Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

windows startup virus


  • This topic is locked This topic is locked
6 replies to this topic

#1 oalmi

oalmi

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 29 June 2014 - 01:35 PM

Ok, so I opened my computer a few hours ago and google was funny, with only chat written anywhere there was supposed to be language. smelled like a virus, so I closed it, and restarted my computer only to find out that now windows does not start, t keeps prompting system repairs, and it looks like a virus even more.
I read some of the posts, downloaded through another computer the Farbar software onto a diskonkey, restarted, F8, system recovery, command prompt, notepad, checked the letter of my USB, tried to write it in the notepad... and nothing happened!!
tried with both 32 and 64 as am not sure about my system, both did not work.

The troubling thing is that I saw that I have now a new 'disk' called Boot, with the letter X. when I try to restarted and go into safe modes etc, the suggestion I get are to download or direct to things on that hard drive, which looks like a virus! I never had an X drive before. I have (had?) a deadline tonight! please HELP

BC AdBot (Login to Remove)

 


#2 oalmi

oalmi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 29 June 2014 - 02:30 PM

tried several more times and finally managed to run the farbar. Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-06-2014 02
Ran by SYSTEM on MININT-TFE051M on 29-06-2014 22:05:31
Running from f:\
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ASUS WebStorage] => C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe [1754448 2010-03-15] ()
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2188904 2011-01-17] (Realtek Semiconductor)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2587944 2010-12-13] (ELAN Microelectronics Corp.)
HKLM\...\Run: [IntelTBRunOnce] => wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
HKLM\...\Run: [Setwallpaper] => c:\programdata\SetWallpaper.cmd
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2780776 2011-07-18] (CANON INC.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [SonicMasterTray] => C:\Program Files (x86)\ASUS\Sonic Focus\SonicFocusTray.exe [984400 2010-07-09] (Virage Logic Corporation / Sonic Focus)
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUS)
HKLM-x32\...\Run: [ATKMEDIA] => C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe [170624 2010-10-07] (ASUS)
HKLM-x32\...\Run: [HControlUser] => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe [105016 2009-06-19] (ASUS)
HKLM-x32\...\Run: [Wireless Console 3] => C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1601536 2010-09-23] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1637496 2011-08-04] (CANON INC.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [439440 2011-09-27] (CANON INC.)
HKLM-x32\...\Run: [BrowserPlugInHelper] => C:\Program Files (x86)\Wondershare\Free YouTube Downloader\BrowserPlugInHelper.exe [410912 2013-02-04] (Wondershare Software)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [737872 2014-06-03] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [NSU_agent] => C:\Program Files (x86)\Nokia\Nokia Software Updater\nsu3ui_agent.exe [190768 2012-02-28] ()
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-20] (Apple Inc.)
HKLM-x32\...\Run: [NACAgentUI] => C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgentUI.exe [621384 2013-12-03] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [TkBellExe] => c:\program files (x86)\real\realplayer\update\realsched.exe [296520 2014-06-25] (RealNetworks, Inc.)
HKLM-x32\...\Runonce: [rmoc3260.dll OCX] - regsvr32.exe /s "C:\Windows\SysWOW64\rmoc3260.dll" [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\oalmi.Tali-PC\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-21] (Microsoft Corporation)
HKU\oalmi.Tali-PC\...\Run: [PC Suite Tray] => C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe [1516632 2012-06-26] (Nokia)
HKU\oalmi.Tali-PC\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-07] (Skype Technologies S.A.)
HKU\oalmi.Tali-PC\...\Run: [Syncables] => C:\Program Files (x86)\syncables\syncables desktop\Syncables.exe
HKU\oalmi.Tali-PC\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\system32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\oalmi.Tali-PC\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_13_0_0_182_ActiveX.exe [844464 2014-04-22] (Adobe Systems Incorporated)
HKU\UpdatusUser\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
HKU\UpdatusUser\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [250504 2013-03-14] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [205184 2013-03-14] (NVIDIA Corporation)
Startup: C:\Users\CompAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\oalmi.Tali-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\Users\oalmi.Tali-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
ShellIconOverlayIdentifiers: AsusWSShellExt_B -> {6D4133E5-0742-4ADC-8A8C-9303440F7190} => C:\Program Files (x86)\ASUS\ASUS WebStorage\service\AsusWSShellExt64.dll (eCareme Technologies, Inc.)
ShellIconOverlayIdentifiers: AsusWSShellExt_O -> {64174815-8D98-4CE6-8646-4C039977D808} => C:\Program Files (x86)\ASUS\ASUS WebStorage\service\AsusWSShellExt64.dll (eCareme Technologies, Inc.)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: EnhancedStorageShell -> {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} =>  No File
ShellIconOverlayIdentifiers-x32: SharingPrivate -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} =>  No File

