Accidentally Clicked "Allow" on Malware Detection


  • This topic is locked
15 replies to this topic

#1 TrueGB

TrueGB

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:05 PM

Posted 23 June 2014 - 08:28 PM

The message "Malware Detected: Block or Allow" appeared right in the exact same spot where I routinely see my anti-virus asking me to buy stuff where "Allow" is where the "No" button normally is. I immediately ran a virus scan which detected a Trojan (generic kind; no specific name). It was then supposedly removed but...my PC is now acting kind of funny. Windows won't create Restore Points, manual or otherwise, the graphics tend to stutter and I'm routinely told my graphics driver is out of date (it's not), and I occasionally see file transfer graphics popping up in the corner of the screen.

Anyway, something feels off. I've run multiple virus scans (Avira, MalwareBytes, SuperAntiSpyware, Rogue Killer) but they haven't found anything. I know some malware only needs a few seconds upon clicking that "allow" button to cause all sorts of chaos. I just want to be sure.



DDS:


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17126
Run by david at 20:53:35 on 2014-06-22
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.3081 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{EDE44B8D-70E9-453B-A72B-99157F6DFC62} : DHCPNameServer = 192.168.2.1
SSODL: WebCheck -
x64-SSODL: WebCheck -
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\david\AppData\Roaming\Mozilla\Firefox\Profiles\qygekbmg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2013-3-27 28600]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-27 239616]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2013-1-4 430160]
R2 AntiVirService;Avira Real-Time Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2013-1-4 430160]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2013-3-27 112080]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
R3 KeyScrambler;KeyScrambler;C:\Windows\System32\drivers\keyscrambler.sys [2010-3-21 129384]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-6-11 111616]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-23 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-3-4 1255736]
.
=============== Created Last 30 ================
.
2014-06-21 04:31:47 10779000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{815D8783-EB40-4E00-BEF1-20486FF7BC44}\mpengine.dll
2014-06-18 05:07:14 -------- d-----w- C:\Users\david\AppData\Local\CrashDumps
2014-06-11 16:15:12 801280 ----a-w- C:\Windows\System32\usp10.dll
2014-06-01 20:37:09 -------- d-----w- C:\ProgramData\RogueKiller
2014-05-31 19:26:27 -------- d-----w- C:\Users\david\AppData\Local\ElevatedDiagnostics
2014-05-29 20:02:09 -------- d-----w- C:\Program Files (x86)\Project64 2.1
2014-05-29 19:50:08 -------- d-----w- C:\Program Files (x86)\Elaborate Bytes
.
==================== Find3M ====================
.
2014-06-08 09:13:05 506368 ----a-w- C:\Windows\System32\aepdu.dll
2014-06-08 09:08:04 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-06-03 16:43:11 112080 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2014-05-30 10:02:37 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-30 10:02:09 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-05-30 09:39:43 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-05-30 09:39:23 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-05-30 09:38:29 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-05-30 09:21:23 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-05-30 09:21:05 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-05-30 09:20:36 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-05-30 09:11:24 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-05-30 09:08:22 5782528 ----a-w- C:\Windows\System32\jscript9.dll
2014-05-30 09:02:39 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-30 08:55:36 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-05-30 08:44:28 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-05-30 08:43:06 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-05-30 08:42:16 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-05-30 08:28:33 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-05-30 08:27:56 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-05-30 08:24:19 1249280 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-05-30 08:23:22 2040832 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-05-30 08:10:46 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-05-30 07:56:56 2266112 ----a-w- C:\Windows\System32\wininet.dll
2014-05-30 07:56:50 4244992 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-05-30 07:50:09 1068032 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-05-30 07:49:38 1964544 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-05-30 07:21:10 1790976 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-05-13 23:25:27 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-13 23:25:27 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-25 02:06:17 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-04-05 02:47:20 1903552 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2014-04-05 02:47:09 288192 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2014-03-31 13:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-03-26 14:44:48 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2014-03-26 14:44:48 1882112 ----a-w- C:\Windows\System32\msxml3.dll
2014-03-26 14:41:39 2048 ----a-w- C:\Windows\System32\msxml6r.dll
2014-03-26 14:41:39 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2014-03-26 14:27:50 1389056 ----a-w- C:\Windows\SysWow64\msxml6.dll
2014-03-26 14:27:50 1237504 ----a-w- C:\Windows\SysWow64\msxml3.dll
2014-03-26 14:25:14 2048 ----a-w- C:\Windows\SysWow64\msxml6r.dll
2014-03-26 14:25:14 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
.
============= FINISH: 20:54:42.77 ===============

Edited by TrueGB, 23 June 2014 - 08:29 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,740 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:05 AM

Posted 28 June 2014 - 08:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Let me know what problem persists.
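An added example (not part of this thread, and not code from the FRST or AdwCleaner tools): a small Python triage script over the FRST.txt layout that the post above asks for. It groups lines by their `==== Section ====` header and flags the markers FRST itself emits (`No File`, `[File not signed]`, a missing DefaultScope) plus Run/RunOnce entries whose target has no size/date/publisher, the pattern a RunOnce left behind by an uninstalled program produces. The sample log is constructed; the flags are review prompts for the helper, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample in the FRST.txt layout seen in this thread; not the poster's full log.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [737872 2014-06-03] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-19\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html

==================== Internet (Whitelisted) ====================

SearchScopes: HKLM-x32 - DefaultScope value is missing.
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-07-11] (SUPERAntiSpyware.com) [File not signed]
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-06-03] (Avira Operations GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

R3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [129384 2008-03-22] (QFX Software Corporation)
"""

# "==================== Name ====================" section headers.
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")

# Markers FRST writes when it cannot verify what a registry entry points at.
LINE_FLAGS = [
    (re.compile(r"\bNo File$"), "referenced file is missing from disk"),
    (re.compile(r"\[File not signed\]$"), "binary carries no Authenticode signature"),
    (re.compile(r"value is missing\.?$"), "expected registry value is absent"),
]

# HKLM-x32\...\Run: [name] => target   or   HKU\<sid>\...\RunOnce: [name] - target
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?:=>|-) (?P<target>.+)$"
)
# "[size yyyy-mm-dd] (Publisher)" that FRST appends when the target file exists.
FILE_META_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \([^)]*\)")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the section header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "(preamble)"
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, [])
            continue
        if line.strip():
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, reason) that a helper should look at."""
    findings: List[Dict[str, str]] = []
    for section, lines in split_sections(text).items():
        for line in lines:
            reasons = [why for pattern, why in LINE_FLAGS if pattern.search(line)]
            autorun = AUTORUN_RE.match(line)
            if autorun and not FILE_META_RE.search(autorun.group("target")):
                # No size/date/publisher: the target is gone or is not a PE file FRST could inspect.
                reasons.append(
                    f"{autorun.group('key')} entry '{autorun.group('name')}' "
                    "has no size/date/publisher for its target"
                )
            for why in reasons:
                findings.append({"section": section, "reason": why, "line": line})
    return findings


def report(text: str) -> str:
    """Human-readable summary, grouped by section, for pasting into a reply."""
    out = []
    for finding in triage(text):
        out.append(f"[{finding['section']}] {finding['reason']}\n    {finding['line']}")
    return "\n".join(out) if out else "no flagged entries"


if __name__ == "__main__":
    print(report(SAMPLE_FRST))
```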

#3 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:05 PM

Posted 28 June 2014 - 06:33 PM

Thanks for helping!

Unfortunately, this is the start of a long weekend and I have a lot of family pestering me at the moment. Trying to stay on top of this but it may be difficult. Here's the AdwCleaner log at any rate. Mostly just the remains of that Wajam thing I somehow picked up years ago. I guess Adw found its skeleton:


# AdwCleaner v3.213 - Report created 28/06/2014 at 16:18:07
# Updated 23/06/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : (not sharing this info)
# Running from : C:\Users\private\Desktop\adwcleaner_3.213.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajam_install_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\wajamupdater_rasmancs
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126


-\\ Mozilla Firefox v30.0 (en-GB)

[ File : C:\Users\private\AppData\Roaming\Mozilla\Firefox\Profiles\qygekbmg.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1455 octets] - [28/06/2014 15:38:32]
AdwCleaner[S0].txt - [1355 octets] - [28/06/2014 16:18:07]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1415 octets] ##########

Edited by TrueGB, 28 June 2014 - 06:34 PM.


#4 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:05 PM

Posted 29 June 2014 - 02:46 AM

Now for the FRST. Seems to show a lot of old Key Scrambler and WizeTrade files although I deleted those programs a long time ago:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-06-2014 02
Ran by private (administrator) on private-PC on 28-06-2014 16:36:57
Running from C:\Users\private\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe


==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [737872 2014-06-03] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-02-02] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKU\S-1-5-19\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html
HKU\S-1-5-20\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF49A89C077DACA01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-ca
SearchScopes: HKLM-x32 - DefaultScope value is missing.
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/da2/PCPitStop2.cab
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.1xx.x.x

FireFox:
========
FF ProfilePath: C:\Users\private\AppData\Roaming\Mozilla\Firefox\Profiles\qygekbmg.default
FF Homepage: hxxp://www.google.ca/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_214.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-en-GB.xml
FF Extension: Classic Theme Restorer - C:\Users\private\AppData\Roaming\Mozilla\Firefox\Profiles\qygekbmg.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-05-09]
FF Extension: NoScript - C:\Users\private\AppData\Roaming\Mozilla\Firefox\Profiles\qygekbmg.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-05-21]

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-07-11] (SUPERAntiSpyware.com) [File not signed]
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-06-03] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-06-03] (Avira Operations GmbH & Co. KG)

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [112080 2014-06-03] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-06-03] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-11-25] (Avira Operations GmbH & Co. KG)
R3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [129384 2008-03-22] (QFX Software Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-28 16:36 - 2014-06-28 16:37 - 00007308 _____ () C:\Users\private\Desktop\FRST.txt
2014-06-28 16:36 - 2014-06-28 16:36 - 00000000 ____D () C:\FRST
2014-06-28 16:35 - 2014-06-28 16:35 - 02083328 _____ (Farbar) C:\Users\private\Desktop\FRST64.exe
2014-06-28 16:28 - 2014-06-28 16:28 - 00001495 _____ () C:\Users\private\Desktop\AdwCleaner[S0].txt
2014-06-28 15:38 - 2014-06-28 16:18 - 00000000 ____D () C:\AdwCleaner
2014-06-28 15:34 - 2014-06-28 15:34 - 01342659 _____ () C:\Users\private\Desktop\adwcleaner_3.213.exe
2014-06-23 15:18 - 2014-06-23 15:20 - 269338400 _____ (AMD Inc.) C:\Users\private\Downloads\14-4-win7-win8-win8.1-64-dd-ccc-whql.exe
2014-06-22 20:54 - 2014-06-23 15:23 - 00003952 _____ () C:\Users\private\Desktop\attach.txt
2014-06-22 20:54 - 2014-06-22 20:54 - 00010204 _____ () C:\Users\private\Desktop\dds.txt
2014-06-22 20:53 - 2014-06-22 20:53 - 00688992 ____R (Swearware) C:\Users\private\Desktop\dds.com
2014-06-18 01:07 - 2014-06-18 01:07 - 00000000 ____D () C:\Users\private\AppData\Local\CrashDumps
2014-06-18 00:37 - 2014-06-18 00:44 - 554267568 _____ (GOG.com ) C:\Users\private\Downloads\setup_the_7th_guest_2.0.0.17.exe
2014-06-18 00:36 - 2014-06-18 00:51 - 1907001072 _____ (GOG.com ) C:\Users\private\Downloads\setup_baldurs_gate_2.0.0.20.exe
2014-06-18 00:36 - 2014-06-18 00:40 - 258148408 _____ (GOG.com ) C:\Users\private\Downloads\setup_dungeon_keeper_gold_2.0.0.4.exe
2014-06-17 21:32 - 2014-06-17 21:32 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-06-11 12:15 - 2014-05-30 06:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-06-11 12:15 - 2014-05-30 06:02 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-06-11 12:15 - 2014-05-30 05:45 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-06-11 12:15 - 2014-05-30 05:39 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-06-11 12:15 - 2014-05-30 05:38 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-06-11 12:15 - 2014-05-30 05:28 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-06-11 12:15 - 2014-05-30 05:27 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-06-11 12:15 - 2014-05-30 05:24 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-06-11 12:15 - 2014-05-30 05:21 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-06-11 12:15 - 2014-05-30 05:18 - 17271296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-06-11 12:15 - 2014-05-30 05:06 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-06-11 12:15 - 2014-05-30 05:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-06-11 12:15 - 2014-05-30 04:55 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-06-11 12:15 - 2014-05-30 04:44 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-06-11 12:15 - 2014-05-30 04:44 - 00295424 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-06-11 12:15 - 2014-05-30 04:43 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-06-11 12:15 - 2014-05-30 04:42 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-06-11 12:15 - 2014-05-30 04:38 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-06-11 12:15 - 2014-05-30 04:35 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-06-11 12:15 - 2014-05-30 04:34 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-06-11 12:15 - 2014-05-30 04:33 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-06-11 12:15 - 2014-05-30 04:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-06-11 12:15 - 2014-05-30 04:29 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-06-11 12:15 - 2014-05-30 04:28 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-06-11 12:15 - 2014-05-30 04:27 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-06-11 12:15 - 2014-05-30 04:23 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-06-11 12:15 - 2014-05-30 04:16 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-06-11 12:15 - 2014-05-30 04:10 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-06-11 12:15 - 2014-05-30 04:06 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-06-11 12:15 - 2014-05-30 04:04 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-06-11 12:15 - 2014-05-30 04:02 - 00242688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-06-11 12:15 - 2014-05-30 03:56 - 04244992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-06-11 12:15 - 2014-05-30 03:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-06-11 12:15 - 2014-05-30 03:50 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-06-11 12:15 - 2014-05-30 03:49 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-06-11 12:15 - 2014-05-30 03:43 - 13522944 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-06-11 12:15 - 2014-05-30 03:40 - 11725312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-06-11 12:15 - 2014-05-30 03:30 - 01398272 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-06-11 12:15 - 2014-05-30 03:21 - 01790976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-06-11 12:15 - 2014-05-30 03:15 - 01143296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-06-11 12:15 - 2014-05-30 03:13 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-06-11 12:15 - 2014-04-24 22:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-06-11 12:15 - 2014-04-24 22:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2014-06-11 12:15 - 2014-04-04 22:47 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-06-11 12:15 - 2014-04-04 22:47 - 00288192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2014-06-11 12:15 - 2014-03-26 10:44 - 02002432 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-06-11 12:15 - 2014-03-26 10:44 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-06-11 12:15 - 2014-03-26 10:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2014-06-11 12:15 - 2014-03-26 10:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-06-11 12:15 - 2014-03-26 10:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2014-06-11 12:15 - 2014-03-26 10:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-06-11 12:15 - 2014-03-26 10:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6r.dll
2014-06-11 12:15 - 2014-03-26 10:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-06-11 12:14 - 2014-06-08 05:13 - 00506368 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-06-11 12:14 - 2014-06-08 05:08 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-06-11 12:14 - 2014-05-30 06:21 - 23414784 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-06-11 12:14 - 2014-05-30 05:39 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-06-11 12:14 - 2014-05-30 05:21 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-06-11 12:14 - 2014-05-30 05:20 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-06-11 12:14 - 2014-05-30 05:11 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-06-11 12:14 - 2014-05-30 05:08 - 05782528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-06-11 12:14 - 2014-05-30 04:49 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-06-11 12:14 - 2014-05-30 04:46 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-06-11 12:14 - 2014-05-30 04:24 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-06-11 12:14 - 2014-05-30 03:56 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-06-11 12:14 - 2014-05-30 03:13 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-06-07 18:32 - 2014-06-07 18:32 - 00000643 _____ () C:\Users\private\Documents\private - Shortcut.lnk
2014-06-01 16:37 - 2014-06-01 16:37 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-06-01 16:16 - 2014-06-01 16:16 - 04668928 _____ () C:\Users\private\Downloads\RogueKiller.exe
2014-05-29 15:50 - 2014-05-29 15:50 - 00000000 ____D () C:\Program Files (x86)\Elaborate Bytes

==================== One Month Modified Files and Folders =======

2014-06-28 16:37 - 2014-06-28 16:36 - 00007308 _____ () C:\Users\private\Desktop\FRST.txt
2014-06-28 16:36 - 2014-06-28 16:36 - 00000000 ____D () C:\FRST
2014-06-28 16:35 - 2014-06-28 16:35 - 02083328 _____ (Farbar) C:\Users\private\Desktop\FRST64.exe
2014-06-28 16:28 - 2014-06-28 16:28 - 00001495 _____ () C:\Users\private\Desktop\AdwCleaner[S0].txt
2014-06-28 16:27 - 2009-07-14 00:45 - 00014848 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-28 16:27 - 2009-07-14 00:45 - 00014848 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-28 16:25 - 2013-05-27 23:43 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-28 16:24 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-28 16:23 - 2010-01-07 19:53 - 01750263 _____ () C:\Windows\WindowsUpdate.log
2014-06-28 16:22 - 2012-11-25 18:49 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-28 16:20 - 2012-11-25 18:49 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-28 16:20 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-28 16:20 - 2009-07-14 00:51 - 00034723 _____ () C:\Windows\setupact.log
2014-06-28 16:19 - 2012-05-09 00:03 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-06-28 16:19 - 2010-03-11 00:49 - 00198112 _____ () C:\Windows\PFRO.log
2014-06-28 16:18 - 2014-06-28 15:38 - 00000000 ____D () C:\AdwCleaner
2014-06-28 15:34 - 2014-06-28 15:34 - 01342659 _____ () C:\Users\private\Desktop\adwcleaner_3.213.exe
2014-06-23 15:23 - 2014-06-22 20:54 - 00003952 _____ () C:\Users\private\Desktop\attach.txt
2014-06-23 15:20 - 2014-06-23 15:18 - 269338400 _____ (AMD Inc.) C:\Users\private\Downloads\14-4-win7-win8-win8.1-64-dd-ccc-whql.exe
2014-06-22 20:54 - 2014-06-22 20:54 - 00010204 _____ () C:\Users\private\Desktop\dds.txt
2014-06-22 20:53 - 2014-06-22 20:53 - 00688992 ____R (Swearware) C:\Users\private\Desktop\dds.com
2014-06-21 23:50 - 2012-11-05 02:55 - 00000000 ____D () C:\Users\private\Stories
2014-06-21 01:28 - 2010-01-08 02:08 - 00002957 _____ () C:\Users\private\passwords.txt
2014-06-18 19:17 - 2012-11-25 18:49 - 00003892 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-18 19:17 - 2012-11-25 18:49 - 00003640 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-18 01:07 - 2014-06-18 01:07 - 00000000 ____D () C:\Users\private\AppData\Local\CrashDumps
2014-06-18 00:51 - 2014-06-18 00:36 - 1907001072 _____ (GOG.com ) C:\Users\private\Downloads\setup_baldurs_gate_2.0.0.20.exe
2014-06-18 00:44 - 2014-06-18 00:37 - 554267568 _____ (GOG.com ) C:\Users\private\Downloads\setup_the_7th_guest_2.0.0.17.exe
2014-06-18 00:40 - 2014-06-18 00:36 - 258148408 _____ (GOG.com ) C:\Users\private\Downloads\setup_dungeon_keeper_gold_2.0.0.4.exe
2014-06-17 21:32 - 2014-06-17 21:32 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-06-14 21:08 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-06-12 20:43 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-06-12 19:41 - 2010-01-07 20:02 - 00000000 ____D () C:\Users\private
2014-06-12 03:03 - 2013-07-27 03:03 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-12 03:02 - 2010-01-08 04:20 - 95414520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-12 03:00 - 2014-05-07 03:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-06-11 14:22 - 2014-04-28 04:44 - 00000000 ____D () C:\Users\private
2014-06-08 05:13 - 2014-06-11 12:14 - 00506368 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-06-08 05:08 - 2014-06-11 12:14 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-06-07 18:32 - 2014-06-07 18:32 - 00000643 _____ () C:\Users\private\Documents\private - Shortcut.lnk
2014-06-03 12:43 - 2013-03-27 21:53 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-06-03 12:43 - 2013-03-27 21:53 - 00112080 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-06-01 18:02 - 2010-01-08 02:02 - 00000000 ____D () C:\Users\private\My Pics
2014-06-01 16:37 - 2014-06-01 16:37 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-06-01 16:16 - 2014-06-01 16:16 - 04668928 _____ () C:\Users\private\Downloads\RogueKiller.exe
2014-05-30 06:21 - 2014-06-11 12:14 - 23414784 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-30 06:02 - 2014-06-11 12:15 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-30 06:02 - 2014-06-11 12:15 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-05-30 05:45 - 2014-06-11 12:15 - 02768384 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-05-30 05:39 - 2014-06-11 12:15 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-05-30 05:39 - 2014-06-11 12:14 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-05-30 05:38 - 2014-06-11 12:15 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-05-30 05:28 - 2014-06-11 12:15 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-05-30 05:27 - 2014-06-11 12:15 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-05-30 05:24 - 2014-06-11 12:15 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-05-30 05:21 - 2014-06-11 12:15 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-05-30 05:21 - 2014-06-11 12:14 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-05-30 05:20 - 2014-06-11 12:14 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-05-30 05:18 - 2014-06-11 12:15 - 17271296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-30 05:11 - 2014-06-11 12:14 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-05-30 05:08 - 2014-06-11 12:14 - 05782528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-05-30 05:06 - 2014-06-11 12:15 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-05-30 05:02 - 2014-06-11 12:15 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-30 04:55 - 2014-06-11 12:15 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-05-30 04:49 - 2014-06-11 12:14 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-05-30 04:46 - 2014-06-11 12:14 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-30 04:44 - 2014-06-11 12:15 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-05-30 04:44 - 2014-06-11 12:15 - 00295424 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-05-30 04:43 - 2014-06-11 12:15 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-05-30 04:42 - 2014-06-11 12:15 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-05-30 04:38 - 2014-06-11 12:15 - 02179072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-05-30 04:35 - 2014-06-11 12:15 - 00608768 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-05-30 04:34 - 2014-06-11 12:15 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-05-30 04:33 - 2014-06-11 12:15 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-05-30 04:30 - 2014-06-11 12:15 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-05-30 04:29 - 2014-06-11 12:15 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-05-30 04:28 - 2014-06-11 12:15 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-05-30 04:27 - 2014-06-11 12:15 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-05-30 04:24 - 2014-06-11 12:14 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-05-30 04:23 - 2014-06-11 12:15 - 02040832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-05-30 04:16 - 2014-06-11 12:15 - 00368128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-05-30 04:10 - 2014-06-11 12:15 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-05-30 04:06 - 2014-06-11 12:15 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-05-30 04:04 - 2014-06-11 12:15 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-30 04:02 - 2014-06-11 12:15 - 00242688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-05-30 03:56 - 2014-06-11 12:15 - 04244992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-05-30 03:56 - 2014-06-11 12:14 - 02266112 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-05-30 03:54 - 2014-06-11 12:15 - 00526336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-05-30 03:50 - 2014-06-11 12:15 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-05-30 03:49 - 2014-06-11 12:15 - 01964544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-05-30 03:43 - 2014-06-11 12:15 - 13522944 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-05-30 03:40 - 2014-06-11 12:15 - 11725312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-05-30 03:30 - 2014-06-11 12:15 - 01398272 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-05-30 03:21 - 2014-06-11 12:15 - 01790976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-05-30 03:15 - 2014-06-11 12:15 - 01143296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-05-30 03:13 - 2014-06-11 12:15 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-05-30 03:13 - 2014-06-11 12:14 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-05-29 16:46 - 2012-11-25 18:49 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-05-29 15:50 - 2014-05-29 15:50 - 00000000 ____D () C:\Program Files (x86)\Elaborate Bytes

Some content of TEMP:
====================
C:\Users\private\AppData\Local\Temp\avgnt.exe
C:\Users\private\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-06-18 13:46

==================== End Of Log ============================

Edited by TrueGB, 29 June 2014 - 02:48 AM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:05 AM

Posted 29 June 2014 - 07:22 AM

Seems to show a lot of old Key Scrambler and WizeTrade files although I deleted those programs a long time ago:


Nothing malicious was found. Just run this fix to clean old entries.

p.s. Nothing was identified as WizeTrade that I could find.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKU\S-1-5-19\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html
HKU\S-1-5-20\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html
SearchScopes: HKLM-x32 - DefaultScope value is missing.
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
R3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [129384 2008-03-22] (QFX Software Corporation)
C:\Users\private\AppData\Local\Temp\avgnt.exe
C:\Windows\System32\drivers\keyscrambler.sys

end

Save the file as fixlist.txt into the same folder as FRST.
Run FRST and click Fix only once and wait.

Restart the computer to reset the registry.
The tool will create a log (Fixlog.txt) please post it to your reply.

====

Let me know if you have any issues with computer.

#6 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 29 June 2014 - 12:36 PM

Keyboards-Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-06-2014 02
Ran by at 2014-06-29 12:52:46 Run:1
Running from C:\Users\\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKU\S-1-5-19\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html
HKU\S-1-5-20\...\RunOnce: [KeyScrambler] - C:\Program Files (x86)\KeyScrambler\getting_started.html
SearchScopes: HKLM-x32 - DefaultScope value is missing.
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
R3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [129384 2008-03-22] (QFX Software Corporation)
C:\Users\private\AppData\Local\Temp\avgnt.exe
C:\Windows\System32\drivers\keyscrambler.sys
end
*****************

HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\KeyScrambler => value deleted successfully.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\KeyScrambler => value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKCR\PROTOCOLS\Handler\ipp\0x00000001' => Key deleted successfully.
'HKCR\CLSID\{E1D2BF42-A96B-11D1-9C6B-0000F875AC61}'=> Key not found.
'HKLM\Software\MozillaPlugins\FF Plugin: @microsoft.com/GENUINE - disabled No File'=> Key not found.
"FF Plugin: @microsoft.com/GENUINE - disabled No File" => not found.
'HKLM\Software\Wow6432Node\MozillaPlugins\FF Plugin-x32: @microsoft.com/GENUINE - disabled No File'=> Key not found.
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File not found.
KeyScrambler => Unable to stop service
KeyScrambler => Service deleted successfully.
"C:\Users\private\AppData\Local\Temp\avgnt.exe" => File/Directory not found.
C:\Windows\System32\drivers\keyscrambler.sys => Moved successfully.
The system needed a reboot.

==== End of Fixlog ====

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:05 AM

Posted 29 June 2014 - 01:08 PM

One last scan.

Please let me know how things are with this computer.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

#8 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 29 June 2014 - 01:36 PM

My keyboard is now dead. I have to post from another computer now. Windows shows an error message about the registry key for the hardware being corrupted in the device manager:

Keyboards-Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)

That security checker program requires me to press "any key to continue", so I can't use that either.

Is there any way to roll back your "fix"? And no, Windows won't create restore points so I can't use System Restore. In fact, after I rebooted the one good restore point I managed to keep for the last week was wiped.

Edited by TrueGB, 29 June 2014 - 03:31 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:05 AM

Posted 30 June 2014 - 07:12 AM


You removed KeyScrambler but the file was still active.

Removing it may have caused the keyboard problem:

C:\Windows\System32\drivers\keyscrambler.sys

===

Try this

You may be able to use the keyboard in Safe mode.

How to boot to Safe Mode, Vista - Windows 7
http://www.computerhope.com/issues/chsafe.htm#03

At the DOS prompt type CD C:\Windows\System32
Hit the Enter key.

At the prompt type
SFC /Scannow (make sure you have a space after SFC)

Hit the enter key.

How is it now?
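An added example, not part of the thread and not code from FRST or any other tool used in it: the check a practitioner would run before a fixlist deletes a driver file and its service. KeyScrambler is a keyboard filter driver, and the Code 19 reported in the post above is the classic result of a device class's UpperFilters or LowerFilters value still naming a service whose registry key or binary has been removed. That this is what happened on this machine is my reading of the thread, not something the posted logs confirm. The script below lists every class that references the named service(s) and whether the service key and binary still exist; with -Remove it strips references that are already dangling. The default service name is the one from the fixlist; the parameter names and everything else are assumptions for illustration. Passing an empty list goes beyond this case and reports every dangling class filter on the machine.

```powershell
# Added example, not from the thread. Before a fix deletes a third-party driver file and
# its service (keyscrambler.sys / KeyScrambler in the fixlist above), check whether a
# device class still names that service in UpperFilters or LowerFilters. A class filter
# whose service key or binary is gone stops every device in the class with Device
# Manager "Code 19". Run from an elevated PowerShell prompt; read-only unless -Remove.
param(
    [string[]]$ServiceNames = @('KeyScrambler'),  # assumed: the R3 service name from the FRST log
    [switch]$Remove                               # also strip dangling references from the class key
)

$classRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Driver ImagePath values come in several shapes: 'system32\drivers\x.sys',
# '\SystemRoot\system32\drivers\x.sys' or '\??\C:\...'. Normalise to a Win32 path.
function Resolve-ImagePath([string]$Path) {
    $p = $Path -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Emits one record per (class, filter) pair that either matches $Names or, when
# $Names is empty, points at a service whose key or binary no longer exists.
function Get-FilterReferences([string[]]$Names) {
    foreach ($class in Get-ChildItem $classRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $class.PSPath -ErrorAction SilentlyContinue
        foreach ($kind in 'UpperFilters', 'LowerFilters') {
            foreach ($filter in @($props.$kind)) {
                if (-not $filter) { continue }
                $svcKey    = Join-Path $svcRoot $filter
                $svcExists = Test-Path $svcKey
                $binary    = $null
                if ($svcExists) {
                    $image = (Get-ItemProperty $svcKey).ImagePath
                    if ($image) { $binary = Resolve-ImagePath $image }
                }
                $binExists = [bool]($binary -and (Test-Path $binary))
                $dangling  = -not ($svcExists -and $binExists)
                $wanted = if ($Names.Count -gt 0) { $Names -contains $filter } else { $dangling }
                if (-not $wanted) { continue }
                New-Object PSObject -Property @{
                    Class         = $props.Class
                    ClassGuid     = $class.PSChildName
                    FilterKind    = $kind
                    Filter        = $filter
                    ServiceExists = $svcExists
                    Binary        = $binary
                    BinaryExists  = $binExists
                    Dangling      = $dangling
                }
            }
        }
    }
}

# Drops one filter name from a class key's multi-string value, deleting the value
# outright when nothing is left.
function Remove-FilterReference($Ref) {
    $key = Join-Path $classRoot $Ref.ClassGuid
    $remaining = @((Get-ItemProperty $key).($Ref.FilterKind) | Where-Object { $_ -ne $Ref.Filter })
    if ($remaining.Count -eq 0) {
        Remove-ItemProperty -Path $key -Name $Ref.FilterKind
    } else {
        Set-ItemProperty -Path $key -Name $Ref.FilterKind -Value $remaining -Type MultiString
    }
}

$refs = @(Get-FilterReferences $ServiceNames)
if ($refs.Count -eq 0) {
    Write-Host "No class filter references found for: $($ServiceNames -join ', ')"
} else {
    $refs | Format-Table Class, FilterKind, Filter, ServiceExists, BinaryExists, Binary -AutoSize
    if ($Remove) {
        foreach ($r in ($refs | Where-Object { $_.Dangling })) {
            Remove-FilterReference $r
            Write-Host "Removed $($r.Filter) from $($r.FilterKind) of class $($r.Class); reboot to re-enumerate devices."
        }
    }
}
```

Run before the fix, a row for the Keyboard class with ServiceExists and BinaryExists both True is the warning sign: deleting the file and service while the class still references them is what produces Code 19 after the reboot. Either remove the reference as well, or run the vendor's uninstaller, which is what eventually resolved the problem in this thread. Run after the fact with no arguments, the Dangling rows are the ones to clean up.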

#10 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 June 2014 - 01:32 PM

I already ran an SFC scan. Didn't help. The keyboard did not work in safe mode. It did work in the preboot screen though.

Edited by TrueGB, 30 June 2014 - 01:33 PM.


#11 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 30 June 2014 - 05:17 PM

Okay, I fixed the keyboard issue. Upon backing up some files, I discovered some more remnants of the KeyScrambler program. I did a file search and discovered one of the remaining bones of KS' skeleton was the Uninstall program, so I ran it and restarted my computer. Voila! Keyboard works. Don't know why it didn't work in Safe Mode though.

I ran Security Check, but aside from informing me Flash Player is out of date (flash programs seem to run just fine with Firefox's Shockwave plugin), it didn't discover anything. Just a lot of empty lines and notes about my antivirus and Windows service packs being up to date and enabled.


This little experiment did help me narrow down the nature of the System Restore issue. Windows DOES automatically create restore points, but this leads to another question: why is Windows wiping clean my restore points on reboot?

Edited by TrueGB, 30 June 2014 - 05:19 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:05 AM

Posted 01 July 2014 - 07:20 AM


why is Windows wiping clean my restore points on reboot?

Check this out.

This issue can be caused if the maximum storage size limit is set too low for your shadow storage.
http://support.microsoft.com/kb/2506576

#13 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 01 July 2014 - 11:20 AM

Yes, I've read that tip before. My current memory allocation for restore points is 20gigs and I've just increased it to 30gigs just in case. That's 10% of my total hard drive. System Restore is currently using only 100megs for a couple restore points.
***Yep. Just restarted my computer. Despite having 30gigs allocated to it, Windows still wiped my restore points.

The only thing I didn't know from that link is the existence of Error 25 which I see now in one of those scans:

Event ID 25:

The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.


Edited by TrueGB, 01 July 2014 - 11:34 AM.
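An added example, not from the thread: a PowerShell script that pulls the volsnap Event ID 25 entries quoted above out of the System log, pairs each one with the OS start event that preceded it, and prints the shadow storage figures per volume from WMI. The point is the timing. Restore points that vanish "on reboot" and a deletion logged a few minutes after the Kernel-General start event are the same thing, and that is the IO-load case the event text names rather than the quota case the KB article addresses, which matches the poster's finding that raising the maximum to 30 GB changed nothing. Using Microsoft-Windows-Kernel-General Event 12 as the boot marker, the 30-day window and the column names are my choices; nothing here is from the poster's machine.

```powershell
# Added example, not from the thread. Correlates volsnap Event 25 (shadow copies deleted
# because the storage could not grow in time) with OS start events, so you can see how
# long after each boot the restore points vanished, then prints the shadow storage
# allocation per volume. Read-only; run from an elevated PowerShell prompt on Windows 7+.
param([int]$Days = 30)   # assumed window; widen it if the log holds older entries

$since = (Get-Date).AddDays(-$Days)

# volsnap writes Event 25 to the System log when it discards a volume's shadow copies.
$deletions = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'volsnap'; Id = 25; StartTime = $since
} -ErrorAction SilentlyContinue)

# Kernel-General Event 12 ("The operating system started at ...") is logged once per boot.
$boots = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 12; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

# Most recent boot at or before $Time, or $null when none falls inside the window.
function Get-LastBootBefore([datetime]$Time) {
    $last = $null
    foreach ($b in $boots) {
        if ($b.TimeCreated -le $Time) { $last = $b.TimeCreated } else { break }
    }
    return $last
}

$rows = foreach ($e in $deletions) {
    $boot = Get-LastBootBefore $e.TimeCreated
    $minutes = $null
    if ($boot) { $minutes = [math]::Round(($e.TimeCreated - $boot).TotalMinutes, 1) }
    $volume = '?'
    if ($e.Message -match 'volume (\S+) were deleted') { $volume = $matches[1] }
    New-Object PSObject -Property @{
        Deleted = $e.TimeCreated; Volume = $volume; LastBoot = $boot; MinutesAfterBoot = $minutes
    }
}

if (-not $rows) {
    Write-Host "No volsnap Event 25 in the last $Days days."
} else {
    $rows | Sort-Object Deleted | Format-Table Deleted, Volume, LastBoot, MinutesAfterBoot -AutoSize
}

# Shadow storage per volume: the Used/Allocated/Maximum figures that
# 'vssadmin list shadowstorage' prints, taken from Win32_ShadowStorage instead.
$letters = @{}
foreach ($v in Get-WmiObject Win32_Volume) { $letters[$v.DeviceID] = $v.DriveLetter }
$storage = foreach ($s in Get-WmiObject Win32_ShadowStorage) {
    $forVol  = ([wmi]$s.Volume).DeviceID      # the volume being shadowed
    $diffVol = ([wmi]$s.DiffVolume).DeviceID  # where its diff area lives
    New-Object PSObject -Property @{
        ForVolume   = $letters[$forVol]
        OnVolume    = $letters[$diffVol]
        UsedMB      = [math]::Round($s.UsedSpace / 1MB)
        AllocatedMB = [math]::Round($s.AllocatedSpace / 1MB)
        MaxMB       = [math]::Round($s.MaxSpace / 1MB)
    }
}
$storage | Format-Table ForVolume, OnVolume, UsedMB, AllocatedMB, MaxMB -AutoSize
```

A run of MinutesAfterBoot values in the low single digits, with UsedMB far below MaxMB, says the diff area is being discarded under startup IO pressure rather than hitting its quota, which is the case the event text describes. A run of values that bear no relation to boot time, or UsedMB close to MaxMB, points back at the storage limit instead.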


#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:05 AM

Posted 02 July 2014 - 06:34 AM



Run a CHKDSK and defrag the volume c:

===

Follow the instructions on this page.
http://www.sevenforums.com/tutorials/57746-system-restore-general-troubleshooting-fix-issues.html?ltr=S

Any question on this issue should be asked in the Windows 7 Forum
http://www.bleepingcomputer.com/forums/forum167.html

This is really not my forte.
===

#15 TrueGB

TrueGB
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 02 July 2014 - 01:23 PM

In that case, I'll try another forum.

Edited by TrueGB, 02 July 2014 - 01:23 PM.
