
Possible malware from USBs...which are infecting other USBs...


19 replies to this topic

#1 theroguejedi


Posted 24 June 2014 - 07:00 PM

Hello,

I'm helping my kindly old prof out with his computer and I have a funny feeling that malware is involved, but I'm not sure how to get rid of it.

The Situ:
* His USB was lent to a colleague for class and returned. I have feeling the issue came from there but I am not sure.
* When that returned USB (USB 1) was plugged back into the computer it wound up with
     * almost all the files being hidden.  Since I have the option to show all files, they were shaded in gray.
     * the following suspicious file: chrome.exe
     * the following suspicious shortcuts, all targeting "chrome.exe": backup, Directory, Documents, Downloads (see attached screenshot)
* Chrome is not used on the computer, which is suspicious
* A second USB (USB 2) was plugged in, and it seemed fine at first.  But when checked a second time, it looked like USB 1 (chrome.exe, shortcuts, etc)
* I searched online for solutions to this and couldn't find any
* I ran Endpoint, Spybot S&D, MalwareBytes & MBR
     * the antivirus box to scan the USB drives are grayed out
     * MalwareBytes found the following, but under C:/, not any of the USBs: PUP.Optional.SearchProtect.A, PUP.Optional.Trovi, PUP.Optional.InstallCore.A, Malware.Trace & Trojan.Agent
     * none of the other ones found anything else
* When I checked this morning, the shortcuts seem to "remodify" (for lack of a better word) themselves (see Date Modified in pic attached)
* I don't know if it's related at all but I found something called "vctray.exe" in the appdata.  I looked it up and supposedly it is something Sony-related, but there are no Sony products either on the computer or gadgets. It also seems to start up with Windows and I shut that down.
* About a week ago, I manually deleted something called "Search Protect." I don't know if that's related. I also don't know if I got it all out.
* Privacy is a concern so I've changed personally identifying info (proxy, etc)

* Windows 64-bit, Windows 7 but it is sloowwwwww
* I don't have 24/7 access to the computer, so please give me some time to respond

Thank you!

Attached Files
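A defender-side triage script for the pattern described in this post (shortcuts named after the drive's own folders, all launching one executable from the root), added here as an example; it is not from the thread or from any tool mentioned in it. It reads the .lnk files with a minimal parser for the Shell Link format rather than resolving them through Explorer, builds a constructed sample drive in a temp directory, and also reports whether an autorun.inf guard folder of the kind post #4 describes is present.

```python
"""Triage a removable drive for folder-named shortcuts that all launch one executable."""
import os
import struct
import tempfile
from collections import Counter

# Shell Link (.lnk) layout constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
FILE_ATTRIBUTE_HIDDEN = 0x02


def parse_lnk(data: bytes) -> dict:
    """Read the StringData fields of a .lnk without resolving or launching it."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:        # LinkTargetIDList: uint16 size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:      # LinkInfo: its first uint32 is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:    # count-prefixed strings, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return fields


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal .lnk; used only to construct the sample drive below."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # 76-byte header
    strings = [relative_path] + ([arguments] if arguments else [])
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in strings)


def is_hidden(entry: os.DirEntry) -> bool:
    # st_file_attributes exists on Windows only; elsewhere fall back to dot-names.
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")


def triage_drive(root: str) -> dict:
    """Flag root-level shortcuts named after sibling folders that share one launcher."""
    dirs, hidden_dirs, files, targets = set(), set(), set(), {}
    for entry in os.scandir(root):
        if entry.is_dir(follow_symlinks=False):
            dirs.add(entry.name)
            if is_hidden(entry):
                hidden_dirs.add(entry.name)
            continue
        files.add(entry.name)
        if entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                try:
                    fields = parse_lnk(fh.read())
                except ValueError:
                    continue
            # Shortcuts that carry the target only in the IDList show an empty path here.
            target = fields.get("relative_path", "")
            if fields.get("arguments"):
                target += " " + fields["arguments"]
            targets[entry.name[:-4]] = target
    decoys = {name for name in targets if name in dirs}
    launchers = Counter(targets[name] for name in decoys)
    launcher = launchers.most_common(1)[0][0] if launchers else None
    launcher_file = launcher.split()[0].replace("\\", "/").rsplit("/", 1)[-1] if launcher else ""
    autorun = os.path.join(root, "autorun.inf")
    return {
        "decoy_shortcuts": sorted(decoys),
        "hidden_decoy_folders": sorted(decoys & hidden_dirs),
        "launcher": launcher,
        "launcher_present": launcher_file in files,
        "autorun_inf": "folder" if os.path.isdir(autorun) else
                       "file" if os.path.isfile(autorun) else "absent",
        "suspicious": len(decoys) >= 2 and bool(launcher),
    }


def make_sample_drive() -> str:
    """Construct a temp directory mimicking the infected drive described in post #1."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for name in ("backup", "Directory", "Documents", "Downloads"):
        os.mkdir(os.path.join(root, name))
        with open(os.path.join(root, name + ".lnk"), "wb") as fh:
            fh.write(build_lnk(".\\chrome.exe"))
    with open(os.path.join(root, "chrome.exe"), "wb") as fh:
        fh.write(b"placeholder, not a real binary")
    os.mkdir(os.path.join(root, "autorun.inf"))   # guard folder of the kind post #4 describes
    return root


if __name__ == "__main__":
    for key, value in triage_drive(make_sample_drive()).items():
        print(f"{key}: {value}")
```

Point `triage_drive` at a real drive root (for example `E:\`) to run it against a suspect stick; on Windows the hidden-attribute check then reports which decoy folders the worm hid.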





#2 HelpBot


Posted 29 June 2014 - 07:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/538895 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 theroguejedi


Posted 30 June 2014 - 10:44 PM

Yes, still very much need help, especially since my prof really, really, really needs his computer for his research. 

Here's what has changed since the last time. Please read the last post as well, as the following is additional info:

* I ran another Malwarebytes scan on the USB drives, which haven't been unplugged since the presumed infection. It came up with one PUP.Optional.SearchProtect.A, which I quarantined as Search Protect is not a program my prof wants and just showed up out of nowhere.  The chrome files, shortcuts, etc are still in the USBs, however.  (see last post's attached pic)

* I don't know if the malware has grown, but now Firefox will not keep its cookies settings.  It's normally set to deny all, with per site session permissions. Now, if I shut it down and start it back up, it goes back to allowing all cookies despite me changing it.  I've deleted the cookies.sqlite,  preferences.sqlite and prefs.js but it still keeps happening.

* In addition, a file called vctray.exe is showing up hidden in appdata/roaming. I looked online and it seems to be connected to something called VisualCron.  I checked to see if VisualCron was in our programs, and it is not, and we don't want it.  Must be malware?

* I ran AdwCleaner.
     * It found other things on C:/, which it wouldn't delete, so I went and deleted them all manually.  (They were malware from previous users, like HooApp, etc)
     * It won't generate any logs and it says "file not found," else I would attach them here.
     * The files are also still in the USBs, despite AdwCleaner.

* Still running Windows 7, 64-bit

* Assume I don't have the original Windows DVD

* Again, I have anonymized the logs and changed the proxies, IPs.

 

Thank you very much in advance.

Attached Files



#4 nasdaq (Malware Response Team)

Posted 01 July 2014 - 08:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please execute the following in the order listed.

Flash Disinfector from sUBs

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Let me know what problem persists.

#5 theroguejedi (Topic Starter)

Posted 01 July 2014 - 08:26 PM

Hey there, nasdaq,

Thank you so much for replying quickly!  It's a huge relief.

Just to let you know: I'm having trouble downloading Flash Disinfector, as it is blocked by the network firewall, and for various and sundry un-fun reasons, it's not something I can disable or get someone to.

Is there another place I can download it?

Everything else downloaded just fine.

The only other thing I've noticed since then is that aside from Firefox not keeping the cookie settings, it is now redirecting addresses typed into the address bar to Amazon.  I typed in "https://www.bleepingcomputer.com" and it redirected to search "https://www.bleepingcomputer.com" in Amazon.  Why is it doing that?  Argh.

Thanks again



#6 theroguejedi (Topic Starter)

Posted 02 July 2014 - 03:35 AM

Hi again, nasdaq,

So...I found a sacrificial USB and got the Flash Disinfector, but I don't think it runs.  I double click and nothing happens.  No dialogs, no nothing.  No autorun.inf either.

I didn't move on to the next programs, as per your instructions.

However, my prof has an important meeting coming up and he really needs the USBs as well as the computer, so I reformatted both USBs and uninstalled/reinstalled Firefox.  The files seem to be gone and Firefox seems to now retain settings.

Does this solve the issue/is there any way to check?  I have heard that viruses/malware survive even reformatting, so I'm reluctant to leave it right here.  Plus there's that random vctray.exe thing in the appdata that still hasn't been figured out.

I'm very sorry we couldn't follow your instructions and had to reformat/reinstall! :( I hope we can still be helped, though, as I think the malware has spread beyond the USBs.



#7 nasdaq (Malware Response Team)

Posted 02 July 2014 - 08:02 AM

"I have heard that viruses/malware survive even reformatting so I'm reluctant to leave it right here"

If you do not boot from the USB you should be OK.

Is VCTray.exe from this Co.?
http://systemexplorer.net/file-database/file/vctray-exe/14617856

You can submit the file here and find out if it's clean.
https://www.virustotal.com/

Post the FRST log as previously requested.

#8 theroguejedi (Topic Starter)

Posted 03 July 2014 - 08:28 PM

Hi, nasdaq,

Thank you about the USBs.  That makes me feel better.

I think vctray.exe is from that company; I looked it up as well, but that program isn't used at all.  It seems like malware to me.

Here's the log, with the same things anonymized as before.  I'm not going to have access to this computer over the coming weekend, though, so I might be a bit late in replying.

====

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-07-2014
Ran by User1 (administrator) on Desk Computer 02 on 04-07-2014 08:49:32
Running from C:\Users\User1\Desktop\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Bartels Media GmbH) C:\Program Files (x86)\PhraseExpress\phraseexpress.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Elias Fotinis) C:\Program Files (x86)\DeskPins\DeskPins.exe
(Dropbox, Inc.) C:\Users\User1\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1437064 2011-10-29] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [108144 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2099200 2014-04-13] (Dominik Reichl)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer\Run: [1] => iexplore.exe internal.xyz.edu No File
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Run: [LHFDaphne] => C:\Program Files\DRK\Daphne_x64\Daphne.exe [591872 2012-10-23] (Leandro H. Fernández)
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566984 2014-04-25] (Safer-Networking Ltd.)
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [1] FreemakeVideoDownloader.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [2] u10*.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [3] u11*.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [4] u12%.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [5] u1201.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [6] u1202.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [7] u1203.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [8] u1210.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [9] u1301.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [10] ytd.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [11] u1204.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer\DisallowRun: [12] u1205.exe
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-2115746752-2439760008-272883147-13346\...\Policies\Explorer: [DisallowCpl] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PhraseExpress.lnk
ShortcutTarget: PhraseExpress.lnk -> C:\Program Files (x86)\PhraseExpress\phraseexpress.exe (Bartels Media GmbH)
Startup: C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\   .lnk
ShortcutTarget:    .lnk -> C:\Users\User1\AppData\Roaming\csrss.exe (No File)
Startup: C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeskPins.lnk
ShortcutTarget: DeskPins.lnk -> C:\Program Files (x86)\DeskPins\DeskPins.exe (Elias Fotinis)
Startup: C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\User1\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

ProxyServer: xyz.edu
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ph.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF7BA45A89C53CF01
SearchScopes: HKLM - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 - DefaultScope value is missing.
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 000.00.0.000

FireFox:
========
FF ProfilePath: C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default
FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine: DuckDuckGo
FF Homepage: chrome://speeddial/content/speeddial.xul
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_214.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=16.0.0.282 - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.0.282 - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\searchplugins\duckduckgo.xml
FF Extension: Click&Clean - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\clickclean@hotcleaner.com [2014-07-02]
FF Extension: HTTPS-Everywhere - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\https-everywhere@eff.org [2014-07-02]
FF Extension: FEBE - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3} [2014-07-02]
FF Extension: All-in-One Gestures - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055} [2014-07-02]
FF Extension: WOT - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-07-02]
FF Extension: Disconnect - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\2.0@disconnect.me.xpi [2014-07-02]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\adblockpopups@jessehakanen.net.xpi [2014-07-02]
FF Extension: DownThemAll! AntiContainer - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\anticontainer@downthemall.net.xpi [2014-07-02]
FF Extension: Ghostery - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\firefox@ghostery.com.xpi [2014-07-02]
FF Extension: Webmail Ad Blocker - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\gmailnoads@mywebber.com.xpi [2014-07-02]
FF Extension: DuckDuckGo Plus - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi [2014-07-02]
FF Extension: Private Tab - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\privateTab@infocatcher.xpi [2014-07-02]
FF Extension: Redirect Cleaner - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\redirectcleaner@example.net.xpi [2014-07-02]
FF Extension: All-in-One Sidebar - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi [2014-07-02]
FF Extension: Speed Dial - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{64161300-e22b-11db-8314-0800200c9a66}.xpi [2014-07-02]
FF Extension: NoScript - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-07-02]
FF Extension: Cookie Controller - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{ac2cfa60-bc96-11e0-962b-0800200c9a66}.xpi [2014-07-02]
FF Extension: NoRedirect - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{c1970c0d-dbe6-4d91-804f-c9c0de643a57}.xpi [2014-07-02]
FF Extension: Adblock Plus - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-07-02]
FF Extension: Tab Mix Plus - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2014-07-02]
FF Extension: DownThemAll! - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-07-02]
FF HKLM-x32\...\Firefox\Extensions: [{34712C68-7391-4c47-94F3-8F88D49AD632}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-01-31]

==================== Services (Whitelisted) =================

R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1684848 2012-02-20] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [605040 2012-02-20] (Microsoft Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50472 2011-12-06] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50472 2011-12-06] (Microsoft Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12768 2011-09-02] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [288256 2011-09-02] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [374640 2012-02-20] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

==================== Drivers (Whitelisted) ====================

R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [189424 2011-10-05] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [84864 2011-10-05] (Microsoft Corporation)
R3 prepdrvr; C:\Windows\CCM\prepdrv.sys [26992 2012-02-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-07-04 08:49 - 2014-07-04 08:49 - 00000000 ____D () C:\FRST
2014-07-03 08:51 - 2014-07-03 08:51 - 00000000 ____D () C:\Users\User1\AppData\Local\VirtualStore
2014-07-03 08:50 - 2014-07-03 08:50 - 00000330 _____ () C:\Windows\PFRO.log
2014-07-02 15:43 - 2014-07-02 15:43 - 00001163 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-07-02 15:43 - 2014-07-02 15:43 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Mozilla
2014-07-02 15:43 - 2014-07-02 15:43 - 00000000 ____D () C:\Users\User1\AppData\Local\Mozilla
2014-07-02 15:43 - 2014-07-02 15:43 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-07-02 15:41 - 2014-07-02 15:41 - 00004764 _____ () C:\Windows\system32\CcmFramework.ini
2014-07-02 15:41 - 2014-07-02 15:41 - 00000621 _____ () C:\Windows\system32\CcmFramework.h
2014-07-02 15:40 - 2014-07-02 15:40 - 00000000 ____D () C:\Windows\ms
2014-07-02 15:28 - 2014-07-04 07:31 - 00000280 _____ () C:\Windows\setupact.log
2014-07-02 15:28 - 2014-07-02 15:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-07-02 14:50 - 2014-07-02 14:50 - 00002786 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-07-02 14:50 - 2014-07-02 14:50 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-07-02 14:50 - 2014-07-02 14:50 - 00000000 ____D () C:\Program Files\CCleaner
2014-07-02 14:29 - 2014-07-02 14:29 - 00003174 _____ () C:\Windows\System32\Tasks\{BBE0A96A-A619-4F0E-8158-3E6D18B6EE1E}
2014-06-23 08:03 - 2014-06-23 08:31 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-22 15:46 - 2014-06-22 15:46 - 00000165 _____ () C:\Windows\wininit.ini
2014-06-15 10:02 - 2009-06-11 05:00 - 00000824 _____ () C:\Windows\system32\Drivers\etc\hosts.20140615-100232.backup
2014-06-15 09:22 - 2014-06-15 09:22 - 00003274 _____ () C:\Windows\System32\Tasks\{C80B33BA-7F79-4056-90AD-FE426F934280}
2014-06-15 09:01 - 2014-06-15 09:01 - 00003292 _____ () C:\Windows\System32\Tasks\{7FCB5B74-89D2-46D5-B5EB-D51B6832D20F}
2014-06-15 08:49 - 2014-07-02 15:07 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-15 08:28 - 2014-06-15 10:10 - 00000000 ____D () C:\Users\User1\AppData\Roaming\CDisplayEx
2014-06-15 08:22 - 2014-06-15 08:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDisplayEx
2014-06-15 08:22 - 2014-06-15 08:22 - 00000000 ____D () C:\Program Files\CDisplayEx
2014-06-12 13:26 - 2014-04-25 10:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-06-12 13:26 - 2014-04-25 10:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usp10.dll
2014-06-12 13:25 - 2014-04-05 10:47 - 01903552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-06-12 13:25 - 2014-04-05 10:47 - 00288192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2014-06-12 13:24 - 2014-03-26 22:44 - 02002432 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-06-12 13:24 - 2014-03-26 22:44 - 01882112 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-06-12 13:24 - 2014-03-26 22:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2014-06-12 13:24 - 2014-03-26 22:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-06-12 13:24 - 2014-03-26 22:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2014-06-12 13:24 - 2014-03-26 22:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-06-12 13:24 - 2014-03-26 22:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6r.dll
2014-06-12 13:24 - 2014-03-26 22:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-06-12 13:23 - 2014-05-08 17:32 - 03178496 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-06-12 13:23 - 2014-05-08 17:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2014-06-12 13:17 - 2014-05-24 10:48 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-06-12 13:17 - 2014-05-24 10:47 - 01366016 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 03958784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 02650112 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-06-12 13:17 - 2014-05-24 10:46 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-06-12 13:17 - 2014-05-24 10:45 - 01508864 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-06-12 13:17 - 2014-05-24 10:45 - 00452096 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-06-12 13:17 - 2014-05-24 10:45 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-06-12 13:17 - 2014-05-24 09:26 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-06-12 13:17 - 2014-05-24 09:26 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-06-12 13:17 - 2014-05-24 09:26 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-06-12 13:17 - 2014-05-24 09:26 - 00080896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 02862080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 02050560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 01440768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-06-12 13:17 - 2014-05-24 09:25 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-06-12 13:17 - 2014-05-24 09:25 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-06-12 13:17 - 2014-05-24 09:09 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-06-12 13:17 - 2014-05-24 09:03 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-06-12 13:17 - 2014-05-24 08:13 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-06-12 13:17 - 2014-05-24 08:06 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-06-12 13:16 - 2014-05-24 10:47 - 02239488 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-06-12 13:16 - 2014-05-24 10:46 - 19290112 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-06-12 13:16 - 2014-05-24 10:46 - 15368704 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-06-12 13:16 - 2014-05-24 10:46 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-06-12 13:16 - 2014-05-24 09:26 - 14365696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-06-12 13:16 - 2014-05-24 09:26 - 01766400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-06-12 13:16 - 2014-05-24 09:25 - 13731328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-06-12 13:16 - 2014-05-24 09:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-06-08 13:50 - 2014-06-08 13:50 - 00003352 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2115746752-2439760008-272883147-13346
2014-06-08 13:50 - 2014-06-08 13:50 - 00003232 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2115746752-2439760008-272883147-13346
2014-06-08 12:08 - 2014-06-08 12:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-06-08 12:07 - 2014-06-08 12:08 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-06-08 12:07 - 2014-06-08 12:08 - 00000000 ____D () C:\Program Files\iTunes
2014-06-08 12:07 - 2014-06-08 12:08 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-06-08 12:07 - 2014-06-08 12:07 - 00000000 ____D () C:\Program Files\iPod

==================== One Month Modified Files and Folders =======

2014-07-04 08:49 - 2014-07-04 08:49 - 00000000 ____D () C:\FRST
2014-07-04 08:43 - 2014-04-22 13:57 - 00000000 ___RD () C:\Users\User1\Dropbox
2014-07-04 08:43 - 2014-04-22 13:56 - 00000000 ____D () C:\Users\User1\AppData\Roaming\DropboxMaster
2014-07-04 08:43 - 2014-04-22 13:46 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Dropbox
2014-07-04 08:43 - 2013-01-31 09:23 - 01150728 _____ () C:\Windows\WindowsUpdate.log
2014-07-04 08:42 - 2014-04-10 16:05 - 00000368 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_IT.job
2014-07-04 08:42 - 2013-01-31 11:39 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-04 08:42 - 2013-01-31 09:40 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2014-07-04 08:03 - 2013-01-31 11:39 - 00000906 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-04 07:51 - 2014-04-10 14:33 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-07-04 07:39 - 2009-07-14 12:45 - 00022000 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-04 07:39 - 2009-07-14 12:45 - 00022000 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-04 07:34 - 2013-01-31 11:28 - 00000548 _____ () C:\Windows\SMSCFG.ini
2014-07-04 07:31 - 2014-07-02 15:28 - 00000280 _____ () C:\Windows\setupact.log
2014-07-04 07:31 - 2009-07-14 13:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-07-03 16:35 - 2014-04-09 10:57 - 00000000 ____D () C:\Users\User1\Documents\PhraseExpress
2014-07-03 16:06 - 2014-04-10 16:05 - 00000358 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_IT.job
2014-07-03 15:06 - 2014-04-10 16:05 - 00000362 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_IT.job
2014-07-03 14:25 - 2014-05-01 11:25 - 00000000 ____D () C:\Users\User1\Documents\Calibre Library
2014-07-03 13:18 - 2013-01-31 09:44 - 00052858 __RSH () C:\ProgramData\ntuser.pol
2014-07-03 09:02 - 2013-01-31 11:05 - 00000000 ____D () C:\Windows\ccmsetup
2014-07-03 08:51 - 2014-07-03 08:51 - 00000000 ____D () C:\Users\User1\AppData\Local\VirtualStore
2014-07-03 08:50 - 2014-07-03 08:50 - 00000330 _____ () C:\Windows\PFRO.log
2014-07-02 16:10 - 2014-04-09 10:36 - 00000000 ____D () C:\Users\User1\Documents\Backups Techology
2014-07-02 15:43 - 2014-07-02 15:43 - 00001163 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-07-02 15:43 - 2014-07-02 15:43 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Mozilla
2014-07-02 15:43 - 2014-07-02 15:43 - 00000000 ____D () C:\Users\User1\AppData\Local\Mozilla
2014-07-02 15:43 - 2014-07-02 15:43 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-07-02 15:41 - 2014-07-02 15:41 - 00004764 _____ () C:\Windows\system32\CcmFramework.ini
2014-07-02 15:41 - 2014-07-02 15:41 - 00000621 _____ () C:\Windows\system32\CcmFramework.h
2014-07-02 15:41 - 2013-01-31 11:28 - 00000000 ____D () C:\Windows\CCM
2014-07-02 15:41 - 2009-07-14 13:13 - 00801548 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-07-02 15:40 - 2014-07-02 15:40 - 00000000 ____D () C:\Windows\ms
2014-07-02 15:39 - 2014-07-02 15:39 - 00000000 ____D () C:\Users\User1\AppData\Local\Temp 02
2014-07-02 15:28 - 2014-07-02 15:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-07-02 15:16 - 2014-04-22 14:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2014-07-02 15:16 - 2014-04-22 14:24 - 00000000 ____D () C:\Program Files (x86)\Calibre2
2014-07-02 15:10 - 2013-01-31 11:39 - 00000000 ____D () C:\Program Files (x86)\Google
2014-07-02 15:07 - 2014-06-15 08:49 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-02 15:07 - 2014-04-22 14:18 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Notepad++
2014-07-02 14:56 - 2013-02-01 01:16 - 00000000 ____D () C:\Windows\Panther
2014-07-02 14:50 - 2014-07-02 14:50 - 00002786 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-07-02 14:50 - 2014-07-02 14:50 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-07-02 14:50 - 2014-07-02 14:50 - 00000000 ____D () C:\Program Files\CCleaner
2014-07-02 14:29 - 2014-07-02 14:29 - 00003174 _____ () C:\Windows\System32\Tasks\{BBE0A96A-A619-4F0E-8158-3E6D18B6EE1E}
2014-06-29 13:35 - 2014-04-22 15:29 - 00000000 ____D () C:\Users\User1\AppData\Roaming\Skype
2014-06-29 09:18 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\schemas
2014-06-27 09:10 - 2014-04-12 15:15 - 00000000 ____D () C:\Windows\System32\Tasks\Games
2014-06-23 13:43 - 2014-04-08 14:43 - 00000000 ____D () C:\Users\User1\AppData\Local\Microsoft Help
2014-06-23 08:31 - 2014-06-23 08:03 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-23 08:02 - 2014-05-01 11:48 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-23 07:37 - 2009-07-14 13:08 - 00032632 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-22 21:58 - 2013-01-31 11:39 - 00003902 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-22 21:58 - 2013-01-31 11:39 - 00003650 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-22 16:04 - 2009-07-14 11:20 - 00000000 ____D () C:\Windows\Registration
2014-06-22 15:46 - 2014-06-22 15:46 - 00000165 _____ () C:\Windows\wininit.ini
2014-06-22 15:46 - 2014-05-01 11:51 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-06-15 10:10 - 2014-06-15 08:28 - 00000000 ____D () C:\Users\User1\AppData\Roaming\CDisplayEx
2014-06-15 09:42 - 2014-05-01 11:51 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-06-15 09:22 - 2014-06-15 09:22 - 00003274 _____ () C:\Windows\System32\Tasks\{C80B33BA-7F79-4056-90AD-FE426F934280}
2014-06-15 09:09 - 2014-05-01 11:48 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-15 09:01 - 2014-06-15 09:01 - 00003292 _____ () C:\Windows\System32\Tasks\{7FCB5B74-89D2-46D5-B5EB-D51B6832D20F}
2014-06-15 08:53 - 2014-05-01 11:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-15 08:22 - 2014-06-15 08:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDisplayEx
2014-06-15 08:22 - 2014-06-15 08:22 - 00000000 ____D () C:\Program Files\CDisplayEx
2014-06-15 07:21 - 2014-04-22 15:28 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-06-15 07:21 - 2013-05-07 14:17 - 00000000 ____D () C:\ProgramData\Skype
2014-06-13 13:03 - 2014-05-01 11:32 - 00000000 ____D () C:\Users\User1\AppData\Local\calibre-cache
2014-06-13 13:02 - 2014-05-01 11:25 - 00000000 ____D () C:\Users\User1\AppData\Roaming\calibre
2014-06-12 13:16 - 2013-01-31 12:34 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-06-08 13:50 - 2014-06-08 13:50 - 00003352 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2115746752-2439760008-272883147-13346
2014-06-08 13:50 - 2014-06-08 13:50 - 00003232 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2115746752-2439760008-272883147-13346
2014-06-08 12:08 - 2014-06-08 12:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-06-08 12:08 - 2014-06-08 12:07 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-06-08 12:08 - 2014-06-08 12:07 - 00000000 ____D () C:\Program Files\iTunes
2014-06-08 12:08 - 2014-06-08 12:07 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-06-08 12:07 - 2014-06-08 12:07 - 00000000 ____D () C:\Program Files\iPod

Some content of TEMP:
====================
C:\Users\User1\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphs__cn.dll
C:\Users\User1\AppData\Local\Temp\nircmd.exe
C:\Users\User1\AppData\Local\Temp\pv.exe
C:\Users\User1\AppData\Local\Temp\vfind.exe
C:\Users\IT\AppData\Local\Temp\vlc-2.1.3-win32.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-06-28 09:09

==================== End Of Log ============================
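The FRST log above is long, and the lines worth a second look are scattered through it. The following is an added example (not code from the thread, and not part of FRST itself) of a small triage helper for this log format: it parses the file-listing, service, task and shortcut line shapes seen above and flags the lines a reviewer would examine first. The selection rules are the editor's own heuristics, the sample log is assembled from lines in the thread plus one constructed line marked as such, and the "(company)" field FRST prints is the file's version-info publisher, not a signature check, so an empty value is only a prompt to look closer.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log excerpts.

Added example, not part of the thread or of FRST itself.  The rules below
are heuristics chosen by the editor: they surface lines FRST already marked
"<==== ATTENTION", entries whose target no longer exists ("No File",
"No Task File" or "[X]"), and executables in user-writable locations.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# "One Month Created/Modified Files" entries:
#   <modified> - <created> - <size> <attrs> (<company>) <path>
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
BARE_PATH = re.compile(r"^[A-Za-z]:\\")          # "Some content of TEMP" lines
ORPHAN = re.compile(r"\bNo (Task )?File\b")      # target binary/task file missing
ATTENTION = re.compile(r"<=+ ATTENTION")

# Locations a standard user can write to; an executable here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Finding:
    reason: str
    line: str


def _exec_in_user_writable(path: str) -> bool:
    lp = path.lower()
    return lp.endswith(EXEC_EXT) and any(seg in lp for seg in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer should examine, each with its reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " => File is digitally signed" in line:
            continue  # blank, or a system file FRST already verified
        if ATTENTION.search(line):
            findings.append(Finding("flagged by FRST", line))
        elif line.endswith("[X]") or ORPHAN.search(line):
            # Registry, service, task or shortcut entry pointing at nothing
            findings.append(Finding("orphaned reference", line))
        elif (m := FILE_LINE.match(line)):
            if not m.group("company") and _exec_in_user_writable(m.group("path")):
                findings.append(Finding("no-publisher executable in user-writable path", line))
        elif BARE_PATH.match(line) and _exec_in_user_writable(line):
            findings.append(Finding("executable in TEMP listing", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, for a quick overview before reading lines."""
    return dict(Counter(f.reason for f in findings))


SAMPLE_LOG = "\n".join([
    # Lines copied from the FRST output and fixlist in the thread:
    r"R2 MsMpSvc; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [12768 2011-09-02] (Microsoft Corporation)",
    r'S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]',
    r"Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]",
    r"HKLM\...\Policies\Explorer\Run: [1] => iexplore.exe internal.xyz.edu No File",
    r"ShortcutTarget:    .lnk -> C:\Users\User1\AppData\Roaming\csrss.exe (No File)",
    r"2014-06-15 08:49 - 2014-07-02 15:07 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys",
    r"2014-06-12 13:26 - 2014-04-25 10:34 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll",
    r"2014-07-02 14:50 - 2014-07-02 14:50 - 00002786 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC",
    r"C:\Users\User1\AppData\Local\Temp\nircmd.exe",
    r"C:\Users\User1\AppData\Local\Temp\pv.exe",
    r"Task: {28BF8E1E-2D59-4CE5-AD66-93939C20B988} - \Hoolapp For Android No Task File <==== ATTENTION",
    r"HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION",
    r"C:\Windows\System32\winlogon.exe => File is digitally signed",
    # Constructed line (not in the thread) to exercise the no-publisher rule:
    r"2014-07-01 12:00 - 2014-07-01 12:00 - 00012345 _____ () C:\Users\User1\AppData\Local\Temp\example_tool.exe",
])


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for reason, count in summarize(results).items():
        print(f"{count:2d}  {reason}")
    for f in results:
        print(f"[{f.reason}] {f.line}")
```

The output is a review list, not a fixlist: every flagged line still needs the judgement the helper in this thread applies (for example, the Group Policy lines were left to the network administrator, and the missing Dropbox overlay handlers are harmless leftovers).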




#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 July 2014 - 09:58 AM

Rename the file vctray.exe to vctray.exe.old
If a program needs it you will get an error message.
If all is well you can delete it after a week of using the computer.
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer\Run: [1] => iexplore.exe internal.xyz.edu No File
ShortcutTarget:    .lnk -> C:\Users\User1\AppData\Roaming\csrss.exe (No File)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM-x32 - DefaultScope value is missing.
FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine: DuckDuckGo
FF Homepage: chrome://speeddial/content/speeddial.xul
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF SearchPlugin: C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\searchplugins\duckduckgo.xml
FF Extension: DuckDuckGo Plus - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi [2014-07-02]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
C:\Users\User1\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmphs__cn.dll
C:\Users\User1\AppData\Local\Temp\nircmd.exe
C:\Users\User1\AppData\Local\Temp\pv.exe
C:\Users\User1\AppData\Local\Temp\vfind.exe
C:\Users\IT\AppData\Local\Temp\vlc-2.1.3-win32.exe
Task: {28BF8E1E-2D59-4CE5-AD66-93939C20B988} - \Hoolapp For Android No Task File <==== ATTENTION
Task: {B08BBEB4-120C-4E2F-8EF4-D1C9DC3FFB51} - \QtraxPlayer No Task File <==== ATTENTION
Task: {BE1BFF9D-3877-4294-9CC9-9BD0763AE875} - \Hoolapp Init No Task File <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

I need to check further.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
==============

#10 theroguejedi

theroguejedi
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male

Posted 06 July 2014 - 05:59 AM

Hi, nasdaq,

 

Thanks for replying!  I just have a couple of n00b questions about the code:

  • Will it delete the group policy restrictions on the computer? I'm not sure if I'm allowed to do that as the computer's on a network.
  • Will it change the default search engine?  I put duckduckgo on there on purpose.
  • Is the duckduckgo extension for FF malware and phoning home? I'll delete it if so.
  • I deleted Google Update (memory hog/phone home), HoolApp and QTrax Player (Malwarebytes listed them as malware).  Will the code just delete these entries from the registry? I hope so. The only Google product on the computer that is not web-based is Google Earth, which I intend to update manually. I'm not 100% sure about this but it seems all these background update programs, though tiny, seem to be slowing the computer down, so I'd rather just check periodically myself every so often.

Sorry if these are forehead slap questions...

 

Also, there's been a change in schedule so I might not be able to get to the computer tomorrow. Please keep the thread open as I'm not going anywhere :)

 

Thanks again



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 July 2014 - 08:17 AM

HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION

Ask the Administrator. If not sure leave remove the entry in my fix. You find out after testing the system if it's causing problems.

===


http://www.systemlookup.com/FF_Extensions/2818-jid1_ZAdIEUB7XOzOJw_jetpack_xpi.html
Your call if you want to keep it.

FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine: DuckDuckGo
C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\searchplugins\duckduckgo.xml
FF Extension: DuckDuckGo Plus - C:\Users\User1\AppData\Roaming\Mozilla\Firefox\Profiles\n6fo1zvz.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi [2014-07-02]

===
 

I'm not 100% sure about this but it seems all these background update programs, though tiny, seem to be slowing the computer down, so I'd rather just check periodically myself every so often.

The slowdown is very limited. I'd rather be safe than sorry.

#12 theroguejedi

theroguejedi
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male

Posted 07 July 2014 - 06:05 AM

If not sure leave remove the entry in my fix.

Wait, leave or remove?

Your call if you want to keep it.

My mistake. Thank you for pointing that out - it's going in the trash.

The slowdown is very limited. I'd rather be safe than sorry.

Oh. So it's worth running them despite the slowdown? If so, please let me know - I'll remember it for the future! :)

Thank you again for your patience and kindness! Pending no schedule changes (though who knows) I should be back tomorrow, or the day after at the latest.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 July 2014 - 06:51 AM

Wait, leave or remove?

Sorry, it should read "If not sure leave it, remove the entry line from my fix."

Oh. So it's worth running them despite the slowdown?

With the speed of computers today I would leave them.

But if the computer is used for on-line games, well, maybe they are a nuisance.

#14 theroguejedi

theroguejedi
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male

Posted 08 July 2014 - 07:12 PM

Hi, nasdaq,

 

Thank you for your reply and points.  I've removed the Group Policy lines (just in case), but have left the updates.

 

I tried to run FRST64 as recommended. It started to run, then it updated, then nothing happened. Then I started to get the error message (as attached). I've redownloaded it twice, with the same error message. The network has now blocked it as malware. (Ack.)

 

What are next steps?




#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 July 2014 - 08:39 AM

That program is not malware.
We use it every day.

Who is responsible for this network?

===

You can try to run this tool.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
==============



