:26 PM

Sorry about that. I usually use Notepad on top of other windows to take notes, which is how it wound up so... wonky. Nevertheless, I do thank you for being patient with me. Here's the fresh one:
 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-02-2014 02
Ran by owner (administrator) on OWNER-PC on 28-02-2014 13:21:36
Running from C:\Users\owner\Desktop\FRST
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\STacSV64.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
() C:\Windows\System32\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Dell Inc.) C:\Windows\System32\bcmwltry.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Windows\System32\WLTRAY.EXE
(Microsoft Corporation) C:\Windows\system32\locator.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Akamai Technologies, Inc.) C:\Users\owner\AppData\Local\Akamai\netsession_win.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(LogMeIn Inc.) C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Akamai Technologies, Inc.) C:\Users\owner\AppData\Local\Akamai\netsession_win.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(Microsoft Corporation) C:\Windows\system32\conime.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MpCmdRun.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [272896 2008-09-03] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [462336 2008-12-14] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Windows\system32\WLTRAY.exe [4119552 2008-12-22] (Dell Inc.)
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [2037328 2008-08-20] (Dell Inc.)
HKLM\...\Run: [IAAnotif] - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-05-07] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe [446635 2008-06-03] (Creative Technology Ltd.)
HKLM-x32\...\Run: [PDVDDXSrv] - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128296 2008-05-23] (CyberLink Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [Conime] - %windir%\system32\conime.exe
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-03-17] (Apple Inc.)
HKLM-x32\...\Run: [ROC_ROC_NT] - "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [LogMeIn Hamachi Ui] - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe [3814736 2014-02-26] (LogMeIn Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\.DEFAULT\...\RunOnce: [KodakHomeCenter] - "C:\Program Files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe"
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [Facebook Update] - "C:\Users\owner\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [Akamai NetSession Interface] - C:\Users\owner\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [18678376 2013-04-19] (Skype Technologies S.A.)
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\RunOnce: [Shockwave Updater] - "C:\Windows\SysWOW64\Adobe\Shockwave 11\SwHelper_1150595.exe" -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; MDDC; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://health.howstuffworks.com/blood.htm/printable"
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: D - D:\LaunchU3.exe -a
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: G - G:\LaunchU3.exe -a
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: {4e51d4d4-e062-11de-a575-806e6f6e6963} - D:\LaunchU3.exe -a
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: {9a785d9f-d308-11de-a5c4-0023ae1e7e5f} - D:\rcaeasyrip_setup.exe
HKU\S-1-5-21-245504629-2005997162-4161654802-1000\...\MountPoints2: {e2dccaf8-2530-11de-ae0e-0023ae1e7e5f} - D:\LaunchU3.exe -a
Startup: C:\Users\Bri-Chan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\Bri-Chan\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Users\Guest\AppData\Roaming\wruninstall.exe (Webroot Software, Inc.)
Startup: C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Restore = http://g.msn.com/USCON/1
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {DC8CEEEB-873C-4F82-82D3-E0DCD216A637} URL = http://search.live.com/results.aspx?q={searchTerms}&Form=DLCDF7&pc=MDDC&src={referrer:source?}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKCU - {CFBD4923-5900-40B0-AF2E-5AD463740D0D} URL = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKCU - {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\Update\1.3.21.57\%ProgramW6432%\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll No File
BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {69D1A568-FFDF-4EF5-8919-7003582E0EE8} -  No File
DPF: HKLM-x32 {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: HKLM-x32 {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: HKLM-x32 {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: HKLM-x32 {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.117\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.6.6) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Drive) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-03-12]
CHR Extension: (YouTube) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-16]
CHR Extension: (Google Search) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-16]
CHR Extension: (Google Wallet) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-16]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Services (Whitelisted) =================
 
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-04-28] (Adobe Systems)
R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [88576 2008-12-14] (Andrea Electronics Corporation)
R2 Akamai; c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll [4569856 2013-07-01] (Akamai Technologies, Inc.)
S2 gupdate1caff82f5ab2d38; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [133104 2010-05-29] (Google Inc.)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe [377616 2014-02-26] (LogMeIn, Inc.)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [3547376 2010-04-27] (INCA Internet Co., Ltd.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\STacSV64.exe [281600 2008-12-14] (IDT, Inc.)
S3 usprserv; C:\Windows\System32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S3 usprserv; C:\Windows\SysWOW64\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
R2 wltrysvc; C:\Windows\System32\bcmwltry.exe [3051520 2008-12-22] (Dell Inc.)
R2 yksvc; RUNDLL32.EXE ykx64coinst,serviceStartProc [X]
 
==================== Drivers (Whitelisted) ====================
 
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 NPPTNT2; C:\Windows\SysWOW64\npptNT2.sys [4682 2005-01-02] (INCA Internet Co., Ltd.)
R3 OA009Ufd; C:\Windows\System32\DRIVERS\OA009Ufd.sys [168864 2008-09-03] (Creative Technology Ltd.)
R3 OA009Vid; C:\Windows\System32\DRIVERS\OA009Vid.sys [307456 2008-09-03] (Creative Technology Ltd.)
R3 RLDesignVirtualAudioCableWdm; C:\Windows\System32\DRIVERS\livecamv.sys [49664 2007-02-05] ()
S3 dump_wmimmc; \??\C:\Program Files (x86)\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 X6va003; \??\C:\Users\owner\AppData\Local\Temp\003B33E.tmp [X]
S3 X6va005; \??\C:\Users\owner\AppData\Local\Temp\005F07D.tmp [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-02-27 14:12 - 2014-02-28 13:21 - 00000000 ____D () C:\FRST
2014-02-27 14:10 - 2014-02-28 13:21 - 00000000 ____D () C:\Users\owner\Desktop\FRST
2014-02-27 13:48 - 2014-02-27 13:48 - 00001185 _____ () C:\Users\owner\Desktop\JRT.txt
2014-02-27 13:36 - 2014-02-27 13:36 - 00000000 ____D () C:\Windows\ERUNT
2014-02-27 13:35 - 2014-02-27 13:35 - 01037734 _____ (Thisisu) C:\Users\owner\Desktop\JRT.exe
2014-02-27 13:22 - 2014-02-27 13:22 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi
2014-02-27 13:14 - 2014-02-27 13:18 - 00000000 ____D () C:\AdwCleaner
2014-02-27 13:10 - 2014-02-27 13:10 - 01244192 _____ () C:\Users\owner\Desktop\adwcleaner.exe
2014-02-27 13:08 - 2014-02-27 13:08 - 00002951 _____ () C:\Users\owner\Desktop\RKreport[0]_D_02272014_130853.txt
2014-02-27 13:08 - 2014-02-27 13:08 - 00002849 _____ () C:\Users\owner\Desktop\RKreport[0]_S_02272014_130823.txt
2014-02-27 13:02 - 2014-02-27 13:09 - 00000000 ____D () C:\Users\owner\Desktop\RK_Quarantine
2014-02-27 13:00 - 2014-02-27 13:00 - 04413952 _____ () C:\Users\owner\Desktop\RogueKillerX64.exe
2014-02-27 06:42 - 2014-02-27 06:42 - 00003059 _____ () C:\Users\owner\Documents\Fix.txt
2014-02-27 03:31 - 2014-02-27 03:31 - 00005053 _____ () C:\Users\owner\Desktop\attach.txt
2014-02-27 03:31 - 2014-02-27 03:28 - 00014747 _____ () C:\Users\owner\Desktop\dds.txt
2014-02-27 02:47 - 2014-02-27 02:48 - 00688992 ____R (Swearware) C:\Users\owner\Downloads\dds.com
2014-02-27 01:39 - 2014-02-27 01:39 - 00001099 _____ () C:\Users\owner\Desktop\Spybot - Search & Destroy.lnk
2014-02-27 01:38 - 2014-02-27 01:45 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2014-02-27 01:28 - 2014-02-27 01:30 - 16409960 _____ (Safer Networking Limited ) C:\Users\owner\Downloads\spybotsd162.exe
2014-02-26 18:50 - 2014-02-26 18:50 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-02-26 18:49 - 2014-02-26 18:50 - 00000000 ____D () C:\Users\owner\Desktop\mbar
2014-02-26 18:46 - 2014-02-26 18:48 - 12589848 _____ (Malwarebytes Corp.) C:\Users\owner\Downloads\mbar-1.07.0.1009.exe
2014-02-26 18:22 - 2014-02-26 18:29 - 00002522 _____ () C:\Users\owner\Desktop\Rkill.txt
2014-02-26 18:22 - 2014-02-26 18:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\owner\Downloads\rkill.exe
2014-02-26 17:07 - 2014-02-26 17:07 - 00000000 ____D () C:\ProgramData\Oracle
2014-02-26 17:06 - 2014-02-26 17:05 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-02-26 17:06 - 2014-02-26 17:05 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-02-26 17:06 - 2014-02-26 17:05 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-02-26 17:06 - 2014-02-26 17:05 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-02-26 16:44 - 2014-02-26 16:44 - 00000987 _____ () C:\Users\owner\Desktop\Continue Pando Media Booster Installation.lnk
2014-02-26 16:23 - 2014-02-26 16:23 - 00005254 _____ () C:\Users\owner\.recently-used.xbel
2014-02-25 15:59 - 2014-02-25 15:59 - 00002154 _____ () C:\Windows\epplauncher.mif
2014-02-25 15:55 - 2014-02-25 15:56 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-02-25 15:55 - 2014-02-25 15:55 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-02-25 15:34 - 2014-02-25 15:35 - 13670584 _____ (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
2014-02-24 23:05 - 2014-02-24 23:06 - 102404888 _____ (Microsoft Corporation) C:\Users\owner\Downloads\msert.exe
2014-02-16 21:26 - 2014-02-27 02:34 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-02-16 21:26 - 2014-02-16 21:27 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-02-11 18:05 - 2014-02-12 16:38 - 00000000 ____D () C:\Users\owner\Documents\3DS Backup
2014-02-06 15:20 - 2014-02-20 14:58 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi(516)
2014-01-31 13:56 - 2014-02-01 20:53 - 00000000 ____D () C:\Users\owner\Downloads\MapTool Maps
2014-01-30 21:43 - 2014-01-30 21:43 - 00001200 _____ () C:\Users\owner\Documents\D20 Duel Forum Game.txt
2014-01-30 17:15 - 2014-01-30 17:15 - 00000000 ____D () C:\Users\owner\Downloads\dicetool-1.0.b34
2014-01-29 12:24 - 2009-03-18 17:35 - 00033856 ____H (LogMeIn, Inc.) C:\Windows\system32\hamachi.sys
 
==================== One Month Modified Files and Folders =======
 
2014-02-28 13:21 - 2014-02-27 14:12 - 00000000 ____D () C:\FRST
2014-02-28 13:21 - 2014-02-27 14:10 - 00000000 ____D () C:\Users\owner\Desktop\FRST
2014-02-28 13:19 - 2010-05-29 15:03 - 00000000 ____D () C:\Users\owner\AppData\Roaming\Skype
2014-02-28 13:19 - 2009-02-20 00:19 - 01191996 _____ () C:\Windows\WindowsUpdate.log
2014-02-28 13:14 - 2010-05-29 15:19 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-28 13:14 - 2010-01-23 13:14 - 00000434 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2014-02-28 13:13 - 2014-01-23 17:13 - 00000000 ____D () C:\Users\owner\AppData\Local\LogMeIn Hamachi
2014-02-28 13:13 - 2006-11-02 07:42 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-28 13:13 - 2006-11-02 07:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-28 13:13 - 2006-11-02 07:22 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-28 00:51 - 2011-09-14 18:47 - 00000928 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-245504629-2005997162-4161654802-1000UA.job
2014-02-28 00:51 - 2006-11-02 07:42 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-28 00:27 - 2012-08-22 18:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-28 00:13 - 2010-05-29 15:19 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-27 17:32 - 2011-08-26 16:39 - 00002413 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-02-27 16:58 - 2011-09-14 18:47 - 00000906 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-245504629-2005997162-4161654802-1000Core.job
2014-02-27 13:48 - 2014-02-27 13:48 - 00001185 _____ () C:\Users\owner\Desktop\JRT.txt
2014-02-27 13:36 - 2014-02-27 13:36 - 00000000 ____D () C:\Windows\ERUNT
2014-02-27 13:35 - 2014-02-27 13:35 - 01037734 _____ (Thisisu) C:\Users\owner\Desktop\JRT.exe
2014-02-27 13:22 - 2014-02-27 13:22 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi
2014-02-27 13:19 - 2009-03-24 14:33 - 00000000 ____D () C:\Program Files (x86)\Pando Networks
2014-02-27 13:19 - 2009-02-20 06:56 - 00000000 ____D () C:\Program Files (x86)\Dell Video Chat
2014-02-27 13:19 - 2008-01-20 19:26 - 00302130 _____ () C:\Windows\PFRO.log
2014-02-27 13:18 - 2014-02-27 13:14 - 00000000 ____D () C:\AdwCleaner
2014-02-27 13:10 - 2014-02-27 13:10 - 01244192 _____ () C:\Users\owner\Desktop\adwcleaner.exe
2014-02-27 13:09 - 2014-02-27 13:02 - 00000000 ____D () C:\Users\owner\Desktop\RK_Quarantine
2014-02-27 13:08 - 2014-02-27 13:08 - 00002951 _____ () C:\Users\owner\Desktop\RKreport[0]_D_02272014_130853.txt
2014-02-27 13:08 - 2014-02-27 13:08 - 00002849 _____ () C:\Users\owner\Desktop\RKreport[0]_S_02272014_130823.txt
2014-02-27 13:00 - 2014-02-27 13:00 - 04413952 _____ () C:\Users\owner\Desktop\RogueKillerX64.exe
2014-02-27 06:42 - 2014-02-27 06:42 - 00003059 _____ () C:\Users\owner\Documents\Fix.txt
2014-02-27 03:31 - 2014-02-27 03:31 - 00005053 _____ () C:\Users\owner\Desktop\attach.txt
2014-02-27 03:28 - 2014-02-27 03:31 - 00014747 _____ () C:\Users\owner\Desktop\dds.txt
2014-02-27 02:48 - 2014-02-27 02:47 - 00688992 ____R (Swearware) C:\Users\owner\Downloads\dds.com
2014-02-27 02:34 - 2014-02-16 21:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-02-27 01:45 - 2014-02-27 01:38 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2014-02-27 01:39 - 2014-02-27 01:39 - 00001099 _____ () C:\Users\owner\Desktop\Spybot - Search & Destroy.lnk
2014-02-27 01:30 - 2014-02-27 01:28 - 16409960 _____ (Safer Networking Limited ) C:\Users\owner\Downloads\spybotsd162.exe
2014-02-26 18:50 - 2014-02-26 18:50 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-02-26 18:50 - 2014-02-26 18:49 - 00000000 ____D () C:\Users\owner\Desktop\mbar
2014-02-26 18:48 - 2014-02-26 18:46 - 12589848 _____ (Malwarebytes Corp.) C:\Users\owner\Downloads\mbar-1.07.0.1009.exe
2014-02-26 18:29 - 2014-02-26 18:22 - 00002522 _____ () C:\Users\owner\Desktop\Rkill.txt
2014-02-26 18:22 - 2014-02-26 18:22 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\owner\Downloads\rkill.exe
2014-02-26 18:11 - 2009-09-05 10:44 - 00000000 ____D () C:\ProgramData\kds_kodak
2014-02-26 18:11 - 2009-09-04 14:02 - 00000000 ____D () C:\Program Files (x86)\Kodak
2014-02-26 18:11 - 2009-09-03 18:20 - 00000000 ____D () C:\ProgramData\Kodak
2014-02-26 18:10 - 2009-09-04 14:20 - 00000000 ____D () C:\Users\owner\AppData\Local\Eastman_Kodak_Company
2014-02-26 18:10 - 2009-09-04 14:05 - 00000000 ____D () C:\Users\owner\AppData\Local\Eastman Kodak Company
2014-02-26 18:02 - 2009-02-20 06:38 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-02-26 17:36 - 2013-11-02 21:34 - 00001142 _____ () C:\Users\owner\Desktop\ Mabinogi .lnk
2014-02-26 17:07 - 2014-02-26 17:07 - 00000000 ____D () C:\ProgramData\Oracle
2014-02-26 17:05 - 2014-02-26 17:06 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-02-26 17:05 - 2014-02-26 17:06 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-02-26 17:05 - 2014-02-26 17:06 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-02-26 17:05 - 2014-02-26 17:06 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-02-26 17:05 - 2009-02-20 06:37 - 00000000 ____D () C:\Program Files (x86)\Java
2014-02-26 16:44 - 2014-02-26 16:44 - 00000987 _____ () C:\Users\owner\Desktop\Continue Pando Media Booster Installation.lnk
2014-02-26 16:27 - 2009-06-19 15:16 - 00000000 ____D () C:\Users\owner\.gimp-2.6
2014-02-26 16:23 - 2014-02-26 16:23 - 00005254 _____ () C:\Users\owner\.recently-used.xbel
2014-02-26 16:23 - 2009-03-18 15:58 - 00000000 ____D () C:\Users\owner
2014-02-26 06:24 - 2013-09-27 16:53 - 00000000 ____D () C:\ProgramData\Hero Lab
2014-02-25 15:59 - 2014-02-25 15:59 - 00002154 _____ () C:\Windows\epplauncher.mif
2014-02-25 15:56 - 2014-02-25 15:55 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-02-25 15:55 - 2014-02-25 15:55 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-02-25 15:35 - 2014-02-25 15:34 - 13670584 _____ (Microsoft Corporation) C:\Users\owner\Downloads\mseinstall.exe
2014-02-24 23:06 - 2014-02-24 23:05 - 102404888 _____ (Microsoft Corporation) C:\Users\owner\Downloads\msert.exe
2014-02-24 23:03 - 2013-08-15 07:29 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-24 22:42 - 2011-11-03 18:30 - 00000000 ____D () C:\Users\owner\AppData\Local\Akamai
2014-02-24 22:42 - 2009-04-25 09:00 - 00000000 ____D () C:\Users\Bri-Chan
2014-02-24 22:42 - 2009-04-03 10:28 - 00000000 ____D () C:\Users\Guest
2014-02-24 22:42 - 2009-03-28 08:04 - 00000000 ____D () C:\Users\Elizabeth Medley
2014-02-24 22:42 - 2006-11-02 05:34 - 00000000 ____D () C:\Windows\system32\spool
2014-02-24 22:42 - 2006-11-02 05:33 - 00000000 ____D () C:\Windows\registration
2014-02-24 22:42 - 2006-11-02 04:33 - 61865984 _____ () C:\Windows\system32\config\software_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 51904512 _____ () C:\Windows\system32\config\components_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 24117248 _____ () C:\Windows\system32\config\system_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 00262144 _____ () C:\Windows\system32\config\security_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 00262144 _____ () C:\Windows\system32\config\sam_previous
2014-02-24 22:42 - 2006-11-02 04:33 - 00262144 _____ () C:\Windows\system32\config\default_previous
2014-02-21 03:04 - 2009-03-18 15:58 - 00000000 ___RD () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-21 03:00 - 2006-11-02 04:35 - 88567024 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-02-20 20:16 - 2010-05-29 15:03 - 00001983 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-02-20 20:08 - 2010-05-29 15:19 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-02-20 20:08 - 2010-05-29 15:19 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-02-20 14:58 - 2014-02-06 15:20 - 00000000 ____D () C:\Program Files (x86)\LogMeIn Hamachi(516)
2014-02-20 14:58 - 2006-11-02 05:34 - 00000000 ____D () C:\Windows\system32\Msdtc
2014-02-20 14:53 - 2013-11-02 21:34 - 00000000 ___SD () C:\Users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mabinogi
2014-02-20 14:53 - 2013-09-27 16:53 - 00000000 ____D () C:\Program Files (x86)\Hero Lab
2014-02-20 14:53 - 2013-05-31 18:58 - 00000000 ____D () C:\Users\owner\AppData\Roaming\ftblauncher
2014-02-20 14:53 - 2009-06-19 15:23 - 00000000 ____D () C:\Users\owner\AppData\Roaming\gtk-2.0
2014-02-16 21:27 - 2014-02-16 21:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-02-12 16:38 - 2014-02-11 18:05 - 00000000 ____D () C:\Users\owner\Documents\3DS Backup
2014-02-09 19:04 - 2013-09-13 18:52 - 00000000 ____D () C:\Users\owner\Downloads\Art
2014-02-01 20:53 - 2014-01-31 13:56 - 00000000 ____D () C:\Users\owner\Downloads\MapTool Maps
2014-02-01 16:43 - 2009-07-20 12:42 - 00006080 _____ () C:\Users\owner\AppData\Local\d3d9caps.dat
2014-02-01 16:39 - 2014-01-23 16:53 - 00000000 ____D () C:\Users\owner\Downloads\MapTool Characters
2014-02-01 16:36 - 2013-07-13 10:45 - 00000000 ____D () C:\Users\owner\Documents\FTB
2014-01-31 19:29 - 2014-01-23 13:48 - 00000000 ____D () C:\Users\owner\.maptool
2014-01-30 21:43 - 2014-01-30 21:43 - 00001200 _____ () C:\Users\owner\Documents\D20 Duel Forum Game.txt
2014-01-30 17:15 - 2014-01-30 17:15 - 00000000 ____D () C:\Users\owner\Downloads\dicetool-1.0.b34
 
Some content of TEMP:
====================
C:\Users\Elizabeth Medley\AppData\Local\Temp\wruninstall.exe
C:\Users\owner\AppData\Local\Temp\ntdll_dump.dll
C:\Users\owner\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-04-15 11:05] - [2009-03-02 20:57] - 0718336 ____A (Microsoft Corporation) 52CDADE8289FF21F1F2215FF51A5F36C
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-28 13:20
 
==================== End Of Log ============================


#8 TrappedinWonderland

  • Topic Starter


Posted 28 February 2014 - 09:05 PM

I also realized that I had a problem similar to the symptoms described in this thread on the SD cards in question.



#9 nasdaq


  • Malware Response Team

Posted 01 March 2014 - 09:16 AM


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\Update\1.3.21.57\%ProgramW6432%\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll No File
BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {69D1A568-FFDF-4EF5-8919-7003582E0EE8} -  No File
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 dump_wmimmc; \??\C:\Program Files (x86)\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 X6va003; \??\C:\Users\owner\AppData\Local\Temp\003B33E.tmp [X]
S3 X6va005; \??\C:\Users\owner\AppData\Local\Temp\005F07D.tmp [X]
C:\Users\Elizabeth Medley\AppData\Local\Temp\wruninstall.exe
C:\Users\owner\AppData\Local\Temp\ntdll_dump.dll

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.
The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
==============

Let me know what problem persists with this computer.

#10 TrappedinWonderland

TrappedinWonderland
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:41 PM

Posted 01 March 2014 - 05:58 PM

Computer's running pretty smoothly, though I'm wary of testing if SD cards are still having issues.  I'm not sure if I have one that I can be sure is already clean to test with, since most of my SD cards are shared with my cousin (might be how I got infected to begin with, who knows).

In any case, here are the logs:

fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-02-2014 02
Ran by owner at 2014-03-01 14:14:49 Run:1
Running from C:\Users\owner\Desktop\FRST
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
URLSearchHook: HKCU - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\Update\1.3.21.57\%ProgramW6432%\Google\GoogleToolbarNotifier\5.7.6406.1642\swg64.dll No File
BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
Toolbar: HKCU - No Name - {69D1A568-FFDF-4EF5-8919-7003582E0EE8} -  No File
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 dump_wmimmc; \??\C:\Program Files (x86)\Gpotato\Flyff\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 X6va003; \??\C:\Users\owner\AppData\Local\Temp\003B33E.tmp [X]
S3 X6va005; \??\C:\Users\owner\AppData\Local\Temp\005F07D.tmp [X]
C:\Users\Elizabeth Medley\AppData\Local\Temp\wruninstall.exe
C:\Users\owner\AppData\Local\Temp\ntdll_dump.dll
 
end
*****************
 
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} => Key deleted successfully.
HKCR\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504} => Key deleted successfully.
HKCR\CLSID\{c8d5d964-2be8-4c5b-8cf5-6e975aa88504} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{97ab88ef-346b-4179-a0b1-7445896547a5} => Value deleted successfully.
HKCR\CLSID\{97ab88ef-346b-4179-a0b1-7445896547a5} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => Value deleted successfully.
HKCR\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{69D1A568-FFDF-4EF5-8919-7003582E0EE8} => Value deleted successfully.
HKCR\CLSID\{69D1A568-FFDF-4EF5-8919-7003582E0EE8} => Key not found.
HKCR\PROTOCOLS\Handler\cozi => Key deleted successfully.
HKCR\CLSID\{5356518D-FE9C-4E08-9C1F-1E872ECD367F} => Key deleted successfully.
HKCR\PROTOCOLS\Handler\linkscanner => Key deleted successfully.
HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => Key deleted successfully.
HKCR\Wow6432Node\PROTOCOLS\Handler\linkscanner => Key not found.
HKCR\Wow6432Node\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => Key deleted successfully.
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll not found.
C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll not found.
C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll not found.
C:\Users\owner\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll not found.
c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
dump_wmimmc => Service deleted successfully.
EagleX64 => Service deleted successfully.
X6va003 => Service deleted successfully.
X6va005 => Service deleted successfully.
C:\Users\Elizabeth Medley\AppData\Local\Temp\wruninstall.exe => Moved successfully.
C:\Users\owner\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
 

 

==== End of Fixlog ====

ComboFix log (log.txt):
 
ComboFix 14-02-24.02 - owner 03/01/2014  14:29:09.1.2 - x64
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.4057.2084 [GMT -8:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-01 to 2014-03-01  )))))))))))))))))))))))))))))))
.
.
2014-03-01 22:45 . 2014-03-01 22:45 -------- d-----w- c:\users\owner\AppData\Local\temp
2014-03-01 22:45 . 2014-03-01 22:45 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-03-01 22:45 . 2014-03-01 22:45 -------- d-----w- c:\users\Elizabeth Medley\AppData\Local\temp
2014-03-01 22:45 . 2014-03-01 22:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-28 22:18 . 2014-02-17 09:32 10536864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C340900-B180-4A7D-9664-E6D2C179390C}\mpengine.dll
2014-02-28 06:31 . 2014-02-17 09:32 10536864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-02-27 22:12 . 2014-03-01 22:14 -------- d-----w- C:\FRST
2014-02-27 21:36 . 2014-02-27 21:36 -------- d-----w- c:\windows\ERUNT
2014-02-27 21:22 . 2014-02-27 21:22 -------- d-----w- c:\program files (x86)\LogMeIn Hamachi
2014-02-27 21:14 . 2014-02-27 21:18 -------- d-----w- C:\AdwCleaner
2014-02-27 09:38 . 2014-02-27 09:45 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2014-02-27 02:50 . 2014-02-27 02:50 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-02-27 01:07 . 2014-02-27 01:07 -------- d-----w- c:\programdata\Oracle
2014-02-27 01:06 . 2014-02-27 01:05 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-02-26 00:07 . 2014-02-17 21:30 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{260D8EFF-14B9-42A3-8626-87464D06221E}\gapaengine.dll
2014-02-25 23:55 . 2014-02-25 23:55 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-02-25 23:55 . 2014-02-25 23:56 -------- d-----w- c:\program files\Microsoft Security Client
2014-02-25 06:52 . 2014-02-17 09:32 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20FEF925-A6B0-49B4-942C-EE951EC2D967}\mpengine.dll
2014-02-17 05:26 . 2014-02-27 10:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-02-17 05:26 . 2014-02-17 05:27 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-21 11:00 . 2006-11-02 12:35 88567024 ----a-w- c:\windows\system32\mrt.exe
2014-01-19 07:33 . 2009-10-02 17:00 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Akamai NetSession Interface"="c:\users\owner\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-04-19 18678376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Conime"="c:\windows\system32\conime.exe" [2008-01-21 69120]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-11-02 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2014-02-27 3814736]
.
c:\users\Bri-Chan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\Bri-Chan\AppData\Roaming\wruninstall.exe -x -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} [2012-6-18 6492752]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Uninstall Webroot RunOnce.lnk - c:\users\Guest\AppData\Roaming\wruninstall.exe -x -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} [2012-6-18 6492752]
.
c:\users\owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ   Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-21 04:15 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.117\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-23 02:21]
.
2014-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 23:01]
.
2014-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 23:01]
.
2013-12-13 c:\windows\Tasks\User_Feed_Synchronization-{5472FFBF-F787-49EE-B6FE-FFFBA04DDBC5}.job
- c:\windows\system32\msfeedssync.exe [2011-06-15 04:32]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-09-04 272896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-09 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-09 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-09 200216]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 4119552]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-24 1266912]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-ROC_ROC_NT - c:\program files (x86)\AVG Secure Search\ROC_ROC_NT.exe
Wow6432Node-HKU-Default-RunOnce-KodakHomeCenter - c:\program files (x86)\Kodak\AiO\Center\AiOHomeCenter.exe
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_8fa3539.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2014-03-01  14:52:12
ComboFix-quarantined-files.txt  2014-03-01 22:52
.
Pre-Run: 152,620,408,832 bytes free
Post-Run: 151,953,534,976 bytes free
.
- - End Of File - - FB38B17C86A9C3FB67A2C0E41D0F6F6D
CDB4DE4BBD714F152979DA2DCBEF57EB
 

 



#11 nasdaq


  • Malware Response Team

Posted 02 March 2014 - 08:55 AM

Clean and protect your Media cards.

Flash Disinfector from sUBs

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
===
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===
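
The Flash_Disinfector step above works because only one object can own the name autorun.inf in a drive's root: if a directory has it, a worm cannot drop the autorun.inf file that Windows would parse, and AutoPlay ignores a directory. As an added example, not Flash_Disinfector's own code (its internals are not shown in this thread), this PowerShell script does the same thing by hand on every removable and fixed drive, and first lists the launch directives of any autorun.inf file already present so you can see what the card would have run. It assumes an elevated PowerShell 2.0 prompt (PowerShell was an optional install on Vista); the quarantine file name and the choice to move the file aside rather than delete it are my own.

```powershell
# Added example (not Flash_Disinfector's own code): inspect and "vaccinate" drives by hand.
# Assumes an elevated PowerShell 2.0 prompt on Vista. Drive selection uses WMI Win32_LogicalDisk:
# DriveType 2 = removable (SD card, USB stick), 3 = local fixed disk; CD/DVD (5) is read-only and skipped.

function Get-AutorunLaunchTargets {
    # Return the [autorun] directives that make code run or change what Explorer does with the drive.
    param([string]$Path)
    $targets = @()
    $section = ''
    foreach ($raw in (Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue)) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }                 # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        # open= / shellexecute= fire on insertion (on systems that still honour them);
        # shell\<verb>\command= fires on double-click, and shell=<verb> makes that verb the default.
        if ($line -match '^(open|shellexecute|shell\\[^\\=]+\\command|shell)\s*=\s*(.+)$') {
            $targets += New-Object PSObject -Property @{ Directive = $Matches[1]; Target = $Matches[2] }
        }
    }
    return $targets
}

function Protect-DriveFromAutorun {
    param([string]$Root)                                   # e.g. 'E:\'
    if (-not (Test-Path -LiteralPath $Root)) {             # empty card-reader slot: no media to touch
        Write-Host "$Root has no media, skipping"
        return
    }
    $inf = Join-Path $Root 'autorun.inf'
    $existing = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue   # -Force sees hidden/system
    if ($existing -and $existing.PSIsContainer) {
        Write-Host "$Root already has an autorun.inf folder, nothing to do"
        return
    }
    if ($existing) {
        # A real autorun.inf file: show what it would launch, then move it aside under a
        # hypothetical quarantine name rather than delete it, so a helper can still inspect it.
        Write-Host "$Root has an autorun.inf FILE (attributes: $($existing.Attributes))"
        foreach ($t in (Get-AutorunLaunchTargets $inf)) {
            Write-Host ("  {0} = {1}" -f $t.Directive, $t.Target)
        }
        $quarantine = Join-Path $Root 'autorun.inf.quarantined'
        Move-Item -LiteralPath $inf -Destination $quarantine -Force
        Write-Host "  moved to $quarantine"
    }
    # The directory now owns the name, so the file cannot be re-created; Hidden+System keeps it
    # out of casual view (and out of the way of accidental deletion in Explorer).
    $dir = New-Item -Path $inf -ItemType Directory
    $dir.Attributes = [IO.FileAttributes]'Hidden, System'
    Write-Host "$Root vaccinated: hidden autorun.inf folder created"
}

# Removable (2) and fixed (3) drives; DeviceID is 'E:' so a backslash is appended for the root.
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { @(2, 3) -contains $_.DriveType }
foreach ($d in $drives) { Protect-DriveFromAutorun ($d.DeviceID + '\') }
```

Run it with the SD cards and USB sticks already inserted (holding Shift during insertion, as the post says, so nothing fires first). The folder only blocks autorun.inf; it does nothing against a worm that is already running on the PC or against the executable the old autorun.inf pointed at, which still has to be cleaned by the scanner.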

#12 TrappedinWonderland

TrappedinWonderland
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:41 PM

Posted 02 March 2014 - 08:06 PM

Would it work to run the fix-it from Microsoft to disable autorun entirely, or is there still something wrong that might interfere with that?  (Note: I'm asking because my shift key is a bit unreliable.  It tends to stick a bit.)


Edited by TrappedinWonderland, 03 March 2014 - 02:37 AM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 03 March 2014 - 09:19 AM

Would it work to run the fix-it from Microsoft to disable autorun entirely,

Yes, do it.
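
The Microsoft Fix it referred to here applies the registry setting documented in KB967715 ("How to disable the Autorun functionality in Windows"): NoDriveTypeAutoRun = 0xFF under the Explorer policies key, together with HonorAutorunSetting = 1 so that the patched shell honours it. As an added example, not Microsoft's Fix it and not code posted in this thread, here is the same change applied and verified from an elevated PowerShell 2.0 prompt; it needs no Shift key. The IniFileMapping entry at the end is a separate, long-standing hardening trick that the Fix it does not set, included here as a belt-and-braces step beyond what the thread describes.

```powershell
# Added example (not Microsoft's Fix it and not code from this thread): set and verify the
# registry values that KB967715 uses to disable Autorun, from an elevated PowerShell 2.0 prompt.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMapping     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-Autorun {
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    # NoDriveTypeAutoRun is a bitmask of drive types on which Autorun is disabled:
    # 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD, 0x40 RAM disk, 0x01/0x80 unknown.
    # 0xFF sets every bit, which is what "disable Autorun entirely" means.
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    # HonorAutorunSetting = 1 makes the shell updated by KB967715 actually honour the mask.
    Set-ItemProperty -Path $explorerPolicy -Name HonorAutorunSetting -Value 1 -Type DWord
    # Extra hardening beyond the Fix it (a separate, widely used trick, not from this thread):
    # map autorun.inf to a registry key that does not exist, so the shell never reads the file.
    if (-not (Test-Path $iniMapping)) { New-Item -Path $iniMapping -Force | Out-Null }
    Set-ItemProperty -Path $iniMapping -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # Print the effective values; returns $true only when all three settings are in place.
    $p = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    $mask  = if ($p -and $p.NoDriveTypeAutoRun -ne $null)  { [int]$p.NoDriveTypeAutoRun }  else { -1 }
    $honor = if ($p -and $p.HonorAutorunSetting -ne $null) { [int]$p.HonorAutorunSetting } else { -1 }
    $map   = (Get-ItemProperty -Path $iniMapping -ErrorAction SilentlyContinue).'(default)'
    Write-Host ("NoDriveTypeAutoRun : {0}" -f $(if ($mask -ge 0) { '0x{0:X2}' -f $mask } else { 'not set (built-in default applies)' }))
    Write-Host ("HonorAutorunSetting: {0}" -f $(if ($honor -ge 0) { $honor } else { 'not set' }))
    Write-Host ("IniFileMapping     : {0}" -f $(if ($map) { $map } else { 'not set' }))
    return ($mask -eq 0xFF -and $honor -eq 1 -and $map -eq '@SYS:DoesNotExist')
}

Disable-Autorun
Test-AutorunDisabled
```

Log off and back on (or restart) so Explorer picks up the policy. This stops Windows from acting on any autorun.inf in future; it does not remove an autorun.inf that is already on a card, the executable it points to, or a worm that is already running, so the scans the helper asked for are still needed.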

#14 TrappedinWonderland

TrappedinWonderland
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:41 PM

Posted 03 March 2014 - 01:10 PM

Okay, slight problem.  I missed the part where I was supposed to reboot my computer and wound up accessing the drives to check if it worked, and MSE detected some form of threat and began cleaning it.  Sorry.  What should I do?

(The threat seems to have been the worm that had initially been on the SD cards, the detection that started all of this nonsense.  Also, it seems MSE detected it on the SD card, not my computer, now that I check this more clearly...  It at least looks like either disabling autorun did its job or MSE caught it before it could run.  Also, the USB device I have seems to be clean and clear, and doesn't seem to have been infected in the first place, let alone reinfected.)

Also, I got an error message from my OS stating that the flash disinfector may not have installed correctly for whatever reason beforehand, but I'd thought it was a false alarm.  Is this normal?


Edited by TrappedinWonderland, 03 March 2014 - 01:47 PM.


#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,227 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:41 PM

Posted 03 March 2014 - 02:30 PM

Also, I got an error message from my OS stating that the flash disinfector may not have installed correctly for whatever reason beforehand, but I'd thought it was a false alarm. Is this normal?

When I see that message I re-install the application. You should then get an option to use the recommended settings.
===

Any other issues?