==================== Services (Whitelisted) =================

S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-06-03] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-06-03] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [1039440 2014-06-03] (Avira Operations GmbH & Co. KG)
S2 BecHelperService; C:\Program Files (x86)\Hi\Online\BecHelperService.exe [1915904 2013-09-28] ()
S2 GtDetectSc; C:\Program Files\Option\Driver Installer\GtDetectSc.exe [809984 2009-05-04] (OptionNV)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S3 MSSQL$MSSMLBIZ; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\sqlservr.exe [43028328 2011-09-22] (Microsoft Corporation)
S2 NACAgent; C:\Program Files (x86)\Cisco\Cisco NAC Agent\NACAgent.exe [1289544 2013-12-03] (Cisco Systems, Inc.)
S2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-06-25] (RealNetworks, Inc.)
S2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-06-10] ()
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1019328 2012-08-21] (Enigma Software Group USA, LLC.)
S4 SQLAgent$MSSMLBIZ; C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.MSSMLBIZ\MSSQL\Binn\SQLAGENT.EXE [370024 2011-09-22] (Microsoft Corporation)
S2 WACService; C:\Program Files (x86)\Wondershare\Wondershare Application Center\WACService.exe [103272 2012-11-09] (Wondershare)

==================== Drivers (Whitelisted) ====================

S0 81cb3efcdc2c15a5; C:\Windows\System32\Drivers\81cb3efcdc2c15a5.sys [77776 2014-03-29] () <===== ATTENTION Necurs Rootkit?
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [112080 2014-06-03] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-06-03] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-12-01] (Avira Operations GmbH & Co. KG)
S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
S3 kbfiltr; C:\Windows\System32\DRIVERS\kbfiltr.sys [15416 2009-07-20] ( )
S2 TurboB; C:\Windows\System32\DRIVERS\TurboB.sys [13832 2010-04-16] ()
S3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [17920 2008-11-11] (LG Electronics Inc.)
S3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [27136 2008-11-11] (LG Electronics Inc.)
S3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [33792 2008-11-11] (LG Electronics Inc.)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\Drivers\81cb3efcdc2c15a5.sys 039015F79A88101FB4D195583DDAA964
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpahci.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys 79059559E89D06E8B80CE2944BE20228
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdk8.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys D4121AE6D0C0E7E13AA221AA57EF2D49
C:\Windows\system32\DRIVERS\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys 540DAF1CEA6094886D72126FD7C33048
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\arcsas.sys ==> MD5 is legit
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys 4C016FD76ED5C05E84CA8CAB77993961
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\athrx.sys B4174564AD5834A1680610572477878C
C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys 1F7238A37389ED92E9D8EEE975CABD54
C:\Windows\System32\DRIVERS\avgntflt.sys 46552023B54E374C887A3A9AAF1279F2
C:\Windows\System32\DRIVERS\avipbb.sys 8902AEC2382A37E9E99A4E0D52DBD42B
C:\Windows\System32\DRIVERS\avkmgr.sys 390184FAD8FCC1B6DA25AEBAE928C3B6
C:\Windows\system32\DRIVERS\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\BthEnum.sys CF98190A94F62E405C8CB255018B2315
C:\Windows\system32\DRIVERS\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bthpan.sys 02DD601B708DD0667E1331FA8518E9FF
C:\Windows\System32\Drivers\BTHport.sys 738D0E9272F59EB7A1449C3EC118E6C4
C:\Windows\System32\Drivers\BTHUSB.sys F188B7394D81010767B6DF3178519A37
