
Locked registry keys


This topic is locked.
8 replies to this topic

#1 PCMan55

PCMan55

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:25 AM

Posted 11 September 2014 - 11:03 AM

Greetings everyone.

 

I am not exactly a computer expert, and I recently had a trojan which MSE listed as "Win32/Small".

 

After I deleted it I ran Combofix, and the log looks weird.

 

There are many locked registry keys, and the last item in that list of locked keys makes me a bit worried.

 

I have attached the Combofix log as well as a DDS log.

 

Any input would be much appreciated.

Attached File: attach.txt (9.04KB, 2 downloads)
Attached File: ComboFix.txt (26.45KB, 8 downloads)




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:25 PM

Posted 15 September 2014 - 08:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
  • If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 PCMan55

PCMan55
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:25 AM

Posted 17 September 2014 - 09:32 AM

Hi nasdaq, thanks for responding.

 

Here is the MBAM log file:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/17/2014
Scan Time: 8:01:11 PM
Logfile: mbamlog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.17.03
Rootkit Database: v2014.09.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299824
Time Elapsed: 8 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

AdwCleaner log:

# AdwCleaner v3.310 - Report created 17/09/2014 at 20:22:32
# Updated 12/09/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Admin - PC2014041311HFY
# Running from : C:\Users\Admin\Desktop\adwcleaner_3.310.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

[x] Not Deleted : C:\ProgramData\SecTaskMan

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASAPI32
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASMANCS
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskPIP_FF__RASAPI32
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskPIP_FF__RASMANCS

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ark98j1s.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1267 octets] - [17/09/2014 20:19:03]
AdwCleaner[S0].txt - [1227 octets] - [17/09/2014 20:22:32]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1287 octets] ##########

Farbar log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by Admin (administrator) on PC2014041311HFY on 17-09-2014 21:09:18
Running from C:\Users\Admin\Desktop
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\dsiwmis.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\LMutilps32.exe
(Nero AG) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
(Prolific Technology Inc.) C:\Windows\System32\IoctlSvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Nullsoft, Inc.) C:\Program Files\Winamp\winampa.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\LManager.exe
(Dritek System Inc.) C:\Program Files\Launch Manager\LMworker.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\w32x86\3\E_TATII2E.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [417792 2009-11-10] (Apple Inc.)
HKLM\...\Run: [WinampAgent] => C:\Program Files\Winamp\winampa.exe [74752 2011-07-01] (Nullsoft, Inc.)
HKLM\...\Run: [NBKeyScan] => C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2221352 2008-06-08] (Nero AG)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10082920 2011-05-31] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [285240 2012-09-01] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2295080 2011-10-03] (Synaptics Incorporated)
HKLM\...\Run: [LManager] => C:\Program Files\Launch Manager\LManager.exe [1081424 2011-03-15] (Dritek System Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKU\S-1-5-21-1942616502-260430014-267345241-1000\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TATII2E.EXE [249440 2012-02-27] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1942616502-260430014-267345241-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1942616502-260430014-267345241-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.duckduckgo.com/
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 203.144.206.29 203.144.206.49
Tcpip\..\Interfaces\{875A030E-CF67-4ECD-A797-26B03AB90FB5}: [NameServer] 95.211.10.3
Tcpip\..\Interfaces\{99B758C8-2616-498E-94C4-37BDB04C5DE0}: [NameServer] 95.211.10.3

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ark98j1s.default
FF DefaultSearchEngine: Wikipedia (en)
FF Homepage: www.duckduckgo.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_182.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: DownloadHelper - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ark98j1s.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-09-17]
FF Extension: DownThemAll! - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ark98j1s.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-04-17]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
S3 OpenVPNService; C:\Program Files\OpenVPN\bin\openvpnserv.exe [32568 2014-05-02] (The OpenVPN Project)
R2 PLFlash DeviceIoControl Service; C:\Windows\system32\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\System32\DRIVERS\athr.sys [2241024 2012-11-26] (Qualcomm Atheros Communications, Inc.)
R0 iaStorA; C:\Windows\System32\DRIVERS\iaStorA.sys [532536 2012-09-01] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [25656 2012-09-01] (Intel Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-17] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2013-08-22] (The OpenVPN Project)
S3 catchme; \??\C:\Users\Admin\AppData\Local\Temp\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-17 20:27 - 2014-09-17 21:08 - 00017958 _____ () C:\Users\Admin\Desktop\Addition.txt
2014-09-17 20:26 - 2014-09-17 21:09 - 00008706 _____ () C:\Users\Admin\Desktop\FRST.txt
2014-09-17 20:26 - 2014-09-17 21:09 - 00000000 ____D () C:\FRST
2014-09-17 20:25 - 2014-09-17 20:22 - 00001367 _____ () C:\Users\Admin\Desktop\AdwCleaner[S0].txt
2014-09-17 20:22 - 2014-09-17 20:22 - 00001412 _____ () C:\Users\Admin\Desktop\inst.txt
2014-09-17 20:18 - 2014-09-17 20:22 - 00000000 ____D () C:\AdwCleaner
2014-09-17 20:17 - 2014-09-17 20:17 - 01097728 _____ (Farbar) C:\Users\Admin\Desktop\FRST.exe
2014-09-17 20:16 - 2014-09-17 20:16 - 01373475 _____ () C:\Users\Admin\Desktop\adwcleaner_3.310.exe
2014-09-17 20:09 - 2014-09-17 20:09 - 00002484 _____ () C:\Users\Admin\Desktop\mbam-log-2014-09-17 (20-01-01).xml
2014-09-17 19:55 - 2014-09-17 20:00 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-17 19:54 - 2014-09-17 19:54 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-17 19:54 - 2014-09-17 19:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-17 19:54 - 2014-09-17 19:54 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-17 19:54 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-17 19:54 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-17 19:54 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-17 19:53 - 2014-09-17 19:53 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Admin\Desktop\mbam-setup-2.0.2.1012.exe
2014-09-17 13:49 - 2014-09-17 13:50 - 00000000 ____D () C:\Users\Admin\Desktop\dt2
2014-09-15 02:55 - 2014-09-15 02:55 - 00000000 __SHD () C:\Users\Admin\AppData\Local\EmieUserList
2014-09-15 02:55 - 2014-09-15 02:55 - 00000000 __SHD () C:\Users\Admin\AppData\Local\EmieSiteList
2014-09-14 06:28 - 2014-09-14 06:28 - 00000000 ____D () C:\Users\Admin\Documents\Nero
2014-09-12 01:04 - 2014-09-16 18:40 - 00000000 ____D () C:\Users\Admin\Desktop\ENEW
2014-09-11 22:44 - 2014-08-20 00:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-11 22:44 - 2014-08-19 05:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-11 22:44 - 2014-08-19 05:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-11 22:44 - 2014-08-19 04:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-11 22:44 - 2014-08-19 04:57 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-11 22:44 - 2014-08-19 04:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-11 22:44 - 2014-08-19 04:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-11 22:44 - 2014-08-19 04:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-11 22:44 - 2014-08-19 04:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-11 22:44 - 2014-08-19 04:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-11 22:44 - 2014-08-19 04:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-11 22:44 - 2014-08-19 04:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-11 22:44 - 2014-08-19 04:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-11 22:44 - 2014-08-19 04:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-11 22:44 - 2014-08-19 04:36 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-11 22:44 - 2014-08-19 04:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-11 22:44 - 2014-08-19 04:30 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-11 22:44 - 2014-08-19 04:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-11 22:44 - 2014-08-19 04:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-11 22:44 - 2014-08-19 04:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-11 22:44 - 2014-08-19 04:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-11 22:44 - 2014-08-19 04:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-11 22:44 - 2014-08-19 04:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-11 22:44 - 2014-08-19 04:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-11 22:44 - 2014-08-19 04:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-11 22:44 - 2014-08-19 04:08 - 00673792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-11 22:44 - 2014-08-19 04:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-11 22:44 - 2014-08-19 03:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-11 22:44 - 2014-08-19 03:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-11 22:44 - 2014-08-19 03:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-11 22:35 - 2014-07-01 05:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-09-11 22:35 - 2014-06-06 13:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-09-11 22:35 - 2014-03-10 04:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-09-11 22:35 - 2014-03-10 04:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-09-11 22:25 - 2014-05-30 13:36 - 00338944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-09-11 22:17 - 2014-07-14 08:42 - 00654336 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2014-09-11 22:17 - 2014-06-16 08:44 - 00730048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-09-11 22:17 - 2014-06-16 08:44 - 00219072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2014-09-11 22:17 - 2014-06-16 08:40 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2014-09-11 22:13 - 2014-03-26 21:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-09-11 22:13 - 2014-03-26 21:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-09-11 22:13 - 2014-03-26 21:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2014-09-11 22:13 - 2014-03-26 21:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-09-11 22:12 - 2014-07-07 08:40 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-11 22:12 - 2014-07-07 08:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-11 22:09 - 2014-08-23 08:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-09-11 22:09 - 2014-08-23 07:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-09-11 22:07 - 2014-07-16 09:46 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-11 22:07 - 2014-06-18 08:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-09-11 22:03 - 2014-06-06 16:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-09-11 22:03 - 2014-06-03 16:30 - 00101824 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-09-11 22:03 - 2014-06-03 16:29 - 02363392 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-09-11 22:03 - 2014-06-03 16:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-09-11 22:03 - 2014-06-03 16:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-09-11 22:03 - 2014-04-05 09:25 - 01294272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-09-11 22:03 - 2014-04-05 09:24 - 00187840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2014-09-11 21:55 - 2014-05-08 16:06 - 00919040 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-09-11 21:55 - 2014-04-25 09:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-09-11 21:05 - 2014-05-14 23:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-09-11 21:05 - 2014-05-14 23:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-09-11 21:05 - 2014-05-14 23:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-09-11 21:05 - 2014-05-14 23:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-09-11 21:05 - 2014-05-14 23:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-09-11 21:05 - 2014-05-14 23:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-09-11 21:05 - 2014-05-14 23:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-09-11 21:05 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-09-11 21:05 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-09-11 21:04 - 2014-09-11 22:34 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-09-11 21:04 - 2014-09-11 22:34 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-09-11 20:41 - 2014-09-11 20:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-11 20:06 - 2014-09-11 20:06 - 00027082 _____ () C:\ComboFix.txt
2014-09-07 00:28 - 2014-09-07 01:05 - 00000000 ____D () C:\LEE
2014-09-07 00:02 - 2014-09-07 00:02 - 00000000 __RSH () C:\MSDOS.SYS
2014-09-07 00:02 - 2014-09-07 00:02 - 00000000 __RSH () C:\IO.SYS
2014-09-06 23:50 - 2014-09-06 23:52 - 00000000 ____D () C:\ProgramData\SecTaskMan
2014-09-06 23:50 - 2014-09-06 23:50 - 00000000 ____D () C:\Program Files\Security Task Manager
2014-09-06 23:49 - 2014-09-06 23:49 - 02365840 _____ () C:\Users\Admin\Desktop\SecurityTaskManager_Setup.exe
2014-08-23 23:50 - 2014-08-23 23:50 - 00147056 _____ () C:\Windows\Minidump\082314-10530-01.dmp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-17 21:09 - 2014-09-17 20:26 - 00008706 _____ () C:\Users\Admin\Desktop\FRST.txt
2014-09-17 21:09 - 2014-09-17 20:26 - 00000000 ____D () C:\FRST
2014-09-17 21:08 - 2014-09-17 20:27 - 00017958 _____ () C:\Users\Admin\Desktop\Addition.txt
2014-09-17 20:28 - 2011-08-13 17:39 - 00783114 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-17 20:27 - 2014-04-13 11:54 - 01442207 _____ () C:\Windows\WindowsUpdate.log
2014-09-17 20:24 - 2014-04-13 14:15 - 00011414 _____ () C:\Windows\PFRO.log
2014-09-17 20:24 - 2014-04-13 13:06 - 00042905 _____ () C:\Windows\setupact.log
2014-09-17 20:24 - 2009-07-14 11:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-17 20:23 - 2009-07-14 11:34 - 00009808 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-17 20:23 - 2009-07-14 11:34 - 00009808 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-17 20:22 - 2014-09-17 20:25 - 00001367 _____ () C:\Users\Admin\Desktop\AdwCleaner[S0].txt
2014-09-17 20:22 - 2014-09-17 20:22 - 00001412 _____ () C:\Users\Admin\Desktop\inst.txt
2014-09-17 20:22 - 2014-09-17 20:18 - 00000000 ____D () C:\AdwCleaner
2014-09-17 20:17 - 2014-09-17 20:17 - 01097728 _____ (Farbar) C:\Users\Admin\Desktop\FRST.exe
2014-09-17 20:16 - 2014-09-17 20:16 - 01373475 _____ () C:\Users\Admin\Desktop\adwcleaner_3.310.exe
2014-09-17 20:09 - 2014-09-17 20:09 - 00002484 _____ () C:\Users\Admin\Desktop\mbam-log-2014-09-17 (20-01-01).xml
2014-09-17 20:00 - 2014-09-17 19:55 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-17 19:54 - 2014-09-17 19:54 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-17 19:54 - 2014-09-17 19:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-17 19:54 - 2014-09-17 19:54 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-17 19:53 - 2014-09-17 19:53 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\Admin\Desktop\mbam-setup-2.0.2.1012.exe
2014-09-17 14:56 - 2014-04-13 12:26 - 00000069 _____ () C:\Windows\NeroDigital.ini
2014-09-17 13:50 - 2014-09-17 13:49 - 00000000 ____D () C:\Users\Admin\Desktop\dt2
2014-09-17 08:12 - 2009-07-14 09:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-09-15 21:28 - 2009-07-14 11:53 - 00032580 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-09-15 02:55 - 2014-09-15 02:55 - 00000000 __SHD () C:\Users\Admin\AppData\Local\EmieUserList
2014-09-15 02:55 - 2014-09-15 02:55 - 00000000 __SHD () C:\Users\Admin\AppData\Local\EmieSiteList
2014-09-14 06:28 - 2014-09-14 06:28 - 00000000 ____D () C:\Users\Admin\Documents\Nero
2014-09-12 04:43 - 2009-07-14 09:37 - 00000000 ____D () C:\Windows\rescache
2014-09-12 04:14 - 2009-07-14 09:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-09-12 01:07 - 2009-07-14 11:33 - 00406952 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-09-12 01:06 - 2014-04-13 12:23 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-09-12 01:05 - 2009-07-14 14:50 - 00000000 ____D () C:\Program Files\Windows Journal
2014-09-11 22:49 - 2014-04-13 12:26 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-11 22:46 - 2009-07-14 09:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-09-11 22:42 - 2014-04-13 12:26 - 00000000 ____D () C:\Program Files\Microsoft Office
2014-09-11 22:41 - 2014-04-13 15:33 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-11 22:34 - 2014-09-11 21:04 - 00002117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-09-11 22:34 - 2014-09-11 21:04 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-09-11 22:34 - 2014-04-13 14:25 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-09-11 20:53 - 2014-04-13 12:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2014-09-11 20:41 - 2014-09-11 20:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-11 20:06 - 2014-09-11 20:06 - 00027082 _____ () C:\ComboFix.txt
2014-09-11 20:06 - 2014-04-15 01:42 - 00000000 ____D () C:\Qoobox
2014-09-11 20:05 - 2009-07-14 09:04 - 00000215 _____ () C:\Windows\system.ini
2014-09-07 01:05 - 2014-09-07 00:28 - 00000000 ____D () C:\LEE
2014-09-07 00:02 - 2014-09-07 00:02 - 00000000 __RSH () C:\MSDOS.SYS
2014-09-07 00:02 - 2014-09-07 00:02 - 00000000 __RSH () C:\IO.SYS
2014-09-06 23:52 - 2014-09-06 23:50 - 00000000 ____D () C:\ProgramData\SecTaskMan
2014-09-06 23:50 - 2014-09-06 23:50 - 00000000 ____D () C:\Program Files\Security Task Manager
2014-09-06 23:49 - 2014-09-06 23:49 - 02365840 _____ () C:\Users\Admin\Desktop\SecurityTaskManager_Setup.exe
2014-09-02 20:12 - 2014-04-27 16:55 - 00005632 _____ () C:\Users\Admin\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-29 13:01 - 2014-04-13 15:33 - 98758480 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-08-23 23:50 - 2014-08-23 23:50 - 00147056 _____ () C:\Windows\Minidump\082314-10530-01.dmp
2014-08-23 23:50 - 2014-04-28 14:17 - 00000000 ____D () C:\Windows\Minidump
2014-08-23 23:50 - 2014-04-28 14:16 - 261614941 _____ () C:\Windows\MEMORY.DMP
2014-08-23 08:46 - 2014-09-11 22:09 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-23 07:42 - 2014-09-11 22:09 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-20 00:39 - 2014-09-11 22:44 - 00327872 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-08-19 05:26 - 2014-09-11 22:44 - 17455104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-08-19 05:08 - 2014-09-11 22:44 - 04232704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-08-19 04:57 - 2014-09-11 22:44 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-08-19 04:57 - 2014-09-11 22:44 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-08-19 04:46 - 2014-09-11 22:44 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-08-19 04:45 - 2014-09-11 22:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-08-19 04:44 - 2014-09-11 22:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-08-19 04:44 - 2014-09-11 22:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-08-19 04:42 - 2014-09-11 22:44 - 02185728 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-08-19 04:39 - 2014-09-11 22:44 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-08-19 04:39 - 2014-09-11 22:44 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-08-19 04:37 - 2014-09-11 22:44 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-08-19 04:36 - 2014-09-11 22:44 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-08-19 04:36 - 2014-09-11 22:44 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-08-19 04:35 - 2014-09-11 22:44 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-08-19 04:30 - 2014-09-11 22:44 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-08-19 04:27 - 2014-09-11 22:44 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-08-19 04:22 - 2014-09-11 22:44 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-08-19 04:19 - 2014-09-11 22:44 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-08-19 04:17 - 2014-09-11 22:44 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-08-19 04:17 - 2014-09-11 22:44 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-08-19 04:15 - 2014-09-11 22:44 - 11769856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-08-19 04:09 - 2014-09-11 22:44 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-08-19 04:08 - 2014-09-11 22:44 - 02014208 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-08-19 04:08 - 2014-09-11 22:44 - 00673792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-08-19 04:07 - 2014-09-11 22:44 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-08-19 03:46 - 2014-09-11 22:44 - 01812992 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-08-19 03:38 - 2014-09-11 22:44 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-08-19 03:36 - 2014-09-11 22:44 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

Some content of TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2011-08-13 20:26] - [2010-11-20 03:21] - 0811520 ____A (Microsoft Corporation) BE8C64439F1E2AF088063218C16EB9FE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-09-16 05:31

==================== End Of Log ============================

 

The Addition.txt file is attached as per your instruction.

 

Thanks.




#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:25 PM

Posted 17 September 2014 - 10:38 AM

I suggest that you remove these items found by AdwCleaner too.
 

[x] Not Deleted : C:\ProgramData\SecTaskMan
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASAPI32
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASMANCS
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskPIP_FF__RASAPI32
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskPIP_FF__RASMANCS


===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.duckduckgo.com/
FF Homepage: www.duckduckgo.com
FF Plugin: @microsoft.com/GENUINE -> disabled No File
S2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [X]
S3 catchme; \??\C:\Users\Admin\AppData\Local\Temp\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

#5 PCMan55

PCMan55
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:25 AM

Posted 17 September 2014 - 10:42 AM

Thanks for replying. The computer is running fine, but those locked keys got me worried.

 

Never seen those locked before, including that last one.

 

I will follow your instructions and get back to you shortly.

 

Thanks.



#6 PCMan55

PCMan55
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:25 AM

Posted 17 September 2014 - 11:12 AM

Here is the fixlist:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-09-2014
Ran by Admin at 2014-09-17 22:48:41 Run:1
Running from C:\Users\Admin\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.duckduckgo.com/
FF Homepage: www.duckduckgo.com
FF Plugin: @microsoft.com/GENUINE -> disabled No File
S2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [X]
S3 catchme; \??\C:\Users\Admin\AppData\Local\Temp\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
Firefox homepage deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
RichVideo => Service deleted successfully.
catchme => Service deleted successfully.
clwvd => Service deleted successfully.
VGPU => Service deleted successfully.

==== End of Fixlog ====

 

The checkup log:

 

Results of screen317's Security Check version 0.99.87  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner     
  Adobe Flash Player     13.0.0.182 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 29.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

Thanks.
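As an added example (not part of this thread and not FRST's own code), the check below takes the fixlist nasdaq posted and the Fixlog PCMan55 got back and reports, directive by directive, whether a "successfully" line in the Fixlog confirms it was applied. Both inputs are constructed from the two logs quoted above; directive types other than services, registry values and the two FF lines are reported as unconfirmed.

```python
import re

# Constructed input: the fixlist nasdaq posted and the Fixlog PCMan55 got back.
FIXLIST = r"""start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.duckduckgo.com/
FF Homepage: www.duckduckgo.com
FF Plugin: @microsoft.com/GENUINE -> disabled No File
S2 RichVideo; "C:\Program Files\CyberLink\Shared files\RichVideo.exe" [X]
S3 catchme; \??\C:\Users\Admin\AppData\Local\Temp\catchme.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
End"""
FIXLOG = r"""HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
Firefox homepage deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
RichVideo => Service deleted successfully.
catchme => Service deleted successfully.
clwvd => Service deleted successfully.
VGPU => Service deleted successfully."""

SERVICE = re.compile(r"^S\d+\s+(\S+?);")           # S2 RichVideo; "...exe" [X]
REGVALUE = re.compile(r"^(HK\w+\\[^,]+),(.+?) = ")  # HKCU\...\Main,Start Page = ...

def parse_fixlist(text):
    """Yield (directive, text the Fixlog must contain) for lines between start and End."""
    inside = False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower() == "start":
            inside = True
        elif not inside or not line or line.lower() == "end":
            continue
        elif m := SERVICE.match(line):
            yield line, f"{m.group(1)} => Service deleted successfully."
        elif m := REGVALUE.match(line):
            # FRST reports a value as key\\name, with the backslash doubled
            yield line, f"{m.group(1)}\\\\{m.group(2)} => Value"
        elif line.startswith("FF Homepage:"):
            yield line, "Firefox homepage deleted successfully."
        elif line.startswith("FF Plugin:"):
            yield line, line.split()[2]          # the plugin id, e.g. @microsoft.com/GENUINE
        else:
            yield line, None                     # directive type this checker does not know

def verify_fix(fixlist, fixlog):
    """Map each directive to True only if a 'successfully' line in the Fixlog confirms it."""
    log = [l.strip() for l in fixlog.splitlines()]
    return {d: needle is not None and any(needle in l and "successfully" in l for l in log)
            for d, needle in parse_fixlist(fixlist)}
```

A directive that comes back False is the one to look at again before treating the fix as complete.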

 



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:25 PM

Posted 17 September 2014 - 12:34 PM

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or, if you have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 PCMan55

PCMan55
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:25 AM

Posted 17 September 2014 - 01:11 PM

OK, I have installed the latest version of Flash Player.

 

Since the computer is running fine, I suppose all is well.

 

Thanks again for your help and advice.


Edited by PCMan55, 18 September 2014 - 03:40 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:25 PM

Posted 18 September 2014 - 06:58 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



