Recurring possible Rootkits


  • This topic is locked
19 replies to this topic

#1 Hedgehog83


Posted 18 April 2014 - 09:35 PM

Hello. I recently discovered that my computer is possibly infected with rootkits. Before that, I ran Microsoft Security Essentials and even got the PRO version of MBAM, and thought that my PC was clean. However, I tried a Housecall Launcher from Trend Micro and it found Rootkits. Once they were detected and removed, I ran Housecall again and to my surprise they were back again. What is interesting to note is that these possible rootkits are only on my hard drives. However, they are not on my flash drives. I know this because the results log that I have shows that. Once the computer is rebooted, they come back. I suspect the MBR file is infected. One thing to note is that I disabled my System Restore so that the restore files that might have been infected with malware are not present on my PC anymore. Other than that, my computer is functioning without weird things. However, MBAM lets me know occasionally that there is an outbound connection trying to occur (that was blocked by MBAM) when I visit a new website. I suspect that the site is infected. I stopped visiting a site that would always initiate an outbound connection from my computer. MBAM Anti-Rootkit doesn't find anything. I should also mention that MBAM found several Trojan.Dropped infections on my hard drive. They were removed, but what is strange is that I removed them about 2 times prior to this, and from the same file location. I also have a log file from GMER.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16545  BrowserJavaVersion: 10.55.2
Run by Gav gav at 19:02:56 on 2014-04-18
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.3325.1114 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe
C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptcore.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe
C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskStarter.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Users\GAVGAV~1\AppData\Local\Temp\HouseCall\housecall.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SyncManPath] "c:\users\gav gav\appdata\roaming\yandex\yandexdisk\YandexDisk.exe" -autostart
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &??????? ? Microsoft Excel - <no file>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{2592AF23-0E9C-496D-9FCE-69BB0A031EF6} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{3E1B453B-F928-41E6-AF96-6E96B67DBE31} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E} : NameServer = 192.168.1.1
TCP: Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gav gav\appdata\roaming\mozilla\firefox\profiles\0j48th93.default\
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-11 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-11 857912]
R2 ptservice;Private Tunnel Core Service;c:\program files\openvpn technologies\privatetunnel\ptservice.exe [2014-3-11 17816]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2013-6-14 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6032.sys [2009-11-6 197288]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-2-19 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-11 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-4-11 51416]
R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-11-12 468480]
R3 ptun0901;TAP Adapter V9 for Private Tunnel;c:\windows\system32\drivers\ptun0901.sys [2014-1-20 35288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2014-1-1 8192]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-04-18 23:23:53    8050496    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{cb7ecef8-407d-45b7-9945-171bfb961244}\mpengine.dll
2014-04-18 01:31:15    --------    d-----w-    c:\programdata\Doctor Web
2014-04-18 01:31:08    --------    d-----w-    c:\users\gav gav\Doctor Web
2014-04-17 23:03:36    107736    ----a-w-    c:\windows\system32\drivers\48230029.sys
2014-04-17 20:27:50    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-16 17:10:33    8049928    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-16 17:10:33    8049928    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{3488f503-1165-42b4-a330-bdfd62469b73}\mpengine.dll
2014-04-11 16:24:25    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-11 16:23:33    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-11 16:23:33    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-04-03 20:53:49    765968    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{fbef701b-4a85-4506-b375-6540de77df84}\gapaengine.dll
2014-03-25 12:18:00    23088    ----a-w-    c:\windows\DCEBoot.exe
2014-03-24 21:47:39    263072    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2014-03-24 20:54:19    --------    d-----w-    c:\program files\Spybot - Search & Destroy 2
2014-03-23 18:46:00    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-03-23 18:43:31    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
.
==================== Find3M  ====================
.
2014-04-03 16:50:56    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-12 17:04:10    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 17:04:10    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 16:52:30    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-07 23:12:00    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-07 23:02:19    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-07 23:02:07    1129472    ----a-w-    c:\windows\system32\wininet.dll
2014-03-07 22:57:17    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-07 22:56:03    421376    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-07 22:52:04    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2014-02-07 10:38:44    2050560    ----a-w-    c:\windows\system32\win32k.sys
2014-02-03 10:37:54    505344    ----a-w-    c:\windows\system32\qedit.dll
2014-01-30 07:46:58    876032    ----a-w-    c:\windows\system32\wer.dll
2014-01-25 08:19:42    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-01-20 17:38:30    35288    ----a-w-    c:\windows\system32\drivers\ptun0901.sys
2014-01-19 07:32:23    231584    ------w-    c:\windows\system32\MpSigStub.exe
.
============= FINISH: 19:03:30.50 ===============
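The post above suspects that whatever HouseCall keeps finding survives reboots because it lives in the MBR. The Python below is an added editorial example, not code from this thread or from any of the tools mentioned in it. It inspects a 512-byte MBR sector the way an analyst would: it verifies the 0x55AA boot signature, decodes the four primary partition entries, and compares a SHA-256 of the 440-byte bootstrap code against a baseline recorded from a known-good copy (for example one extracted from a backup image). The sample sectors are constructed inline and are not a real bootloader; `build_sample_mbr`, `inspect_mbr` and the baseline hash are all assumptions of this example.

```python
"""Inspect a 512-byte MBR sector: boot signature, partition table, and a
hash of the bootstrap code against a known-good baseline.
Added editorial example; not from the original post or any vendor tool."""
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; the 4-byte disk signature follows it
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510       # 0x55 0xAA


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (CHS fields skipped, LBA little-endian)."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", raw)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes, known_good_sha256: Optional[str] = None) -> dict:
    """Return structure plus a list of findings; an empty list means nothing odd."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    findings = []
    sig_ok = sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"
    if not sig_ok:
        findings.append("missing 0x55AA boot signature")
    partitions = [
        parse_partition_entry(sector[PART_TABLE_OFF + i * PART_ENTRY_LEN:
                                     PART_TABLE_OFF + (i + 1) * PART_ENTRY_LEN])
        for i in range(4)
    ]
    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if known_good_sha256 is not None and code_hash != known_good_sha256:
        findings.append("bootstrap code hash differs from baseline")
    return {"signature_ok": sig_ok, "partitions": partitions,
            "boot_code_sha256": code_hash, "findings": findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (assumption of this example): one bootable
    NTFS (type 0x07) partition starting at LBA 2048, 204800 sectors long."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\xde\xad\xbe\xef" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + b"\x55\xaa"


# Constructed sample data, not a real bootloader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Simulated bootkit-style edit: the first bytes of the bootstrap code are
# replaced while the partition table and signature are left intact.
TAMPERED_MBR = b"\xea\x00\x7c\x00\x00" + CLEAN_MBR[5:]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, inspect_mbr(sector, BASELINE_SHA256)["findings"])
```

On a live Windows machine the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated prompt. The caveat that matters for this thread: a kernel-mode rootkit that filters disk I/O can hand user mode a clean-looking sector, so a read taken from a boot rescue medium (or the drive attached to another machine) is the one to trust.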

 


#2 HelpBot


Posted 23 April 2014 - 09:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/531593 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Hedgehog83


Posted 23 April 2014 - 11:10 PM

I couldn't put the attach log in this post.

 

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16545  BrowserJavaVersion: 10.55.2
Run by Gav gav at 21:06:17 on 2014-04-23
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.3325.1893 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe
C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptcore.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe
C:\Windows\system32\taskeng.exe
C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskStarter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SyncManPath] "c:\users\gav gav\appdata\roaming\yandex\yandexdisk\YandexDisk.exe" -autostart
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_12_0_0_77_Plugin.exe -update plugin
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &??????? ? Microsoft Excel - <no file>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{2592AF23-0E9C-496D-9FCE-69BB0A031EF6} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{3E1B453B-F928-41E6-AF96-6E96B67DBE31} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E} : NameServer = 192.168.1.1
TCP: Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gav gav\appdata\roaming\mozilla\firefox\profiles\0j48th93.default\
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-11 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-11 857912]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
R2 ptservice;Private Tunnel Core Service;c:\program files\openvpn technologies\privatetunnel\ptservice.exe [2014-3-11 17816]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2013-6-14 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6032.sys [2009-11-6 197288]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-2-19 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-11 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-4-11 51416]
R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-11-12 468480]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
R3 ptun0901;TAP Adapter V9 for Private Tunnel;c:\windows\system32\drivers\ptun0901.sys [2014-1-20 35288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2014-1-1 8192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-04-23 03:33:24    8050496    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{b7f20605-e606-4dc3-b5f7-a7553d6df216}\mpengine.dll
2014-04-20 17:58:23    765968    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{650ac306-24c1-49ce-92d2-e7e538ebdb6d}\gapaengine.dll
2014-04-20 17:57:54    8050496    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-18 01:31:15    --------    d-----w-    c:\programdata\Doctor Web
2014-04-18 01:31:08    --------    d-----w-    c:\users\gav gav\Doctor Web
2014-04-17 23:03:36    107736    ----a-w-    c:\windows\system32\drivers\48230029.sys
2014-04-17 20:27:50    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-11 16:24:25    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-11 16:23:33    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-11 16:23:33    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-03-25 12:18:00    23088    ----a-w-    c:\windows\DCEBoot.exe
.
==================== Find3M  ====================
.
2014-04-03 16:51:00    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-03 16:50:56    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-12 17:04:10    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 17:04:10    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 16:52:30    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-07 23:12:00    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-07 23:02:19    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-07 23:02:07    1129472    ----a-w-    c:\windows\system32\wininet.dll
2014-03-07 22:57:17    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-07 22:56:03    421376    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-07 22:52:04    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2014-02-07 10:38:44    2050560    ----a-w-    c:\windows\system32\win32k.sys
2014-02-03 10:37:54    505344    ----a-w-    c:\windows\system32\qedit.dll
2014-01-30 07:46:58    876032    ----a-w-    c:\windows\system32\wer.dll
2014-01-25 08:19:42    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 21:07:01.33 ===============
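The two DDS logs in this thread are what a helper triages before asking for anything else. The following Python is an added editorial example, not code from this thread or from DDS: it runs a few first-pass checks over DDS-style lines. It flags `mPolicies-System: EnableLUA = dword:0` (UAC switched off), services whose binary is `srvany.exe` (a wrapper that runs an arbitrary program as a service, so the real payload is elsewhere), hosts-file overrides, and newly created drivers with all-digit file names, reporting any other logged file of the same byte size. The regular expressions are written against the line formats visible in the logs above and are an assumption of this example; the sample lines are copied from this thread's log. In that sample `48230029.sys` matches `MBAMSwissArmy.sys` at 107736 bytes, which is consistent with a copy of that driver rather than something new, but confirming that is the analyst's job, not the script's.

```python
"""First-pass triage of DDS-style log lines.
Added editorial example; the regexes assume the line formats seen in this
thread and are not part of DDS. Sample lines are copied from the thread."""
import re
from collections import defaultdict

POLICY_RE = re.compile(r"^mPolicies-System:\s*EnableLUA\s*=\s*dword:0\s*$", re.I)
# "R2 Name;Display Name;c:\path\to\binary.exe [date size]"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[", re.I)
# "YYYY-MM-DD HH:MM:SS    size    attrs    path"  (size is "--------" for directories)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\S+)\s+\S+\s+(.+?)\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.I)


def triage_dds(text: str) -> list:
    """Return a list of findings, each a dict with at least 'check' and 'detail'."""
    findings = []
    created = []  # (size_in_bytes, path) from the 'Created Last 30' section
    for line in text.splitlines():
        line = line.strip()
        if POLICY_RE.match(line):
            findings.append({"check": "uac_disabled", "detail": line})
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2).lower().endswith("srvany.exe"):
            findings.append({"check": "srvany_service", "detail": m.group(1)})
            continue
        m = HOSTS_RE.match(line)
        if m:
            findings.append({"check": "hosts_override",
                             "detail": f"{m.group(2)} -> {m.group(1)}"})
            continue
        m = CREATED_RE.match(line)
        if m and m.group(1).isdigit():
            created.append((int(m.group(1)), m.group(2)))

    # Group created files by size so a renamed copy of a known driver stands out.
    by_size = defaultdict(list)
    for size, path in created:
        by_size[size].append(path)
    for size, path in created:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\drivers\\" in path.lower() and stem.isdigit():
            twins = [p for p in by_size[size] if p != path]
            findings.append({"check": "numeric_driver_name", "detail": path,
                             "same_size_as": twins})
    return findings


# Constructed excerpt: these lines are copied from the DDS logs in this thread.
SAMPLE_LOG = r"""
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
Hosts: 127.0.0.1    www.spywareinfo.com
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2014-1-1 8192]
2014-04-17 23:03:36    107736    ----a-w-    c:\windows\system32\drivers\48230029.sys
2014-04-11 16:24:25    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-11 16:23:33    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
"""

if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_LOG):
        print(finding)
```

The checks are deliberately observational: each finding points at a line a human should read, and none of them claims a file is malicious. The same-size report in particular only says "these two files are the same length", which is a cheap lead to follow with a hash comparison.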
 



#4 Hedgehog83


Posted 23 April 2014 - 11:17 PM

Looks like I was able to find the correct posting place. Here is the Attach log from DDS as well. I don't have the original Windows DVD. However, I do have a system image DVD of this machine taken after a little use of the PC.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16545  BrowserJavaVersion: 10.55.2
Run by Gav gav at 21:06:17 on 2014-04-23
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.3325.1893 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe
C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptcore.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe
C:\Windows\system32\taskeng.exe
C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskStarter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SyncManPath] "c:\users\gav gav\appdata\roaming\yandex\yandexdisk\YandexDisk.exe" -autostart
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_12_0_0_77_Plugin.exe -update plugin
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &??????? ? Microsoft Excel - <no file>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{2592AF23-0E9C-496D-9FCE-69BB0A031EF6} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{3E1B453B-F928-41E6-AF96-6E96B67DBE31} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E} : NameServer = 192.168.1.1
TCP: Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gav gav\appdata\roaming\mozilla\firefox\profiles\0j48th93.default\
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-11 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-11 857912]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104264]
R2 ptservice;Private Tunnel Core Service;c:\program files\openvpn technologies\privatetunnel\ptservice.exe [2014-3-11 17816]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2013-6-14 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6032.sys [2009-11-6 197288]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-2-19 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-11 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-4-11 51416]
R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-11-12 468480]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
R3 ptun0901;TAP Adapter V9 for Private Tunnel;c:\windows\system32\drivers\ptun0901.sys [2014-1-20 35288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2014-1-1 8192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
.
=============== Created Last 30 ================
.
2014-04-23 03:33:24    8050496    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{b7f20605-e606-4dc3-b5f7-a7553d6df216}\mpengine.dll
2014-04-20 17:58:23    765968    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{650ac306-24c1-49ce-92d2-e7e538ebdb6d}\gapaengine.dll
2014-04-20 17:57:54    8050496    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-18 01:31:15    --------    d-----w-    c:\programdata\Doctor Web
2014-04-18 01:31:08    --------    d-----w-    c:\users\gav gav\Doctor Web
2014-04-17 23:03:36    107736    ----a-w-    c:\windows\system32\drivers\48230029.sys
2014-04-17 20:27:50    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-11 16:24:25    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-11 16:23:33    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-11 16:23:33    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-03-25 12:18:00    23088    ----a-w-    c:\windows\DCEBoot.exe
.
==================== Find3M  ====================
.
2014-04-03 16:51:00    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-03 16:50:56    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-12 17:04:10    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 17:04:10    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 16:52:30    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-07 23:12:00    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-07 23:02:19    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-07 23:02:07    1129472    ----a-w-    c:\windows\system32\wininet.dll
2014-03-07 22:57:17    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-07 22:56:03    421376    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-07 22:52:04    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2014-02-07 10:38:44    2050560    ----a-w-    c:\windows\system32\win32k.sys
2014-02-03 10:37:54    505344    ----a-w-    c:\windows\system32\qedit.dll
2014-01-30 07:46:58    876032    ----a-w-    c:\windows\system32\wer.dll
2014-01-25 08:19:42    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
.
============= FINISH: 21:07:01.33 ===============
 

#5 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 24 April 2014 - 09:41 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold; make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi Hedgehog83,
 
Is this computer used by a company?
 
--------------
 
Please re-run Trend Micro Housecall, and when the detections are reported please take a screenshot and attach it to your next reply. See here on how to do so.
 
--------------
 
I will also need a copy of the GMER log produced. If you do not still have the log then you will need to re-run GMER.
 
--------------
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Screenshot of Trend Micro detections (please attach this)
  • GMER log
  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#6 Hedgehog83
  • Topic Starter
  • Members
  • 139 posts

Posted 24 April 2014 - 11:10 AM

Hello Toffee,

Thank you for replying. 

No, this computer is not used by a company. 

I will rerun Housecall from TrendMicro again. However, it takes a very long time (anywhere from 12-18 hours), so in the meantime I will post the log from several days ago.

I also need to mention that about a week ago, I ran TDSSKiller (with a quick scan, I think) with no detections. Also Dr. Web CureIt, with no detections as well, I think. I downloaded FRST and it saved to my Downloads folder. Then, I moved it to the Desktop. For this case, does it matter that it saved to one location and I moved it to another? I read a post on here somewhere that a particular program had to be downloaded to the Desktop, otherwise it wouldn't work correctly. I just want to be sure that I am doing this correctly.

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-17 18:18:58
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD2500AAJS-75M0A0 rev.01.03E01 232.83GB
Running: fshqzcqk.exe; Driver: C:\Users\GAVGAV~1\AppData\Local\Temp\uxdiapod.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\atikmdag.sys                                                                                    section is writeable [0x8EE0E000, 0x38CD55, 0xE8000020]
?      c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CF9BE9E8-02ED-4E11-8F8B-D6C1C55EE6D4}\MpKsl5e49c5fc.sys  The system cannot find the path specified. !

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[3140] ntdll.dll!LdrLoadDll                                                     77909378 5 Bytes  JMP 6F3B1FD9 C:\Program Files\Mozilla Firefox\mozglue.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3140] kernel32.dll!HeapSetInformation + 26                                     7666A9B8 7 Bytes  JMP 5ECB3255 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3140] kernel32.dll!LockResource + C                                            76686BD3 7 Bytes  JMP 5F5E40E1 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3140] kernel32.dll!VirtualAllocEx + 54                                         7668B030 2 Bytes  JMP 5F5E4104 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3140] kernel32.dll!VirtualAllocEx + 57                                         7668B033 4 Bytes  CALL 01BEAA23
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3140] GDI32.dll!SetStretchBltMode + 256                                        75FA745C 7 Bytes  JMP 5F5E4062 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3992] USER32.dll!InSendMessageEx + 4C9                                76AEE7C8 7 Bytes  JMP 5EEDE610 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3992] USER32.dll!CreateWindowExW + AA                                 76AF13AF 7 Bytes  JMP 5EEDE681 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3992] USER32.dll!GetWindowInfo                                        76AF428E 5 Bytes  JMP 5EEE2366 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3992] USER32.dll!SetMenuItemBitmaps + 71                              76B014EE 7 Bytes  JMP 5EEDBD82 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateFile + 6                         7794426A 4 Bytes  [28, B0, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateFile + B                         7794426F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateKey + 6                          779442AA 4 Bytes  [68, B1, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateKey + B                          779442AF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateMutant + 6                       779442DA 4 Bytes  [28, B2, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateMutant + B                       779442DF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateSection + 6                      7794435A 4 Bytes  [68, B2, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtCreateSection + B                      7794435F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtMapViewOfSection + 6                   779449BA 4 Bytes  [A8, B4, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtMapViewOfSection + B                   779449BF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenFile + 6                           77944A4A 4 Bytes  [68, B0, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenFile + B                           77944A4F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenKey + 6                            77944A7A 4 Bytes  [A8, B1, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenKey + B                            77944A7F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenMutant + B                         77944A9F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenProcess + 6                        77944ACA 4 Bytes  [28, B3, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenProcess + B                        77944ACF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenProcessToken + 6                   77944ADA 4 Bytes  [68, B3, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenProcessToken + B                   77944ADF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenProcessTokenEx + 6                 77944AEA 4 Bytes  [28, B4, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenProcessTokenEx + B                 77944AEF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenSection + 6                        77944AFA 4 Bytes  [A8, B2, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenSection + B                        77944AFF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenThread + B                         77944B3F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenThreadToken + B                    77944B4F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenThreadTokenEx + 6                  77944B5A 4 Bytes  [68, B4, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtOpenThreadTokenEx + B                  77944B5F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtQueryAttributesFile + 6                77944BEA 4 Bytes  [A8, B0, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtQueryAttributesFile + B                77944BEF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtQueryFullAttributesFile + B            77944C9F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtSetInformationFile + 6                 7794517A 4 Bytes  [28, B1, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtSetInformationFile + B                 7794517F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtSetInformationThread + 6               779451CA 4 Bytes  [A8, B3, 06, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtSetInformationThread + B               779451CF 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ntdll.dll!NtUnmapViewOfSection + B                 7794546F 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] kernel32.dll!CreateProcessW                        76641BF3 5 Bytes  JMP 000800B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] kernel32.dll!CreateProcessA                        76641C28 5 Bytes  JMP 000800F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] kernel32.dll!OpenEventW                            7665C033 5 Bytes  JMP 00080070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] kernel32.dll!CreateEventW                          7668B93E 5 Bytes  JMP 00080030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!DeleteObject                             75FA5A37 5 Bytes  JMP 000B01B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetDeviceCaps                            75FA617F 5 Bytes  JMP 000B03B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SelectObject                             75FA62A0 5 Bytes  JMP 000B05F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetTextColor                             75FA666B 5 Bytes  JMP 000B0A30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetBkMode                                75FA6716 5 Bytes  JMP 000B08F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!DeleteDC                                 75FA68CD 5 Bytes  JMP 000B0170
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetCurrentObject                         75FA6B58 5 Bytes  JMP 000B0370
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetStretchBltMode                        75FA7206 5 Bytes  JMP 000B06B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SaveDC                                   75FA75BA 5 Bytes  JMP 000B0570
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!RestoreDC                                75FA7675 5 Bytes  JMP 000B0530
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!StretchDIBits                            75FA78CF 5 Bytes  JMP 000B0770
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!ExtSelectClipRgn                         75FA79F8 5 Bytes  JMP 000B02F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SelectClipRgn                            75FA7AF9 5 Bytes  JMP 000B05B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!MoveToEx                                 75FA7C33 5 Bytes  JMP 000B0470
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!Rectangle                                75FA7EA9 5 Bytes  JMP 000B09B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextAlign                             75FA82E0 5 Bytes  JMP 000B0D70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetTextAlign                             75FA85CB 5 Bytes  JMP 000B09F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!ExtTextOutW                              75FA872B 5 Bytes  JMP 000B0970
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextMetricsW                          75FA8A81 5 Bytes  JMP 000B0E30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!IntersectClipRect                        75FA8B64 5 Bytes  JMP 000B03F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetClipBox                               75FA9071 5 Bytes  JMP 000B0330
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetICMMode                               75FA94E7 5 Bytes  JMP 000B0DB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!CreateDCW                                75FAA91D 5 Bytes  JMP 000B00F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!CreateDCA                                75FAAA49 5 Bytes  JMP 000B00B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!CreateICW                                75FAB2E9 5 Bytes  JMP 000B0130
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextFaceW                             75FAB637 5 Bytes  JMP 000B0D30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetFontData                              75FABA6C 1 Byte  [E9]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetFontData                              75FABA6C 5 Bytes  JMP 000B0C70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextExtentPoint32W                    75FAC01A 5 Bytes  JMP 000B0670
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetWorldTransform                        75FAC46A 5 Bytes  JMP 000B06F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!LineTo                                   75FAC65E 5 Bytes  JMP 000B0430
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextMetricsA                          75FACCEB 5 Bytes  JMP 000B0DF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!ExtTextOutA                              75FB00A5 5 Bytes  JMP 000B0930
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextExtentPoint32A                    75FB0E58 5 Bytes  JMP 000B0630
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!ExtEscape                                75FB22A7 5 Bytes  JMP 000B02B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!Escape                                   75FB27F1 5 Bytes  JMP 000B0270
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!ResetDCW                                 75FB3132 5 Bytes  JMP 000B0AB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!EndPage                                  75FB375E 5 Bytes  JMP 000B0230
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetPolyFillMode                          75FB61D3 5 Bytes  JMP 000B0B30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SetMiterLimit                            75FB62E2 5 Bytes  JMP 000B0B70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetTextFaceA                             75FBF489 5 Bytes  JMP 000B0CF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!GetGlyphOutlineW                         75FCA537 5 Bytes  JMP 000B0CB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!CreateScalableFontResourceW              75FCC993 5 Bytes  JMP 000B0BB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!AddFontResourceW                         75FCCD9B 5 Bytes  JMP 000B0BF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!RemoveFontResourceW                      75FCD231 5 Bytes  JMP 000B0C30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!AbortDoc                                 75FD2E7F 5 Bytes  JMP 000B0030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!EndDoc                                   75FD3293 5 Bytes  JMP 000B01F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!StartPage                                75FD337E 5 Bytes  JMP 000B0730
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!StartDocW                                75FD3E62 5 Bytes  JMP 000B07F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!BeginPath                                75FD461D 5 Bytes  JMP 000B0830
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!SelectClipPath                           75FD4674 5 Bytes  JMP 000B0AF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!CloseFigure                              75FD46CF 5 Bytes  JMP 000B0070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!EndPath                                  75FD4726 5 Bytes  JMP 000B0A70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!StrokePath                               75FD4958 5 Bytes  JMP 000B07B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!FillPath                                 75FD49E4 5 Bytes  JMP 000B0870
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!PolylineTo                               75FD4E4D 5 Bytes  JMP 000B04F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!PolyBezierTo                             75FD4EDD 5 Bytes  JMP 000B04B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] GDI32.dll!PolyDraw                                 75FD4F8E 5 Bytes  JMP 000B08B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!SetCursor                               76AED37D 5 Bytes  JMP 000C0530
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!RegisterClipboardFormatW                76AED6AC 1 Byte  [E9]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!RegisterClipboardFormatW                76AED6AC 5 Bytes  JMP 000C02B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!ActivateKeyboardLayout                  76AF478C 5 Bytes  JMP 000C04F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!IsWindowVisible                         76AF878A 7 Bytes  JMP 000C06B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!MonitorFromWindow                       76AF88D4 4 Bytes  JMP 000C0630
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!MonitorFromWindow + 5                   76AF88D9 2 Bytes  [CC, CC] {INT 3 ; INT 3 }
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!ScreenToClient                          76AF8C56 7 Bytes  JMP 000C0670
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClientRect                           76AF8F0D 7 Bytes  JMP 000C05B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetParent                               76AF90AA 7 Bytes  JMP 000C06F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!RegisterClipboardFormatA                76AFA111 5 Bytes  JMP 000C02F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!PostMessageW                            76AFA175 5 Bytes  JMP 000C05F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!MapWindowPoints                         76AFA30D 5 Bytes  JMP 000C0570
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClipboardFormatNameA                 76AFA552 5 Bytes  JMP 000C0270
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetOpenClipboardWindow                  76B026A6 5 Bytes  JMP 000C03F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!SetClipboardViewer                      76B0BA2D 5 Bytes  JMP 000C04B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!IsClipboardFormatAvailable              76B0C2E3 5 Bytes  JMP 000C00F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!CloseClipboard                          76B0C2F7 5 Bytes  JMP 000C00B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!OpenClipboard                           76B0C31D 5 Bytes  JMP 000C0070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetTopWindow                            76B0CE0A 7 Bytes  JMP 000C0730
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClipboardSequenceNumber              76B0D8B7 5 Bytes  JMP 000C0330
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!ChangeClipboardChain                    76B0DF83 5 Bytes  JMP 000C0430
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!CountClipboardFormats                   76B10048 5 Bytes  JMP 000C01F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClipboardOwner                       76B126EF 5 Bytes  JMP 000C0370
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!SetClipboardData                        76B26410 5 Bytes  JMP 000C0170
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!EnumClipboardFormats                    76B26D16 5 Bytes  JMP 000C01B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!SetCursorPos                            76B26FB2 5 Bytes  JMP 000C0770
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClipboardData                        76B2715A 5 Bytes  JMP 000C0030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClipboardFormatNameW                 76B2A99F 5 Bytes  JMP 000C0230
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!EmptyClipboard                          76B4398B 5 Bytes  JMP 000C0130
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetClipboardViewer                      76B439ED 5 Bytes  JMP 000C0470
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] USER32.dll!GetPriorityClipboardFormat              76B43AEF 5 Bytes  JMP 000C03B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ole32.dll!OleGetClipboard                          763B74C9 5 Bytes  JMP 000D00B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ole32.dll!OleSetClipboard                          763E11E3 5 Bytes  JMP 000D0030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] ole32.dll!OleIsCurrentClipboard                    763EA8F9 5 Bytes  JMP 000D0070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!FreeContextBuffer                      75E32D83 5 Bytes  JMP 000F00F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!DeleteSecurityContext                  75E32F18 5 Bytes  JMP 000F0270
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!FreeCredentialsHandle                  75E33598 5 Bytes  JMP 000F0130
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!EncryptMessage                         75E33745 5 Bytes  JMP 000F01F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!DecryptMessage                         75E33813 5 Bytes  JMP 000F0230
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!InitializeSecurityContextA             75E387DF 5 Bytes  JMP 000F0170
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!AcquireCredentialsHandleA              75E38A43 5 Bytes  JMP 000F0030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!QueryContextAttributesA                75E38E77 5 Bytes  JMP 000F0070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!ApplyControlToken                      75E3DE4F 5 Bytes  JMP 000F01B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe[4112] Secur32.dll!QueryCredentialsAttributesA            75E3E052 5 Bytes  JMP 000F00B0

---- EOF - GMER 2.1 ----

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-04-2014
Ran by Gav gav (administrator) on GAVGAV-PC on 24-04-2014 08:52:46
Running from C:\Users\Gav gav\Desktop
Microsoft® Windows Vista™ Business  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(OpenVPN Technologies, Inc) C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe
(OpenVPN Technologies, Inc) C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptcore.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe
() C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskStarter.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\system32\conime.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796184 2009-02-27] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-4263348169-260297145-143740743-1001\...\Run: [SyncManPath] => C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe [17189152 2014-03-13] ()
HKU\S-1-5-21-4263348169-260297145-143740743-1001\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil32_12_0_0_77_Plugin.exe [841096 2014-03-12] (Adobe Systems Incorporated)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x91B2FB151E69CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E}: [NameServer]192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Gav gav\AppData\Roaming\Mozilla\Firefox\Profiles\0j48th93.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Extension: DoNotTrackMe: Online Privacy Protection - C:\Users\Gav gav\AppData\Roaming\Mozilla\Firefox\Profiles\0j48th93.default\Extensions\donottrackplus@abine.com [2014-03-15]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

========================== Services (Whitelisted) =================

S2 KMService; C:\Windows\system32\srvany.exe [8192 2014-01-01] ()
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R2 ptservice; C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe [17816 2014-03-11] (OpenVPN Technologies, Inc)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-02-27] (Intel Corporation)

==================== Drivers (Whitelisted) ====================

R2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21275 2013-08-09] (Meetinghouse Data Communications)
R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k6032.sys [197288 2009-11-06] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-04-03] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [107736 2014-04-23] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51416 2014-04-03] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [35288 2014-01-20] (The OpenVPN Project)
S3 RT73; C:\Windows\System32\DRIVERS\rt73.sys [347776 2006-09-07] (Ralink Technology, Corp.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
U3 mbr; \??\C:\Users\GAVGAV~1\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-24 08:52 - 2014-04-24 08:52 - 00008977 _____ () C:\Users\Gav gav\Desktop\FRST.txt
2014-04-24 08:52 - 2014-04-24 08:52 - 00000000 ____D () C:\FRST
2014-04-24 08:47 - 2014-04-24 08:47 - 01048576 _____ (Farbar) C:\Users\Gav gav\Desktop\FRST.exe
2014-04-23 21:14 - 2014-04-23 21:14 - 00011126 _____ () C:\Users\Gav gav\Desktop\Attach2.txt
2014-04-23 21:14 - 2014-04-23 21:14 - 00011003 _____ () C:\Users\Gav gav\Desktop\DDS2.txt
2014-04-18 19:03 - 2014-04-23 21:07 - 00011126 _____ () C:\Users\Gav gav\Desktop\attach.txt
2014-04-18 19:03 - 2014-04-23 21:07 - 00011003 _____ () C:\Users\Gav gav\Desktop\dds.txt
2014-04-18 19:00 - 2014-04-18 19:00 - 00688992 ____R (Swearware) C:\Users\Gav gav\Downloads\dds.com
2014-04-18 06:57 - 2014-04-18 06:57 - 00033850 _____ () C:\Users\Gav gav\Desktop\gmer full.log
2014-04-17 18:49 - 2014-04-17 18:49 - 00781560 _____ (McAfee, Inc.) C:\Users\Gav gav\Downloads\rootkitremover.exe
2014-04-17 18:49 - 2014-04-17 18:49 - 00037070 _____ () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools.htm
2014-04-17 18:49 - 2014-04-17 18:49 - 00000000 ____D () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools_files
2014-04-17 18:48 - 2014-04-17 18:48 - 00154677 _____ () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools.htm
2014-04-17 18:48 - 2014-04-17 18:48 - 00000000 ____D () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools_files
2014-04-17 18:43 - 2014-04-17 18:44 - 91370840 _____ (Sophos Limited) C:\Users\Gav gav\Downloads\Sophos Virus Removal Tool.exe
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\Users\Gav gav\Doctor Web
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\ProgramData\Doctor Web
2014-04-17 18:22 - 2014-04-17 18:26 - 140362656 _____ () C:\Users\Gav gav\Downloads\cureit.exe
2014-04-17 18:18 - 2014-04-17 18:18 - 00025903 _____ () C:\Users\Gav gav\Desktop\GMER results.log
2014-04-17 17:44 - 2014-04-17 17:44 - 00212337 _____ () C:\Users\Gav gav\Desktop\Книга2.xlsx
2014-04-17 16:03 - 2014-04-17 16:03 - 220739279 _____ () C:\Windows\MEMORY.DMP
2014-04-17 16:03 - 2014-04-17 16:03 - 00144984 _____ () C:\Windows\Minidump\Mini041714-01.dmp
2014-04-17 16:03 - 2014-04-17 16:03 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-04-17 16:03 - 2014-04-17 16:03 - 00000000 ____D () C:\Windows\Minidump
2014-04-17 14:59 - 2014-04-17 14:59 - 00380416 _____ () C:\Users\Gav gav\Downloads\fshqzcqk.exe
2014-04-17 13:32 - 2014-04-17 13:32 - 00148220 _____ () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back.htm
2014-04-17 13:32 - 2014-04-17 13:32 - 00000000 ____D () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back_files
2014-04-17 13:27 - 2014-04-17 13:27 - 00004117 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log
2014-04-17 13:27 - 2014-04-17 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-04-17 13:27 - 2014-04-14 20:13 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-04-17 13:27 - 2014-04-14 20:05 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-17 13:27 - 2014-04-14 20:05 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-17 13:27 - 2014-04-14 20:04 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-17 13:01 - 2014-04-17 13:01 - 00150507 _____ () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover.htm
2014-04-17 13:01 - 2014-04-17 13:01 - 00000000 ____D () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover_files
2014-04-17 12:59 - 2014-04-17 13:00 - 04139360 _____ (Kaspersky Lab ZAO) C:\Users\Gav gav\Downloads\tdsskiller.exe
2014-04-14 12:41 - 2014-04-16 13:11 - 00249382 _____ () C:\Users\Gav gav\Desktop\IT wages.xlsx
2014-04-11 19:25 - 2014-04-11 19:25 - 00084833 _____ () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com.htm
2014-04-11 19:25 - 2014-04-11 19:25 - 00000000 ____D () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com_files
2014-04-11 12:59 - 2014-04-11 12:59 - 00465642 _____ () C:\Users\Gav gav\Desktop\Книга1.xlsx
2014-04-11 11:18 - 2014-04-11 11:18 - 00000012 _____ () C:\Users\Gav gav\Desktop\a.txt
2014-04-11 09:24 - 2014-04-23 21:01 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2014-04-03 09:51 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-10 10:37 - 2014-04-10 10:37 - 00108382 _____ () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums.htm
2014-04-10 10:37 - 2014-04-10 10:37 - 00000000 ____D () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums_files
2014-04-09 14:42 - 2014-03-07 16:51 - 12347904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-09 14:42 - 2014-03-07 16:20 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-09 14:42 - 2014-03-07 16:12 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-09 14:42 - 2014-03-07 16:03 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-09 14:42 - 2014-03-07 16:02 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-09 14:42 - 2014-03-07 16:02 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-09 14:42 - 2014-03-07 16:00 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-04-09 14:42 - 2014-03-07 15:59 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-09 14:42 - 2014-03-07 15:57 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-04-09 14:42 - 2014-03-07 15:57 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-09 14:42 - 2014-03-07 15:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-09 14:42 - 2014-03-07 15:54 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-09 14:42 - 2014-03-07 15:53 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-09 14:42 - 2014-03-07 15:52 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-09 14:42 - 2014-03-07 15:52 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-04-09 14:42 - 2014-03-07 15:47 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-09 05:23 - 2014-02-05 18:56 - 00894464 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-07 09:43 - 2014-04-07 09:43 - 02049128 _____ (Trend Micro Inc.) C:\Users\Gav gav\Desktop\HousecallLauncher.exe
2014-04-02 09:03 - 2014-04-02 09:03 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Яндекс.Диск
2014-03-31 09:25 - 2014-04-09 06:38 - 00000000 ____D () C:\Users\Gav gav\Downloads\Microsoft developer tools
2014-03-30 09:02 - 2014-03-30 09:02 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-28 15:17 - 2014-04-09 06:44 - 00000000 ____D () C:\Users\Gav gav\Downloads\l
2014-03-28 14:50 - 2014-03-30 11:32 - 00000000 ____D () C:\Users\Gav gav\Downloads\Other Servers
2014-03-27 19:44 - 2014-03-27 19:45 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\vlc
2014-03-26 10:15 - 2014-03-26 10:15 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-26 10:15 - 2014-03-26 10:15 - 00000000 _____ () C:\Windows\setupact.log
2014-03-26 07:01 - 2014-03-26 07:03 - 00000000 ____D () C:\Users\Gav gav\Desktop\IT278 Project (all videos)
2014-03-25 13:14 - 2014-03-25 13:14 - 00000079 _____ () C:\Windows\wininit.ini
2014-03-25 05:21 - 2014-04-18 19:44 - 00008446 _____ () C:\Windows\DCEBOOT.RST
2014-03-25 05:21 - 2014-04-18 19:44 - 00000000 _____ () C:\Windows\DCEBOOT.LOG
2014-03-25 05:18 - 2014-04-18 14:26 - 00023088 _____ () C:\Windows\DCEBoot.exe

==================== One Month Modified Files and Folders =======

2014-04-24 08:52 - 2014-04-24 08:52 - 00008977 _____ () C:\Users\Gav gav\Desktop\FRST.txt
2014-04-24 08:52 - 2014-04-24 08:52 - 00000000 ____D () C:\FRST
2014-04-24 08:47 - 2014-04-24 08:47 - 01048576 _____ (Farbar) C:\Users\Gav gav\Desktop\FRST.exe
2014-04-24 08:40 - 2013-07-17 10:39 - 01544847 _____ () C:\Windows\WindowsUpdate.log
2014-04-24 08:37 - 2006-11-02 05:47 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-24 08:37 - 2006-11-02 05:47 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-24 08:27 - 2013-08-09 13:09 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-23 21:14 - 2014-04-23 21:14 - 00011126 _____ () C:\Users\Gav gav\Desktop\Attach2.txt
2014-04-23 21:14 - 2014-04-23 21:14 - 00011003 _____ () C:\Users\Gav gav\Desktop\DDS2.txt
2014-04-23 21:07 - 2014-04-18 19:03 - 00011126 _____ () C:\Users\Gav gav\Desktop\attach.txt
2014-04-23 21:07 - 2014-04-18 19:03 - 00011003 _____ () C:\Users\Gav gav\Desktop\dds.txt
2014-04-23 21:01 - 2014-04-11 09:24 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-22 06:06 - 2006-11-02 03:33 - 00759542 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-21 07:49 - 2014-03-01 20:09 - 00000000 ___RD () C:\Users\Gav gav\YandexDisk
2014-04-21 07:49 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-20 20:55 - 2006-11-02 06:01 - 00032650 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-18 19:44 - 2014-03-25 05:21 - 00008446 _____ () C:\Windows\DCEBOOT.RST
2014-04-18 19:44 - 2014-03-25 05:21 - 00000000 _____ () C:\Windows\DCEBOOT.LOG
2014-04-18 19:44 - 2006-11-02 06:00 - 00147200 _____ () C:\Windows\PFRO.log
2014-04-18 19:00 - 2014-04-18 19:00 - 00688992 ____R (Swearware) C:\Users\Gav gav\Downloads\dds.com
2014-04-18 14:26 - 2014-03-25 05:18 - 00023088 _____ () C:\Windows\DCEBoot.exe
2014-04-18 14:20 - 2014-03-24 21:57 - 18107150 _____ () C:\Users\Gav gav\AppData\Local\census.cache
2014-04-18 12:14 - 2014-03-24 21:48 - 00000000 _____ () C:\Users\Gav gav\AppData\Local\ars.cache
2014-04-18 06:57 - 2014-04-18 06:57 - 00033850 _____ () C:\Users\Gav gav\Desktop\gmer full.log
2014-04-17 18:49 - 2014-04-17 18:49 - 00781560 _____ (McAfee, Inc.) C:\Users\Gav gav\Downloads\rootkitremover.exe
2014-04-17 18:49 - 2014-04-17 18:49 - 00037070 _____ () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools.htm
2014-04-17 18:49 - 2014-04-17 18:49 - 00000000 ____D () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools_files
2014-04-17 18:48 - 2014-04-17 18:48 - 00154677 _____ () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools.htm
2014-04-17 18:48 - 2014-04-17 18:48 - 00000000 ____D () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools_files
2014-04-17 18:44 - 2014-04-17 18:43 - 91370840 _____ (Sophos Limited) C:\Users\Gav gav\Downloads\Sophos Virus Removal Tool.exe
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\Users\Gav gav\Doctor Web
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\ProgramData\Doctor Web
2014-04-17 18:31 - 2013-08-09 08:26 - 00000000 ____D () C:\Users\Gav gav
2014-04-17 18:26 - 2014-04-17 18:22 - 140362656 _____ () C:\Users\Gav gav\Downloads\cureit.exe
2014-04-17 18:18 - 2014-04-17 18:18 - 00025903 _____ () C:\Users\Gav gav\Desktop\GMER results.log
2014-04-17 17:44 - 2014-04-17 17:44 - 00212337 _____ () C:\Users\Gav gav\Desktop\Книга2.xlsx
2014-04-17 16:03 - 2014-04-17 16:03 - 220739279 _____ () C:\Windows\MEMORY.DMP
2014-04-17 16:03 - 2014-04-17 16:03 - 00144984 _____ () C:\Windows\Minidump\Mini041714-01.dmp
2014-04-17 16:03 - 2014-04-17 16:03 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-04-17 16:03 - 2014-04-17 16:03 - 00000000 ____D () C:\Windows\Minidump
2014-04-17 14:59 - 2014-04-17 14:59 - 00380416 _____ () C:\Users\Gav gav\Downloads\fshqzcqk.exe
2014-04-17 13:32 - 2014-04-17 13:32 - 00148220 _____ () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back.htm
2014-04-17 13:32 - 2014-04-17 13:32 - 00000000 ____D () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back_files
2014-04-17 13:28 - 2013-12-16 06:52 - 00000000 ____D () C:\ProgramData\Oracle
2014-04-17 13:27 - 2014-04-17 13:27 - 00004117 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log
2014-04-17 13:27 - 2014-04-17 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-04-17 13:27 - 2013-08-09 13:08 - 00000000 ____D () C:\Program Files\Java
2014-04-17 13:01 - 2014-04-17 13:01 - 00150507 _____ () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover.htm
2014-04-17 13:01 - 2014-04-17 13:01 - 00000000 ____D () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover_files
2014-04-17 13:00 - 2014-04-17 12:59 - 04139360 _____ (Kaspersky Lab ZAO) C:\Users\Gav gav\Downloads\tdsskiller.exe
2014-04-16 13:11 - 2014-04-14 12:41 - 00249382 _____ () C:\Users\Gav gav\Desktop\IT wages.xlsx
2014-04-14 20:13 - 2014-04-17 13:27 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-04-14 20:05 - 2014-04-17 13:27 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-14 20:05 - 2014-04-17 13:27 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-14 20:04 - 2014-04-17 13:27 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-11 19:25 - 2014-04-11 19:25 - 00084833 _____ () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com.htm
2014-04-11 19:25 - 2014-04-11 19:25 - 00000000 ____D () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com_files
2014-04-11 12:59 - 2014-04-11 12:59 - 00465642 _____ () C:\Users\Gav gav\Desktop\Книга1.xlsx
2014-04-11 11:18 - 2014-04-11 11:18 - 00000012 _____ () C:\Users\Gav gav\Desktop\a.txt
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2013-12-18 18:34 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\Malwarebytes
2014-04-11 09:23 - 2013-12-18 18:34 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-10 10:37 - 2014-04-10 10:37 - 00108382 _____ () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums.htm
2014-04-10 10:37 - 2014-04-10 10:37 - 00000000 ____D () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums_files
2014-04-09 14:43 - 2014-01-01 15:58 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-09 14:42 - 2013-12-16 11:40 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-09 14:41 - 2006-11-02 03:24 - 88028728 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-04-09 06:44 - 2014-03-28 15:17 - 00000000 ____D () C:\Users\Gav gav\Downloads\l
2014-04-09 06:38 - 2014-03-31 09:25 - 00000000 ____D () C:\Users\Gav gav\Downloads\Microsoft developer tools
2014-04-07 09:43 - 2014-04-07 09:43 - 02049128 _____ (Trend Micro Inc.) C:\Users\Gav gav\Desktop\HousecallLauncher.exe
2014-04-03 09:51 - 2014-04-11 09:23 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:51 - 2014-03-23 11:43 - 00073432 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-03 09:50 - 2014-02-19 09:08 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-02 20:29 - 2012-08-02 08:29 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-04-02 20:29 - 2012-08-02 08:28 - 00001826 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-04-02 20:29 - 2012-08-02 08:28 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-02 09:03 - 2014-04-02 09:03 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Яндекс.Диск
2014-04-02 09:03 - 2014-03-01 20:09 - 00001934 _____ () C:\Users\Gav gav\Desktop\Скриншоты в Яндекс.Диске.lnk
2014-04-02 09:03 - 2014-03-01 20:09 - 00001875 _____ () C:\Users\Gav gav\Desktop\Яндекс.Диск.lnk
2014-04-01 08:39 - 2013-06-14 10:29 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-30 11:32 - 2014-03-28 14:50 - 00000000 ____D () C:\Users\Gav gav\Downloads\Other Servers
2014-03-30 09:02 - 2014-03-30 09:02 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-28 14:34 - 2014-03-21 11:02 - 00000000 ____D () C:\Users\Gav gav\Downloads\Dreamspark
2014-03-27 21:04 - 2014-03-13 11:43 - 00015360 _____ () C:\Users\Gav gav\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-03-27 19:45 - 2014-03-27 19:44 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\vlc
2014-03-26 10:15 - 2014-03-26 10:15 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-26 10:15 - 2014-03-26 10:15 - 00000000 _____ () C:\Windows\setupact.log
2014-03-26 07:03 - 2014-03-26 07:01 - 00000000 ____D () C:\Users\Gav gav\Desktop\IT278 Project (all videos)
2014-03-26 06:07 - 2014-03-24 13:54 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-03-25 13:14 - 2014-03-25 13:14 - 00000079 _____ () C:\Windows\wininit.ini
2014-03-25 13:14 - 2013-12-18 19:07 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy

Some content of TEMP:
====================
C:\Users\Gav gav\AppData\Local\Temp\i4jd3682828998924456985.exe
C:\Users\Gav gav\AppData\Local\Temp\i4jdel0.exe
C:\Users\Gav gav\AppData\Local\Temp\JExplorer32.2.7.1.dll
C:\Users\Gav gav\AppData\Local\Temp\JExplorer32.2.7.1.exe
C:\Users\Gav gav\AppData\Local\Temp\JExplorer64.2.7.1.dll
C:\Users\Gav gav\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-21 07:54

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-04-2014
Ran by Gav gav at 2014-04-24 08:53:08
Running from C:\Users\Gav gav\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1022 - )
ATI Catalyst Install Manager (HKLM\...\{15344991-A05D-C520-4C60-AED93B8FE169}) (Version: 3.0.645.0 - ATI Technologies, Inc.)
Belkin Wireless G Plus MIMO USB Network Adapter (HKLM\...\InstallShield_{993A352A-2957-4661-A1EF-2D8F6F3C9234}) (Version: 1.00.0002 - Belkin)
Belkin Wireless G Plus MIMO USB Network Adapter (Version: 1.00.0002 - Belkin) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5971CA1F-6BDE-498F-952C-9F2BF94070A4}) (Version:  - Microsoft)
Intel® Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Intel® Active Management Technology (HKLM\...\MESOL) (Version:  - Intel Corporation)
Java 7 Update 55 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.550 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Malwarebytes Anti-Malware version 2.0.1.1004 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.1.1004 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Baseline Security Analyzer 2.3 (HKLM\...\{C3013E88-B772-4446-A0AE-A7F37180B9F1}) (Version: 2.3.2208 - Microsoft Corporation)
Microsoft Office Access MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Ukrainian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (Russian) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office профессиональный плюс 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Mozilla Firefox 28.0 (x86 en-US) (HKLM\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 28.0 - Mozilla)
PrivateTunnel (HKLM\...\PrivateTunnel) (Version: 2.3.6.1 - OpenVPN Technologies)
Secure Download Manager (HKLM\...\{E040B65B-8683-4228-8C33-D44A141E40EA}) (Version: 3.1.60 - Kivuto Solutions Inc.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (Version:  - Microsoft) Hidden
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.1.5853 - Analog Devices)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{39767ECA-1731-45DB-AB5B-6BF40E151D66}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{BA610006-2C39-4419-9834-CF61AB24810A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (HKLM\...\{90140000-001F-0407-0000-0000000FF1CE}_Office14.PROPLUS_{C70D2038-A2C4-4A99-87DE-5272BB44F0CE}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM\...\{90140000-001F-0419-0000-0000000FF1CE}_Office14.PROPLUS_{E61D2005-D8F8-4C83-A08E-7E43C1D8588B}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM\...\{90140000-001A-0419-0000-0000000FF1CE}_Office14.PROPLUS_{0EE1502C-F58E-4981-895D-9657A86A8CD0}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM\...\{90140000-0018-0419-0000-0000000FF1CE}_Office14.PROPLUS_{0EB3EFB9-FCF7-4E86-AADF-C08D9BA6847B}) (Version:  - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)
Update for Microsoft Visio 2010 (KB2553444) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{799005D3-9B70-4219-AFE0-BC479614CC4D}) (Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version:  - Microsoft)
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Яндекс.Диск (HKCU\...\YandexDisk) (Version: 1.2.2.4524 - Яндекс)

==================== Restore Points  =========================


==================== Hosts content: ==========================

2006-11-02 03:23 - 2013-12-18 19:18 - 00450597 ___RA C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

Task: {0CAB7B68-718C-40E0-B83B-89DDF7007DC8} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => Rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries
Task: {155723BA-60E2-4354-93AF-84EAC8D3C2D8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {22E1772E-7DFE-4C5F-841F-1C93FD5D82A4} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {2DE18FE4-6467-484F-8431-206702EC5546} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {2E5B7D97-F14C-4CFF-864E-620AABA892D1} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {4D72741E-769C-45DB-8604-CB8EBDADAA29} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {5FF57FE9-F67B-4E21-874D-DA6629EA259E} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\netsh.exe [2006-11-02] (Microsoft Corporation)
Task: {D022F6BD-301C-41E6-91CB-CE981F641168} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-12] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2011-04-20 01:21 - 2011-04-20 01:21 - 00037376 _____ () C:\Windows\system32\atitmpxx.dll
2014-03-01 20:09 - 2014-02-12 08:50 - 01283872 _____ () C:\Program Files\Yandex\YandexDisk\bin\YandexDiskOverlays-2398.dll
2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2014-03-01 20:09 - 2014-02-12 08:50 - 00923936 _____ () C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskShellExt-3998.dll
2014-03-10 09:30 - 2014-03-10 09:30 - 00089088 _____ () C:\Program Files\OpenVPN Technologies\PrivateTunnel\lzo2.dll
2014-03-10 09:30 - 2014-03-10 09:30 - 00064512 _____ () C:\Program Files\OpenVPN Technologies\PrivateTunnel\libpkcs11-helper-1.dll
2014-03-10 09:30 - 2014-03-10 09:30 - 01034752 _____ () C:\Program Files\OpenVPN Technologies\PrivateTunnel\libxml2.dll
2013-06-14 09:42 - 2009-02-19 09:27 - 00077824 _____ () C:\Program Files\Common Files\Intel\Privacy Icon\UNS\DTMessageLib.dll
2014-03-01 20:09 - 2014-03-13 02:32 - 17189152 _____ () C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe
2014-03-01 20:09 - 2014-03-13 02:32 - 00236968 _____ () C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\libpng14-14.dll
2014-03-01 20:09 - 2014-03-13 02:32 - 00106784 _____ () C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\zlib1.dll
2014-03-01 20:09 - 2014-03-13 02:32 - 00168224 _____ () C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskStarter.exe
2014-03-01 20:09 - 2014-03-13 02:32 - 00354592 _____ () C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskHooks-3998.dll
2014-03-30 09:02 - 2014-03-30 09:02 - 03642480 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll
2014-03-12 10:04 - 2014-03-12 10:04 - 16276872 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============

MSCONFIG\Services: atchksrv => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: UNS => 2
MSCONFIG\startupreg: atchk => "C:\Program Files\Intel\AMT\atchk.exe"
MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\Core\smax4pnp.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/21/2014 07:50:58 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/20/2014 10:48:58 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/19/2014 09:08:16 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/17/2014 05:50:41 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (04/17/2014 04:04:48 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/14/2014 08:41:51 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/13/2014 07:26:40 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/11/2014 03:57:41 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/11/2014 09:23:52 AM) (Source: Application Error) (User: )
Description: Faulting application mbamservice.exe, version 2.1.9.0, time stamp 0x530619b7, faulting module mbamservice.exe, version 2.1.9.0, time stamp 0x530619b7, exception code 0x40000015, fault offset 0x0007d28a,
process id 0x970, application start time 0xmbamservice.exe0.

Error: (04/11/2014 08:24:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/23/2014 07:12:43 AM) (Source: DCOM) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}

Error: (04/22/2014 08:34:34 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%840

Error: (04/21/2014 01:16:55 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%858

Error: (04/21/2014 01:16:55 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%840

Error: (04/21/2014 07:49:28 AM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%842

Error: (04/20/2014 08:55:21 PM) (Source: DCOM) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (04/20/2014 10:58:24 AM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%840

Error: (04/20/2014 10:58:23 AM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%858

Error: (04/20/2014 10:58:23 AM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%840

Error: (04/20/2014 10:47:17 AM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

    Feature: %%835

    Error Code: 0x80004005

    Error description: Unspecified error

    Reason: %%842


Microsoft Office Sessions:
=========================
Error: (04/21/2014 07:50:58 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/20/2014 10:48:58 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/19/2014 09:08:16 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/17/2014 05:50:41 PM) (Source: Perflib)(User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (04/17/2014 04:04:48 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/14/2014 08:41:51 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/13/2014 07:26:40 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/11/2014 03:57:41 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/11/2014 09:23:52 AM) (Source: Application Error)(User: )
Description: mbamservice.exe2.1.9.0530619b7mbamservice.exe2.1.9.0530619b7400000150007d28a97001cf55a26a56446a

Error: (04/11/2014 08:24:23 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2014-04-24 08:53:02.571
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:02.479
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:02.388
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:02.297
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:02.203
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:02.111
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:02.018
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:01.926
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:01.763
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-04-24 08:53:01.672
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 48%
Total physical RAM: 3324.69 MB
Available physical RAM: 1726.29 MB
Total Pagefile: 6896.4 MB
Available Pagefile: 4759.53 MB
Total Virtual: 2047.88 MB
Available Virtual: 1908.5 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.83 GB) (Free:52.99 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: C9EC2311)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Attached Files



#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:35 PM

Posted 24 April 2014 - 11:53 AM

Hi Hedgehog83,

 

FRST works from any location, it just makes it easier on the helper if you save it to the desktop as fixes need to be placed next to FRST. You're doing fine though.

 

I have to say, your logs look clean. The detections from Trend Micro look like false positives to me, as the actual detection is because they are hidden files, which is not unusual for files in locations like these.

 

Are you having any problems with your computer? If not, I will get you to run some more scans to be sure and then we can finish up here, if you are okay with this?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#8 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts
  • Local time:02:35 PM

Posted 24 April 2014 - 01:53 PM

Hello Toffee,

I don't have any computer problems. The only strange thing is that when I turn on the PC from hibernation and don't move the mouse, it goes back into hibernation in about 30 seconds. Also, since I removed the hidden files that came up in the results page from Housecall multiple times, do you know why they are returning every single time I restart the computer?

 

But I do have several questions on this topic. I downloaded a Trojan several months ago, and removed it with MBAM. However, I learned that there might be a possibility that the malware can still be on the system even if it is removed. In my case, since you didn't see anything in the logs, is there a high likelihood that that Trojan is gone, or I shouldn't be concerned about it at all? Is it okay for me to run the program that had a Trojan attached, after the Trojan was removed from it?

 

Also, on another occasions the Trojans and a PUP that were detected several times in the same locations by MBAM with significant time in between( it was the CPUz and DriverPack Auto programs)? Do you think they were false positives or it was recurring malware?  I scanned those files and MBAM doesn't find anything there. IT looks like CPUz was deleted as an actual program, but there is another occurrence of CPuz as an add on in another program. However, the Driver Pack Auto is till on my external drive. Since I have some system images on the external drive, I just don't want anything malicous attached into those.

I attached a MBAm quarantine log:

 

I am okay with running more scans and finishing if nothir more is found. Thank you for your help

 

 

Attached Files



#9 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 25 April 2014 - 10:59 AM

Hi Hedgehog83,

That sounds like it may be a hibernation setting which does that; I would experiment with some of the settings. Information on how to access these settings can be found here.

I cannot say for sure, but my guess is that they either weren't actually removed or they are re-created on startup. I think it's probably the former, as most programs cannot get permission to do anything for files in locations such as these.

I would say that the trojan is no longer around; MBAM is generally pretty effective at removing malware.

Can you show me where DriverPack Auto was downloaded from?

The detection of CPUz is because the installer prompts you to download a toolbar or PUP; see here for what toolbars and PUPs are and do. You may use this program, but I suggest that when installing it you be wary of what else you are being offered.

--------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • ESET log
  • Emsisoft Emergency Kit log

xXToffeeXx~




#10 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts

Posted 25 April 2014 - 04:08 PM

Hello Toffee,

I am currently running the scans, but they take a long time. I will get back to you when they are done.

I got the DriverPack several years ago from a friend, so I don't really know where he got it.



#11 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts

Posted 25 April 2014 - 08:11 PM

Hello Toffee,

After 7 hours of scanning, ESET is still at 44% completion. Emsisoft finished in several hours.


Emsisoft Emergency Kit - Version 4.0
Last update: 4/25/2014 11:37:06 AM
User account: Gavgav-PC\Gav gav

Scan settings:

Scan type: Deep Scan
Objects: Rootkits, Memory, Traces, C:\, F:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    4/25/2014 11:38:25 AM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}     detected: Application.AdReg (A)

Scanned    179645
Found    1

Scan end:    4/25/2014 2:56:58 PM
Scan time:    3:18:33

Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}    Quarantined Application.AdReg (A)

Quarantined    1



#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 26 April 2014 - 06:14 AM

Hi Hedgehog83,

Yes, ESET will take a long time as it scans the whole of your computer.

You can reinstall DriverPack, but if you do then do this for me:

  • Visit VirusTotal, and click Choose File. Navigate to the following files and choose them, one at a time:
    C:\Program Files\Driver Pack Auto\tools\hidcon.exe
    F:\Programs\Driver Pack Auto\tools\hidcon.exe
  • Click Scan it! after choosing your file. If you receive a message telling you the file has already been scanned, please scan it again anyway.
  • Once VirusTotal is done scanning the files, copy and paste each of the URLs of the scan results into your reply.

xXToffeeXx~




#13 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts

Posted 26 April 2014 - 10:49 AM

Hello Toffee,

The ESET scan was left overnight. It seems that the programs that were listed in the results were deleted even though they were not installed on the computer. Were they uninstalled because the installation process for them gives the option to install those toolbars and PUPs? I know I didn't have those toolbars installed on the PC. I am a little concerned with the first item found on the C drive, the Shadow.KMS. I found info that someone can potentially hack into my PC using that. However, others say that Shadow.KMS is fine. After searching on the web for this service, I clicked on hm.baidu.com. The site name seemed suspicious, as did the amount of time it took to connect to the site (I never actually got on the site); however, I did see my browser say "Transferring data from hm.baidu.com". I closed the tab and put the site in VirusTotal, with 1 result coming up as malicious. WOT found the site to be good. AVGlabs said the site is good except for the small number of visitors who reported malware being downloaded from it. So, I wanted to know your opinion in regards to this. Do you think my PC is now compromised in any way?

When I checked drive C for DriverPack, it wasn't there. I think it is because the program does not install itself; it executes without installation. However, when I checked the F drive and went to the tools folder to see hidcon.exe, it wasn't there. It wasn't there even after I enabled the hidden attribute for the tools folder. Once I entered both paths into the "browse to upload files" menu and hit "open", I received a message stating that the path to those files does not exist.

Here are the results:


C:\Windows\kmsem\Shadow.KMS    Win32/HackKMS.B potentially unsafe application    deleted - quarantined
F:\Programs\avc-free.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
F:\Programs\ccsetup325.exe    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
F:\Programs\pc-wizard_2012.2.11-setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
F:\Programs\ExpressBurn\burnsetup_v4.40.exe    a variant of Win32/Toolbar.Conduit.J potentially unwanted application    deleted - quarantined
F:\Programs\ExpressBurn\expressburn.exe    a variant of Win32/Toolbar.Conduit.J potentially unwanted application    deleted - quarantined
F:\Programs\ExpressBurn\uninst.exe    a variant of Win32/Toolbar.Conduit.J potentially unwanted application    deleted - quarantined



#14 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 26 April 2014 - 02:26 PM

Hi Hedgehog83,

It seems that the programs that were listed in the results were deleted even though they were not installed on the computer. Were they uninstalled because the installation process for them gives the option to install those Toolbars and PUPs? I know I didn't have those toolbars installed on the PC.

Yes, ESET deleted the installers you have downloaded before. You are completely correct on that, and from your logs I can say that you don't have those toolbars. If you have installed the programs then you probably unchecked these extra programs, which is good to do.

I am a little concerned with the first item found in C drive, the Shadow.KMS. I found info that someone can potentially hack into my PC using that. However, others say that the Shadow.KMS is fine.

Well, the actual detection is generally for hacks for a program to bypass the need for a legitimate product key, i.e. it is a tool/modified file which cracks a program. It is detected because there is a possibility that someone may be using the file to install malware instead, or it may be modified in such a way that its purpose is malicious. You never know with these types of programs, and that's why it's a good idea to avoid them.

No, baidu is not a distributor of malware as far as I know. It's a Chinese search engine, I believe. Seeing as you did not actually get to the site, you should be okay anyway. I would think your PC is not compromised.

When I checked drive C for DriverPack, it wasn't there. I think it is because the program does not install itself, it executes without installation. However, when I checked the F drive and went to the tools folder to see the hidcon.exe, it wasn't there. It wasn't there even after I enabled the hidden attribute for the tools folder. Once I entered both paths into the "browse to upload files" menu and hit "open", I received a message stating that the path to those files does not exist.

Ah, no worries then. As long as the tool works as it should then it's fine.

--------------

I would like one last look at a log before declaring you clean:
Please run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop; please copy and paste the contents into your next reply.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • New FRST.txt log

xXToffeeXx~


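As an added illustration (not something posted in this thread, and not FRST's own code), here is a small Python triage pass over a few service and driver lines written in the format FRST prints. The sample lines are constructed for this example; the script flags the things a helper looks at first in such a log: a file FRST could not find on disk, a binary with no publisher in its version info, and a binary living under a user profile or Temp directory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the FRST "Services"/"Drivers" line format:
#   <state><start-type> <name>; <path> [<size> <date>] (<publisher>)
# When FRST cannot find the file on disk it prints [X] and no publisher.
SAMPLE_FRST_LINES = """\
S2 KMService; C:\\Windows\\system32\\srvany.exe [8192 2014-01-01] ()
R2 MBAMService; C:\\Program Files\\Malwarebytes Anti-Malware\\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R0 MpFilter; C:\\Windows\\System32\\DRIVERS\\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S3 IpInIp; system32\\DRIVERS\\ipinip.sys [X]
U3 mbr; \\??\\C:\\Users\\GAVGAV~1\\AppData\\Local\\Temp\\mbr.sys [X]
"""

# First character is FRST's state letter (R running, S stopped; others kept as-is),
# then the Windows start-type digit, the service/driver name, the image path,
# the bracketed size/date (or X), and an optional parenthesised publisher.
LINE_RE = re.compile(
    r"^(?P<state>[A-Z])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<info>[^\]]*)\](?: \((?P<publisher>[^)]*)\))?\s*$"
)

# Directory fragments a reviewer treats as an unusual home for a service or driver.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the parsed fields of one FRST service/driver line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(text):
    """Return a Finding for every line that deserves a closer look.

    Flagging is not a malware verdict: leftover [X] entries from removal
    tools and unsigned helper binaries are common in clean logs too, which
    is why a helper reads the flagged lines rather than acting on them.
    """
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # section headers, blank lines, anything not a service/driver
        reasons = []
        if entry["info"] == "X":
            reasons.append("file missing on disk")
        elif not entry["publisher"]:
            reasons.append("no publisher in PE version info")
        if any(d in entry["path"].lower() for d in SUSPECT_DIRS):
            reasons.append("temporary/user-profile path")
        if reasons:
            findings.append(Finding(entry["name"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES):
        print(f"{f.name:<12} {', '.join(f.reasons):<45} {f.path}")
```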


#15 Hedgehog83

Hedgehog83
  • Topic Starter

  • Members
  • 139 posts

Posted 27 April 2014 - 10:53 AM

Hello Toffee,

Can I just move the programs deleted by ESET back from quarantine (except the HackKMS), because I don't plan on installing PUPs and potentially unsafe programs during the installation process of the programs ESET deleted? It looks like, for the most part, PUPs and potentially unsafe programs are installed when I consent to their installation. What are your thoughts about this?


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-04-2014
Ran by Gav gav (administrator) on GAVGAV-PC on 27-04-2014 08:39:59
Running from C:\Users\Gav gav\Desktop
Microsoft® Windows Vista™ Business  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(OpenVPN Technologies, Inc) C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe
(OpenVPN Technologies, Inc) C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptcore.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe
() C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDiskStarter.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\system32\conime.exe
(ESET) C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
() C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796184 2009-02-27] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-4263348169-260297145-143740743-1001\...\Run: [SyncManPath] => C:\Users\Gav gav\AppData\Roaming\Yandex\YandexDisk\YandexDisk.exe [17189152 2014-03-13] ()
HKU\S-1-5-21-4263348169-260297145-143740743-1001\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil32_12_0_0_77_Plugin.exe [841096 2014-03-12] (Adobe Systems Incorporated)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x91B2FB151E69CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{B81AC82F-1BD7-407B-A0B5-2A8BBCDABC1E}: [NameServer]192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Gav gav\AppData\Roaming\Mozilla\Firefox\Profiles\0j48th93.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Extension: DoNotTrackMe: Online Privacy Protection - C:\Users\Gav gav\AppData\Roaming\Mozilla\Firefox\Profiles\0j48th93.default\Extensions\donottrackplus@abine.com [2014-04-24]
FF Extension: Heartbleed-Ext - C:\Users\Gav gav\AppData\Roaming\Mozilla\Firefox\Profiles\0j48th93.default\Extensions\{CB454AEB-2F60-4441-ADEB-2CB43BB33B20}.xpi [2014-04-24]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

========================== Services (Whitelisted) =================

S2 KMService; C:\Windows\system32\srvany.exe [8192 2014-01-01] ()
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R2 ptservice; C:\Program Files\OpenVPN Technologies\PrivateTunnel\ptservice.exe [17816 2014-03-11] (OpenVPN Technologies, Inc)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-02-27] (Intel Corporation)

==================== Drivers (Whitelisted) ====================

R2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21275 2013-08-09] (Meetinghouse Data Communications)
R3 cleanhlp; C:\Users\Gav gav\Desktop\Run\cleanhlp32.sys [50200 2014-04-25] (Emsisoft GmbH)
R3 e1kexpress; C:\Windows\System32\DRIVERS\e1k6032.sys [197288 2009-11-06] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-04-03] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [107736 2014-04-26] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51416 2014-04-03] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [35288 2014-01-20] (The OpenVPN Project)
S3 RT73; C:\Windows\System32\DRIVERS\rt73.sys [347776 2006-09-07] (Ralink Technology, Corp.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
U3 mbr; \??\C:\Users\GAVGAV~1\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-04-27 08:38 - 2014-04-27 08:38 - 00000000 ____D () C:\Users\Gav gav\Desktop\FRST-OlderVersion
2014-04-26 08:33 - 2014-04-26 08:33 - 00063426 _____ () C:\Users\Gav gav\Desktop\How did I get infected in the first place  - Geeks to Go! - Free help from tech experts « Geeks to Go! – Free help from tech experts.htm
2014-04-26 08:33 - 2014-04-26 08:33 - 00000000 ____D () C:\Users\Gav gav\Desktop\How did I get infected in the first place  - Geeks to Go! - Free help from tech experts « Geeks to Go! – Free help from tech experts_files
2014-04-26 07:57 - 2014-04-26 07:57 - 00000838 _____ () C:\Users\Gav gav\Desktop\ESET report.txt
2014-04-25 15:16 - 2014-04-25 15:16 - 00001416 _____ () C:\Users\Gav gav\Desktop\Emsisoft report.txt
2014-04-25 14:09 - 2014-04-25 14:09 - 00406337 _____ () C:\Users\Gav gav\Desktop\Heartbleed bug  Check which sites have been patched - CNET.htm
2014-04-25 14:09 - 2014-04-25 14:09 - 00043020 _____ () C:\Users\Gav gav\Desktop\How to test your router for the Heartbleed bug  - Privacy Online Forum.htm
2014-04-25 14:09 - 2014-04-25 14:09 - 00000000 ____D () C:\Users\Gav gav\Desktop\How to test your router for the Heartbleed bug  - Privacy Online Forum_files
2014-04-25 14:09 - 2014-04-25 14:09 - 00000000 ____D () C:\Users\Gav gav\Desktop\Heartbleed bug  Check which sites have been patched - CNET_files
2014-04-25 11:41 - 2014-04-25 11:41 - 00063762 _____ () C:\Users\Gav gav\Desktop\r00tkit Analysis  What Is A Rootkit  - VnutZ Domain.htm
2014-04-25 11:41 - 2014-04-25 11:41 - 00000000 ____D () C:\Users\Gav gav\Desktop\r00tkit Analysis  What Is A Rootkit  - VnutZ Domain_files
2014-04-25 11:33 - 2014-04-25 11:33 - 00000419 _____ () C:\Users\Gav gav\Desktop\Emsisoft Emergency Kit.lnk
2014-04-25 11:32 - 2014-04-25 02:03 - 00000000 ____D () C:\Users\Gav gav\Desktop\Languages
2014-04-25 11:31 - 2014-04-25 15:27 - 00000000 ____D () C:\Users\Gav gav\Desktop\Run
2014-04-25 11:31 - 2014-04-25 00:17 - 01593776 ____N (Emsisoft GmbH) C:\Users\Gav gav\Desktop\start.exe
2014-04-25 11:31 - 2014-04-25 00:17 - 00004024 ____N () C:\Users\Gav gav\Desktop\readme.txt
2014-04-25 11:31 - 2014-04-25 00:17 - 00000060 ____N () C:\Users\Gav gav\Desktop\CommandlineScanner.bat
2014-04-25 11:31 - 2014-04-25 00:17 - 00000056 ____N () C:\Users\Gav gav\Desktop\EmergencyKitScanner.bat
2014-04-25 10:57 - 2014-04-25 11:01 - 225876832 _____ () C:\Users\Gav gav\Downloads\EmsisoftEmergencyKit.exe
2014-04-25 10:54 - 2014-04-25 10:54 - 00000000 ____D () C:\Program Files\ESET
2014-04-25 10:53 - 2014-04-25 10:54 - 02347384 _____ (ESET) C:\Users\Gav gav\Desktop\esetsmartinstaller_enu.exe
2014-04-24 14:16 - 2014-04-24 14:16 - 00000000 ____D () C:\ProgramData\WindowsSearch
2014-04-24 14:01 - 2014-04-24 14:01 - 00921512 _____ (Oracle Corporation) C:\Users\Gav gav\Downloads\jre-7u55-windows-i586-iftw.exe
2014-04-24 08:53 - 2014-04-24 08:53 - 00025774 _____ () C:\Users\Gav gav\Desktop\Addition.txt
2014-04-24 08:52 - 2014-04-27 08:40 - 00009386 _____ () C:\Users\Gav gav\Desktop\FRST.txt
2014-04-24 08:52 - 2014-04-27 08:39 - 00000000 ____D () C:\FRST
2014-04-24 08:47 - 2014-04-27 08:38 - 01049600 _____ (Farbar) C:\Users\Gav gav\Desktop\FRST.exe
2014-04-23 21:14 - 2014-04-23 21:14 - 00011126 _____ () C:\Users\Gav gav\Desktop\Attach2.txt
2014-04-23 21:14 - 2014-04-23 21:14 - 00011003 _____ () C:\Users\Gav gav\Desktop\DDS2.txt
2014-04-18 19:03 - 2014-04-23 21:07 - 00011126 _____ () C:\Users\Gav gav\Desktop\attach.txt
2014-04-18 19:03 - 2014-04-23 21:07 - 00011003 _____ () C:\Users\Gav gav\Desktop\dds.txt
2014-04-18 19:00 - 2014-04-18 19:00 - 00688992 ____R (Swearware) C:\Users\Gav gav\Downloads\dds.com
2014-04-18 06:57 - 2014-04-18 06:57 - 00033850 _____ () C:\Users\Gav gav\Desktop\gmer full.log
2014-04-17 18:49 - 2014-04-17 18:49 - 00781560 _____ (McAfee, Inc.) C:\Users\Gav gav\Downloads\rootkitremover.exe
2014-04-17 18:49 - 2014-04-17 18:49 - 00037070 _____ () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools.htm
2014-04-17 18:49 - 2014-04-17 18:49 - 00000000 ____D () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools_files
2014-04-17 18:48 - 2014-04-17 18:48 - 00154677 _____ () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools.htm
2014-04-17 18:48 - 2014-04-17 18:48 - 00000000 ____D () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools_files
2014-04-17 18:43 - 2014-04-17 18:44 - 91370840 _____ (Sophos Limited) C:\Users\Gav gav\Downloads\Sophos Virus Removal Tool.exe
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\Users\Gav gav\Doctor Web
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\ProgramData\Doctor Web
2014-04-17 18:22 - 2014-04-17 18:26 - 140362656 _____ () C:\Users\Gav gav\Downloads\cureit.exe
2014-04-17 18:18 - 2014-04-17 18:18 - 00025903 _____ () C:\Users\Gav gav\Desktop\GMER results.log
2014-04-17 17:44 - 2014-04-17 17:44 - 00212337 _____ () C:\Users\Gav gav\Desktop\Книга2.xlsx
2014-04-17 16:03 - 2014-04-17 16:03 - 220739279 _____ () C:\Windows\MEMORY.DMP
2014-04-17 16:03 - 2014-04-17 16:03 - 00144984 _____ () C:\Windows\Minidump\Mini041714-01.dmp
2014-04-17 16:03 - 2014-04-17 16:03 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-04-17 16:03 - 2014-04-17 16:03 - 00000000 ____D () C:\Windows\Minidump
2014-04-17 14:59 - 2014-04-17 14:59 - 00380416 _____ () C:\Users\Gav gav\Downloads\fshqzcqk.exe
2014-04-17 13:32 - 2014-04-17 13:32 - 00148220 _____ () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back.htm
2014-04-17 13:32 - 2014-04-17 13:32 - 00000000 ____D () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back_files
2014-04-17 13:27 - 2014-04-17 13:27 - 00004117 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log
2014-04-17 13:27 - 2014-04-17 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-04-17 13:27 - 2014-04-14 20:13 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-04-17 13:27 - 2014-04-14 20:05 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-17 13:27 - 2014-04-14 20:05 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-17 13:27 - 2014-04-14 20:04 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-17 13:01 - 2014-04-17 13:01 - 00150507 _____ () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover.htm
2014-04-17 13:01 - 2014-04-17 13:01 - 00000000 ____D () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover_files
2014-04-17 12:59 - 2014-04-17 13:00 - 04139360 _____ (Kaspersky Lab ZAO) C:\Users\Gav gav\Downloads\tdsskiller.exe
2014-04-14 12:41 - 2014-04-16 13:11 - 00249382 _____ () C:\Users\Gav gav\Desktop\IT wages.xlsx
2014-04-11 19:25 - 2014-04-11 19:25 - 00084833 _____ () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com.htm
2014-04-11 19:25 - 2014-04-11 19:25 - 00000000 ____D () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com_files
2014-04-11 12:59 - 2014-04-11 12:59 - 00465642 _____ () C:\Users\Gav gav\Desktop\Книга1.xlsx
2014-04-11 11:18 - 2014-04-11 11:18 - 00000012 _____ () C:\Users\Gav gav\Desktop\a.txt
2014-04-11 09:24 - 2014-04-26 18:12 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2014-04-03 09:51 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-10 10:37 - 2014-04-10 10:37 - 00108382 _____ () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums.htm
2014-04-10 10:37 - 2014-04-10 10:37 - 00000000 ____D () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums_files
2014-04-09 14:42 - 2014-03-07 16:51 - 12347904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-09 14:42 - 2014-03-07 16:20 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-09 14:42 - 2014-03-07 16:12 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-09 14:42 - 2014-03-07 16:03 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-09 14:42 - 2014-03-07 16:02 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-09 14:42 - 2014-03-07 16:02 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-09 14:42 - 2014-03-07 16:00 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-04-09 14:42 - 2014-03-07 15:59 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-09 14:42 - 2014-03-07 15:57 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-04-09 14:42 - 2014-03-07 15:57 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-09 14:42 - 2014-03-07 15:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-09 14:42 - 2014-03-07 15:54 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-09 14:42 - 2014-03-07 15:53 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-09 14:42 - 2014-03-07 15:52 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-09 14:42 - 2014-03-07 15:52 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-04-09 14:42 - 2014-03-07 15:47 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-09 05:23 - 2014-02-05 18:56 - 00894464 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-04-07 09:43 - 2014-04-07 09:43 - 02049128 _____ (Trend Micro Inc.) C:\Users\Gav gav\Desktop\HousecallLauncher.exe
2014-04-02 09:03 - 2014-04-02 09:03 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Яндекс.Диск
2014-03-31 09:25 - 2014-04-09 06:38 - 00000000 ____D () C:\Users\Gav gav\Downloads\Microsoft developer tools
2014-03-30 09:02 - 2014-03-30 09:02 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-28 15:17 - 2014-04-09 06:44 - 00000000 ____D () C:\Users\Gav gav\Downloads\l
2014-03-28 14:50 - 2014-03-30 11:32 - 00000000 ____D () C:\Users\Gav gav\Downloads\Other Servers

==================== One Month Modified Files and Folders =======

2014-04-27 08:40 - 2014-04-24 08:52 - 00009386 _____ () C:\Users\Gav gav\Desktop\FRST.txt
2014-04-27 08:39 - 2014-04-24 08:52 - 00000000 ____D () C:\FRST
2014-04-27 08:38 - 2014-04-27 08:38 - 00000000 ____D () C:\Users\Gav gav\Desktop\FRST-OlderVersion
2014-04-27 08:38 - 2014-04-24 08:47 - 01049600 _____ (Farbar) C:\Users\Gav gav\Desktop\FRST.exe
2014-04-27 08:13 - 2013-07-17 10:39 - 01650940 _____ () C:\Windows\WindowsUpdate.log
2014-04-27 08:04 - 2013-08-09 13:09 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-27 07:54 - 2006-11-02 05:47 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-27 07:54 - 2006-11-02 05:47 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-26 18:12 - 2014-04-11 09:24 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-26 18:08 - 2014-03-13 11:43 - 00016384 _____ () C:\Users\Gav gav\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-26 08:33 - 2014-04-26 08:33 - 00063426 _____ () C:\Users\Gav gav\Desktop\How did I get infected in the first place  - Geeks to Go! - Free help from tech experts « Geeks to Go! – Free help from tech experts.htm
2014-04-26 08:33 - 2014-04-26 08:33 - 00000000 ____D () C:\Users\Gav gav\Desktop\How did I get infected in the first place  - Geeks to Go! - Free help from tech experts « Geeks to Go! – Free help from tech experts_files
2014-04-26 07:57 - 2014-04-26 07:57 - 00000838 _____ () C:\Users\Gav gav\Desktop\ESET report.txt
2014-04-26 00:15 - 2014-01-01 16:17 - 00000000 _RSHD () C:\Windows\kmsem
2014-04-25 15:27 - 2014-04-25 11:31 - 00000000 ____D () C:\Users\Gav gav\Desktop\Run
2014-04-25 15:16 - 2014-04-25 15:16 - 00001416 _____ () C:\Users\Gav gav\Desktop\Emsisoft report.txt
2014-04-25 14:09 - 2014-04-25 14:09 - 00406337 _____ () C:\Users\Gav gav\Desktop\Heartbleed bug  Check which sites have been patched - CNET.htm
2014-04-25 14:09 - 2014-04-25 14:09 - 00043020 _____ () C:\Users\Gav gav\Desktop\How to test your router for the Heartbleed bug  - Privacy Online Forum.htm
2014-04-25 14:09 - 2014-04-25 14:09 - 00000000 ____D () C:\Users\Gav gav\Desktop\How to test your router for the Heartbleed bug  - Privacy Online Forum_files
2014-04-25 14:09 - 2014-04-25 14:09 - 00000000 ____D () C:\Users\Gav gav\Desktop\Heartbleed bug  Check which sites have been patched - CNET_files
2014-04-25 11:41 - 2014-04-25 11:41 - 00063762 _____ () C:\Users\Gav gav\Desktop\r00tkit Analysis  What Is A Rootkit  - VnutZ Domain.htm
2014-04-25 11:41 - 2014-04-25 11:41 - 00000000 ____D () C:\Users\Gav gav\Desktop\r00tkit Analysis  What Is A Rootkit  - VnutZ Domain_files
2014-04-25 11:33 - 2014-04-25 11:33 - 00000419 _____ () C:\Users\Gav gav\Desktop\Emsisoft Emergency Kit.lnk
2014-04-25 11:01 - 2014-04-25 10:57 - 225876832 _____ () C:\Users\Gav gav\Downloads\EmsisoftEmergencyKit.exe
2014-04-25 10:54 - 2014-04-25 10:54 - 00000000 ____D () C:\Program Files\ESET
2014-04-25 10:54 - 2014-04-25 10:53 - 02347384 _____ (ESET) C:\Users\Gav gav\Desktop\esetsmartinstaller_enu.exe
2014-04-25 02:03 - 2014-04-25 11:32 - 00000000 ____D () C:\Users\Gav gav\Desktop\Languages
2014-04-25 00:17 - 2014-04-25 11:31 - 01593776 ____N (Emsisoft GmbH) C:\Users\Gav gav\Desktop\start.exe
2014-04-25 00:17 - 2014-04-25 11:31 - 00004024 ____N () C:\Users\Gav gav\Desktop\readme.txt
2014-04-25 00:17 - 2014-04-25 11:31 - 00000060 ____N () C:\Users\Gav gav\Desktop\CommandlineScanner.bat
2014-04-25 00:17 - 2014-04-25 11:31 - 00000056 ____N () C:\Users\Gav gav\Desktop\EmergencyKitScanner.bat
2014-04-24 14:16 - 2014-04-24 14:16 - 00000000 ____D () C:\ProgramData\WindowsSearch
2014-04-24 14:01 - 2014-04-24 14:01 - 00921512 _____ (Oracle Corporation) C:\Users\Gav gav\Downloads\jre-7u55-windows-i586-iftw.exe
2014-04-24 09:44 - 2006-11-02 03:33 - 00759542 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-24 09:43 - 2014-03-24 14:51 - 00000010 _____ () C:\Users\Gav gav\AppData\Local\sponge.last.runtime.cache
2014-04-24 08:53 - 2014-04-24 08:53 - 00025774 _____ () C:\Users\Gav gav\Desktop\Addition.txt
2014-04-23 21:14 - 2014-04-23 21:14 - 00011126 _____ () C:\Users\Gav gav\Desktop\Attach2.txt
2014-04-23 21:14 - 2014-04-23 21:14 - 00011003 _____ () C:\Users\Gav gav\Desktop\DDS2.txt
2014-04-23 21:07 - 2014-04-18 19:03 - 00011126 _____ () C:\Users\Gav gav\Desktop\attach.txt
2014-04-23 21:07 - 2014-04-18 19:03 - 00011003 _____ () C:\Users\Gav gav\Desktop\dds.txt
2014-04-21 07:49 - 2014-03-01 20:09 - 00000000 ___RD () C:\Users\Gav gav\YandexDisk
2014-04-21 07:49 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-20 20:55 - 2006-11-02 06:01 - 00032650 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-04-18 19:44 - 2014-03-25 05:21 - 00008446 _____ () C:\Windows\DCEBOOT.RST
2014-04-18 19:44 - 2014-03-25 05:21 - 00000000 _____ () C:\Windows\DCEBOOT.LOG
2014-04-18 19:44 - 2006-11-02 06:00 - 00147200 _____ () C:\Windows\PFRO.log
2014-04-18 19:00 - 2014-04-18 19:00 - 00688992 ____R (Swearware) C:\Users\Gav gav\Downloads\dds.com
2014-04-18 14:26 - 2014-03-25 05:18 - 00023088 _____ () C:\Windows\DCEBoot.exe
2014-04-18 14:20 - 2014-03-24 21:57 - 18107150 _____ () C:\Users\Gav gav\AppData\Local\census.cache
2014-04-18 12:14 - 2014-03-24 21:48 - 00000000 _____ () C:\Users\Gav gav\AppData\Local\ars.cache
2014-04-18 06:57 - 2014-04-18 06:57 - 00033850 _____ () C:\Users\Gav gav\Desktop\gmer full.log
2014-04-17 18:49 - 2014-04-17 18:49 - 00781560 _____ (McAfee, Inc.) C:\Users\Gav gav\Downloads\rootkitremover.exe
2014-04-17 18:49 - 2014-04-17 18:49 - 00037070 _____ () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools.htm
2014-04-17 18:49 - 2014-04-17 18:49 - 00000000 ____D () C:\Users\Gav gav\Desktop\How to Use RootkitRemover _ McAfee Free Tools_files
2014-04-17 18:48 - 2014-04-17 18:48 - 00154677 _____ () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools.htm
2014-04-17 18:48 - 2014-04-17 18:48 - 00000000 ____D () C:\Users\Gav gav\Desktop\McAfee Communities  Anti-Spyware_Malware & Hijacker Tools_files
2014-04-17 18:44 - 2014-04-17 18:43 - 91370840 _____ (Sophos Limited) C:\Users\Gav gav\Downloads\Sophos Virus Removal Tool.exe
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\Users\Gav gav\Doctor Web
2014-04-17 18:31 - 2014-04-17 18:31 - 00000000 ____D () C:\ProgramData\Doctor Web
2014-04-17 18:31 - 2013-08-09 08:26 - 00000000 ____D () C:\Users\Gav gav
2014-04-17 18:26 - 2014-04-17 18:22 - 140362656 _____ () C:\Users\Gav gav\Downloads\cureit.exe
2014-04-17 18:18 - 2014-04-17 18:18 - 00025903 _____ () C:\Users\Gav gav\Desktop\GMER results.log
2014-04-17 17:44 - 2014-04-17 17:44 - 00212337 _____ () C:\Users\Gav gav\Desktop\Книга2.xlsx
2014-04-17 16:03 - 2014-04-17 16:03 - 220739279 _____ () C:\Windows\MEMORY.DMP
2014-04-17 16:03 - 2014-04-17 16:03 - 00144984 _____ () C:\Windows\Minidump\Mini041714-01.dmp
2014-04-17 16:03 - 2014-04-17 16:03 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-04-17 16:03 - 2014-04-17 16:03 - 00000000 ____D () C:\Windows\Minidump
2014-04-17 14:59 - 2014-04-17 14:59 - 00380416 _____ () C:\Users\Gav gav\Downloads\fshqzcqk.exe
2014-04-17 13:32 - 2014-04-17 13:32 - 00148220 _____ () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back.htm
2014-04-17 13:32 - 2014-04-17 13:32 - 00000000 ____D () C:\Users\Gav gav\Desktop\Virus Keeps Coming Back_files
2014-04-17 13:28 - 2013-12-16 06:52 - 00000000 ____D () C:\ProgramData\Oracle
2014-04-17 13:27 - 2014-04-17 13:27 - 00004117 _____ () C:\Windows\system32\jupdate-1.7.0_55-b14.log
2014-04-17 13:27 - 2014-04-17 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-04-17 13:27 - 2013-08-09 13:08 - 00000000 ____D () C:\Program Files\Java
2014-04-17 13:01 - 2014-04-17 13:01 - 00150507 _____ () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover.htm
2014-04-17 13:01 - 2014-04-17 13:01 - 00000000 ____D () C:\Users\Gav gav\Desktop\Best Free Rootkit Scanner and Remover_files
2014-04-17 13:00 - 2014-04-17 12:59 - 04139360 _____ (Kaspersky Lab ZAO) C:\Users\Gav gav\Downloads\tdsskiller.exe
2014-04-16 13:11 - 2014-04-14 12:41 - 00249382 _____ () C:\Users\Gav gav\Desktop\IT wages.xlsx
2014-04-14 20:13 - 2014-04-17 13:27 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-04-14 20:05 - 2014-04-17 13:27 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-04-14 20:05 - 2014-04-17 13:27 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-04-14 20:04 - 2014-04-17 13:27 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-04-11 19:25 - 2014-04-11 19:25 - 00084833 _____ () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com.htm
2014-04-11 19:25 - 2014-04-11 19:25 - 00000000 ____D () C:\Users\Gav gav\Desktop\Network Engineer Vs. Network Administrator _ Chron.com_files
2014-04-11 12:59 - 2014-04-11 12:59 - 00465642 _____ () C:\Users\Gav gav\Desktop\Книга1.xlsx
2014-04-11 11:18 - 2014-04-11 11:18 - 00000012 _____ () C:\Users\Gav gav\Desktop\a.txt
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2014-04-11 09:23 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-11 09:23 - 2013-12-18 18:34 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\Malwarebytes
2014-04-11 09:23 - 2013-12-18 18:34 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-10 10:37 - 2014-04-10 10:37 - 00108382 _____ () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums.htm
2014-04-10 10:37 - 2014-04-10 10:37 - 00000000 ____D () C:\Users\Gav gav\Desktop\Product Key Number - Uninstall and Deactivate in Windows - Windows 7 Help Forums_files
2014-04-09 14:43 - 2014-01-01 15:58 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-04-09 14:42 - 2013-12-16 11:40 - 00000000 ____D () C:\Windows\system32\MRT
2014-04-09 14:41 - 2006-11-02 03:24 - 88028728 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-04-09 06:44 - 2014-03-28 15:17 - 00000000 ____D () C:\Users\Gav gav\Downloads\l
2014-04-09 06:38 - 2014-03-31 09:25 - 00000000 ____D () C:\Users\Gav gav\Downloads\Microsoft developer tools
2014-04-07 09:43 - 2014-04-07 09:43 - 02049128 _____ (Trend Micro Inc.) C:\Users\Gav gav\Desktop\HousecallLauncher.exe
2014-04-03 09:51 - 2014-04-11 09:23 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:51 - 2014-03-23 11:43 - 00073432 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-03 09:50 - 2014-02-19 09:08 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-02 20:29 - 2012-08-02 08:29 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-04-02 20:29 - 2012-08-02 08:28 - 00001826 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-04-02 20:29 - 2012-08-02 08:28 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-02 09:03 - 2014-04-02 09:03 - 00000000 ____D () C:\Users\Gav gav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Яндекс.Диск
2014-04-02 09:03 - 2014-03-01 20:09 - 00001934 _____ () C:\Users\Gav gav\Desktop\Скриншоты в Яндекс.Диске.lnk
2014-04-02 09:03 - 2014-03-01 20:09 - 00001875 _____ () C:\Users\Gav gav\Desktop\Яндекс.Диск.lnk
2014-04-01 08:39 - 2013-06-14 10:29 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-30 11:32 - 2014-03-28 14:50 - 00000000 ____D () C:\Users\Gav gav\Downloads\Other Servers
2014-03-30 09:02 - 2014-03-30 09:02 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-28 14:34 - 2014-03-21 11:02 - 00000000 ____D () C:\Users\Gav gav\Downloads\Dreamspark

Some content of TEMP:
====================
C:\Users\Gav gav\AppData\Local\Temp\i4jd3682828998924456985.exe
C:\Users\Gav gav\AppData\Local\Temp\i4jdel0.exe
C:\Users\Gav gav\AppData\Local\Temp\JExplorer32.2.7.1.dll
C:\Users\Gav gav\AppData\Local\Temp\JExplorer32.2.7.1.exe
C:\Users\Gav gav\AppData\Local\Temp\JExplorer64.2.7.1.dll
C:\Users\Gav gav\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-04-21 07:54

==================== End Of Log ============================