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys EBF28856F69CF094A902F884CF989706
C:\Windows\System32\DRIVERS\compbatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys 88612F1CE3BF42256913BF6E61C70D52
C:\Windows\system32\DRIVERS\evbda.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys DF96C3CD6AE15F6D0A6BCB70F9C1E88D
C:\Windows\System32\DRIVERS\ETD.sys 5B042AA9CEBDAB5B61E747DDCEBFF51B
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fssfltr.sys 07DA62C960DDCCC2D35836AEAB4FC578
C:\Windows\System32\Drivers\Fs_Rec.sys 6BD9295CC032DD3077C671FCCF579A7B
C:\Windows\System32\DRIVERS\fvevol.sys 8F6322049018354F45F05A2FD2D4E5E0
C:\Windows\system32\DRIVERS\gagp30kx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\GEARAspiWDM.sys 8E98D21EE06192492A5671A6144D092F
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\system32\drivers\HdAudio.sys 975761C778E33CD22498059B91E7373A
C:\Windows\system32\drivers\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidbth.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\hidir.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\system32\drivers\i8042prt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\iaStor.sys F7CE9BE72EDAC499B713ECA6DAE5D26F
C:\Windows\system32\drivers\iaStorV.sys AAAF44DB3BD0B9D1FB6969B23ECC8366
C:\Windows\System32\DRIVERS\igdkmd64.sys 348214F96642FD4FEF630DE021BA3540
C:\Windows\system32\DRIVERS\iirsp.sys ==> MD5 is legit
C:\Windows\System32\drivers\RTKVHD64.sys 3E3926F4FA7C9162C5C3EC6BF1E4F349
C:\Windows\System32\DRIVERS\IntcDAud.sys FC727061C0F47C8059E88E05D5C8E381
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdclass.sys ==> MD5 is legit
C:\Windows\system32\drivers\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbfiltr.sys E63EF8C3271D014F14E2469CE75FECB4
C:\Windows\System32\Drivers\ksecdd.sys 8F489706472F7E9A06BAAA198703FA64
C:\Windows\System32\Drivers\ksecpkg.sys 868A2CAAB12EFC7A021682BCA0EEC54C
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\L1C62x64.sys 033B4AED2C5519072C0D81E00804D003
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\System32\drivers\massfilter.sys 035C83CD72E06C47000793D32B1A642D
C:\Windows\system32\DRIVERS\megasas.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\HECIx64.sys A6518DCC42F7A6E999BB3BEA8FD87567
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys 1A4F75E63C9FB84B85DFFC6B63FD5404
C:\Windows\System32\DRIVERS\mrxsmb.sys A5D9106A73DC88564C825D317CAC68AC
C:\Windows\System32\DRIVERS\mrxsmb10.sys D711B3C1D5F42C0C2415687BE09FC163
C:\Windows\System32\DRIVERS\mrxsmb20.sys 9423E9D355C8D303E76B8CFBD8A5C30C
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\system32\drivers\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys 760E38053BF56E501D562B70AD796B88
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\drivers\ccdcmbx64.sys 5FE6F8C05F0769BBB74AFAC11453B182
C:\Windows\System32\drivers\ccdcmbox64.sys 73C929945C0850B8D1FE2FEA05FDF05D
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys B98F8C6E31CD07B2E6F71F7F648E38C0
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nvlddmkm.sys 4EE399576F76D38C04745DB739BBC8C7
C:\Windows\System32\DRIVERS\nvpciflt.sys 7067753FA8B75A3BDBA5633B4D2A5D0A
C:\Windows\system32\drivers\nvraid.sys 0A92CB65770442ED0DC44834632F66AD
C:\Windows\system32\drivers\nvstor.sys DAB0E87525C10052BF65F06152F37E4A
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys E9766131EEADE40A27DC27D2D68FBA9C
C:\Windows\System32\DRIVERS\pccsmcfdx64.sys 3FDE033DFB0D07F8B7D5C9A3044AA121
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\System32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\System32\Drivers\PxHlpa64.sys F2EECF8977BD3FE4E38743DDCFBECD20
