Possible Rootkit, virus scan not picking up


This topic is locked
8 replies to this topic

#1 ravingglowstick (Members, 4 posts)

Posted 31 July 2014 - 09:35 PM

Hey, I ran AVG2014, Malwarebytes and Spybot, all the most recent versions. I removed several suspicious programs that were causing popups outside of the internet, redirectors in IE and Chrome and other problems, one of the major ones being "Severe Weather Alerts". On my last Spybot scan, it found a trojan which I think was dealt with, and indicated a rootkit that nothing could be done about. This is my dad's computer, a Windows 7 32-bit machine that is getting on in age, and I know it will be slow and hot, but it's not running properly and I know there is some stuff that is causing function problems but doesn't seem to be getting picked up by the scans. Also, I'm having some trouble enabling the firewall, so it is not currently enabled.

I'm sorry I'm not as descriptive as I should be but I did a lot of stuff before deciding to ask help here and didn't really record it.

 

Thanks for any help and let me know what else you need.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.55.2
Run by John at 22:24:46 on 2014-07-31
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2038.585 [GMT -4:00]
.
AV: AVG AntiVirus 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: AVG AntiVirus 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ================
.
c:\PROGRA~1\AVG\AVG2014\avgrsx.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG2014\avgidsagent.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DriverUpdate\DriverUpdate.exe
C:\Program Files\AVG\AVG2014\avgnsx.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\AVG\AVG2014\avgemcx.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\AVG\AVG2014\avgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files\Real\UpdateService\RealPlayerUpdateSvc.exe
C:\Program Files\Real\RealPlayer\RPDS\Bin\rpsystray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\helppane.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uProxyServer = hxxp=127.0.0.1:14331;https=127.0.0.1:14331
uURLSearchHooks: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - LocalServer32 - <no file>
mURLSearchHooks: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - LocalServer32 - <no file>
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Solid Savings: {11111111-1111-1111-1111-110211621178} - 
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - LocalServer32 - <no file>
BHO: Safer-Surf: {AAC977C5-14D1-56E2-EEBD-A5E21CD065B9} - c:\program files\di6safer-surf\175.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: KeyBar 1.8 Toolbar: {9ED31F84-C8B3-4926-B950-DFF74047FF79} - LocalServer32 - <no file>
TB: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - LocalServer32 - <no file>
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\realpl~1.lnk - c:\program files\real\realplayer\rpds\bin\rpsystray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\2375942554637323 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\2375942554830343 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\2656C6B696E6E2831356 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\341626C65675966496 : DHCPNameServer = 10.243.255.72 10.243.255.73
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\45753475966496 : DHCPNameServer = 10.243.255.72 10.243.255.73
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\876696E696479777966696 : DHCPNameServer = 10.243.255.72 10.243.255.73
TCP: Interfaces\{0570D58F-2D94-4680-9F53-6BABF8A6666A}\D456E64716C6A657E6B697162746D25374 : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\36.0.1985.125\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2014-6-17 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2014-6-17 241944]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2014-6-17 98584]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2014-6-17 27416]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-6-30 121624]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2014-6-17 199960]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2014-6-17 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2014-6-17 188696]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2014-6-17 197400]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2014-7-10 3244048]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2014-7-10 289328]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2014-3-11 104264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-6-13 109872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-7-29 22856]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-5-12 14848]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-5-17 13464]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2013-5-12 49664]
.
=============== Created Last 30 ================
.
2014-07-31 02:40:37 8217224 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fde44c6f-5ac5-4cb5-916d-0a667fe4ef86}\mpengine.dll
2014-07-31 01:23:24 18968 ----a-w- c:\windows\system32\sdnclean.exe
2014-07-31 01:23:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-07-31 01:22:18 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2014-07-29 20:40:23 765968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2014-07-29 20:40:23 765968 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{255aff4f-045c-4978-9a7e-fab553350b37}\gapaengine.dll
2014-07-29 20:38:07 8217224 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-07-29 20:28:56 -------- d-----w- c:\program files\Microsoft Security Client
2014-07-29 19:01:50 388096 ----a-r- c:\users\john\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2014-07-29 19:01:46 -------- d-----w- c:\program files\Trend Micro
2014-07-29 18:55:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-29 18:55:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2014-07-27 21:15:46 736952 ----a-w- c:\programdata\microsoft\ehome\packages\sportsv2\sportstemplatecore-2\Microsoft.MediaCenter.Sports.UI.dll
2014-07-27 21:15:25 2876528 ----a-w- c:\programdata\microsoft\ehome\packages\mceclientux\updateablemarkup-2\markup.dll
2014-07-27 21:15:12 42168 ----a-w- c:\programdata\microsoft\ehome\packages\mceclientux\dsm-2\StartResources.dll
2014-07-27 21:15:07 539984 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight-2\SpotlightResources.dll
2014-07-27 21:00:18 -------- d-----w- c:\users\john\appdata\roaming\AVG2014
2014-07-27 20:55:03 -------- d-----w- c:\users\john\appdata\roaming\TuneUp Software
2014-07-27 20:47:35 -------- d--h--w- C:\$AVG
2014-07-27 20:47:35 -------- d-----w- c:\programdata\AVG2014
2014-07-27 20:39:03 -------- d-----w- c:\program files\AVG
2014-07-27 20:31:02 8217224 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1c4eb1a9-9489-41d9-99bc-bbd89b20c878}\mpengine.dll
2014-07-27 20:13:03 -------- d--h--w- c:\programdata\Common Files
2014-07-27 20:13:02 -------- d-----w- c:\users\john\appdata\local\MFAData
2014-07-27 20:13:02 -------- d-----w- c:\users\john\appdata\local\Avg2014
2014-07-27 20:13:02 -------- d-----w- c:\programdata\MFAData
2014-07-14 17:19:12 -------- d-----w- c:\program files\Media Downloader
2014-07-14 17:18:54 0 ----a-w- C:\LILBFE2.tmp
2014-07-14 17:18:54 0 ----a-w- C:\LILBFE1.tmp
2014-07-14 17:12:33 -------- d-----w- c:\users\john\appdata\roaming\VOPackage
2014-07-14 17:10:46 -------- d-----w- c:\program files\di6Safer-Surf
2014-07-13 13:15:23 -------- d-----w- c:\program files\sizlsearch
2014-07-13 13:13:54 -------- d-----w- c:\program files\SearchProtect
2014-07-10 12:41:09 1059840 ----a-w- c:\windows\system32\lsasrv.dll
.
==================== Find3M  ====================
.
2014-08-01 01:44:07 13464 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2014-07-08 22:32:14 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-08 22:32:14 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-06-30 16:43:12 121624 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2014-06-18 23:56:37 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-06-18 23:56:03 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-06-18 23:38:40 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-06-18 23:37:23 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-06-18 23:36:35 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-06-18 23:35:55 62464 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-06-18 23:23:27 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-06-18 23:23:24 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-06-18 23:22:40 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-06-18 23:16:33 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-06-18 23:06:10 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-06-18 22:52:18 4254720 ----a-w- c:\windows\system32\jscript9.dll
2014-06-18 22:46:23 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-06-18 22:45:59 1964544 ----a-w- c:\windows\system32\inetcpl.cpl
2014-06-18 22:13:59 1791488 ----a-w- c:\windows\system32\wininet.dll
2014-06-18 01:51:32 646144 ----a-w- c:\windows\system32\osk.exe
2014-06-18 00:52:00 2350080 ----a-w- c:\windows\system32\win32k.sys
2014-06-17 20:22:02 188696 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2014-06-17 20:21:22 197400 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2014-06-17 20:18:00 241944 ----a-w- c:\windows\system32\drivers\avglogx.sys
2014-06-17 20:17:58 147736 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-06-17 20:06:40 199960 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2014-06-17 20:06:22 27416 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2014-06-17 20:06:20 21272 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2014-06-06 09:44:17 509440 ----a-w- c:\windows\system32\qedit.dll
2014-05-30 06:36:07 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2014-05-08 09:06:54 2742784 ----a-w- c:\windows\system32\rdpcorets.dll
2014-05-08 09:06:54 13824 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
.
============= FINISH: 22:26:27.07 ===============
 

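Added example (the editor's, not from the original poster or from the authors of DDS or FRST): a small Python triage script that reads the `Pseudo HJT Report` lines of a DDS log and the `Internet (Whitelisted)` lines of an FRST log and flags what a responder looks for first in logs like the one above and the FRST log later in this thread. The indicators it checks are all visible in the posted logs: a proxy pointing at loopback (here `127.0.0.1:14331` for both http and https, the footprint of a locally installed interception proxy rather than a setting a user would choose), BHO/toolbar/URLSearchHook entries whose file is gone (`<no file>` or an empty path, i.e. leftovers of an earlier removal), FRST BHO entries with an empty publisher field `()` (an unsigned DLL, as for `di6Safer-Surf\175.dll`), and CLSIDs in the `{11111111-1111-1111-1111-...}` pattern used by Crossrider-built adware (a heuristic). The sample lines are copied, lightly trimmed, from the logs in this thread; the rule names and severity labels are the script's own.

```python
"""Flag browser-hijack indicators in DDS 'Pseudo HJT Report' and FRST
'Internet' entries.  Added example for this thread, not output of either
tool.  Sample lines below are copied from the DDS and FRST logs posted here."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: DDS lines (defanged 'hxxp', ' - ' separators) followed by
# FRST lines (' -> ' separators, trailing '(Publisher)'), copied from this thread.
SAMPLE = r"""
uStart Page = hxxp://google.com/
uProxyServer = hxxp=127.0.0.1:14331;https=127.0.0.1:14331
uURLSearchHooks: KeyBar 1.8 Toolbar: {9ed31f84-c8b3-4926-b950-dff74047ff79} - LocalServer32 - <no file>
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Solid Savings: {11111111-1111-1111-1111-110211621178} -
BHO: Safer-Surf: {AAC977C5-14D1-56E2-EEBD-A5E21CD065B9} - c:\program files\di6safer-surf\175.dll
TB: KeyBar 1.8 Toolbar: {9ED31F84-C8B3-4926-B950-DFF74047FF79} - LocalServer32 - <no file>
ProxyServer: http=127.0.0.1:14331;https=127.0.0.1:14331
BHO: Safer-Surf -> {AAC977C5-14D1-56E2-EEBD-A5E21CD065B9} -> C:\Program Files\di6Safer-Surf\175.dll ()
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
"""

CLSID = r'(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
PROXY_RE = re.compile(r'^(?:[um]ProxyServer\s*=|ProxyServer:)\s*(\S.*)$')
# DDS:  "BHO: Name: {CLSID} - path"      FRST: "BHO: Name -> {CLSID} -> path (Publisher)"
DDS_RE = re.compile(r'^(BHO|TB|[um]URLSearchHooks):\s*(.*?):\s*' + CLSID + r'\s*-\s*(.*)$')
FRST_RE = re.compile(r'^(BHO|Toolbar):\s*(.*?)\s*->\s*' + CLSID + r'\s*->\s*(.*?)(?:\s*\(([^()]*)\))?$')
CROSSRIDER_RE = re.compile(r'^\{11111111-1111-1111-1111-', re.I)   # heuristic, see lead-in
LOOPBACK = {'127.0.0.1', 'localhost', '::1'}


@dataclass
class Finding:
    severity: str   # 'high' | 'medium' | 'info'
    rule: str
    line: str


def parse_proxy(spec: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """'hxxp=127.0.0.1:14331;https=127.0.0.1:14331' ->
    {'http': ('127.0.0.1', 14331), 'https': ('127.0.0.1', 14331)}.
    A bare 'host:port' with no scheme applies to every protocol -> key 'all'."""
    out: Dict[str, Tuple[str, Optional[int]]] = {}
    for part in filter(None, (p.strip() for p in spec.split(';'))):
        scheme, sep, hostport = part.partition('=')
        if not sep:
            scheme, hostport = 'all', scheme
        scheme = scheme.lower().replace('hxxp', 'http')   # DDS defangs http as hxxp
        host, _, port = hostport.rpartition(':')
        out[scheme] = (host or hostport, int(port) if port.isdigit() else None)
    return out


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            loop = {s: hp for s, hp in parse_proxy(m.group(1)).items() if hp[0] in LOOPBACK}
            if loop:
                # https (or a catch-all) through loopback means TLS is terminated locally.
                sev = 'high' if ('https' in loop or 'all' in loop) else 'medium'
                detail = ', '.join(f'{s}->{h}:{p}' for s, (h, p) in sorted(loop.items()))
                findings.append(Finding(sev, 'loopback proxy ' + detail, line))
            continue
        m = DDS_RE.match(line) or FRST_RE.match(line)
        if not m:
            continue
        clsid, path = m.group(3), m.group(4).strip()
        publisher = m.group(5) if m.re is FRST_RE else None   # DDS has no publisher column
        if not path or '<no file>' in path.lower():
            findings.append(Finding('info', 'orphaned entry, file missing', line))
        elif publisher == '':
            findings.append(Finding('medium', 'unsigned / unknown publisher', line))
        if CROSSRIDER_RE.match(clsid):
            findings.append(Finding('medium', 'Crossrider-pattern CLSID', line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {'high': 0, 'medium': 0, 'info': 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == '__main__':
    # Pass a saved DDS.txt / FRST.txt as the first argument, or run on SAMPLE.
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE
    for f in triage(text):
        print(f'[{f.severity:6}] {f.rule}\n         {f.line}')
    print(summarize(triage(text)))
```

On the sample the script reports two high findings (the same loopback proxy seen in both the DDS and the FRST log), two medium ones (the Crossrider-pattern CLSID of "Solid Savings" and the unsigned Safer-Surf DLL) and three orphaned entries. The proxy finding is the one to act on first: as long as the proxy setting stays, every browser request, including https, is handed to whatever was listening on port 14331, and simply deleting the adware's files leaves the browser unable to reach the web until the setting is reset.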
#2 nasdaq (Malware Response Team, 40,486 posts, Montreal, QC. Canada)

Posted 05 August 2014 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Let me know what problem persists.

#3 ravingglowstick (Topic Starter, Members, 4 posts)

Posted 05 August 2014 - 09:31 PM

AdwCleaner[s0] - 

 

# AdwCleaner v3.302 - Report created 05/08/2014 at 19:26:41
# Updated 30/07/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : John - PAL
# Running from : C:\Users\John\Desktop\adwcleaner_3.302.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\otshot
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\Program Files\sizlsearch
Folder Deleted : C:\Users\John\AppData\Local\Conduit
Folder Deleted : C:\Users\John\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\John\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\John\AppData\LocalLow\KeyBar_1.8
Folder Deleted : C:\Users\John\AppData\Roaming\VOPackage
Folder Deleted : C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\otshot
Folder Deleted : C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VOPackage
Folder Deleted : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb
File Deleted : C:\END
File Deleted : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.boostsaves.com_0.localstorage
File Deleted : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.boostsaves.com_0.localstorage-journal
File Deleted : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
Task Deleted : driverupdate startup
Task Deleted : Safer-Surf Update
Task Deleted : Safer-Surf_wd
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Google\Chrome\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3286042
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9ED31F84-C8B3-4926-B950-DFF74047FF79}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8B78662B-577F-4D86-82C1-3752D2A160E4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110211621178}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ED31F84-C8B3-4926-B950-DFF74047FF79}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211621178}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ED31F84-C8B3-4926-B950-DFF74047FF79}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110211621178}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9ED31F84-C8B3-4926-B950-DFF74047FF79}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110211621178}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8B78662B-577F-4D86-82C1-3752D2A160E4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211621178}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A27897B4-AD06-4AAF-AA23-4D8E8CA4AE10}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{067BD329-0F1C-47E0-B336-93736EC9DC8A}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{9ED31F84-C8B3-4926-B950-DFF74047FF79}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\sizlsearch
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\KeyBar_1.8
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\sizlsearch
Key Deleted : HKLM\Software\KeyBar_1.8
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17207
 
 
-\\ Google Chrome v36.0.1985.125
 
[ File : C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://www.stratfordlibrary.org/stratford-library-search-results.html?cx=005547754767269977402%3A_bcfjm82qpc&cof=FORID%3A11&q={searchTerms}&sa=Search&domains=stratfordlibrary.org&sitesearch=stratfordlibrary.org&siteurl=www.stratfordlibrary.org%2F&ref=&ss=62096j2732919180j10
Deleted [Extension] : gpaiibklhaneknloaoccoidbaffjjlnb
 
*************************
 
AdwCleaner[R0].txt - [6881 octets] - [05/08/2014 19:18:07]
AdwCleaner[S0].txt - [6658 octets] - [05/08/2014 19:26:41]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6718 octets] ##########
FRST - 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:5-08-2014
Ran by John (administrator) on PAL on 05-08-2014 21:51:28
Running from C:\Users\John\Desktop
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgcsrvx.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgwdsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgnsx.exe
(Motorola Inc.) C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgemcx.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\RPDS\Bin\rpsystray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
() C:\Program Files\Real\UpdateService\RealPlayerUpdateSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgcsrvx.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\.DEFAULT\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-05-12] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk
ShortcutTarget: RealPlayer Cloud Service UI.lnk -> C:\Program Files\Real\RealPlayer\RPDS\Bin\rpsystray.exe (RealNetworks, Inc.)
Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: http=127.0.0.1:14331;https=127.0.0.1:14331
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x52AD1E2E864FCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKCU - {656B8520-C6BC-4139-B7CC-F4EF80A3F458} URL = https://www.google.com/search?q={searchTerms}
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Safer-Surf -> {AAC977C5-14D1-56E2-EEBD-A5E21CD065B9} -> C:\Program Files\di6Safer-Surf\175.dll ()
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=17.0.8.22 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=17.0.8 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=17.0.8 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=17.0.8 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=17.0.8.22 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{0FAA5C82-A094-4541-8811-D3361F972A81}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-03-30]
FF HKCU\...\Firefox\Extensions: [{B982E72A-E91F-D658-0A31-83C3802076E3}] - C:\Program Files\di6Safer-Surf\175.xpi
FF Extension: Safer-Surf - C:\Program Files\di6Safer-Surf\175.xpi [2014-07-14]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR StartupUrls: "hxxp://www.stratfordlibrary.org/"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\36.0.1985.125\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\36.0.1985.125\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\36.0.1985.125\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Download Plugin) - C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
CHR Plugin: (RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\system32\npDeployJava1.dll No File
CHR Extension: (Google Docs) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-29]
CHR Extension: (Google Drive) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-29]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-02]
CHR Extension: (YouTube) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-29]
CHR Extension: (Google Search) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-29]
CHR Extension: (No Name) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb [2013-07-29]
CHR Extension: (RealPlayer Downloader) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-07-29]
CHR Extension: (Google Wallet) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-02]
CHR Extension: (Gmail) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-29]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2014-03-15]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3244048 2014-07-10] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [289328 2014-07-10] (AVG Technologies CZ, s.r.o.)
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2009-07-08] (Symantec Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-03-15] ()
S2 RealPlayer Cloud Service; c:\program files\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-03-30] (RealNetworks, Inc.)
R2 RealPlayerUpdateSvc; C:\Program Files\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-03-20] () [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1864888 2009-09-17] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [341320 2009-09-17] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2477304 2009-09-17] (Symantec Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [121624 2014-06-30] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [199960 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147736 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [188696 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [241944 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [98584 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [197400 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-06-11] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-08-05] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20140730.003\NAVENG.SYS [93272 2013-09-16] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20140730.003\NAVEX15.SYS [1612376 2013-09-16] (Symantec Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2009-08-26] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [281648 2009-08-25] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320560 2009-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2009-08-25] (Symantec Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2014-08-05] ()
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2013-05-12] (Symantec Corporation)
R3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2009-09-03] (Symantec Corporation)
R1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2009-09-03] (Symantec Corporation)
S4 SysPlant; C:\Windows\SYSTEM32\Drivers\SysPlant.sys [92488 2009-09-17] (Symantec Corporation)
R3 Teefer2; C:\Windows\System32\DRIVERS\teefer2.sys [50064 2009-05-27] (Symantec Corporation)
R1 WPS; C:\Windows\system32\drivers\wpsdrvnt.sys [42312 2009-09-17] (Symantec Corporation)
R3 WpsHelper; C:\Windows\system32\drivers\WpsHelper.sys [174056 2012-10-05] (Symantec Corporation)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-05 21:51 - 2014-08-05 21:52 - 00018700 _____ () C:\Users\John\Desktop\FRST.txt
2014-08-05 21:50 - 2014-08-05 21:51 - 00000000 ____D () C:\FRST
2014-08-05 19:20 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-08-05 19:18 - 2014-08-05 19:27 - 00000000 ____D () C:\AdwCleaner
2014-08-05 19:17 - 2014-08-05 19:17 - 01361309 _____ () C:\Users\John\Desktop\adwcleaner_3.302.exe
2014-08-05 19:16 - 2014-08-05 19:16 - 01084928 _____ (Farbar) C:\Users\John\Desktop\FRST.exe
2014-08-05 19:04 - 2014-08-05 19:36 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-04 21:27 - 2014-08-04 21:27 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-04 21:27 - 2014-08-04 21:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-04 21:26 - 2014-08-04 21:27 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-08-04 21:26 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-08-04 21:26 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-07-31 22:26 - 2014-07-31 22:26 - 00017382 _____ () C:\Users\John\Desktop\dds.txt
2014-07-31 22:26 - 2014-07-31 22:26 - 00017058 _____ () C:\Users\John\Desktop\attach.txt
2014-07-31 22:17 - 2014-07-31 22:17 - 00688992 ____R (Swearware) C:\Users\John\Downloads\dds.com
2014-07-30 21:24 - 2014-07-30 21:24 - 00002131 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-07-30 21:24 - 2014-07-30 21:24 - 00002119 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-07-30 21:23 - 2014-07-30 21:48 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-07-30 21:23 - 2014-07-30 21:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-07-30 21:23 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2014-07-30 21:22 - 2014-07-30 21:40 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-07-30 21:09 - 2014-07-30 21:15 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\John\Downloads\spybot-2.4.exe
2014-07-29 16:32 - 2014-07-29 16:32 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-07-29 16:30 - 2014-07-29 16:30 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-07-29 16:28 - 2014-07-29 16:31 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-07-29 16:26 - 2014-07-29 16:27 - 11241816 _____ (Microsoft Corporation) C:\Users\John\Downloads\mseinstall (2).exe
2014-07-29 16:13 - 2014-07-29 16:15 - 11241816 _____ (Microsoft Corporation) C:\Users\John\Downloads\MSEInstall (1).exe
2014-07-29 16:13 - 2014-07-29 16:14 - 13829304 _____ (Microsoft Corporation) C:\Users\John\Downloads\MSEInstall.exe
2014-07-29 15:01 - 2014-07-29 15:01 - 00002959 _____ () C:\Users\John\Desktop\HiJackThis.lnk
2014-07-29 15:01 - 2014-07-29 15:01 - 00000000 ____D () C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
2014-07-29 15:01 - 2014-07-29 15:01 - 00000000 ____D () C:\Program Files\Trend Micro
2014-07-29 14:55 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-07-29 14:31 - 2014-07-29 14:33 - 00000000 ____D () C:\Users\John\Documents\compu_fix
2014-07-29 13:59 - 2014-07-29 14:42 - 00034001 _____ () C:\Users\John\Desktop\avgrep.txt
2014-07-27 17:00 - 2014-07-27 17:00 - 00000000 ____D () C:\Users\John\AppData\Roaming\AVG2014
2014-07-27 16:55 - 2014-07-27 16:55 - 00000935 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-07-27 16:55 - 2014-07-27 16:55 - 00000000 ____D () C:\Users\John\AppData\Roaming\TuneUp Software
2014-07-27 16:55 - 2014-07-27 16:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-07-27 16:47 - 2014-07-27 17:06 - 00000000 ____D () C:\ProgramData\AVG2014
2014-07-27 16:47 - 2014-07-27 16:47 - 00000000 ___HD () C:\$AVG
2014-07-27 16:39 - 2014-07-27 16:39 - 00000000 ____D () C:\Program Files\AVG
2014-07-27 16:13 - 2014-08-05 19:41 - 00000000 ____D () C:\ProgramData\MFAData
2014-07-27 16:13 - 2014-07-27 17:06 - 00000000 ____D () C:\Users\John\AppData\Local\Avg2014
2014-07-27 16:13 - 2014-07-27 16:13 - 00000000 ____D () C:\Users\John\AppData\Local\MFAData
2014-07-27 16:09 - 2014-07-27 16:11 - 04462440 _____ (AVG Technologies) C:\Users\John\Downloads\avg_avct_stb_all_2014_4335_welcomecmp.exe
2014-07-15 22:45 - 2014-07-15 22:45 - 00000000 _____ () C:\t140.3
2014-07-14 13:19 - 2014-07-14 13:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Downloader
2014-07-14 13:19 - 2014-07-14 13:19 - 00000000 ____D () C:\Program Files\Media Downloader
2014-07-14 13:18 - 2014-07-14 13:18 - 00000000 _____ () C:\LILBFE2.tmp
2014-07-14 13:18 - 2014-07-14 13:18 - 00000000 _____ () C:\LILBFE1.tmp
2014-07-14 13:10 - 2014-07-29 17:15 - 00000000 ____D () C:\Program Files\di6Safer-Surf
2014-07-10 08:45 - 2014-06-20 15:39 - 00240824 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-07-10 08:45 - 2014-06-18 19:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-07-10 08:45 - 2014-06-18 19:56 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-07-10 08:45 - 2014-06-18 19:37 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-07-10 08:45 - 2014-06-18 19:36 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-07-10 08:45 - 2014-06-18 19:28 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-07-10 08:45 - 2014-06-18 19:28 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-07-10 08:45 - 2014-06-18 19:25 - 00442368 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-07-10 08:45 - 2014-06-18 19:23 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-07-10 08:45 - 2014-06-18 19:23 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-07-10 08:45 - 2014-06-18 19:16 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-07-10 08:45 - 2014-06-18 19:12 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-07-10 08:45 - 2014-06-18 19:06 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-07-10 08:45 - 2014-06-18 19:01 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-07-10 08:45 - 2014-06-18 18:58 - 00239616 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-07-10 08:45 - 2014-06-18 18:52 - 00595968 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-07-10 08:45 - 2014-06-18 18:49 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-07-10 08:45 - 2014-06-18 18:45 - 01964544 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-07-10 08:45 - 2014-06-18 18:13 - 01791488 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-07-10 08:45 - 2014-06-18 18:09 - 01139200 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-07-10 08:45 - 2014-06-18 18:07 - 00704512 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-07-10 08:44 - 2014-06-18 20:16 - 17276416 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-07-10 08:44 - 2014-06-18 19:38 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-07-10 08:44 - 2014-06-18 19:35 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-07-10 08:44 - 2014-06-18 19:32 - 02179072 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-07-10 08:44 - 2014-06-18 19:22 - 00592896 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-07-10 08:44 - 2014-06-18 18:59 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-07-10 08:44 - 2014-06-18 18:52 - 04254720 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-07-10 08:44 - 2014-06-18 18:46 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-07-10 08:44 - 2014-06-18 18:35 - 11742208 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-07-10 08:44 - 2014-06-17 21:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-07-10 08:44 - 2014-06-17 20:52 - 02350080 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-07-10 08:44 - 2014-06-06 05:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-07-10 08:44 - 2014-05-30 02:36 - 00338944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-07-10 08:41 - 2014-06-05 10:26 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-07-07 17:49 - 2014-07-07 17:50 - 00000197 _____ () C:\Users\John\Desktop\Hurricane Water Vapor Loop - Satellite Services Division - Office of Satellite Data Processing and Distribution.url
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-08-05 21:52 - 2014-08-05 21:51 - 00018700 _____ () C:\Users\John\Desktop\FRST.txt
2014-08-05 21:51 - 2014-08-05 21:50 - 00000000 ____D () C:\FRST
2014-08-05 21:32 - 2013-10-14 14:19 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-08-05 21:27 - 2013-07-29 00:07 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-08-05 21:27 - 2013-07-29 00:07 - 00000878 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-08-05 20:24 - 2013-05-12 18:56 - 02070397 _____ () C:\Windows\WindowsUpdate.log
2014-08-05 19:42 - 2009-07-14 00:34 - 00019760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-08-05 19:42 - 2009-07-14 00:34 - 00019760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-08-05 19:41 - 2014-07-27 16:13 - 00000000 ____D () C:\ProgramData\MFAData
2014-08-05 19:36 - 2014-08-05 19:04 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-08-05 19:36 - 2009-07-14 00:33 - 00411128 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-05 19:32 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-08-05 19:31 - 2013-05-13 21:43 - 00010116 _____ () C:\Windows\PFRO.log
2014-08-05 19:31 - 2013-05-13 09:09 - 00011336 _____ () C:\Windows\setupact.log
2014-08-05 19:27 - 2014-08-05 19:18 - 00000000 ____D () C:\AdwCleaner
2014-08-05 19:17 - 2014-08-05 19:17 - 01361309 _____ () C:\Users\John\Desktop\adwcleaner_3.302.exe
2014-08-05 19:16 - 2014-08-05 19:16 - 01084928 _____ (Farbar) C:\Users\John\Desktop\FRST.exe
2014-08-05 19:01 - 2013-05-17 17:57 - 00013464 _____ () C:\Windows\system32\Drivers\SWDUMon.sys
2014-08-04 21:27 - 2014-08-04 21:27 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-08-04 21:27 - 2014-08-04 21:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-04 21:27 - 2014-08-04 21:26 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-08-04 21:27 - 2013-05-12 19:22 - 00000000 ____D () C:\Users\John\AppData\Roaming\Malwarebytes
2014-08-04 21:26 - 2013-05-12 19:20 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-31 22:26 - 2014-07-31 22:26 - 00017382 _____ () C:\Users\John\Desktop\dds.txt
2014-07-31 22:26 - 2014-07-31 22:26 - 00017058 _____ () C:\Users\John\Desktop\attach.txt
2014-07-31 22:17 - 2014-07-31 22:17 - 00688992 ____R (Swearware) C:\Users\John\Downloads\dds.com
2014-07-30 23:19 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-07-30 22:14 - 2013-05-12 22:40 - 00000000 ____D () C:\Program Files\Symantec
2014-07-30 21:48 - 2014-07-30 21:23 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-07-30 21:40 - 2014-07-30 21:22 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-07-30 21:24 - 2014-07-30 21:24 - 00002131 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-07-30 21:24 - 2014-07-30 21:24 - 00002119 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-07-30 21:24 - 2014-07-30 21:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-07-30 21:18 - 2013-06-11 16:16 - 02385920 ___SH () C:\Users\John\Downloads\Thumbs.db
2014-07-30 21:15 - 2014-07-30 21:09 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\John\Downloads\spybot-2.4.exe
2014-07-30 20:55 - 2013-05-12 16:03 - 00726316 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-07-29 17:15 - 2014-07-14 13:10 - 00000000 ____D () C:\Program Files\di6Safer-Surf
2014-07-29 17:09 - 2013-05-21 14:48 - 00000000 ____D () C:\Users\John\AppData\Local\Updater26278
2014-07-29 16:32 - 2014-07-29 16:32 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-07-29 16:31 - 2014-07-29 16:28 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-07-29 16:30 - 2014-07-29 16:30 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-07-29 16:27 - 2014-07-29 16:26 - 11241816 _____ (Microsoft Corporation) C:\Users\John\Downloads\mseinstall (2).exe
2014-07-29 16:15 - 2014-07-29 16:13 - 11241816 _____ (Microsoft Corporation) C:\Users\John\Downloads\MSEInstall (1).exe
2014-07-29 16:14 - 2014-07-29 16:13 - 13829304 _____ (Microsoft Corporation) C:\Users\John\Downloads\MSEInstall.exe
2014-07-29 15:03 - 2013-05-12 16:00 - 00000000 ____D () C:\Users\John\AppData\Local\VirtualStore
2014-07-29 15:01 - 2014-07-29 15:01 - 00002959 _____ () C:\Users\John\Desktop\HiJackThis.lnk
2014-07-29 15:01 - 2014-07-29 15:01 - 00000000 ____D () C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
2014-07-29 15:01 - 2014-07-29 15:01 - 00000000 ____D () C:\Program Files\Trend Micro
2014-07-29 14:42 - 2014-07-29 13:59 - 00034001 _____ () C:\Users\John\Desktop\avgrep.txt
2014-07-29 14:33 - 2014-07-29 14:31 - 00000000 ____D () C:\Users\John\Documents\compu_fix
2014-07-29 13:57 - 2013-05-21 17:17 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-07-29 13:35 - 2013-05-21 17:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-07-27 17:06 - 2014-07-27 16:47 - 00000000 ____D () C:\ProgramData\AVG2014
2014-07-27 17:06 - 2014-07-27 16:13 - 00000000 ____D () C:\Users\John\AppData\Local\Avg2014
2014-07-27 17:00 - 2014-07-27 17:00 - 00000000 ____D () C:\Users\John\AppData\Roaming\AVG2014
2014-07-27 16:55 - 2014-07-27 16:55 - 00000935 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-07-27 16:55 - 2014-07-27 16:55 - 00000000 ____D () C:\Users\John\AppData\Roaming\TuneUp Software
2014-07-27 16:55 - 2014-07-27 16:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-07-27 16:47 - 2014-07-27 16:47 - 00000000 ___HD () C:\$AVG
2014-07-27 16:39 - 2014-07-27 16:39 - 00000000 ____D () C:\Program Files\AVG
2014-07-27 16:13 - 2014-07-27 16:13 - 00000000 ____D () C:\Users\John\AppData\Local\MFAData
2014-07-27 16:11 - 2014-07-27 16:09 - 04462440 _____ (AVG Technologies) C:\Users\John\Downloads\avg_avct_stb_all_2014_4335_welcomecmp.exe
2014-07-21 08:48 - 2009-07-13 22:04 - 00000580 _____ () C:\Windows\win.ini
2014-07-20 00:18 - 2013-07-29 00:14 - 00002129 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-07-15 22:45 - 2014-07-15 22:45 - 00000000 _____ () C:\t140.3
2014-07-14 13:19 - 2014-07-14 13:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Downloader
2014-07-14 13:19 - 2014-07-14 13:19 - 00000000 ____D () C:\Program Files\Media Downloader
2014-07-14 13:18 - 2014-07-14 13:18 - 00000000 _____ () C:\LILBFE2.tmp
2014-07-14 13:18 - 2014-07-14 13:18 - 00000000 _____ () C:\LILBFE1.tmp
2014-07-11 04:01 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2014-07-11 03:20 - 2009-07-14 03:50 - 00000000 ____D () C:\Program Files\Windows Journal
2014-07-11 03:04 - 2013-08-17 07:46 - 00000000 ____D () C:\Windows\system32\MRT
2014-07-11 03:02 - 2013-05-12 17:20 - 93585272 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-07-11 03:01 - 2013-05-12 22:25 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-07-08 18:32 - 2013-05-12 23:03 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-07-08 18:32 - 2013-05-12 23:03 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-07-07 17:50 - 2014-07-07 17:49 - 00000197 _____ () C:\Users\John\Desktop\Hurricane Water Vapor Loop - Satellite Services Division - Office of Satellite Data Processing and Distribution.url
 
Some content of TEMP:
====================
C:\Users\John\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-07-29 20:30
 
==================== End Of Log ============================
 
 
 
 
I tried to open IE to see what would happen and some Flash mimic popup came up, so I'm not sure what's left. 

I'm also unclear about one particular program, Symantec Endpoint Protection. A Google search is showing that in name, the program is legitimate, however it seems to provide resistance to everything I try to run. Also, the screenshot of the program on Wiki is very different from the program that comes up. 

 

Thanks for helping out, I appreciate it.

Attached Files
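The "Bamital & volsnap Check" section of the FRST log above verifies the Authenticode status of nine core Windows binaries. The following is an added example, not FRST's code and not part of this thread, that repeats the same check from Windows PowerShell so the result can be re-confirmed after cleanup. It assumes an elevated Windows PowerShell prompt on the machine being examined; the list of files is taken from the log, and the name "Test-CoreBinarySignature" is this example's own.

```powershell
# Added example, not part of FRST or of this thread: re-run the signature check
# that FRST's "Bamital & volsnap Check" section reports, from Windows PowerShell.
# Assumed: an elevated Windows PowerShell prompt on the machine being examined.

$sys32 = Join-Path $env:SystemRoot 'System32'
# The same nine files FRST checks: the binaries the Bamital file infector is
# known to patch, plus the volsnap.sys volume-snapshot driver.
$CoreBinaries = @(
    (Join-Path $env:SystemRoot 'explorer.exe'),
    (Join-Path $sys32 'winlogon.exe'),
    (Join-Path $sys32 'wininit.exe'),
    (Join-Path $sys32 'svchost.exe'),
    (Join-Path $sys32 'services.exe'),
    (Join-Path $sys32 'user32.dll'),
    (Join-Path $sys32 'userinit.exe'),
    (Join-Path $sys32 'rpcss.dll'),
    (Join-Path $sys32 'drivers\volsnap.sys')
)

function Test-CoreBinarySignature {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{ Path = $path; Status = 'Missing'; Signer = ''; Verdict = 'MISSING' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $verdict = switch ($sig.Status) {
            # Valid = the certificate chain verifies AND the file hash matches the signed hash.
            'Valid' {
                if ($signer -match 'O=Microsoft Corporation') { 'OK' } else { 'SIGNED, BUT NOT BY MICROSOFT' }
            }
            # A patched file keeps its signature block, but the hash no longer matches.
            'HashMismatch' { 'FAIL: file modified after signing' }
            # Caveat: most Windows 7 system files carry no embedded signature; they are
            # signed through security catalogs, and Get-AuthenticodeSignature only consults
            # catalogs from PowerShell 5.1 onward. On older PowerShell, NotSigned here means
            # "verify with sigcheck.exe -i <file> or sfc /verifyfile=<file>", not "tampered".
            'NotSigned' { 'UNKNOWN: no embedded signature (check catalog)' }
            default { 'FAIL: ' + $sig.Status }
        }
        New-Object PSObject -Property @{ Path = $path; Status = $sig.Status; Signer = $signer; Verdict = $verdict }
    }
}

Test-CoreBinarySignature -Paths $CoreBinaries | Format-Table Verdict, Status, Path -AutoSize
```

The point of the Microsoft-subject check is that a file infector can in principle re-sign a patched binary with some other certificate; "signed" alone is not the bar, "signed by Microsoft with a hash that still matches" is.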



#4 nasdaq

  • Malware Response Team
  • 40,486 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 August 2014 - 08:44 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
SearchScopes: HKCU - {C1A89DC3-FCAF-41B9-8173-057B4938E7A2} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3286042&CUI=UN27309786431235382&UM=2
BHO: Safer-Surf -> {AAC977C5-14D1-56E2-EEBD-A5E21CD065B9} -> C:\Program Files\di6Safer-Surf\175.dll ()
FF HKCU\...\Firefox\Extensions: [{B982E72A-E91F-D658-0A31-83C3802076E3}] - C:\Program Files\di6Safer-Surf\175.xpi
FF Extension: Safer-Surf - C:\Program Files\di6Safer-Surf\175.xpi [2014-07-14]
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\system32\npDeployJava1.dll No File
CHR Extension: (No Name) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb [2013-07-29]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb
C:\Program Files\di6Safer-Surf

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===
 

I tried to open IE to see what would happen and some Flash mimic popup came up

Reset Internet Explorer:
Menu > Tools > Internet Options > General Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Can this article help in understanding SEP?
Security Response recommendations for Symantec Endpoint Protection
http://www.symantec.com/business/support/index?page=content&id=TECH173752

The screenshot at Wiki is understandable; someone needs to update or make an image for all versions of SEP.
===
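The fixlist in the post above removes entries from four persistence locations: the Winlogon Notify key, Internet Explorer's Browser Helper Objects and SearchScopes, and services whose driver file is gone (FRST marks the missing-file cases with "[X]" or "No File"). The following is an added example, not FRST's code and not part of this thread, that audits those same locations from Windows PowerShell so the result of the fix can be checked, and flags every entry whose backing file does not exist. It assumes an elevated Windows PowerShell prompt on the affected machine; the function names and the "FileExists" column are this example's own.

```powershell
# Added example, not FRST's code and not part of the thread: audit the persistence
# locations the fixlist above touches and flag entries whose backing file is
# missing, which is what FRST's "[X]" / "No File" markers mean.
# Assumed: an elevated Windows PowerShell prompt on the affected machine.

function Resolve-ImagePath {
    # Turn a raw registry value (ImagePath, DllName, InprocServer32) into a checkable path.
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')   # \SystemRoot\... -> C:\Windows\...
    if ($p.StartsWith('"')) {                                      # "C:\Program Files\x.exe" -arg
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $p = ($p -split ' -| /')[0]                                # svchost.exe -k netsvcs
    }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    return $p
}

function New-Finding {
    param($Location, $Name, $Target)
    $resolved = Resolve-ImagePath $Target
    $exists = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Target = $Target; FileExists = $exists }
}

function Get-WinlogonNotifyEntries {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object {
            New-Finding 'Winlogon\Notify' $_.PSChildName (Get-ItemProperty $_.PSPath).DllName
        }
    }
}

function Get-BrowserHelperObjects {
    # The BHO key only lists CLSIDs; the DLL lives under HKCR\CLSID\{id}\InprocServer32.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)\InprocServer32"
            $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
            New-Finding 'IE BHO' $_.PSChildName $dll
        }
    }
}

function Get-IESearchScopes {
    # Search providers have no file to test; list the URL so a hijacked one stands out.
    $base = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path $base) {
        Get-ChildItem $base | ForEach-Object {
            New-Object PSObject -Property @{
                Location = 'IE SearchScope'; Name = $_.PSChildName
                Target = (Get-ItemProperty $_.PSPath).URL; FileExists = $null }
        }
    }
}

function Get-OrphanedServices {
    # Only services with an ImagePath are checked; only those whose file is gone are returned.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.ImagePath) {
            $f = New-Finding 'Service' $_.PSChildName $props.ImagePath
            if (-not $f.FileExists) { $f }
        }
    }
}

$findings = @(Get-WinlogonNotifyEntries) + @(Get-BrowserHelperObjects) +
            @(Get-IESearchScopes) + @(Get-OrphanedServices)
$findings | Format-Table Location, Name, FileExists, Target -AutoSize -Wrap
```

Run once before applying the fixlist to see the same entries FRST reports, and once after the reboot to confirm they are gone. An orphaned service or BHO is not harmful in itself (the file is already missing), but it is the trail a removed program leaves, and a BHO whose DLL does exist and is unsigned deserves a closer look before it is deleted.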

#5 ravingglowstick

  • Topic Starter
  • Members
  • 4 posts


Posted 10 August 2014 - 01:23 PM

I found "RegServo" by chance while cleaning up the desktop and got rid of that.

The fixlist log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:10-08-2014 01
Ran by John at 2014-08-10 13:40:17 Run:1
Running from C:\Users\John\Desktop\compufix
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
BHO: Safer-Surf -> {AAC977C5-14D1-56E2-EEBD-A5E21CD065B9} -> C:\Program Files\di6Safer-Surf\175.dll ()
FF HKCU\...\Firefox\Extensions: [{B982E72A-E91F-D658-0A31-83C3802076E3}] - C:\Program Files\di6Safer-Surf\175.xpi
FF Extension: Safer-Surf - C:\Program Files\di6Safer-Surf\175.xpi [2014-07-14]
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\system32\npDeployJava1.dll No File
CHR Extension: (No Name) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb [2013-07-29]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb
C:\Program Files\di6Safer-Surf
 
End
*****************
 
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => Key deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C1A89DC3-FCAF-41B9-8173-057B4938E7A2}" => Key deleted successfully.
"HKCR\CLSID\{C1A89DC3-FCAF-41B9-8173-057B4938E7A2}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAC977C5-14D1-56E2-EEBD-A5E21CD065B9}" => Key deleted successfully.
"HKCR\CLSID\{AAC977C5-14D1-56E2-EEBD-A5E21CD065B9}" => Key deleted successfully.
HKCU\Software\Mozilla\Firefox\Extensions\\{B982E72A-E91F-D658-0A31-83C3802076E3} => value deleted successfully.
C:\Program Files\di6Safer-Surf\175.xpi => Moved successfully.
C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll not found.
C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll not found.
C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll not found.
C:\Windows\system32\npDeployJava1.dll not found.
C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb directory not found.
Synth3dVsc => Service deleted successfully.
tsusbhub => Service deleted successfully.
VGPU => Service deleted successfully.
"C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpaiibklhaneknloaoccoidbaffjjlnb" => File/Directory not found.
C:\Program Files\di6Safer-Surf => Moved successfully.
 
==== End of Fixlog ====
 
Checkup log:

 Results of screen317's Security Check version 0.99.86  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
AVG AntiVirus 2014              
Microsoft Security Essentials   
Symantec Endpoint Protection    
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 Java 7 Update 55  
 Java version out of Date! 
 Adobe Reader 10.1.10 Adobe Reader out of Date!  
 Google Chrome 35.0.1916.153  
 Google Chrome 36.0.1985.125  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe 
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Spybot Teatimer.exe is disabled! 
 AVG avgwdsvc.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 
 


#6 nasdaq

  • Malware Response Team
  • 40,486 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 11 August 2014 - 07:14 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u65.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 55

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

How is the computer running now?
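The Security Check log above reports an outdated Java 7 Update 55, an outdated Adobe Reader, and three registered antivirus products (AVG, Microsoft Security Essentials, Symantec Endpoint Protection), and the post above asks for the old Java to be removed once 7u65 is installed. The following is an added example, not part of this thread and not Security Check's own code, that reads the Uninstall keys to list every Java and Adobe Reader entry, flags Java entries below the 7u65 target named above, and lists the antivirus products Windows Security Center has registered. Assumptions: Windows PowerShell on the affected machine, and that Java 7 Update 65 registers DisplayVersion "7.0.650" (Java 7 updates use the "7.0.<update>0" form); the function names are this example's own.

```powershell
# Added example, not part of the thread and not Security Check's code: list Java and
# Adobe Reader entries from the Uninstall keys, flag Java below the 7u65 target
# recommended above, and list the antivirus products Security Center knows about.
# Assumed: Windows PowerShell on the affected machine; Java 7u65 = DisplayVersion 7.0.650.

function Get-UninstallEntries {
    param([string]$NamePattern)
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # 64-bit Windows only
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in (Get-ChildItem $root)) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -and $p.DisplayName -match $NamePattern) {
                New-Object PSObject -Property @{
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    Uninstall   = $p.UninstallString
                }
            }
        }
    }
}

function Test-BelowMinimum {
    # $true when the installed DisplayVersion parses as lower than the target.
    param([string]$Installed, [string]$Minimum)
    try   { return ([Version]$Installed) -lt ([Version]$Minimum) }
    catch { return $true }   # unparsable DisplayVersion: surface it rather than hide it
}

function Get-JavaAndReaderReport {
    # Only the Java runtime ("Java 7 Update 55" / "Java(TM) 6 Update 31") gets a verdict;
    # "Java Auto Updater" and Adobe Reader are listed without one, since the thread
    # gives a target version only for Java.
    foreach ($e in (Get-UninstallEntries '^Java|^Adobe Reader')) {
        $status = 'listed'
        if ($e.DisplayName -match '^Java(\(TM\))? \d+ Update') {
            $status = if (Test-BelowMinimum $e.Version '7.0.650') { 'OUTDATED: remove after updating' } else { 'ok' }
        }
        New-Object PSObject -Property @{ Status = $status; Name = $e.DisplayName; Version = $e.Version; Uninstall = $e.Uninstall }
    }
}

function Get-RegisteredAntivirus {
    # root\SecurityCenter2 (Vista and later) is what the "Antivirus/Firewall Check"
    # section reflects. productState is a bit field; it is shown raw, not decoded, here.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        Select-Object displayName, pathToSignedProductExe, productState
}

Get-JavaAndReaderReport | Format-Table Status, Name, Version -AutoSize
Get-RegisteredAntivirus | Format-Table -AutoSize
```

Two notes for anyone reading the Security Check output. First, objlist labels ccSvcHst.exe as "Norton", but that binary is Symantec's common client service host and is also what Symantec Endpoint Protection runs under, so the process line and the "Symantec Endpoint Protection" entry in the antivirus list refer to the same product. Second, three real-time scanners registered at once is itself something to resolve: vendors generally advise running only one real-time antivirus product, and the extra ones are a common cause of the slowness and "resistance to everything I try to run" described earlier in the thread.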

#7 ravingglowstick

  • Topic Starter
  • Members
  • 4 posts


Posted 12 August 2014 - 08:49 PM

I think this is about as good as we're gonna get it. Thanks for your help.



#8 nasdaq

  • Malware Response Team
  • 40,486 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 13 August 2014 - 06:45 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

  • Malware Response Team
  • 40,486 posts
  • Gender:Male
  • Location:Montreal, QC. Canada


Posted 19 August 2014 - 08:08 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



