ZeroAccess Rootkit Leftovers - Yuck! Who likes leftovers anyway?


This topic is locked
109 replies to this topic

#1 Jean91 (Members, 115 posts)

Posted 30 July 2014 - 11:43 PM

First I was helped to remove all of Search Conduit from my computer by Machiavelli, but I still had errors show up (highlighted below in purple), so he directed me to another forum, which directed me to Broni! He helped identify that I have ZeroAccess Rootkit leftovers. I did not even know I had this! Besides what is listed in purple, I cannot access: Microsoft Word, iTunes, Update Google, System Restore, or Windows Defender. Not to mention the speed of my poor PC is drastically slower. I have pasted the DDS.log and attached 1 file that will help you see where I am at, for a faster and easier fix. Thanks guys!!!
 
ToshibaServiceStation.exe - Bad Image
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

ToshibaAppPlace.exe - Bad Image
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

MOM.exe - Bad Image
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

TimelineMonitor: ToshibaTimelineMonitor.exe - Bad Image
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

Microsoft Visual C++ Runtime Library
* Runtime Error
Program: C:\Program Files\TOSHIBA\ReelTime\TimelineMonitor.exe
"This application has requested the Runtime to terminate in an unusual way."

ToshibaAppPlace.exe - .NET Framework Initialization Error
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Toshiba Service Station - .NET Framework Initialization Error
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

MOM.exe - .NET Framework Initialization Error
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

 

Google Chrome

Your profile can not be used because it is from a newer version of Google Chrome

(This one showed up 5+ times)

 

Here is the DDS.log:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17207
Run by Aram at 0:26:55 on 2014-07-31
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2663.890 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\Explorer.EXE
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Users\Aram\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\oovoo\ooVoo.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\nacl64.exe
C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\nacl64.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Malwarebytes Anti-Malware2\mbam.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\System32\Notepad.exe
C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://start.toshiba.com
uDefault_Search_URL = hxxp://www.google.com/ie
uProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe,
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Covenant Eyes for Internet Explorer: {927BD2E1-2287-49D2-AE71-95F492CE662E} - C:\Program Files (x86)\CE\extensions\ie\x86\ceie-0.7.2.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Livedrive] "C:\Program Files (x86)\Livedrive\Livedrive.exe" /setup
uRun: [Spotify Web Helper] "C:\Users\Aram\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [Facebook Update] "C:\Users\Aram\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Unified Remote v2] C:\Program Files (x86)\Unified Remote\RemoteServer.exe
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Akamai NetSession Interface] "C:\Users\Aram\AppData\Local\Akamai\netsession_win.exe"
uRun: [GoogleChromeAutoLaunch_93C7F2831C5ACD16136107BA35FA3025] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ooVoo.exe] C:\program files (x86)\oovoo\oovoo.exe /minimized
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Covenant Eyes] C:\Program Files (x86)\CE\CovenantEyes.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Aram\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Aram\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Aram\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - C:\windows\System32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\46169627970217575656E60266275656027796D26696 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\4796275646963736F657E647562737 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\74275656B602255667966716C60284F6573756 : DHCPNameServer = 192.168.254.254
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\B4D4243475946494 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\C4166616975647565602E416A7162756E6560275966696 : DHCPNameServer = 8.8.8.8 192.168.254.254 192.168.2.1
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\D4F6E647963657C656 : DHCPNameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{546DE7CF-8AE3-4E63-A1D3-70C0001DD09C}\F475E45425D20534F5E4564777F627B6 : DHCPNameServer = 192.168.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\SysWOW64\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: BrowserHelper Class: {EDF48A39-1442-463F-9F4E-F376A78D034A} - C:\Program Files (x86)\Livedrive\ExplorerExtensions.dll
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
x64-Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - 
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\System32\CbFsMntNtf3.dll
x64-STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\System32\CbFsMntNtf3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\drivers\amd_sata.sys [2011-10-5 75904]
R0 amd_xata;amd_xata;C:\windows\System32\drivers\amd_xata.sys [2011-10-5 38016]
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2014-6-10 65776]
R0 aswVmm;avast! VM Monitor;C:\windows\System32\drivers\aswVmm.sys [2014-6-10 224896]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswsnx.sys [2014-6-10 1041168]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswsp.sys [2014-6-10 427360]
R1 CbFs;CbFs;C:\windows\System32\drivers\cbfs.sys [2011-10-7 191960]
R1 cbfs3;cbfs3;C:\windows\System32\drivers\cbfs3.sys [2013-5-2 352008]
R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2011-10-4 204288]
R2 aswHwid;avast! HardwareID;C:\windows\System32\drivers\aswHwid.sys [2014-6-10 29208]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2014-6-10 79184]
R2 aswStm;aswStm;C:\windows\System32\drivers\aswstm.sys [2014-6-10 92008]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-7-1 50344]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-12-7 167424]
R2 PCCUJobMgr;Common Client Job Manager Service;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [2011-10-5 126392]
R3 ETD;ELAN PS/2 Port Input Device;C:\windows\System32\drivers\ETD.sys [2010-11-11 137512]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2011-10-5 9216]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\windows\System32\drivers\MBAMSwissArmy.sys [2014-6-10 122584]
R3 PGEffect;Pangu effect driver;C:\windows\System32\drivers\PGEffect.sys [2011-10-5 38096]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2011-10-5 1109096]
R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2011-6-10 138152]
S2 Auth Service;Auth Service;C:\windows\System32\authServer.exe --> C:\windows\System32\authServer.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 CovenantEyesCommService;Covenant Eyes Communication Service;C:\Program Files (x86)\CE\CovenantEyesCommService.exe [2014-3-15 4533240]
S2 CovenantEyesProxy;CovenantEyesProxy;C:\Program Files\CE\CovenantEyesProxy.exe [2014-3-15 5346296]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
S2 LivedriveVSSService;Livedrive VSS Service;C:\Program Files (x86)\Livedrive\VSSService.exe [2013-3-14 210584]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [2011-10-5 123320]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 HTCAND64;HTC Device Driver;C:\windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]
S3 htcnprot;HTC NDIS Protocol Driver;C:\windows\System32\drivers\htcnprot.sys [2012-12-7 36928]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-7-10 111616]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2010-9-27 76912]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2011-10-5 243712]
S3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-10-5 57216]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-10-8 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-07-31 02:28:16 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-07-30 18:46:18 -------- d-----w- C:\Users\Aram\AppData\Local\{28E1D9EA-3524-4A4A-8C6A-9647246915F2}
2014-07-26 02:00:21 -------- d-----w- C:\Program Files\Speccy
2014-07-22 14:08:10 -------- d-----w- C:\windows\CheckSur
2014-07-21 21:34:11 -------- d-----w- C:\Program Files (x86)\ESET
2014-07-21 19:44:34 -------- d-----w- C:\windows\ERUNT
2014-07-21 19:03:19 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware2
2014-07-18 19:24:19 -------- d-----w- C:\Program Files\iPod
2014-07-18 19:24:16 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-07-18 19:24:16 -------- d-----w- C:\Program Files\iTunes
2014-07-18 19:24:16 -------- d-----w- C:\Program Files (x86)\iTunes
2014-07-18 19:15:39 -------- d-----w- C:\Program Files\Bonjour
2014-07-18 19:15:39 -------- d-----w- C:\Program Files (x86)\Bonjour
2014-07-18 18:02:46 29160 ----a-w- C:\windows\SysWow64\drivers\TrueSight.sys
2014-07-18 18:02:44 -------- d-----w- C:\ProgramData\RogueKiller
2014-07-16 04:27:36 -------- d-----w- C:\2bc435ae47c72b6532724336
2014-07-15 13:06:41 -------- d-----w- C:\e29219525bf1ca3c1e9995
2014-07-11 13:32:58 497152 ----a-w- C:\windows\System32\drivers\afd.sys
2014-07-10 16:26:09 1719296 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2014-07-10 16:26:07 1380864 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2014-07-10 16:26:06 1354240 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2014-07-10 16:26:05 1389568 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2014-07-10 16:26:04 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-07-10 16:24:59 812216 ----a-w- C:\Program Files (x86)\Internet Explorer\iexplore.exe
2014-07-10 16:02:39 1460736 ----a-w- C:\windows\System32\lsasrv.dll
2014-07-10 16:02:35 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2014-07-10 16:02:35 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2014-07-01 14:51:32 43152 ----a-w- C:\windows\avastSS.scr
.
==================== Find3M  ====================
.
2014-07-31 02:27:36 92888 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2014-07-31 01:39:37 122584 ----a-w- C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-07-23 14:52:00 270496 ------w- C:\windows\System32\MpSigStub.exe
2014-07-10 17:35:51 71344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-07-10 17:35:51 699056 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2014-07-01 14:51:40 92008 ----a-w- C:\windows\System32\drivers\aswstm.sys
2014-07-01 14:51:39 224896 ----a-w- C:\windows\System32\drivers\aswVmm.sys
2014-07-01 14:51:39 1041168 ----a-w- C:\windows\System32\drivers\aswsnx.sys
2014-07-01 14:51:38 65776 ----a-w- C:\windows\System32\drivers\aswRvrt.sys
2014-07-01 14:51:37 79184 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2014-07-01 14:51:37 29208 ----a-w- C:\windows\System32\drivers\aswHwid.sys
2014-07-01 14:51:36 93568 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2014-06-30 02:09:33 519168 ----a-w- C:\windows\System32\aepdu.dll
2014-06-30 02:04:49 424448 ----a-w- C:\windows\System32\aeinv.dll
2014-06-19 01:06:55 2724864 ----a-w- C:\windows\System32\mshtml.tlb
2014-06-19 01:06:24 4096 ----a-w- C:\windows\System32\ieetwcollectorres.dll
2014-06-19 00:42:57 548352 ----a-w- C:\windows\System32\vbscript.dll
2014-06-19 00:42:49 66048 ----a-w- C:\windows\System32\iesetup.dll
2014-06-19 00:41:52 48640 ----a-w- C:\windows\System32\ieetwproxystub.dll
2014-06-19 00:41:16 83968 ----a-w- C:\windows\System32\MshtmlDac.dll
2014-06-19 00:24:30 139264 ----a-w- C:\windows\System32\ieUnatt.exe
2014-06-19 00:24:12 111616 ----a-w- C:\windows\System32\ieetwcollector.exe
2014-06-19 00:23:53 752640 ----a-w- C:\windows\System32\jscript9diag.dll
2014-06-19 00:14:28 940032 ----a-w- C:\windows\System32\MsSpellCheckingFacility.exe
2014-06-18 23:59:04 38400 ----a-w- C:\windows\System32\JavaScriptCollectionAgent.dll
2014-06-18 23:56:37 2724864 ----a-w- C:\windows\SysWow64\mshtml.tlb
2014-06-18 23:51:38 5721088 ----a-w- C:\windows\System32\jscript9.dll
2014-06-18 23:38:40 455168 ----a-w- C:\windows\SysWow64\vbscript.dll
2014-06-18 23:37:23 61952 ----a-w- C:\windows\SysWow64\iesetup.dll
2014-06-18 23:36:35 51200 ----a-w- C:\windows\SysWow64\ieetwproxystub.dll
2014-06-18 23:35:55 62464 ----a-w- C:\windows\SysWow64\MshtmlDac.dll
2014-06-18 23:27:45 1249280 ----a-w- C:\windows\System32\mshtmlmedia.dll
2014-06-18 23:27:07 2040832 ----a-w- C:\windows\System32\inetcpl.cpl
2014-06-18 23:23:27 112128 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2014-06-18 23:22:40 592896 ----a-w- C:\windows\SysWow64\jscript9diag.dll
2014-06-18 23:06:10 32256 ----a-w- C:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-06-18 22:58:27 2266112 ----a-w- C:\windows\System32\wininet.dll
2014-06-18 22:52:18 4254720 ----a-w- C:\windows\SysWow64\jscript9.dll
2014-06-18 22:46:23 1068032 ----a-w- C:\windows\SysWow64\mshtmlmedia.dll
2014-06-18 22:45:59 1964544 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2014-06-18 22:13:59 1791488 ----a-w- C:\windows\SysWow64\wininet.dll
2014-06-18 02:18:30 692736 ----a-w- C:\windows\System32\osk.exe
2014-06-18 01:51:32 646144 ----a-w- C:\windows\SysWow64\osk.exe
2014-06-18 01:10:36 3157504 ----a-w- C:\windows\System32\win32k.sys
2014-06-06 10:10:34 624128 ----a-w- C:\windows\System32\qedit.dll
2014-06-06 09:44:17 509440 ----a-w- C:\windows\SysWow64\qedit.dll
2014-05-30 08:08:52 210944 ----a-w- C:\windows\System32\wdigest.dll
2014-05-30 08:08:49 86528 ----a-w- C:\windows\System32\TSpkg.dll
2014-05-30 08:08:47 340992 ----a-w- C:\windows\System32\schannel.dll
2014-05-30 08:08:41 314880 ----a-w- C:\windows\System32\msv1_0.dll
2014-05-30 08:08:41 307200 ----a-w- C:\windows\System32\ncrypt.dll
2014-05-30 08:08:36 728064 ----a-w- C:\windows\System32\kerberos.dll
2014-05-30 08:08:31 22016 ----a-w- C:\windows\System32\credssp.dll
2014-05-30 07:52:51 172032 ----a-w- C:\windows\SysWow64\wdigest.dll
2014-05-30 07:52:49 65536 ----a-w- C:\windows\SysWow64\TSpkg.dll
2014-05-30 07:52:45 247808 ----a-w- C:\windows\SysWow64\schannel.dll
2014-05-30 07:52:41 220160 ----a-w- C:\windows\SysWow64\ncrypt.dll
2014-05-30 07:52:40 259584 ----a-w- C:\windows\SysWow64\msv1_0.dll
2014-05-30 07:52:36 550912 ----a-w- C:\windows\SysWow64\kerberos.dll
2014-05-30 07:52:30 17408 ----a-w- C:\windows\SysWow64\credssp.dll
2014-05-21 23:56:00 207301 ----a-w- C:\ProgramData\1400715025.bdinstall.bin
2014-05-16 21:49:34 5 ----a-w- C:\windows\SysWow64\lMMLDeleteUserData42107612FX.tmp
2014-05-12 11:26:10 63704 ----a-w- C:\windows\System32\drivers\mwac.sys
2014-05-12 11:25:56 25816 ----a-w- C:\windows\System32\drivers\mbam.sys
.
============= FINISH:  0:28:20.33 ===============
 


Also, I know there was that 'GoogleUpdate' virus going around with the Search Conduit. I thought at one point maybe I had that too? 

Edited by hamluis, 31 July 2014 - 06:30 AM.
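As an added triage example (not part of this post and not code from the DDS tool): a small Python parser for the SERVICES / DRIVERS section of a DDS log like the one pasted above. It flags services that are still registered but whose image file DDS reported as missing (the "-->" form ending in "[?]"), which is the kind of entry a malware helper checks when hunting for leftovers; a missing image is a lead, not proof of malware. The column meanings (R/S = running/stopped, the digit = Windows service start type, bracketed date and size) are assumptions inferred from the log's shape, and the sample lines are a constructed excerpt.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Assumptions about the DDS line format (inferred from the log's shape):
  <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
where R = running, S = stopped, the digit is the Windows start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled), and an image DDS could
not find is written as "<path> --> <path> [?]".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the log above (a handful of its lines).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\windows\System32\drivers\amd_sata.sys [2011-10-5 75904]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-7-1 50344]
S2 Auth Service;Auth Service;C:\windows\System32\authServer.exe --> C:\windows\System32\authServer.exe [?]
S3 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2011-10-5 57216]
.
=============== Created Last 30 ================
"""

ENTRY_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
IMAGE_RE = re.compile(r"^(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start_type: int       # 0..4, Windows SCM start type (assumed meaning)
    name: str
    display: str
    path: str
    date: Optional[str]   # None when DDS could not find the image
    size: Optional[int]
    image_found: bool


def services_section(text: str) -> List[str]:
    """Return the raw lines between the SERVICES / DRIVERS header and the next header."""
    out, inside = [], False
    for line in text.splitlines():
        if line.startswith("="):
            if "SERVICES / DRIVERS" in line:
                inside = True
                continue
            if inside:
                break
        elif inside:
            out.append(line)
    return out


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; returns None for separators such as '.'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, tail = m.groups()
    if tail.endswith("[?]") and " --> " in tail:
        # DDS repeats the registry ImagePath after "-->" and marks it [?] when absent.
        return ServiceEntry(state, int(start), name, display,
                            tail.split(" --> ")[0], None, None, False)
    img = IMAGE_RE.match(tail)
    if not img:
        return None
    return ServiceEntry(state, int(start), name, display, img["path"],
                        img["date"], int(img["size"]), True)


def parse_services(text: str) -> List[ServiceEntry]:
    entries = [parse_entry(line) for line in services_section(text)]
    return [e for e in entries if e is not None]


def find_missing_images(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registered services whose executable no longer exists: leftover candidates."""
    return [e for e in entries if not e.image_found]


def summarize(entries: List[ServiceEntry]) -> Dict[str, int]:
    """Counts a helper would glance at first: auto-start and missing-image entries."""
    return {
        "total": len(entries),
        "running": sum(e.state == "R" for e in entries),
        "autostart": sum(e.start_type <= 2 for e in entries),
        "missing_image": len(find_missing_images(entries)),
    }


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    print(summarize(parsed))
    for e in find_missing_images(parsed):
        print(f"MISSING IMAGE: {e.name!r} ({e.state}{e.start_type}) -> {e.path}")
```

Feed it the full DDS.log text instead of SAMPLE_LOG to list every entry whose file is gone; entries in the Running Processes or Created Last 30 sections are ignored because only the services section is parsed.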



#2 Machiavelli (Agent 007, Malware Response Instructor, 3,888 posts, Germany)

Posted 04 August 2014 - 10:38 AM

Hello and Welcome to BleepingComputer Jean91,

My name is Machiavelli and I will assist you with your problem. The fixes are specific to your problem and should only be used for the issue on your machine!

I'm in the 'Malware Staff Team' and will provide you with advice:
Removing malware from a computer can be very complicated. Malware (malicious software) is able to hide, so I may not be able to find it easily. In order to remove malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do, just ask me! Please stay in contact with me until the problem is fixed.

You must reply to posts within days. If you haven't replied within 4 days, your topic will be closed. If you go away for some time, please let me know. Communication is an important part here! If you are unsure about something - STOP - and ask me. No need to be afraid of asking; better to ask than to make a mistake. Mistakes can lead to an unbootable PC! I would recommend following the topic by clicking on the Follow this topic button; you will get notified when I have replied to your topic.
 

Below are a few tips:
  • Removing malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient, especially if I don't answer every day!
  • Please follow these instructions.
    If you don't follow the instructions, your computer may crash. Fixing your PC by yourself can be very risky!
  • Please stay in contact with me until your problem is resolved.
    As malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting me, as this can complicate finding and removing all malware.
    Don't run any tools while I'm fixing your PC. That is counterproductive and, again, will only complicate finding and removing all malware!
  • Read my post completely.
    If you don't, you may make mistakes that could result in your system crashing by your own actions!
 

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them from inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8, right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt, will open.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of both logs into your next post.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#3 Jean91 (Topic Starter, Members, 115 posts)

Posted 04 August 2014 - 10:50 AM

Thanks again!

 

Step 1)

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-08-2014
Ran by Aram (administrator) on ARAM-PC on 04-08-2014 11:44:01
Running from C:\Users\Aram\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
() C:\Users\Aram\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ooVoo LLC) C:\Program Files (x86)\oovoo\ooVoo.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\nacl64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\nacl64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Aram\Desktop\111Farbar64.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2588456 2010-11-11] (ELAN Microelectronics Corp.)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-05-17] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [972672 2011-04-27] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-06-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [596912 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-06-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-11] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] => C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe [3218864 2011-06-22] (Toshiba)
HKLM-x32\...\Run: [ToshibaAppPlace] => C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-03] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [Covenant Eyes] => C:\Program Files (x86)\CE\CovenantEyes.exe [7104504 2014-01-28] ()
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-07-29] (AVAST Software)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [Livedrive] => C:\Program Files (x86)\Livedrive\Livedrive.exe [1798144 2013-03-14] (Livedrive Internet Ltd)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [Spotify Web Helper] => C:\Users\Aram\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [932528 2012-05-07] ()
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [Facebook Update] => C:\Users\Aram\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2012-07-27] (Facebook Inc.)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [Unified Remote v2] => C:\Program Files (x86)\Unified Remote\RemoteServer.exe
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [21444224 2014-05-08] (Skype Technologies S.A.)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-10-05] (Google Inc.)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [Akamai NetSession Interface] => "C:\Users\Aram\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [GoogleChromeAutoLaunch_93C7F2831C5ACD16136107BA35FA3025] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [841032 2014-05-07] (Google Inc.)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\Run: [ooVoo.exe] => C:\program files (x86)\oovoo\oovoo.exe [36247104 2014-03-25] (ooVoo LLC)
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\MountPoints2: E - E:\HTC_Sync_Manager_PC.exe
Startup: C:\Users\Aram\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Aram\AppData\Roaming\Dropbox\bin\Dropbox.exe ()
Startup: C:\Users\Aram\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: BackupOverlay -> {B44A5D93-1351-41A1-BD91-5E92435D8ECD} => C:\Program Files (x86)\Livedrive\Extensions.dll (Livedrive Internet Ltd)
ShellIconOverlayIdentifiers: EldosIconOverlay -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: LivedriveDownloadOverlay -> {CBCDB610-6B68-4EE9-B7A2-1282FD0C9292} => C:\Program Files (x86)\Livedrive\Extensions.dll (Livedrive Internet Ltd)
ShellIconOverlayIdentifiers: LivedriveSharedOverlay -> {84CEF1E4-1356-4063-845F-05047F4DD52C} => C:\Program Files (x86)\Livedrive\Extensions.dll (Livedrive Internet Ltd)
ShellIconOverlayIdentifiers: LivedriveSyncedOverlay -> {42058329-2FBF-4B33-8E52-3BE5754DE0C1} => C:\Program Files (x86)\Livedrive\Extensions.dll (Livedrive Internet Ltd)
ShellIconOverlayIdentifiers: LivedriveUploadOverlay -> {39A1715A-E4CD-4F1E-B5C4-36B5DB80124E} => C:\Program Files (x86)\Livedrive\Extensions.dll (Livedrive Internet Ltd)
ShellIconOverlayIdentifiers-x32: EldosIconOverlay -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\SysWOW64\CbFsMntNtf3.dll (EldoS Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.toshiba.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - DefaultScope value is missing.
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: BrowserHelper Class -> {EDF48A39-1442-463F-9F4E-F376A78D034A} -> C:\Program Files (x86)\Livedrive\ExplorerExtensions.dll (Livedrive Internet Ltd)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Covenant Eyes for Internet Explorer -> {927BD2E1-2287-49D2-AE71-95F492CE662E} -> C:\Program Files (x86)\CE\extensions\ie\x86\ceie-0.7.2.dll (Covenant Eyes)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @Musicnotes.com/Musicnotes Viewer -> C:\Program Files\Musicnotes\npmusicn64.dll (Musicnotes, Inc.)
FF Plugin: @Skype Technologies S.A..com/Skype Web Plugin -> C:\Program Files (x86)\SkypeWebPlugin\npSkypeWebPlugin64.dll (Skype)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @Musicnotes.com/Musicnotes Viewer -> C:\Program Files (x86)\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF Plugin-x32: @Sibelius.com/Scorch Plugin -> C:\Program Files (x86)\Musicnotes\npsibelius.dll ()
FF Plugin-x32: @Skype Technologies S.A..com/Skype Web Plugin -> C:\Program Files (x86)\SkypeWebPlugin\npSkypeWebPlugin.dll (Skype)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Aram\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Users\Aram\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Users\Aram\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Aram\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Aram\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Aram\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Aram\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF HKLM-x32\...\Firefox\Extensions: [firefox-integrated-extension@covenanteyes.com] - C:\Program Files (x86)\CE\extensions\firefox\firefox-integrated-extension@covenanteyes.com
FF Extension: Covenant Eyes for Firefox - C:\Program Files (x86)\CE\extensions\firefox\firefox-integrated-extension@covenanteyes.com [2014-03-15]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-06-10]
 
Chrome: 
=======
CHR HomePage: hxxp://google.com/
CHR StartupUrls: "hxxp://mysearch.avg.com/?cid={DE2A4FBB-BBF9-4DA8-AE44-C2C86F235237}&mid=3a7addbb839847d38884b91405ff9fb6-8c46a7115d5de0210b90ec9655a39df44ede3231&lang=en&ds=AVG&pr=pr&d=2013-03-15 12:17:56&v=17.0.2.13&pid=safeguard&sg=0&sap=hp|hxxp://www.aol.com/?icid=acm50mtmhpgreetingdetect|hxxp://www.aol.com/?icid=acm50mtmhpgreetingdetect|hxxp://www.aol.com/?icid=acm50mtmhpgreetingdetect|hxxp://www.aol.com/?icid=acm50mtmhpgreetingdetect", "hxxp://www.aol.com/?icid=acm50mtmhpgreetingdetect", "https://www.google.com/"
CHR Extension: (Oovoo Toolbar) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaainelhcgoinheohbeolppeofibjlh [2013-08-26]
CHR Extension: (YouTube) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-17]
CHR Extension: (Google Search) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-17]
CHR Extension: (Grooveshark Remote) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbpifhknilaflibiifjhhofddbbchmhh [2012-12-15]
CHR Extension: (avast! Online Security) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-17]
CHR Extension: (Skype Click to Call) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-06-19]
CHR Extension: (Google Wallet) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-05]
CHR Extension: (Gmail) - C:\Users\Aram\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-17]
CHR HKLM-x32\...\Chrome\Extension: [aaaainelhcgoinheohbeolppeofibjlh] - C:\ProgramData\AskPartnerNetwork\Toolbar\OVO2V7\CRX\ToolbarCR.crx [2011-12-17]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-07-01]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-01]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [65432 2013-12-18] () [File not signed]
S2 Auth Service; C:\windows\SysWOW64\authServer.exe [4446712 2014-01-28] () [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-07-01] (AVAST Software)
S2 CovenantEyesCommService; C:\Program Files (x86)\CE\CovenantEyesCommService.exe [4533240 2014-01-28] () [File not signed]
S2 CovenantEyesProxy; C:\Program Files\CE\CovenantEyesProxy.exe [5346296 2014-01-28] () [File not signed]
S2 gupdate; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2011-10-05] () [File not signed]
S3 gupdatem; C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176 2011-10-05] () [File not signed]
S2 LivedriveVSSService; C:\Program Files (x86)\Livedrive\VSSService.exe [210584 2013-03-14] ()
S2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\SymcPCCULaunchSvc.exe [123320 2012-12-26] () [File not signed]
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.13.11\ccSvcHst.exe [126392 2011-07-19] (Symantec Corporation)
S3 sftvsa; C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [207528 2013-06-26] () [File not signed]
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] () [File not signed]
S3 gusvc; "C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-01] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-01] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-01] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-01] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-01] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-04] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-01] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-01] ()
R1 CbFs; C:\windows\system32\drivers\cbfs.sys [191960 2010-02-16] (EldoS Corporation)
R1 cbfs3; C:\windows\system32\drivers\cbfs3.sys [352008 2012-11-10] (EldoS Corporation)
U3 TrueSight; C:\Windows\SysWOW64\drivers\TrueSight.sys [29160 2014-07-18] ()
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-07-09] (Apple, Inc.) [File not signed]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-04 11:44 - 2014-08-04 11:45 - 00023366 _____ () C:\Users\Aram\Desktop\FRST.txt
2014-08-04 11:43 - 2014-08-04 11:44 - 00000000 ____D () C:\FRST
2014-08-04 11:40 - 2014-08-04 11:40 - 02094080 _____ (Farbar) C:\Users\Aram\Desktop\111Farbar64.exe
2014-08-03 23:01 - 2014-08-03 23:05 - 00000000 ____D () C:\Users\Aram\Documents\My Media
2014-08-03 23:01 - 2014-08-03 23:01 - 00000000 ____D () C:\Users\Aram\AppData\Roaming\OverDrive
2014-08-03 22:59 - 2014-08-03 22:59 - 00002525 _____ () C:\Users\Public\Desktop\OverDrive Media Console.lnk
2014-08-03 22:59 - 2014-08-03 22:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OverDrive Media Console
2014-08-03 22:59 - 2014-08-03 22:59 - 00000000 ____D () C:\Program Files (x86)\OverDrive Media Console
2014-07-31 00:42 - 2014-07-31 00:42 - 00012731 _____ () C:\Users\Aram\Desktop\11Attach.txt
2014-07-31 00:28 - 2014-07-31 00:28 - 00024379 _____ () C:\Users\Aram\Desktop\dds.txt
2014-07-31 00:24 - 2014-07-31 00:25 - 00688992 ____R (Swearware) C:\Users\Aram\Desktop\dds11.com
2014-07-30 23:17 - 2014-07-30 23:21 - 00002166 _____ () C:\Users\Aram\Desktop\Rkill.txt
2014-07-30 22:35 - 2014-07-30 22:35 - 01942776 _____ (Bleeping Computer, LLC) C:\Users\Aram\Desktop\rkill11.exe
2014-07-30 22:28 - 2014-07-30 23:11 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-07-30 22:27 - 2014-07-30 23:11 - 00000000 ____D () C:\Users\Aram\Desktop\mbar
2014-07-30 22:26 - 2014-07-30 22:27 - 14349744 _____ (Malwarebytes Corp.) C:\Users\Aram\Desktop\mbar-1.07.0.1012.exe
2014-07-30 22:25 - 2014-07-30 22:25 - 00001060 _____ () C:\Users\Aram\Desktop\MBAM TXT 1.txt
2014-07-30 21:33 - 2014-07-30 21:34 - 00042715 _____ () C:\Users\Aram\Desktop\Result.txt
2014-07-30 21:32 - 2014-07-30 21:32 - 00401920 _____ (Farbar) C:\Users\Aram\Desktop\MiniToolBox (1).exe
2014-07-30 21:20 - 2014-07-30 21:26 - 00002700 _____ () C:\Users\Aram\Desktop\FSS.txt
2014-07-30 21:20 - 2014-07-30 21:20 - 00415232 _____ (Farbar) C:\Users\Aram\Desktop\FSS1.exe
2014-07-30 21:01 - 2014-07-30 21:01 - 00854390 _____ () C:\Users\Aram\Documents\SecurityCheck.exe
2014-07-30 14:46 - 2014-07-30 14:46 - 00000000 ____D () C:\Users\Aram\AppData\Local\{28E1D9EA-3524-4A4A-8C6A-9647246915F2}
2014-07-29 16:17 - 2014-07-29 16:24 - 00274561 _____ () C:\Users\Aram\Desktop\TCM-WeeklyHouseholdPlanner-2014-TEXT.txt
2014-07-25 22:00 - 2014-07-25 22:00 - 00000767 _____ () C:\Users\Public\Desktop\Speccy.lnk
2014-07-25 22:00 - 2014-07-25 22:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2014-07-25 22:00 - 2014-07-25 22:00 - 00000000 ____D () C:\Program Files\Speccy
2014-07-25 21:59 - 2014-07-25 21:59 - 04890736 _____ (Piriform Ltd) C:\Users\Aram\Desktop\spsetup126.exe
2014-07-24 13:52 - 2014-07-24 13:52 - 00334136 _____ () C:\Users\Aram\Desktop\MiniToolBox.exe
2014-07-22 14:24 - 2014-07-22 14:24 - 00001220 _____ () C:\DelFix.txt
2014-07-22 10:47 - 2014-07-22 10:47 - 00000360 _____ () C:\Users\Aram\Desktop\CheckSUR.persist.zip
2014-07-22 10:08 - 2014-07-22 10:08 - 00000000 ____D () C:\windows\CheckSur
2014-07-22 09:58 - 2014-07-22 10:05 - 551293744 _____ () C:\Users\Aram\Desktop\Windows6.1-KB947821-v33-x64.msu
2014-07-22 08:28 - 2014-07-22 08:28 - 18354176 _____ () C:\Users\Aram\Desktop\CBS.zip
2014-07-22 08:27 - 2014-07-22 08:27 - 00000000 ____D () C:\Users\Aram\Desktop\CBS
2014-07-21 17:34 - 2014-07-21 17:34 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-21 15:44 - 2014-07-21 15:44 - 00000000 ____D () C:\windows\ERUNT
2014-07-21 15:40 - 2014-07-21 15:40 - 00001063 _____ () C:\Users\Aram\Desktop\MBAM TEXT 11.txt
2014-07-21 15:03 - 2014-07-21 15:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware2
2014-07-21 15:03 - 2014-07-21 15:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware2
2014-07-21 15:02 - 2014-07-21 15:02 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Aram\Desktop\mbam-setup-2.0.2.1012.exe
2014-07-21 13:24 - 2014-07-21 13:24 - 00001758 _____ () C:\Users\Aram\Desktop\first reply -MBAM 2.txt
2014-07-21 13:22 - 2014-07-21 13:38 - 00001158 _____ () C:\Users\Aram\Desktop\first reply - MBAM.txt
2014-07-21 12:05 - 2014-07-21 12:05 - 00001937 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-07-18 15:25 - 2014-07-18 15:25 - 00001754 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-07-18 15:25 - 2014-07-18 15:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-07-18 15:24 - 2014-07-18 15:25 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-07-18 15:24 - 2014-07-18 15:25 - 00000000 ____D () C:\Program Files\iTunes
2014-07-18 15:24 - 2014-07-18 15:25 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-07-18 15:24 - 2014-07-18 15:24 - 00000000 ____D () C:\Program Files\iPod
2014-07-18 15:15 - 2014-07-18 15:15 - 00000000 ____D () C:\Program Files\Bonjour
2014-07-18 15:15 - 2014-07-18 15:15 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-07-18 14:02 - 2014-07-18 14:02 - 00029160 _____ () C:\windows\SysWOW64\Drivers\TrueSight.sys
2014-07-18 14:02 - 2014-07-18 14:02 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-07-18 13:48 - 2014-07-31 00:28 - 00012731 _____ () C:\Users\Aram\Desktop\attach.txt
2014-07-18 13:42 - 2014-07-18 13:42 - 00000895 _____ () C:\Users\Aram\Desktop\NTREGOPT.lnk
2014-07-18 13:42 - 2014-07-18 13:42 - 00000876 _____ () C:\Users\Aram\Desktop\ERUNT.lnk
2014-07-18 13:42 - 2014-07-18 13:42 - 00000000 ____D () C:\windows\ERDNT
2014-07-18 13:42 - 2014-07-18 13:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2014-07-18 13:42 - 2014-07-18 13:42 - 00000000 ____D () C:\Program Files (x86)\ERUNT
2014-07-18 13:37 - 2014-07-18 13:37 - 00791393 _____ (Lars Hederer ) C:\Users\Aram\Desktop\erunt-setup.exe
2014-07-16 00:27 - 2014-07-16 00:27 - 00000000 ____D () C:\2bc435ae47c72b6532724336
2014-07-15 23:20 - 2014-07-15 23:20 - 00007601 _____ () C:\Users\Aram\AppData\Local\Resmon.ResmonCfg
2014-07-15 09:06 - 2014-07-15 09:06 - 00000000 ____D () C:\e29219525bf1ca3c1e9995
2014-07-14 16:55 - 2014-07-14 16:56 - 00002151 _____ () C:\Users\Aram\gp.txt
2014-07-11 09:32 - 2014-05-30 02:45 - 00497152 _____ (Microsoft Corporation) C:\windows\system32\Drivers\afd.sys
2014-07-10 12:27 - 2014-06-17 22:18 - 00692736 _____ (Microsoft Corporation) C:\windows\system32\osk.exe
2014-07-10 12:27 - 2014-06-17 21:51 - 00646144 _____ (Microsoft Corporation) C:\windows\SysWOW64\osk.exe
2014-07-10 12:27 - 2014-06-17 21:10 - 03157504 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2014-07-10 12:27 - 2014-06-06 06:10 - 00624128 _____ (Microsoft Corporation) C:\windows\system32\qedit.dll
2014-07-10 12:27 - 2014-06-06 05:44 - 00509440 _____ (Microsoft Corporation) C:\windows\SysWOW64\qedit.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00340992 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00307200 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2014-07-10 12:27 - 2014-05-30 04:08 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00247808 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00220160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2014-07-10 12:27 - 2014-05-30 03:52 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2014-07-10 12:25 - 2014-06-29 22:09 - 00519168 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-07-10 12:25 - 2014-06-29 22:04 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-07-10 12:25 - 2014-06-20 16:14 - 00266424 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-07-10 12:25 - 2014-06-18 21:06 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-07-10 12:25 - 2014-06-18 20:41 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-07-10 12:25 - 2014-06-18 20:31 - 00033792 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-07-10 12:25 - 2014-06-18 20:16 - 17276416 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-07-10 12:25 - 2014-06-18 19:59 - 00038400 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-07-10 12:25 - 2014-06-18 19:56 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-07-10 12:25 - 2014-06-18 19:36 - 00051200 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-07-10 12:25 - 2014-06-18 19:28 - 00032768 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-07-10 12:25 - 2014-06-18 19:22 - 00592896 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-07-10 12:25 - 2014-06-18 19:12 - 00367616 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-07-10 12:25 - 2014-06-18 19:06 - 00032256 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-07-10 12:25 - 2014-06-18 18:59 - 00069632 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-07-10 12:25 - 2014-06-18 18:49 - 00526336 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-07-10 12:25 - 2014-06-18 18:09 - 01139200 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-07-10 12:24 - 2014-06-20 15:39 - 00240824 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-07-10 12:24 - 2014-06-18 21:39 - 23464448 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-07-10 12:24 - 2014-06-18 21:06 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-07-10 12:24 - 2014-06-18 20:48 - 02768384 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-07-10 12:24 - 2014-06-18 20:42 - 00548352 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-07-10 12:24 - 2014-06-18 20:42 - 00066048 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-07-10 12:24 - 2014-06-18 20:41 - 00083968 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-07-10 12:24 - 2014-06-18 20:32 - 00051200 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-07-10 12:24 - 2014-06-18 20:26 - 00598016 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-07-10 12:24 - 2014-06-18 20:24 - 00139264 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-07-10 12:24 - 2014-06-18 20:24 - 00111616 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-07-10 12:24 - 2014-06-18 20:23 - 00752640 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-07-10 12:24 - 2014-06-18 20:14 - 00940032 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-07-10 12:24 - 2014-06-18 20:09 - 00452608 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-07-10 12:24 - 2014-06-18 19:53 - 00195584 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-07-10 12:24 - 2014-06-18 19:51 - 05721088 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-07-10 12:24 - 2014-06-18 19:50 - 00085504 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-07-10 12:24 - 2014-06-18 19:48 - 00292864 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-07-10 12:24 - 2014-06-18 19:39 - 00608768 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-07-10 12:24 - 2014-06-18 19:38 - 00455168 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-07-10 12:24 - 2014-06-18 19:37 - 00061952 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-07-10 12:24 - 2014-06-18 19:35 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-07-10 12:24 - 2014-06-18 19:33 - 00631808 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-07-10 12:24 - 2014-06-18 19:32 - 02179072 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-07-10 12:24 - 2014-06-18 19:28 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-07-10 12:24 - 2014-06-18 19:27 - 02040832 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-07-10 12:24 - 2014-06-18 19:27 - 01249280 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-07-10 12:24 - 2014-06-18 19:25 - 00442368 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-07-10 12:24 - 2014-06-18 19:23 - 00112128 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-07-10 12:24 - 2014-06-18 19:01 - 00164864 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-07-10 12:24 - 2014-06-18 18:58 - 02266112 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-07-10 12:24 - 2014-06-18 18:58 - 00239616 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-07-10 12:24 - 2014-06-18 18:52 - 04254720 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-07-10 12:24 - 2014-06-18 18:51 - 13527040 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-07-10 12:24 - 2014-06-18 18:46 - 01068032 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-07-10 12:24 - 2014-06-18 18:45 - 01964544 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-07-10 12:24 - 2014-06-18 18:35 - 11742208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-07-10 12:24 - 2014-06-18 18:34 - 01393664 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-07-10 12:24 - 2014-06-18 18:15 - 00846336 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-07-10 12:24 - 2014-06-18 18:13 - 01791488 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-07-10 12:24 - 2014-06-18 18:07 - 00704512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-07-10 12:02 - 2014-06-05 10:45 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-07-10 12:02 - 2014-06-05 10:26 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2014-07-10 12:02 - 2014-06-05 10:25 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-04 11:45 - 2014-08-04 11:44 - 00023366 _____ () C:\Users\Aram\Desktop\FRST.txt
2014-08-04 11:44 - 2014-08-04 11:43 - 00000000 ____D () C:\FRST
2014-08-04 11:40 - 2014-08-04 11:40 - 02094080 _____ (Farbar) C:\Users\Aram\Desktop\111Farbar64.exe
2014-08-04 11:38 - 2014-06-24 11:41 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-08-04 11:13 - 2013-10-01 19:11 - 00000904 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390040317-3028383122-884077495-1000UA.job
2014-08-04 11:04 - 2011-10-05 00:59 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-04 11:03 - 2012-07-27 01:58 - 00000924 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1390040317-3028383122-884077495-1000UA.job
2014-08-04 10:59 - 2011-10-04 23:50 - 01072516 _____ () C:\windows\WindowsUpdate.log
2014-08-04 08:29 - 2011-10-05 00:59 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-03 23:17 - 2009-07-14 00:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-03 23:17 - 2009-07-14 00:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-03 23:12 - 2011-10-06 20:38 - 00000000 ____D () C:\Users\Aram\AppData\Local\VirtualStore
2014-08-03 23:11 - 2012-02-17 02:39 - 00000000 ____D () C:\Users\Aram\AppData\Roaming\Skype
2014-08-03 23:10 - 2011-10-07 01:23 - 00000000 ____D () C:\Users\Aram\AppData\Local\CrashDumps
2014-08-03 23:09 - 2014-05-03 17:44 - 00005724 _____ () C:\windows\setupact.log
2014-08-03 23:09 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-08-03 23:05 - 2014-08-03 23:01 - 00000000 ____D () C:\Users\Aram\Documents\My Media
2014-08-03 23:03 - 2012-07-27 01:58 - 00000902 _____ () C:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1390040317-3028383122-884077495-1000Core.job
2014-08-03 23:01 - 2014-08-03 23:01 - 00000000 ____D () C:\Users\Aram\AppData\Roaming\OverDrive
2014-08-03 22:59 - 2014-08-03 22:59 - 00002525 _____ () C:\Users\Public\Desktop\OverDrive Media Console.lnk
2014-08-03 22:59 - 2014-08-03 22:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OverDrive Media Console
2014-08-03 22:59 - 2014-08-03 22:59 - 00000000 ____D () C:\Program Files (x86)\OverDrive Media Console
2014-08-03 16:13 - 2013-10-01 19:11 - 00000852 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390040317-3028383122-884077495-1000Core.job
2014-08-02 16:21 - 2012-05-18 01:01 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-08-02 16:21 - 2012-05-18 01:01 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-08-02 14:34 - 2014-06-10 22:10 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-31 00:42 - 2014-07-31 00:42 - 00012731 _____ () C:\Users\Aram\Desktop\11Attach.txt
2014-07-31 00:28 - 2014-07-31 00:28 - 00024379 _____ () C:\Users\Aram\Desktop\dds.txt
2014-07-31 00:28 - 2014-07-18 13:48 - 00012731 _____ () C:\Users\Aram\Desktop\attach.txt
2014-07-31 00:25 - 2014-07-31 00:24 - 00688992 ____R (Swearware) C:\Users\Aram\Desktop\dds11.com
2014-07-30 23:21 - 2014-07-30 23:17 - 00002166 _____ () C:\Users\Aram\Desktop\Rkill.txt
2014-07-30 23:11 - 2014-07-30 22:28 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-07-30 23:11 - 2014-07-30 22:27 - 00000000 ____D () C:\Users\Aram\Desktop\mbar
2014-07-30 22:35 - 2014-07-30 22:35 - 01942776 _____ (Bleeping Computer, LLC) C:\Users\Aram\Desktop\rkill11.exe
2014-07-30 22:27 - 2014-07-30 22:26 - 14349744 _____ (Malwarebytes Corp.) C:\Users\Aram\Desktop\mbar-1.07.0.1012.exe
2014-07-30 22:27 - 2014-06-10 22:09 - 00092888 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-07-30 22:25 - 2014-07-30 22:25 - 00001060 _____ () C:\Users\Aram\Desktop\MBAM TXT 1.txt
2014-07-30 21:34 - 2014-07-30 21:33 - 00042715 _____ () C:\Users\Aram\Desktop\Result.txt
2014-07-30 21:32 - 2014-07-30 21:32 - 00401920 _____ (Farbar) C:\Users\Aram\Desktop\MiniToolBox (1).exe
2014-07-30 21:26 - 2014-07-30 21:20 - 00002700 _____ () C:\Users\Aram\Desktop\FSS.txt
2014-07-30 21:20 - 2014-07-30 21:20 - 00415232 _____ (Farbar) C:\Users\Aram\Desktop\FSS1.exe
2014-07-30 21:01 - 2014-07-30 21:01 - 00854390 _____ () C:\Users\Aram\Documents\SecurityCheck.exe
2014-07-30 14:46 - 2014-07-30 14:46 - 00000000 ____D () C:\Users\Aram\AppData\Local\{28E1D9EA-3524-4A4A-8C6A-9647246915F2}
2014-07-30 12:33 - 2014-06-10 22:08 - 00004182 _____ () C:\windows\System32\Tasks\avast! Emergency Update
2014-07-29 22:59 - 2011-10-06 20:38 - 00000000 ____D () C:\Users\Aram
2014-07-29 16:24 - 2014-07-29 16:17 - 00274561 _____ () C:\Users\Aram\Desktop\TCM-WeeklyHouseholdPlanner-2014-TEXT.txt
2014-07-27 12:08 - 2012-05-18 01:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-07-25 23:57 - 2009-07-14 01:13 - 00783464 _____ () C:\windows\system32\PerfStringBackup.INI
2014-07-25 22:00 - 2014-07-25 22:00 - 00000767 _____ () C:\Users\Public\Desktop\Speccy.lnk
2014-07-25 22:00 - 2014-07-25 22:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2014-07-25 22:00 - 2014-07-25 22:00 - 00000000 ____D () C:\Program Files\Speccy
2014-07-25 21:59 - 2014-07-25 21:59 - 04890736 _____ (Piriform Ltd) C:\Users\Aram\Desktop\spsetup126.exe
2014-07-24 13:52 - 2014-07-24 13:52 - 00334136 _____ () C:\Users\Aram\Desktop\MiniToolBox.exe
2014-07-23 10:52 - 2010-11-20 23:27 - 00270496 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-07-22 14:24 - 2014-07-22 14:24 - 00001220 _____ () C:\DelFix.txt
2014-07-22 10:47 - 2014-07-22 10:47 - 00000360 _____ () C:\Users\Aram\Desktop\CheckSUR.persist.zip
2014-07-22 10:08 - 2014-07-22 10:08 - 00000000 ____D () C:\windows\CheckSur
2014-07-22 10:05 - 2014-07-22 09:58 - 551293744 _____ () C:\Users\Aram\Desktop\Windows6.1-KB947821-v33-x64.msu
2014-07-22 08:28 - 2014-07-22 08:28 - 18354176 _____ () C:\Users\Aram\Desktop\CBS.zip
2014-07-22 08:27 - 2014-07-22 08:27 - 00000000 ____D () C:\Users\Aram\Desktop\CBS
2014-07-21 17:34 - 2014-07-21 17:34 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-07-21 17:03 - 2014-03-15 22:41 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-07-21 16:58 - 2009-07-13 23:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2014-07-21 15:44 - 2014-07-21 15:44 - 00000000 ____D () C:\windows\ERUNT
2014-07-21 15:40 - 2014-07-21 15:40 - 00001063 _____ () C:\Users\Aram\Desktop\MBAM TEXT 11.txt
2014-07-21 15:03 - 2014-07-21 15:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware2
2014-07-21 15:03 - 2014-07-21 15:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware2
2014-07-21 15:03 - 2014-06-17 15:27 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-21 15:02 - 2014-07-21 15:02 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Aram\Desktop\mbam-setup-2.0.2.1012.exe
2014-07-21 14:54 - 2014-05-16 16:10 - 00052790 _____ () C:\windows\PFRO.log
2014-07-21 13:38 - 2014-07-21 13:22 - 00001158 _____ () C:\Users\Aram\Desktop\first reply - MBAM.txt
2014-07-21 13:24 - 2014-07-21 13:24 - 00001758 _____ () C:\Users\Aram\Desktop\first reply -MBAM 2.txt
2014-07-21 12:05 - 2014-07-21 12:05 - 00001937 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-07-21 12:05 - 2014-06-10 22:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast
2014-07-18 15:25 - 2014-07-18 15:25 - 00001754 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-07-18 15:25 - 2014-07-18 15:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-07-18 15:25 - 2014-07-18 15:24 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-07-18 15:25 - 2014-07-18 15:24 - 00000000 ____D () C:\Program Files\iTunes
2014-07-18 15:25 - 2014-07-18 15:24 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-07-18 15:24 - 2014-07-18 15:24 - 00000000 ____D () C:\Program Files\iPod
2014-07-18 15:15 - 2014-07-18 15:15 - 00000000 ____D () C:\Program Files\Bonjour
2014-07-18 15:15 - 2014-07-18 15:15 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2014-07-18 14:02 - 2014-07-18 14:02 - 00029160 _____ () C:\windows\SysWOW64\Drivers\TrueSight.sys
2014-07-18 14:02 - 2014-07-18 14:02 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-07-18 13:42 - 2014-07-18 13:42 - 00000895 _____ () C:\Users\Aram\Desktop\NTREGOPT.lnk
2014-07-18 13:42 - 2014-07-18 13:42 - 00000876 _____ () C:\Users\Aram\Desktop\ERUNT.lnk
2014-07-18 13:42 - 2014-07-18 13:42 - 00000000 ____D () C:\windows\ERDNT
2014-07-18 13:42 - 2014-07-18 13:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2014-07-18 13:42 - 2014-07-18 13:42 - 00000000 ____D () C:\Program Files (x86)\ERUNT
2014-07-18 13:37 - 2014-07-18 13:37 - 00791393 _____ (Lars Hederer ) C:\Users\Aram\Desktop\erunt-setup.exe
2014-07-17 12:22 - 2013-05-02 15:58 - 00000000 ____D () C:\Program Files (x86)\Livedrive
2014-07-16 00:27 - 2014-07-16 00:27 - 00000000 ____D () C:\2bc435ae47c72b6532724336
2014-07-16 00:07 - 2014-06-10 16:05 - 00000000 ____D () C:\windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
2014-07-16 00:07 - 2011-10-07 00:25 - 00000000 ____D () C:\Program Files (x86)\Microsoft Application Virtualization Client
2014-07-16 00:07 - 2011-10-05 00:59 - 00000000 ____D () C:\Program Files (x86)\Google
2014-07-15 23:20 - 2014-07-15 23:20 - 00007601 _____ () C:\Users\Aram\AppData\Local\Resmon.ResmonCfg
2014-07-15 17:44 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\rescache
2014-07-15 09:42 - 2013-07-23 20:29 - 00000000 ____D () C:\Users\Aram\Documents\Amway
2014-07-15 09:06 - 2014-07-15 09:06 - 00000000 ____D () C:\e29219525bf1ca3c1e9995
2014-07-15 08:35 - 2011-10-07 01:37 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-07-14 16:58 - 2010-11-21 03:17 - 00000000 ____D () C:\Program Files\Windows Journal
2014-07-14 16:56 - 2014-07-14 16:55 - 00002151 _____ () C:\Users\Aram\gp.txt
2014-07-11 16:33 - 2009-07-14 00:45 - 05100296 _____ () C:\windows\system32\FNTCACHE.DAT
2014-07-11 16:30 - 2014-05-09 11:17 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-07-11 16:30 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\SysWOW64\Dism
2014-07-11 16:30 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\Dism
2014-07-11 13:47 - 2013-08-21 16:41 - 00000000 ____D () C:\windows\system32\MRT
2014-07-10 13:35 - 2014-06-24 11:41 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2014-07-10 13:35 - 2014-06-24 11:40 - 00699056 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-07-10 13:35 - 2011-07-21 21:55 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-07-10 11:51 - 2014-03-14 16:25 - 00000000 ___RD () C:\Program Files (x86)\Skype
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-07-28 19:32
 
==================== End Of Log ============================
 
Addition TXT:
 
2010-11-18 20:18 - 2010-11-18 20:18 - 11190784 _____ () C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
2012-05-07 18:57 - 2012-05-07 18:57 - 00932528 _____ () C:\Users\Aram\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
2012-12-07 18:27 - 2012-12-07 18:27 - 00167424 _____ () C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
2011-06-10 00:09 - 2011-06-10 00:09 - 00079784 _____ () C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll
2014-07-01 10:51 - 2014-07-01 10:51 - 00301152 _____ () C:\Program Files\AVAST Software\Avast\aswProperty.dll
2014-08-03 17:50 - 2014-08-03 17:50 - 02795008 _____ () C:\Program Files\AVAST Software\Avast\defs\14080301\algo.dll
2014-08-04 11:43 - 2014-08-04 11:43 - 02795008 _____ () C:\Program Files\AVAST Software\Avast\defs\14080400\algo.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-03 13:19 - 2014-07-03 13:19 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-05-16 15:54 - 2014-05-07 19:29 - 00065352 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\chrome_elf.dll
2014-05-16 15:54 - 2014-05-07 19:29 - 00674632 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\libglesv2.dll
2014-05-16 15:54 - 2014-05-07 19:29 - 00093000 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\libegl.dll
2014-07-01 10:51 - 2014-07-01 10:51 - 19329904 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2014-05-16 15:54 - 2014-05-07 19:29 - 04081480 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\pdf.dll
2014-05-16 15:54 - 2014-05-07 19:29 - 00390472 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\ppGoogleNaClPluginChrome.dll
2014-05-16 15:54 - 2014-05-07 19:29 - 01647432 _____ () C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:B1FBBD09
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cewd64f.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cewd64r.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Auth Service => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cewd64f.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cewd64r.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CovenantEyesCommService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CovenantEyesProxy => ""="service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupreg: Google Update => "C:\Users\Aram\AppData\Local\Google\Update\GoogleUpdate.exe" /c
 
==================== Faulty Device Manager Devices =============
 
Name: Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
Description: Atheros AR8152/8158 PCI-E Fast Ethernet Controller (NDIS 6.20)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Atheros
Service: L1C
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/04/2014 11:46:49 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80004002, No such interface supported
.
 
 
Operation:
   Instantiating VSS server
 
Error: (08/04/2014 11:46:49 AM) (Source: VSS) (EventID: 22) (User: )
Description: Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered.
This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider.
The error returned from CoCreateInstance on class with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and Name IVssCoordinatorEx2 is [0x80004002, No such interface supported
].
 
 
Operation:
   Instantiating VSS server
 
Error: (08/04/2014 08:29:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 26684143
 
Error: (08/04/2014 08:29:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 26684143
 
Error: (08/04/2014 08:29:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/04/2014 08:29:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 26682895
 
Error: (08/04/2014 08:29:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 26682895
 
Error: (08/04/2014 08:29:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/04/2014 01:04:58 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7894
 
Error: (08/04/2014 01:04:58 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 7894
 
 
System errors:
=============
Error: (08/03/2014 11:12:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Toshiba Laptop Checkup Application Launcher service failed to start due to the following error: 
%%216
 
Error: (08/03/2014 11:12:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: 
%%193
 
Error: (08/03/2014 11:12:25 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (08/03/2014 11:10:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error: 
%%1068
 
Error: (08/03/2014 11:10:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Application Virtualization Client service depends on the Application Virtualization Service Agent service which failed to start because of the following error: 
%%193
 
Error: (08/03/2014 11:10:36 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Defender service terminated with the following error: 
%%193
 
Error: (08/03/2014 11:10:33 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Application Virtualization Service Agent service failed to start due to the following error: 
%%193
 
Error: (08/03/2014 11:10:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Livedrive VSS Service service failed to start due to the following error: 
%%1053
 
Error: (08/03/2014 11:10:00 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Livedrive VSS Service service to connect.
 
Error: (08/03/2014 11:09:28 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CovenantEyesProxy service failed to start due to the following error: 
%%216
 
 
Microsoft Office Sessions:
=========================
Error: (08/04/2014 11:46:49 AM) (Source: VSS) (EventID: 8193) (User: )
Description: CoCreateInstance0x80004002, No such interface supported
 
 
Operation:
   Instantiating VSS server
 
Error: (08/04/2014 11:46:49 AM) (Source: VSS) (EventID: 22) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x80004002, No such interface supported
 
 
Operation:
   Instantiating VSS server
 
Error: (08/04/2014 08:29:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 26684143
 
Error: (08/04/2014 08:29:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 26684143
 
Error: (08/04/2014 08:29:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/04/2014 08:29:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 26682895
 
Error: (08/04/2014 08:29:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 26682895
 
Error: (08/04/2014 08:29:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (08/04/2014 01:04:58 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7894
 
Error: (08/04/2014 01:04:58 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 7894
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-08-03 23:30:30.146
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 49%
Total physical RAM: 2662.87 MB
Available physical RAM: 1338.1 MB
Total Pagefile: 5323.91 MB
Available Pagefile: 3513.17 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB
 
==================== Drives ================================
 
Drive c: (TI106232W0C) (Fixed) (Total:278.32 GB) (Free:173.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: F502B6B8)
Partition 1: (Active) - (Size=1 GB) - (Type=27)
Partition 2: (Not Active) - (Size=278 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=18 GB) - (Type=17)
 
==================== End Of Log ============================


#4 Machiavelli
Malware Response Instructor

Posted 04 August 2014 - 10:57 AM

Sorry, you haven't posted the whole Addition log. In the log I just see one "bad" line:
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] () [File not signed]
It may be that ZeroAccess patched a legit file.
  • Download Farbar's Recovery Scan Tool and save it to your desktop
  • Double-click on FRST.exe/FRST64.exe to open it, in the search box, type the following: mpsvc.dll
  • Press the Search Files button, allow FRST to run
  • A log file Search.txt will appear when complete, please post this in your next reply
We will later fix these entries:
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\MountPoints2: E - E:\HTC_Sync_Manager_PC.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - DefaultScope value is missing.
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
2014-07-30 14:46 - 2014-07-30 14:46 - 00000000 ____D () C:\Users\Aram\AppData\Local\{28E1D9EA-3524-4A4A-8C6A-9647246915F2}

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#5 Jean91
Topic Starter

Posted 04 August 2014 - 11:08 AM

Oh no! I copied everything that was there!

Here is the TXT:

Farbar Recovery Scan Tool (x64) Version: 02-08-2014
Ran by Aram at 2014-08-04 12:00:40
Running from C:\Users\Aram\Desktop
Boot Mode: Normal
 
================== Search Files: "mpsvc.dll" =============
 
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpSvc.dll
[2013-07-23 20:01][2013-05-27 01:26] 1011712 ____A (Microsoft Corporation) 7B6CD2C784B13D63481B6BF49605C026 [File is signed]
 
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpSvc.dll
[2013-07-23 20:01][2013-05-27 01:50] 1011712 ____A () E91B5E23D3B6A3E28EB0B0F2B0FE3C8E
 
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll
[2009-07-13 19:54][2009-07-13 21:41] 1011712 ____A (Microsoft Corporation) CF318F60A84F15AF352439465A8D05F4 [File is signed]
 
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-23 20:01][2013-05-27 01:50] 1011712 ____A () E91B5E23D3B6A3E28EB0B0F2B0FE3C8E
 
====== End Of Search ======
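The check Machiavelli is doing by hand across posts #4 and #5 (is the MpSvc.dll actually in use signed, and does it match a signed copy kept in the component store?) as an added example, not part of the thread or of FRST: a Python script that parses the search output above and flags the live copy. The paths, sizes and MD5s are the ones posted above; the rule that winsxs entries count as reference copies and any other path as the live copy is this example's own assumption.

```python
"""Triage an FRST "Search Files" result: which copies of a DLL are signed, and
does the copy actually in use match any of them?

Added example for this thread, not part of FRST or of the posts above. The
embedded input is the MpSvc.dll search output posted above. The triage rule
(winsxs entries are reference copies, any other path is the live copy) is
this example's own convention, not something FRST reports.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Detail line of one search entry:
# [created][modified] size attrs (company) MD5 [File is signed]
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]*)\]\[(?P<modified>[^\]]*)\]\s+(?P<size>\d+)\s+"
    r"(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"(?:\s+\[(?P<note>[^\]]*)\])?$"
)
# Version inside a winsxs component folder name: ..._6.1.7601.22341_none_...
WINSXS_VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")

# The search output posted above, verbatim.
SEARCH_LOG = r"""
================== Search Files: "mpsvc.dll" =============

C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpSvc.dll
[2013-07-23 20:01][2013-05-27 01:26] 1011712 ____A (Microsoft Corporation) 7B6CD2C784B13D63481B6BF49605C026 [File is signed]

C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpSvc.dll
[2013-07-23 20:01][2013-05-27 01:50] 1011712 ____A () E91B5E23D3B6A3E28EB0B0F2B0FE3C8E

C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll
[2009-07-13 19:54][2009-07-13 21:41] 1011712 ____A (Microsoft Corporation) CF318F60A84F15AF352439465A8D05F4 [File is signed]

C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-23 20:01][2013-05-27 01:50] 1011712 ____A () E91B5E23D3B6A3E28EB0B0F2B0FE3C8E

====== End Of Search ======
"""


@dataclass
class FileCopy:
    path: str
    size: int
    md5: str
    signed: bool
    winsxs_version: Optional[str]  # set only for component-store copies


def parse_search(text):
    """Pair each path line with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines()]
    copies = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if not path or path[0] in "[=" or not m:
            continue
        ver = WINSXS_VERSION_RE.search(path) if "\\winsxs\\" in path.lower() else None
        copies.append(FileCopy(path, int(m["size"]), m["md5"].upper(),
                               (m["note"] or "") == "File is signed",
                               ver.group(1) if ver else None))
    return copies


def triage(copies):
    """Judge each live copy against the signed component-store copies."""
    refs = [c for c in copies if c.winsxs_version is not None]
    signed_hashes = {c.md5 for c in copies if c.signed}
    # Signed reference copies, newest component version first.
    clean = sorted((c for c in refs if c.signed), reverse=True,
                   key=lambda c: tuple(int(x) for x in c.winsxs_version.split(".")))
    findings = []
    for c in (c for c in copies if c.winsxs_version is None):
        if c.signed:
            verdict = "ok: signed"
        elif c.md5 in signed_hashes:
            verdict = "ok: bytes match a signed copy"
        else:
            verdict = "suspicious: unsigned and matches no signed copy"
        findings.append({
            "path": c.path,
            "md5": c.md5,
            "verdict": verdict,
            # A winsxs copy with the same hash is in the same state; no use as a source.
            "same_hash_in_winsxs": [r.path for r in refs if r.md5 == c.md5],
            # Identical size to every signed copy points at an in-place patch.
            "size_matches_signed": bool(clean) and all(r.size == c.size for r in clean),
        })
    return {"live": findings, "clean_references": [r.path for r in clean]}


if __name__ == "__main__":
    for f in triage(parse_search(SEARCH_LOG))["live"]:
        print(f["verdict"], f["path"], f["md5"], f["same_hash_in_winsxs"])
```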


#6 Machiavelli
Malware Response Instructor

Posted 04 August 2014 - 11:29 AM

First,
  • Please download the attached fixlist.txt file and save it to the same location as FRST
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Next,
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.



#7 Jean91
Topic Starter

Posted 04 August 2014 - 11:51 AM

I am having trouble saving the fixlist to FRST. 



#8 Machiavelli
Malware Response Instructor

Posted 04 August 2014 - 12:08 PM

Please describe.

~Machiavelli



#9 Jean91 (Topic Starter)

Posted 04 August 2014 - 12:14 PM

I saved FRST64.exe to my desktop. I went to download fixlist and save it in the same place, but FRST64.exe wouldn't show up. There is a folder marked FRST, so I tried to save it in that - didn't work. What should I do?



#10 Machiavelli (Malware Response Instructor)

Posted 04 August 2014 - 12:22 PM

but FRST64.exe wouldn't show up

I do not understand. Are you following my instructions?

~Machiavelli



#11 Jean91 (Topic Starter)

Posted 04 August 2014 - 12:31 PM

Yes! You asked me to save the fixlist in the same location as FRST64.exe - that is what I am trying to do! When the Save As window comes up, I cannot find FRST64.exe anywhere! But when I am not trying to locate it in the Save As window, I find it. I even tried saving it to Documents so I could definitely find it, and still - nothing! I promise I am following your directions to the best of my knowledge.



#12 Machiavelli (Malware Response Instructor)

Posted 04 August 2014 - 12:38 PM

When the Save As window comes up

Why a Save As window? I do not understand. Save the fixlist to your Desktop, run FRST64 and click on the Fix button. :scratchhead:

~Machiavelli



#13 Jean91 (Topic Starter)

Posted 04 August 2014 - 12:39 PM

It wouldn't let me - trying again with a clean slate! Sorry for the frustration!



#14 Jean91 (Topic Starter)

Posted 04 August 2014 - 12:41 PM

Ok! Refreshing everything solved my issue!!!!

fixlist.log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-08-2014
Ran by Aram at 2014-08-04 13:40:31 Run:1
Running from C:\Users\Aram\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKU\S-1-5-21-1390040317-3028383122-884077495-1000\...\MountPoints2: E - E:\HTC_Sync_Manager_PC.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - DefaultScope value is missing.
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
2014-07-30 14:46 - 2014-07-30 14:46 - 00000000 ____D () C:\Users\Aram\AppData\Local\{28E1D9EA-3524-4A4A-8C6A-9647246915F2}
Replace: C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpSvc.dll C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpSvc.dll
Replace: C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpSvc.dll C:\Program Files\Windows Defender\MpSvc.dll
*****************
 
"HKU\S-1-5-21-1390040317-3028383122-884077495-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-1390040317-3028383122-884077495-1000" => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Users\Aram\AppData\Local\{28E1D9EA-3524-4A4A-8C6A-9647246915F2} => Moved successfully.
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpSvc.dll => Moved successfully.
Could not replace C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.18170_none_b59db7296f030a55\MpSvc.dll.
C:\Program Files\Windows Defender\MpSvc.dll => Moved successfully.
C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpSvc.dll copied successfully to C:\Program Files\Windows Defender\MpSvc.dll
 
==== End of Fixlog ====
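
The FRST fix posted in #6 and its Fixlog above end with C:\Program Files\Windows Defender\MpSvc.dll being overwritten by a copy taken from the WinSxS component store. Before trusting a restored system DLL and bringing back the service that loads it, a practitioner would want to confirm that the live file is byte-identical to the store copy and carries a valid Microsoft Authenticode signature. The following PowerShell is an added example for this thread; it is not part of the original posts and not part of FRST. The two file paths are copied from the Fixlog, WinDefend is the Windows Defender service name on Windows 7, and the requirement that the signer subject contain "O=Microsoft Corporation" is an assumption about how a genuine MpSvc.dll is signed.

```powershell
# Added verification script (not part of the original thread or of FRST).
# Confirms that the MpSvc.dll written by FRST's "Replace:" directive is
# byte-identical to the WinSxS store copy and is Microsoft-signed before the
# Windows Defender service (WinDefend) is re-enabled.
# Paths are taken from the Fixlog above. Run from an elevated PowerShell prompt.

$LivePath  = 'C:\Program Files\Windows Defender\MpSvc.dll'
$StorePath = 'C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.22341_none_b648c5e888076cca\MpSvc.dll'

function Get-Sha256Hex {
    param([string]$Path)
    # Uses .NET directly so it also works on PowerShell 2.0 (the Windows 7
    # default); Get-FileHash needs PowerShell 4.0 or later.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-RestoredSystemDll {
    param([string]$Live, [string]$Store)

    $result = New-Object PSObject -Property @{
        LiveExists  = (Test-Path -LiteralPath $Live)
        StoreExists = (Test-Path -LiteralPath $Store)
        HashesMatch = $false
        SignatureOK = $false
        Signer      = ''
        FileVersion = ''
    }
    if (-not ($result.LiveExists -and $result.StoreExists)) { return $result }

    # 1. The live file must be exactly the store copy FRST said it copied.
    $result.HashesMatch = (Get-Sha256Hex $Live) -eq (Get-Sha256Hex $Store)

    # 2. Authenticode status must be Valid AND the subject must be Microsoft.
    #    "Valid" alone only proves some trusted CA issued the certificate.
    $sig = Get-AuthenticodeSignature -FilePath $Live
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    $result.SignatureOK = ($sig.Status -eq 'Valid') -and
                          ($result.Signer -like '*O=Microsoft Corporation*')   # assumption, see lead-in

    $result.FileVersion = (Get-Item -LiteralPath $Live).VersionInfo.FileVersion
    return $result
}

$check = Test-RestoredSystemDll -Live $LivePath -Store $StorePath
$check | Format-List LiveExists, StoreExists, HashesMatch, SignatureOK, Signer, FileVersion

if ($check.HashesMatch -and $check.SignatureOK) {
    # Only re-enable the service once the binary it loads has verified.
    Set-Service -Name WinDefend -StartupType Automatic
    Start-Service -Name WinDefend
    Get-Service -Name WinDefend | Select-Object Name, Status, StartType
} else {
    Write-Warning 'MpSvc.dll did not verify; leave WinDefend stopped and run "sfc /scannow" instead.'
}
```

Two caveats apply when reading the output. First, every check above runs inside the operating system that was infected; it shows that the copy landed and that the file is Microsoft-signed, not that the machine is clean, which is why the thread continues with a fresh FRST scan rather than stopping here. Second, the Fixlog records that the first Replace moved the 6.1.7601.18170 store copy and then failed to replace it, so that component directory appears to be left without its MpSvc.dll; a later sfc /scannow may report that component even though the live Windows Defender file verifies.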


#15 Machiavelli (Malware Response Instructor)

Posted 04 August 2014 - 12:46 PM

Good, waiting for the new FRST log.

~Machiavelli