C:\Windows\system32\DRIVERS\ql2300.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys E61608AA35E98999AF9AAEEEA6114B0A
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rfcomm.sys 3DD798846E2C28102B922C56E71B7932
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RtsUVStor.sys E57FAC2CDB73F06586ED2ED310B80932
C:\Windows\System32\DRIVERS\Rt64win7.sys 6D3C7E7D82D3DC92DC2A8B0DF9F20F8A
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sfloppy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\SiSG664.sys 1BC348CF6BAA90EC8E533EF6E6A69933
C:\Windows\system32\DRIVERS\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 441FBA48BFF01FDB9D5969EBC1838F0B
C:\Windows\System32\DRIVERS\srv2.sys B4ADEBBF5E3677CCE9651E0F01F7CC28
C:\Windows\System32\DRIVERS\srvnet.sys 27E461F0BE5BFF5FC737328F749538C3
C:\Windows\system32\DRIVERS\stexstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys 40AF23633D197905F03AB5628C558C51
C:\Windows\System32\DRIVERS\tcpip.sys 40AF23633D197905F03AB5628C558C51
C:\Windows\System32\drivers\tcpipreg.sys 1B16D0BD9841794A6E0CDE0CEF744ABC
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys 51C5ECEB1CDEE2468A1748BE550CFBC8
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\system32\drivers\termdd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tssecsrv.sys 4CE278FC9671BA81A138D70823FCAA09
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\TurboB.sys B355581A9DA34C92E2DBAFA410D2F829
C:\Windows\system32\DRIVERS\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\umbus.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbser_lowerfltx64.sys 34AFB83C7BBA370E404E52CC2290350C
C:\Windows\System32\Drivers\usbaapl64.sys C9E9D59C0099A9FF51697E9306A44240
C:\Windows\System32\DRIVERS\lgx64bus.sys 5FCC71487888589A9244AF54CFEFAB29
C:\Windows\System32\DRIVERS\usbccgp.sys DCA68B0943D6FA415F0C56C92158A83A
C:\Windows\system32\drivers\usbcir.sys 80B0F7D5CCF86CEB5D402EAAF61FEC31
C:\Windows\System32\DRIVERS\lgx64diag.sys 3FB6E423F7567C92C32EA786F5FD0C69
C:\Windows\system32\drivers\usbehci.sys 18A85013A3E0F7E1755365D287443965
C:\Windows\System32\DRIVERS\usbhub.sys 8D1196CFBB223621F2C67D45710F25BA
C:\Windows\System32\DRIVERS\lgx64modem.sys 78D551F5B93488B4666F5FC8DD4815F3
C:\Windows\system32\drivers\usbohci.sys 765A92D428A8DB88B960DA5A8D6089DC
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbscan.sys 9661DA76B4531B2DA272ECCE25A8AF24
C:\Windows\system32\drivers\usbser.sys B57B4F0BEC4270A281B9F8537EB2FA04
C:\Windows\System32\DRIVERS\usbser_lowerfltjx64.sys AA75E1EFBEE7186B4CBAAACF1F15E6CA
C:\Windows\System32\DRIVERS\USBSTOR.SYS FED648B01349A3C8395A5169DB5FB7D6
C:\Windows\system32\drivers\usbuhci.sys DD253AFC3BC6CBA412342DE60C3647F3
C:\Windows\System32\Drivers\usbvideo.sys 1F775DA4CF1A3A1834207E975A72E9D7
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifibus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwififlt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vwifimp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\DRIVERS\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys E2C933EDBC389386EBE6D2BA953F43D8
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wimfltr.sys 52DED146E4797E6CCF94799E8E22BB2A
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WinUsb.sys FE88B288356E7B47B74B13372ADD906D
C:\Windows\system32\drivers\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys AB886378EEB55C6C75B4F2D14B6C869F
C:\Windows\System32\DRIVERS\WUDFRd.sys DDA4CAF29D8C0A297F886BFE561E6659
C:\Windows\System32\DRIVERS\ZTEusbmdm6k.sys 3762B4C538B9D710F85042849C20319F
C:\Windows\System32\DRIVERS\ZTEusbnet.sys 7CC1BB2CA5A01D3AD844E6476B026733
C:\Windows\System32\DRIVERS\ZTEusbnmea.sys 3762B4C538B9D710F85042849C20319F
C:\Windows\System32\DRIVERS\ZTEusbser6k.sys 3762B4C538B9D710F85042849C20319F

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-29 22:05 - 2014-06-29 22:05 - 00000000 ____D () C:\FRST
2014-06-29 20:47 - 2014-06-29 20:47 - 00000179 _____ () C:\Local Disk (F) - Shortcut.lnk
2014-06-29 08:44 - 2014-06-29 20:24 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-25 10:40 - 2014-06-25 10:40 - 00001046 _____ () C:\Users\Public\Desktop\RealPlayer Cloud.lnk
2014-06-25 10:38 - 2014-06-25 10:38 - 00201800 _____ (RealNetworks, Inc.) C:\Windows\SysWOW64\pnup0.dll
2014-06-25 10:37 - 2014-06-25 10:37 - 00505416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2014-06-25 10:37 - 2014-06-25 10:37 - 00353864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2014-06-25 10:37 - 2014-06-25 10:37 - 00278600 _____ (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2014-06-18 13:12 - 2014-06-18 13:11 - 00084720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2014-06-18 06:01 - 2014-06-25 02:59 - 00002102 _____ () C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2014-06-18 06:01 - 2014-06-18 06:01 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-06-15 11:23 - 2014-06-15 11:23 - 00000000 ____D () C:\Program Files\Option
2014-06-15 11:23 - 2014-06-15 11:23 - 00000000 ____D () C:\Program Files (x86)\Option_4.0.17.0
2014-06-14 14:06 - 2014-06-14 14:06 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Local\{CB770134-CE5D-470F-A65C-FD0B7C1C1A56}
2014-06-01 22:17 - 2014-06-01 22:17 - 00002070 _____ () C:\Users\Public\Desktop\Cisco NAC Agent.lnk

==================== One Month Modified Files and Folders =======

2014-06-29 22:05 - 2014-06-29 22:05 - 00000000 ____D () C:\FRST
2014-06-29 20:47 - 2014-06-29 20:47 - 00000179 _____ () C:\Local Disk (F) - Shortcut.lnk
2014-06-29 20:24 - 2014-06-29 08:44 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-29 20:24 - 2013-12-30 10:53 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Roaming\Malwarebytes
2014-06-29 20:24 - 2013-12-30 10:53 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-29 20:24 - 2013-12-30 10:53 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-06-29 20:24 - 2012-10-05 08:09 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Roaming\Skype
2014-06-29 20:24 - 2012-10-05 07:30 - 00000000 ____D () C:\users\oalmi.Tali-PC
2014-06-29 20:24 - 2012-06-02 06:23 - 00000000 ____D () C:\users\CompAdmin
2014-06-29 20:24 - 2011-07-26 02:47 - 00000000 ____D () C:\users\Tali
2014-06-29 20:24 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-06-29 07:52 - 2009-07-13 21:13 - 00895382 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-06-29 00:11 - 2011-02-03 05:57 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-29 00:08 - 2011-02-03 05:57 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-26 12:28 - 2012-05-22 11:59 - 00000446 ____H () C:\Windows\Tasks\Norton Security Scan for Tali.job
2014-06-26 04:30 - 2013-09-07 04:00 - 00000000 ____D () C:\Program Files (x86)\RealNetworks
2014-06-26 04:30 - 2012-10-05 07:32 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Roaming\Real
2014-06-26 03:34 - 2012-10-05 07:45 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Local\Google
2014-06-26 03:34 - 2011-02-03 05:57 - 00000000 ____D () C:\ProgramData\Google
2014-06-25 23:11 - 2012-09-04 06:28 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-06-25 10:40 - 2014-06-25 10:40 - 00001046 _____ () C:\Users\Public\Desktop\RealPlayer Cloud.lnk
2014-06-25 10:40 - 2011-08-10 14:07 - 00000000 ____D () C:\Program Files (x86)\Real
2014-06-25 10:38 - 2014-06-25 10:38 - 00201800 _____ (RealNetworks, Inc.) C:\Windows\SysWOW64\pnup0.dll
2014-06-25 10:38 - 2011-08-10 14:07 - 00000000 ____D () C:\ProgramData\Real
2014-06-25 10:37 - 2014-06-25 10:37 - 00505416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2014-06-25 10:37 - 2014-06-25 10:37 - 00353864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2014-06-25 10:37 - 2014-06-25 10:37 - 00278600 _____ (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2014-06-25 03:40 - 2014-02-23 13:51 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Local\Windows Live
2014-06-25 02:59 - 2014-06-18 06:01 - 00002102 _____ () C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2014-06-22 13:27 - 2014-05-19 14:44 - 00003226 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3096591042-3870022599-2483910520-1009
2014-06-22 13:27 - 2014-04-20 13:30 - 00003360 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3096591042-3870022599-2483910520-1009
2014-06-19 09:22 - 2009-07-13 20:45 - 00009920 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-19 09:22 - 2009-07-13 20:45 - 00009920 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-18 13:17 - 2012-10-06 13:17 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Roaming\Dropbox
2014-06-18 13:16 - 2014-05-16 10:19 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Roaming\DropboxMaster
2014-06-18 13:16 - 2014-05-16 10:17 - 00003338 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3096591042-3870022599-2483910520-1009
2014-06-18 13:16 - 2014-04-20 14:03 - 00003204 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3096591042-3870022599-2483910520-1009
2014-06-18 13:16 - 2012-10-05 06:11 - 00000000 ___RD () C:\Users\oalmi.Tali-PC\Documents\Dropbox
2014-06-18 13:15 - 2011-05-09 17:38 - 00045056 _____ () C:\Windows\System32\acovcnt.exe
2014-06-18 13:14 - 2011-08-08 10:42 - 00000427 _____ () C:\Windows\System32\Drivers\etc\hosts.ics
2014-06-18 13:14 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-18 13:14 - 2009-07-13 20:51 - 00142044 _____ () C:\Windows\setupact.log
2014-06-18 13:11 - 2014-06-18 13:12 - 00084720 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avnetflt.sys
2014-06-18 06:06 - 2011-02-03 05:57 - 00003908 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-18 06:06 - 2011-02-03 05:57 - 00003656 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-18 06:01 - 2014-06-18 06:01 - 00000000 ____D () C:\Program Files\McAfee Security Scan
2014-06-18 06:01 - 2013-11-17 10:53 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-06-17 08:03 - 2011-05-09 17:38 - 00001611 _____ () C:\Windows\System32\ServiceFilter.ini
2014-06-17 03:14 - 2013-01-08 12:51 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Roaming\vlc
2014-06-16 08:51 - 2014-01-31 14:17 - 00000000 ____D () C:\Users\oalmi.Tali-PC\Desktop\Videos not on D
2014-06-15 11:49 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-06-15 11:23 - 2014-06-15 11:23 - 00000000 ____D () C:\Program Files\Option
2014-06-15 11:23 - 2014-06-15 11:23 - 00000000 ____D () C:\Program Files (x86)\Option_4.0.17.0
2014-06-14 14:06 - 2014-06-14 14:06 - 00000000 ____D () C:\Users\oalmi.Tali-PC\AppData\Local\{CB770134-CE5D-470F-A65C-FD0B7C1C1A56}
2014-06-13 05:45 - 2011-05-09 17:07 - 01714604 _____ () C:\Windows\WindowsUpdate.log
2014-06-12 06:28 - 2013-05-13 11:09 - 00002185 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-06-05 22:16 - 2012-07-23 00:29 - 00127296 _____ () C:\Users\CompAdmin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-06-03 22:25 - 2013-07-10 07:02 - 00130584 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avipbb.sys
2014-06-03 22:25 - 2013-07-10 07:02 - 00112080 _____ (Avira Operations GmbH & Co. KG) C:\Windows\System32\Drivers\avgntflt.sys
2014-06-03 00:20 - 2009-07-13 21:08 - 00032564 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-01 22:17 - 2014-06-01 22:17 - 00002070 _____ () C:\Users\Public\Desktop\Cisco NAC Agent.lnk

Files to move or delete:
====================
C:\Users\CompAdmin\SpyHunter-Installer.exe


Some content of TEMP:
====================
C:\Users\CompAdmin\AppData\Local\Temp\avgnt.exe
C:\Users\CompAdmin\AppData\Local\Temp\MSETUP4.EXE
C:\Users\CompAdmin\AppData\Local\Temp\SHSetup.exe
C:\Users\CompAdmin\AppData\Local\Temp\uninstall.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\01399631313065.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\625953.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\AskSLib.dll
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\avgnt.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpb1u5zx.dll
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\GIcdComm2.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\lowproc.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\SkypeSetup.exe
C:\Users\oalmi.Tali-PC\AppData\Local\Temp\stubhelper.dll


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-06-15 10:45:57
Restore point made on: 2014-06-15 10:55:14
Restore point made on: 2014-06-18 06:04:12
Restore point made on: 2014-06-22 13:27:07
Restore point made on: 2014-06-29 08:00:37

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  boot
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {default}
resumeobject            {8cb2d9b0-7c05-11de-842e-b4611d44fefa}
displayorder            {default}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {default}
device                  boot
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {current}
recoveryenabled         Yes
testsigning             No
osdevice                boot
systemroot              \Windows
resumeobject            {8cb2d9b0-7c05-11de-842e-b4611d44fefa}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {current}
device                  ramdisk=[C:]\Recovery\8cb2d9b4-7c05-11de-842e-b4611d44fefa\Winre.wim,{8cb2d9b5-7c05-11de-842e-b4611d44fefa}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\8cb2d9b4-7c05-11de-842e-b4611d44fefa\Winre.wim,{8cb2d9b5-7c05-11de-842e-b4611d44fefa}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {8cb2d9b0-7c05-11de-842e-b4611d44fefa}
device                  boot
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {8cb2d9b5-7c05-11de-842e-b4611d44fefa}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\8cb2d9b4-7c05-11de-842e-b4611d44fefa\boot.sdi


==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 6055.77 MB
Available physical RAM: 5340.69 MB
Total Pagefile: 6053.92 MB
Available Pagefile: 5327.94 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:238.47 GB) (Free:53.64 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (DATA) (Fixed) (Total:332.7 GB) (Free:0.01 GB) NTFS
Drive f: () (Fixed) (Total:29.8 GB) (Free:6.46 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: FD65E542)
Partition 1: (Not Active) - (Size=25 GB) - (Type=1C)
Partition 2: (Active) - (Size=238 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=333 GB) - (Type=OF Extended)

========================================================
Disk: 1 (Size: 30 GB) (Disk ID: 4A42BA98)
Partition 1: (Not Active) - (Size=30 GB) - (Type=0C)


LastRegBack: 2014-06-29 21:00

==================== End Of Log ============================
 

Please help, thanks



#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:41 PM

Posted 04 July 2014 - 12:33 PM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Lets get going now :thumbup2:

==========================
 
Hi oalmi,

I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you to disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------

Running a fix Using Farbar's Recvovery Scan Tool in the Recovery Environment:

  • From your clean computer, press the windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
HKLM-x32\...\Runonce: [rmoc3260.dll OCX] - regsvr32.exe /s "C:\Windows\SysWOW64\rmoc3260.dll" [X]
S0 81cb3efcdc2c15a5; C:\Windows\System32\Drivers\81cb3efcdc2c15a5.sys [77776 2014-03-29] () <===== ATTENTION Necurs Rootkit?
C:\Windows\System32\Drivers\81cb3efcdc2c15a5.sys
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then running Farbar's Recover Scan Tool.

On a clean machine, please download Farbar Recovery Scan Tool and save it to the USB (feel free to use the frst download from my last instructions, if you still have it on the USB).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Are you able to boot into Windows?
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:41 PM

Posted 07 July 2014 - 11:13 AM

Hi oalmi,
 
This is a 3 day bump:
 
It has been 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#5 oalmi

oalmi
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:41 PM

Posted 10 July 2014 - 12:23 AM

thanks xXToffee,
The computer is about to be formatted, it feels that's the right thing to go about it. thanks a lot for looking at my log.

Orly

#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:41 PM

Posted 10 July 2014 - 10:49 AM

Hi oalmi,

 

Thank you for letting me know.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:41 PM

Posted 10 July 2014 - 10:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users