Multiple dllhost.exe processes - suspect malware infection


  • This topic is locked
16 replies to this topic

#1 Grendel_J

  • Members
  • 8 posts

Posted 30 September 2014 - 04:01 PM

My father has a desktop computer running Windows 7. Recently, the computer has been slowing down and almost coming to a halt. When I checked the Task Manager, there are multiple (10-20+) "dllhost.exe *32" processes running. CPU and memory usage both go as high as 100% and the machine freezes up completely, to the point where a hard shutdown must be performed.
 

I suspect a malware infection, but I have run full scans with Malwarebytes and Norton and neither one has found anything. What steps should I take to resolve this?

DDS log is as follows:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17280
Run by Manson at 17:32:04 on 2014-09-30
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3839.2116 [GMT -5:00]
.
AV: Norton Internet Security *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton Internet Security *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\21.5.0.19\NIS.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Norton Internet Security\Engine\21.5.0.19\NIS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Users\Manson\AppData\Roaming\Spotify\spotify.exe
C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Brownie\BrStsW64.exe
C:\Program Files (x86)\Brownie\brpjp04a.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\syswow64\dllhost.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\Dwm.exe
C:\Windows\splwow64.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Users\Manson\AppData\Local\Temp\kglbfxk.exe
C:\Program Files (x86)\Hewlett-Packard\MediaSmart\Photo\CpuChecker.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Manson\AppData\LocalLow\EmieSiteList\pzimsixksob\Sltytnkib\Dbfwyhsgfbl.exe
C:\Users\Manson\AppData\LocalLow\EmieSiteList\pzimsixksob\Sltytnkib\Dbfwyhsgfbl.exe
C:\Users\Manson\AppData\LocalLow\EmieSiteList\pzimsixksob\Sltytnkib\Dbfwyhsgfbl.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.yahoo.com/
mWinlogon: Userinit = userinit.exe,
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.5.0.19\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.5.0.19\ips\ipsbho.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.5.0.19\coieplg.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.5.0.19\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Spotify] "C:\Users\Manson\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
uRun: [Spotify Web Helper] "C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [Gltbtrbvlyml] C:\Users\Manson\AppData\Local\Temp\b6c\AppData\Local\Microsoft\Gltbtrbvlyml.exe
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{D100BE2D-93EE-4535-95AF-6B2C26704548} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.5.0.19\coieplg.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.5.0.19\coieplg.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-RunOnce: [NCPluginUpdater] "c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update
x64-IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2013-3-31 82600]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2013-3-31 42664]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1505000.013\symds64.sys [2014-8-16 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1505000.013\symefa64.sys [2014-8-16 1148120]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20140912.003\BHDrvx64.sys [2014-9-12 1586904]
R1 ccSet_NIS;NIS Settings Manager;C:\Windows\System32\drivers\NISx64\1505000.013\ccsetx64.sys [2014-8-16 162392]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20140929.001\IDSviA64.sys [2014-9-29 633560]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1505000.013\ironx64.sys [2014-8-16 264280]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1505000.013\symnets.sys [2014-8-16 593112]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2014-4-13 204288]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2012-12-6 2350176]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-4-21 471144]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2014-4-13 38456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-4-13 59392]
.
=============== File Associations ===============
.
ShellExec: Opera.exe: open="C:\Program Files (x86)\Opera\Launcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-09-30 19:41:53 -------- d-sh--w- C:\found.002
2014-09-27 14:26:37 -------- d-----w- C:\Users\Manson\AppData\Local\Adobe
2014-09-26 02:35:54 -------- d-sh--w- C:\found.001
2014-09-24 14:12:32 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-09-24 14:12:32 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-09-23 20:51:25 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-09-23 20:51:01 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-09-23 20:51:01 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-09-23 20:51:01 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-09-23 20:51:01 -------- d-----w- C:\ProgramData\Malwarebytes
2014-09-23 20:51:01 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-23 20:50:33 -------- d-----w- C:\Users\Manson\AppData\Local\Programs
2014-09-17 15:04:38 -------- d-sh--w- C:\found.000
2014-09-13 23:34:27 -------- d-----w- C:\Users\Manson\AppData\Local\Diagnostics
2014-09-12 08:01:28 2777088 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
2014-09-12 08:01:28 2285056 ----a-w- C:\Windows\SysWow64\msmpeg2vdec.dll
2014-09-12 02:25:46 1031168 ----a-w- C:\Windows\System32\TSWorkspace.dll
2014-09-12 02:25:44 793600 ----a-w- C:\Windows\SysWow64\TSWorkspace.dll
2014-09-12 02:25:36 2565120 ----a-w- C:\Windows\System32\d3d10warp.dll
2014-09-12 02:25:35 1987584 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2014-09-12 02:25:19 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-09-12 02:25:19 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-09-12 02:25:19 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-09-12 02:25:18 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-09-12 02:25:18 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-09-12 02:25:10 578048 ----a-w- C:\Windows\System32\aepdu.dll
2014-09-12 02:25:10 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-09-02 16:34:41 -------- d-----w- C:\Users\Manson\AppData\Local\Spotify
2014-09-02 16:33:47 -------- d-----w- C:\Users\Manson\AppData\Roaming\Spotify
.
==================== Find3M  ====================
.
2014-09-24 16:22:19 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-24 16:22:19 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-08-23 02:07:00 404480 ----a-w- C:\Windows\System32\gdi32.dll
2014-08-23 01:45:55 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2014-08-23 00:59:01 3163648 ----a-w- C:\Windows\System32\win32k.sys
2014-08-18 22:29:49 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-08-18 22:29:35 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-08-18 22:19:53 5833728 ----a-w- C:\Windows\System32\jscript9.dll
2014-08-18 22:15:34 547328 ----a-w- C:\Windows\System32\vbscript.dll
2014-08-18 22:15:09 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-08-18 22:14:38 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-08-18 22:14:10 83968 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-08-18 22:08:55 4232704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-08-18 22:03:47 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-08-18 22:03:37 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-08-18 22:03:01 758272 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-08-18 21:57:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-08-18 21:56:17 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-08-18 21:46:26 454656 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-08-18 21:45:23 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-08-18 21:45:12 72704 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-08-18 21:44:44 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-08-18 21:44:09 61952 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-08-18 21:36:07 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-08-18 21:35:24 597504 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-08-18 21:23:17 2104832 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-08-18 21:23:16 1249280 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-08-18 21:22:48 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-08-18 21:15:13 2310656 ----a-w- C:\Windows\System32\wininet.dll
2014-08-18 21:08:54 2014208 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-08-18 21:07:44 1068032 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-08-18 20:46:48 1812992 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-07-25 07:35:46 875688 ----a-w- C:\Windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 04:47:06 869544 ----a-w- C:\Windows\System32\msvcr120_clr0400.dll
2014-07-14 02:02:45 1216000 ----a-w- C:\Windows\System32\rpcrt4.dll
2014-07-14 01:40:58 664064 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2014-07-09 02:03:23 7168 ----a-w- C:\Windows\System32\KBDYAK.DLL
2014-07-09 02:03:22 7168 ----a-w- C:\Windows\System32\KBDBASH.DLL
2014-07-09 01:31:42 7168 ----a-w- C:\Windows\SysWow64\KBDYAK.DLL
2014-07-09 01:31:41 6656 ----a-w- C:\Windows\SysWow64\KBDBASH.DLL
.
============= FINISH: 18:04:27.72 ===============


 


Edited by Grendel_J, 30 September 2014 - 06:52 PM.
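The symptom in the post above (a growing pile of dllhost.exe *32 processes that Malwarebytes and Norton do not catch) is what a registry-resident loader looks like from Task Manager: dllhost.exe is the COM surrogate, and a CLSID whose LocalServer32 value is a rundll32 javascript: URL instead of an executable path gets it spawned over and over. That is exactly the value FRST flags as "Poweliks" in the log posted later in this thread, and the DDS log above also shows binaries running from Temp and LocalLow. The script below is an added example, not code from any post in this thread or from DDS/FRST; it runs the checks a responder would apply, over a constructed excerpt of the lines posted here. The character shift in decode_shift() is inferred from the visible eval("...") fragment (shifting each character down by one yields readable JScript); only the fragment on the page is decoded, the rest of the payload is not available here. The dllhost threshold in report() is an assumed tuning value.

```python
"""
Added triage example (not from any post in this thread): runs the checks a responder
would apply to the DDS/FRST lines posted here, over a constructed excerpt of those lines.
Indicators: a CLSID LocalServer32 value that is a rundll32 javascript: URL instead of an
executable path, binaries started from user-writable Temp/LocalLow folders, and the
number of dllhost.exe instances.  The char-code shift used by decode_shift() is inferred
from the eval("...") fragment in the FRST line: shifting each character down by one
yields readable JScript.
"""
import re

# Constructed sample: lines copied from the logs in this thread (post #1 DDS, post #3 FRST).
SAMPLE_LINES = [
    r"C:\Windows\syswow64\dllhost.exe",
    r"C:\Users\Manson\AppData\Roaming\Spotify\spotify.exe",
    r"C:\Users\Manson\AppData\Local\Temp\kglbfxk.exe",
    r"C:\Users\Manson\AppData\LocalLow\EmieSiteList\pzimsixksob\Sltytnkib\Dbfwyhsgfbl.exe",
    r"uRun: [Gltbtrbvlyml] C:\Users\Manson\AppData\Local\Temp\b6c\AppData\Local\Microsoft\Gltbtrbvlyml.exe",
    r"(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe",
    r"(Microsoft Corporation) C:\Windows\System32\dllhost.exe",
    r'HKU\S-1-5-21-571345625-3983636709-847068036-1000\...A8F59079A8D5}\localserver32: '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
]

# User-writable locations nothing should auto-start from.  Roaming is deliberately absent:
# Spotify legitimately runs from AppData\Roaming in this log.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\locallow\\")

PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.exe)", re.IGNORECASE)
LOCALSERVER_RE = re.compile(r"localserver32:\s*(.+)$", re.IGNORECASE)
EVAL_RE = re.compile(r'eval\("([^"]+)')


def decode_shift(text, shift=1):
    """Undo the per-character code shift in the eval'd fragment (stored as plaintext + 1)."""
    return "".join(chr(ord(c) - shift) for c in text)


def is_poweliks_localserver(value):
    """A COM LocalServer32 value must be an executable path.  A rundll32 'javascript:' URL
    that drives mshtml's RunHTMLApplication is the registry-only persistence FRST flags."""
    v = value.lower()
    return "rundll32" in v and "javascript:" in v


def decode_eval_fragment(value):
    """Return the decoded eval("...") payload of a flagged value, or None if absent."""
    m = EVAL_RE.search(value)
    return decode_shift(m.group(1)) if m else None


def in_suspect_dir(path):
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS)


def triage(lines):
    """Classify log lines; returns counts and the offending entries."""
    findings = {"localserver": [], "suspect_paths": [], "dllhost_count": 0}
    for line in lines:
        m = LOCALSERVER_RE.search(line)
        if m:
            if is_poweliks_localserver(m.group(1)):
                findings["localserver"].append(m.group(1))
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if path.lower().endswith("\\dllhost.exe"):
            findings["dllhost_count"] += 1
        if in_suspect_dir(path):
            findings["suspect_paths"].append(path)
    return findings


def report(findings, dllhost_threshold=3):
    """Human-readable summary; the threshold is an assumed tuning knob, not a fixed rule."""
    out = []
    if findings["dllhost_count"] >= dllhost_threshold:
        out.append("dllhost.exe instances: %d (COM surrogate spawned repeatedly)" % findings["dllhost_count"])
    for p in findings["suspect_paths"]:
        out.append("binary in user-writable location: " + p)
    for v in findings["localserver"]:
        out.append("registry-resident loader: " + v[:60] + "...")
        out.append("  eval() fragment decodes to: " + repr(decode_eval_fragment(v)))
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LINES)):
        print(line)
```

The check matches on the content of the LocalServer32 value rather than on the CLSID, because the key name in the posted log is truncated and because any CLSID can be abused the same way; the point a practitioner should take from the thread is that a full disk scan finds nothing when the loader lives only in the registry, so the registry value and the process tree are what to look at, not the dllhost.exe binary, which is legitimate.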


#2 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 04 October 2014 - 06:23 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi Grendel_J,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 Grendel_J
  • Topic Starter

  • Members
  • 8 posts

Posted 04 October 2014 - 01:01 PM

Thank you for helping me, Toffee. I have run the FRST and the results are as follows.

Here is FRST.txt:
 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-10-2014 01
Ran by Manson (administrator) on MANSON-HP on 04-10-2014 12:31:36
Running from C:\Users\Manson\Desktop
Loaded Profile: Manson (Available profiles: Manson)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Spotify Ltd) C:\Users\Manson\AppData\Roaming\Spotify\spotify.exe
(Spotify Ltd) C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(brother) C:\Program Files (x86)\Brownie\brpjp04a.exe
(Hewlett-Packard Company) C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
() C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [611896 2010-09-15] ()
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [102400 2010-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [664600 2010-09-28] (PDF Complete Inc)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [BrStsWnd] => C:\Program Files (x86)\Brownie\BrstsW64.exe [3695928 2009-08-19] (brother)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-09-26] (Hewlett-Packard)
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...\Run: [Spotify] => C:\Users\Manson\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-10-02] (Spotify Ltd)
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...\Run: [Spotify Web Helper] => C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-02] (Spotify Ltd)
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-04-13] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NIS&chn=retail&geo=US&ver=21&locale=en_US&gct=sb&qsrc=2869
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @hulu.com/Hulu Desktop -> C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll (Hulu LLC)
FF HKLM-x32\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox
FF Extension: Bing Bar - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox [2014-04-13]
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2014-04-13]
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension
FF Extension: Default Manager - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension [2014-04-13]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn [2014-10-03]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF [2014-04-13]

Chrome:
=======
CHR HomePage: Default -> 1DD3362B754EE7714B3C4A5055E59727DDA9699ECDD4D1CED4D929B8ACB0061A
CHR DefaultSearchKeyword: Default -> 060CAE3F6309815FA54786AD696474299781DB3144570F83BCC873FC58C3E6FD
CHR DefaultSearchURL: Default -> 6C0034D0C1416974ECCB15500EC4A5D56682F21743B45978E069C90BB3B9BF2B
CHR Profile: C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-21]
CHR Extension: (Google Drive) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-21]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-30]
CHR Extension: (YouTube) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-21]
CHR Extension: (Google Search) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-21]
CHR Extension: (Norton Identity Safe for Google Chrome™) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2014-04-21]
CHR Extension: (Google Wallet) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-21]
CHR Extension: (Gmail) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-21]
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-01]
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-01]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-05-19] (Hewlett-Packard Company) [File not signed]
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1119768 2010-09-28] (PDF Complete Inc)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20140912.003\BHDrvx64.sys [1586904 2014-09-12] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1506000.020\ccSetx64.sys [162392 2014-02-24] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-19] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20141003.001\IDSvia64.sys [633560 2014-08-29] (Symantec Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20141003.017\ENG64.SYS [129752 2014-09-19] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20141003.017\EX64.SYS [2137304 2014-09-19] (Symantec Corporation)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R1 SRTSP; C:\Windows\System32\Drivers\NISx64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1506000.020\SYMDS64.SYS [493656 2013-10-30] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1506000.020\SYMEFA64.SYS [1148120 2014-03-03] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-04-13] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NISx64\1506000.020\SYMNETS.SYS [593112 2014-02-17] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-04 12:29 - 2014-10-04 12:00 - 02109440 _____ (Farbar) C:\Users\Manson\Desktop\FRST64.exe
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00032366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00030252.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029529.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029467.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029354.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00028285.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00027634.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00026395.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00026358.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00023522.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00023122.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00021282.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00020213.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00019224.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00013530.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00013196.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00011928.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00010366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00009761.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00009274.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00008720.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00006493.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00006232.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00005037.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00004520.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00003940.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00003522.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001385.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001267.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001170.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001085.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00032391.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00031322.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00030333.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00029358.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00028253.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00028145.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00027644.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00026962.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00026299.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00025667.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00025547.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00024464.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00023811.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00023281.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00021726.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019912.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019895.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019718.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00018716.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017673.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017421.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017035.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00016827.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00015724.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00015141.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00014771.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00014604.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00012382.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011942.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011538.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011478.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00009961.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00009894.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00007711.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00006868.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005705.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005447.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005436.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00004827.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00004664.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00003902.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00002995.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00001869.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000491.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000292.tmp
2014-10-04 12:05 - 2014-10-04 12:31 - 00020007 _____ () C:\Users\Manson\Desktop\FRST.txt
2014-10-04 12:05 - 2014-10-04 12:31 - 00000000 ____D () C:\FRST
2014-10-01 20:50 - 2014-10-01 20:50 - 00000000 ____D () C:\Windows\System32\Tasks\Norton Internet Security
2014-10-01 06:10 - 2014-09-24 21:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 06:10 - 2014-09-24 20:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-30 18:07 - 2014-09-30 18:06 - 00004572 _____ () C:\Users\Manson\Desktop\attach.txt
2014-09-30 18:07 - 2014-09-30 18:04 - 00016707 _____ () C:\Users\Manson\Desktop\dds.txt
2014-09-30 17:31 - 2014-09-30 16:06 - 00688992 ____R (Swearware) C:\Users\Manson\Desktop\dds.com
2014-09-30 14:41 - 2014-09-30 14:41 - 00000000 __SHD () C:\found.002
2014-09-27 09:51 - 2014-09-27 09:51 - 00000000 ____D () C:\Users\Manson\Documents\Fax
2014-09-27 09:28 - 2014-09-27 09:28 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-27 09:28 - 2014-09-27 09:28 - 00001981 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-09-27 09:28 - 2014-09-27 09:28 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-09-27 09:27 - 2014-09-27 09:50 - 00000000 ____D () C:\ProgramData\Adobe
2014-09-27 09:26 - 2014-09-27 09:38 - 00000000 ____D () C:\Users\Manson\AppData\Local\Adobe
2014-09-25 21:35 - 2014-09-25 21:35 - 00000000 __SHD () C:\found.001
2014-09-24 09:12 - 2014-09-09 17:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-24 09:12 - 2014-09-09 16:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-23 15:51 - 2014-09-27 21:06 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-23 15:51 - 2014-09-23 15:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-23 15:51 - 2014-09-23 15:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-23 15:51 - 2014-09-23 15:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-23 15:51 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-23 15:51 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-23 15:51 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-17 15:53 - 2014-10-03 20:22 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForManson
2014-09-17 15:53 - 2014-10-03 20:22 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForManson.job
2014-09-17 10:04 - 2014-09-17 10:04 - 00000000 __SHD () C:\found.000
2014-09-15 16:37 - 2014-09-27 21:07 - 00000000 ____D () C:\Windows\Minidump
2014-09-15 16:37 - 2014-09-15 16:37 - 767305118 _____ () C:\Windows\MEMORY.DMP
2014-09-15 16:37 - 2014-09-15 16:37 - 01418656 _____ () C:\Windows\Minidump\091514-63742-01.dmp
2014-09-12 03:09 - 2014-08-19 13:05 - 00374968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-12 03:09 - 2014-08-19 12:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-09-12 03:09 - 2014-08-18 18:01 - 23591424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-12 03:09 - 2014-08-18 17:29 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-12 03:09 - 2014-08-18 17:29 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-12 03:09 - 2014-08-18 17:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-09-12 03:09 - 2014-08-18 17:20 - 02793984 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-12 03:09 - 2014-08-18 17:19 - 05833728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-12 03:09 - 2014-08-18 17:15 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-12 03:09 - 2014-08-18 17:15 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-12 03:09 - 2014-08-18 17:14 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-12 03:09 - 2014-08-18 17:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-12 03:09 - 2014-08-18 17:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-09-12 03:09 - 2014-08-18 17:08 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-12 03:09 - 2014-08-18 17:08 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-12 03:09 - 2014-08-18 17:05 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-12 03:09 - 2014-08-18 17:03 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-12 03:09 - 2014-08-18 17:03 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-12 03:09 - 2014-08-18 17:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-12 03:09 - 2014-08-18 16:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-09-12 03:09 - 2014-08-18 16:56 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-12 03:09 - 2014-08-18 16:51 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-12 03:09 - 2014-08-18 16:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-09-12 03:09 - 2014-08-18 16:45 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-12 03:09 - 2014-08-18 16:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-09-12 03:09 - 2014-08-18 16:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-09-12 03:09 - 2014-08-18 16:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-09-12 03:09 - 2014-08-18 16:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-09-12 03:09 - 2014-08-18 16:40 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-12 03:09 - 2014-08-18 16:39 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-12 03:09 - 2014-08-18 16:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-09-12 03:09 - 2014-08-18 16:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-09-12 03:09 - 2014-08-18 16:38 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-12 03:09 - 2014-08-18 16:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-09-12 03:09 - 2014-08-18 16:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-09-12 03:09 - 2014-08-18 16:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-09-12 03:09 - 2014-08-18 16:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-09-12 03:09 - 2014-08-18 16:25 - 00727040 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-12 03:09 - 2014-08-18 16:25 - 00707072 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-12 03:09 - 2014-08-18 16:23 - 02104832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-12 03:09 - 2014-08-18 16:23 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-12 03:09 - 2014-08-18 16:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-12 03:09 - 2014-08-18 16:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-09-12 03:09 - 2014-08-18 16:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-09-12 03:09 - 2014-08-18 16:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-09-12 03:09 - 2014-08-18 16:16 - 13588480 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-12 03:09 - 2014-08-18 16:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-09-12 03:09 - 2014-08-18 16:15 - 02310656 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-12 03:09 - 2014-08-18 16:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-09-12 03:09 - 2014-08-18 16:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-09-12 03:09 - 2014-08-18 16:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-09-12 03:09 - 2014-08-18 15:55 - 01447424 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-12 03:09 - 2014-08-18 15:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-09-12 03:09 - 2014-08-18 15:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-09-12 03:09 - 2014-08-18 15:38 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-12 03:09 - 2014-08-18 15:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-09-12 03:01 - 2014-06-26 21:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-09-12 03:01 - 2014-06-26 20:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2014-09-11 21:25 - 2014-09-04 21:10 - 00578048 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-11 21:25 - 2014-09-04 21:05 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-09-11 21:25 - 2014-08-01 06:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-09-11 21:25 - 2014-08-01 06:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2014-09-11 21:25 - 2014-07-06 21:06 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-11 21:25 - 2014-07-06 21:06 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-11 21:25 - 2014-07-06 20:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-09-11 21:25 - 2014-07-06 20:40 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-09-11 21:25 - 2014-07-06 20:39 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-09-11 21:25 - 2014-06-23 22:29 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-09-11 21:25 - 2014-06-23 21:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-04 12:22 - 2014-09-02 11:33 - 00000000 ____D () C:\Users\Manson\AppData\Roaming\Spotify
2014-10-04 12:22 - 2014-06-02 00:01 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-04 12:06 - 2014-04-21 23:31 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-04 12:05 - 2009-07-14 00:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-04 12:05 - 2009-07-13 23:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-04 12:05 - 2009-07-13 23:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-04 11:38 - 2014-04-13 00:06 - 01681711 _____ () C:\Windows\WindowsUpdate.log
2014-10-04 11:02 - 2014-05-13 08:57 - 00000000 ____D () C:\Users\Manson\AppData\Local\CrashDumps
2014-10-04 10:06 - 2014-04-21 23:31 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-03 20:22 - 2014-08-15 03:37 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForMANSON-HP$
2014-10-03 20:22 - 2014-08-15 03:37 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForMANSON-HP$.job
2014-10-03 13:57 - 2014-04-14 16:51 - 00000329 _____ () C:\Windows\Brownie.ini
2014-10-03 13:56 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-03 13:56 - 2009-07-13 23:51 - 00033619 _____ () C:\Windows\setupact.log
2014-10-03 09:34 - 2014-04-13 10:32 - 00000000 ____D () C:\Users\Manson\Desktop\Toastmasters
2014-10-03 03:14 - 2014-09-02 11:34 - 00000000 ____D () C:\Users\Manson\AppData\Local\Spotify
2014-10-02 09:46 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-01 20:44 - 2014-04-13 10:17 - 00003234 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2014-10-01 20:44 - 2014-04-13 10:16 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
2014-10-01 20:44 - 2014-04-13 03:19 - 00002463 _____ () C:\Users\Public\Desktop\Norton Internet Security.lnk
2014-10-01 20:44 - 2014-04-13 01:19 - 00000000 ____D () C:\Windows\system32\Drivers\NISx64
2014-10-01 03:02 - 2014-04-13 00:56 - 00000000 ____D () C:\ProgramData\PDFC
2014-09-30 17:04 - 2014-04-13 10:30 - 00000000 ____D () C:\Users\Manson\Desktop\Lonestar Agenda Information
2014-09-30 15:32 - 2014-04-15 21:39 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-09-27 21:19 - 2014-04-13 02:29 - 00216052 _____ () C:\Windows\PFRO.log
2014-09-27 21:18 - 2014-06-01 12:14 - 00000000 ____D () C:\Program Files (x86)\Opera
2014-09-27 09:53 - 2014-04-14 16:52 - 00000426 _____ () C:\Windows\BRWMARK.INI
2014-09-27 09:53 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-09-27 09:38 - 2014-04-13 01:04 - 00000000 ____D () C:\Users\Manson\AppData\Roaming\Adobe
2014-09-26 10:33 - 2014-06-12 17:45 - 00003832 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1401642871
2014-09-25 22:25 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-09-24 21:15 - 2014-04-21 23:31 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-09-24 11:22 - 2014-06-02 00:01 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-09-24 11:22 - 2014-04-14 10:03 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-24 11:22 - 2014-04-14 10:03 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-23 15:08 - 2014-04-22 20:19 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-09-17 15:53 - 2014-04-13 00:52 - 00000000 ____D () C:\Users\Manson
2014-09-17 15:14 - 2014-04-13 10:32 - 00000000 ____D () C:\Users\Manson\Desktop\Texas Stars Agenda
2014-09-15 16:35 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-09-12 03:08 - 2014-04-20 03:04 - 00773536 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-09-12 03:06 - 2014-04-13 01:49 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-12 03:02 - 2014-04-13 01:49 - 101694776 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-12 03:01 - 2014-05-07 03:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-09-10 00:56 - 2014-04-13 00:56 - 00003712 _____ () C:\Windows\System32\Tasks\Registration

Some content of TEMP:
====================
C:\Users\Manson\AppData\Local\Temp\avudpkg.dll
C:\Users\Manson\AppData\Local\Temp\egnyael.dll
C:\Users\Manson\AppData\Local\Temp\gnmcd1ey.dll
C:\Users\Manson\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Manson\AppData\Local\Temp\kglbfxk.exe
C:\Users\Manson\AppData\Local\Temp\maystaj.dll
C:\Users\Manson\AppData\Local\Temp\ndgnoyi.dll
C:\Users\Manson\AppData\Local\Temp\ngbakgk.dll
C:\Users\Manson\AppData\Local\Temp\Resource.exe
C:\Users\Manson\AppData\Local\Temp\smdldwz.dll
C:\Users\Manson\AppData\Local\Temp\sp58915.exe
C:\Users\Manson\AppData\Local\Temp\sp64126.exe
C:\Users\Manson\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Manson\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Manson\AppData\Local\Temp\yhfcyao.dll
C:\Users\Manson\AppData\Local\Temp\{7979394A-B638-4F57-83DE-76F19406A3ED}-35.0.1916.153_35.0.1916.114_chrome_updater_alt.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-09-26 00:32

==================== End Of Log ============================

And here is Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 04-10-2014 01
Ran by Manson at 2014-10-04 12:32:02
Running from C:\Users\Manson\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Enabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton Internet Security (Enabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe AIR (x32 Version: 1.5.3.9130 - Adobe Systems Inc.) Hidden
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Agatha Christie - Peril at End House (x32 Version: 2.2.0.95 - WildTangent) Hidden
ATI Catalyst Install Manager (HKLM\...\{7C7A5A92-046C-A38C-AE0F-8F9CCA0F67A8}) (Version: 3.0.774.0 - ATI Technologies, Inc.)
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{08234a0d-cf39-4dca-99f0-0c5cb496da81}) (Version: 6.0.2282.0 - Microsoft Corporation)
Bing Bar Platform (x32 Version: 6.0.2282.0 - Microsoft Corporation) Hidden
Bing Rewards Client Installer (x32 Version: 16.0.345.0 - Microsoft Corporation) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blio (HKLM-x32\...\{504CC891-B140-4E1B-860B-5E4C1DFBA9E3}) (Version: 2.0.5350 - K-NFB Reading Technology, Inc.)
Bounce Symphony (x32 Version: 2.2.0.95 - WildTangent) Hidden
Brother HL-4040CN (HKLM-x32\...\{E9A8FC29-A7D9-4790-866C-FEB46FA0147A}) (Version: 1.00 - Brother)
Build-a-lot 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Catalyst Control Center - Branding (x32 Version: 1.00.0000 - ATI) Hidden
Catalyst Control Center Core Implementation (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
Catalyst Control Center Graphics Full Existing (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
Catalyst Control Center Graphics Full New (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
Catalyst Control Center Graphics Light (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
Catalyst Control Center Graphics Previews Vista (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
Catalyst Control Center InstallProxy (x32 Version: 2010.0511.2153.37435 - ATI Technologies, Inc.) Hidden
Catalyst Control Center Localization All (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
CCC Help Chinese Standard (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Chinese Traditional (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Czech (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Danish (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Dutch (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help English (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Finnish (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help French (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help German (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Greek (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Hungarian (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Italian (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Japanese (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Korean (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Norwegian (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Polish (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Portuguese (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Russian (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Spanish (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Swedish (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Thai (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
CCC Help Turkish (x32 Version: 2010.0511.2152.37435 - ATI) Hidden
ccc-core-static (x32 Version: 2010.0511.2153.37435 - ATI) Hidden
ccc-utility64 (Version: 2010.0511.2153.37435 - ATI) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
CyberLink DVD Suite Deluxe (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 7.0.3210 - CyberLink Corp.)
CyberLink DVD Suite Deluxe (x32 Version: 7.0.3210 - CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.95 - WildTangent) Hidden
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
DVD Menu Pack for HP MediaSmart Video (HKLM-x32\...\InstallShield_{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}) (Version: 4.2.4412 - Hewlett-Packard)
DVD Menu Pack for HP MediaSmart Video (x32 Version: 4.2.4412 - Hewlett-Packard) Hidden
Escape Rosecliff Island (x32 Version: 2.2.0.95 - WildTangent) Hidden
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Nitro (x32 Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 37.0.2062.124 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
Heroes of Hellas 2 - Olympia (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Auto (Version: 1.0.12494.3472 - Hewlett-Packard Company) Hidden
HP Client Services (Version: 1.0.12656.3472 - Hewlett-Packard) Hidden
HP Customer Experience Enhancements (x32 Version: 6.0.1.8 - Hewlett-Packard) Hidden
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.1.5 - WildTangent)
HP MediaSmart DVD (HKLM-x32\...\InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}) (Version: 4.2.4521 - Hewlett-Packard)
HP MediaSmart DVD (x32 Version: 4.2.4521 - Hewlett-Packard) Hidden
HP MediaSmart Music (HKLM-x32\...\InstallShield_{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}) (Version: 4.2.4517 - Hewlett-Packard)
HP MediaSmart Music (x32 Version: 4.2.4517 - Hewlett-Packard) Hidden
HP MediaSmart Photo (HKLM-x32\...\InstallShield_{6DAF8CDC-9B04-413B-A0F2-BCC13CF8A5BF}) (Version: 4.2.4513 - Hewlett-Packard)
HP MediaSmart Photo (x32 Version: 4.2.4513 - Hewlett-Packard) Hidden
HP MediaSmart SmartMenu (HKLM\...\{A40F60B1-F1E1-452E-96A5-FF97F9A2D102}) (Version: 3.1.2.4 - Hewlett-Packard)
HP MediaSmart Video (HKLM-x32\...\InstallShield_{D12E3E7F-1B13-4933-A915-16C7DD37A095}) (Version: 4.2.4522 - Hewlett-Packard)
HP MediaSmart Video (x32 Version: 4.2.4522 - Hewlett-Packard) Hidden
HP MediaSmart/TouchSmart Netflix (HKLM-x32\...\{2EA3D6B2-157E-4112-A3AB-BF17E16661C3}) (Version: 1.0.4.0 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0.2 - Hewlett-Packard)
HP MovieStore (x32 Version: 1.0.027 - Hewlett-Packard) Hidden
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{53469506-A37E-4314-A9D9-38724EC23A75}) (Version: 8.4.4400.3525 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.0.12844.3519 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}) (Version: 7.4.45.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{DE77FE3F-A33D-499A-87AD-5FC406617B40}) (Version: 5.002.003.003 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.1.6.0 - Hewlett-Packard)
Hulu Desktop (HKCU\...\HuluDesktop) (Version: 0.9.13 - Hulu LLC)
Jewel Quest Solitaire 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3130 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3130 - CyberLink Corp.) Hidden
LightScribe System Software (HKLM-x32\...\{46BA053F-57B3-4153-BDB6-D37EEC8B12D7}) (Version: 1.18.15.1 - LightScribe)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Default Manager (x32 Version: 2.2.114.0 - Microsoft Corporation) Hidden
Microsoft Office Standard Edition 2003 (HKLM-x32\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Search Enhancement Pack (x32 Version: 3.0.131.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0 - Microsoft Corp.) Hidden
Movie Theme Pack for HP MediaSmart Video (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 4.2.4412 - Hewlett-Packard)
Movie Theme Pack for HP MediaSmart Video (x32 Version: 4.2.4412 - Hewlett-Packard) Hidden
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 24.5.0 - Mozilla)
Mozilla Thunderbird 24.6.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 24.6.0 (x86 en-US)) (Version: 24.6.0 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery P.I. - The London Caper (x32 Version: 2.2.0.95 - WildTangent) Hidden
Norton Internet Security (HKLM-x32\...\NIS) (Version: 21.6.0.32 - Symantec Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.17869 - Symantec Corporation)
Opera Stable 24.0.1558.64 (HKLM-x32\...\Opera 24.0.1558.64) (Version: 24.0.1558.64 - Opera Software ASA)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.9 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
PhotoNow! (HKLM-x32\...\InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.7717 - CyberLink Corp.)
PhotoNow! (x32 Version: 1.1.7717 - CyberLink Corp.) Hidden
PictureMover (HKLM-x32\...\{264FE20A-757B-492a-B0C3-4009E2997D8A}) (Version: 3.5.0.33 - Hewlett-Packard Company)
Plants vs. Zombies (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.4329 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.4329 - CyberLink Corp.) Hidden
PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.3129 - CyberLink Corp.)
PowerDirector (x32 Version: 8.0.3129 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-13231864975D}) (Version: 5.10.621.0 -  NewspaperDirect Inc.)
Ralink RT2860 Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}) (Version:  - Ralink)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6196 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.3219 - CyberLink Corp.) Hidden
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.101 - RoxioNow)
Spotify (HKCU\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Virtual Families (x32 Version: 2.2.0.95 - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.95 - WildTangent) Hidden
Wheel of Fortune 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Zinio Reader 4 (HKLM-x32\...\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1) (Version: 4.0.3184 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.0.3184 - Zinio LLC) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-571345625-3983636709-847068036-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {100454B2-ED3D-4325-A9DC-1B4E0275BA85} - System32\Tasks\Opera scheduled Autoupdate 1401642871 => C:\Program Files (x86)\Opera\launcher.exe [2014-09-25] (Opera Software)
Task: {122FC1A3-EEB3-4EA0-80FA-72C41D65E291} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2014-09-03] (Hewlett-Packard)
Task: {3CB1A5BC-AE89-490D-8015-0B78A2292B6D} - System32\Tasks\HPCeeScheduleForMANSON-HP$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {45230641-11FD-4762-B2B8-CD35F61F9162} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {554A02E1-5FFD-41F9-A1C4-C36CE85F5109} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {726A485F-25C2-450B-8B5B-170CCBE0F212} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {7879908B-E807-4271-BA6B-A24865FCB004} - System32\Tasks\Registration => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-09-27] ()
Task: {89623B0C-5EAA-4C00-8224-41A8594BD60E} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {8FD7F37A-C333-46C2-B46A-92383C2E3A85} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation)
Task: {985E7DD5-AB6D-4559-952D-88894C8C6CED} - System32\Tasks\HPCeeScheduleForManson => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {B5C51E23-1C38-491F-AA62-4F061A20D812} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-21] (Google Inc.)
Task: {B73DEB5B-CEBF-4613-A5BE-22A31CB10E86} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {B85A080B-9582-48E0-9884-C610F7F5BEF3} - System32\Tasks\RMCreator => C:\Program Files (x86)\Hewlett-Packard\Recovery\Reminder.exe [2010-08-19] (CyberLink)
Task: {C25E0506-CA87-4980-B1CE-7EF01C65C8EC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-24] (Adobe Systems Incorporated)
Task: {DA06D145-CC74-45E9-98B1-C4E0130E3CE6} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HPSAObjUtilTask => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\UtilTask.exe [2014-09-26] (Microsoft)
Task: {DD036BC8-1BF3-4DC0-9308-F3A58E79001B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2014-09-03] (Hewlett-Packard)
Task: {E54B7737-1F62-4841-9D74-573ADFDB0A85} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {E54E7EE7-E46F-464D-BEC4-86977F6D3F59} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-21] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForMANSON-HP$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\HPCeeScheduleForManson.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2010-09-15 12:31 - 2010-09-15 12:31 - 00611896 _____ () C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
2014-09-02 11:34 - 2014-10-02 18:20 - 00613944 _____ () C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
2009-06-08 18:45 - 2009-06-08 18:45 - 00098304 ____R () c:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2014-04-13 00:36 - 2014-04-13 00:36 - 00270336 _____ () C:\Windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2014-09-02 11:34 - 2014-10-02 18:20 - 36966968 _____ () C:\Users\Manson\AppData\Roaming\Spotify\Data\libcef.dll
2014-04-13 00:58 - 2010-09-28 13:59 - 12286008 _____ () C:\Users\Manson\AppData\Roaming\PictureMover\Bin\Core.dll
2009-07-13 16:03 - 2009-07-13 20:15 - 00364544 _____ () C:\Windows\SysWOW64\msjetoledb40.dll
2014-04-13 00:58 - 2010-09-28 14:10 - 01699384 _____ () C:\Users\Manson\AppData\Roaming\PictureMover\EN-US\Presentation.dll
2014-09-02 11:34 - 2014-10-02 18:20 - 00867896 _____ () C:\Users\Manson\AppData\Roaming\Spotify\Data\ffmpegsumo.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Manson\Desktop\Clydesdale Snowball Fight.mp2:SummaryInformation
AlternateDataStreams: C:\Users\Manson\Desktop\Clydesdale Snowball Fight.mp2:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Jecrvmbkc => rundll32.exe "C:\Users\Manson\AppData\Local\Temp\\2dd4\AppData\Local\Microsoft\Jecrvmbkc.dll",DllRegisterServer

========================= Accounts: ==========================

Administrator (S-1-5-21-571345625-3983636709-847068036-500 - Administrator - Disabled)
Guest (S-1-5-21-571345625-3983636709-847068036-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-571345625-3983636709-847068036-1002 - Limited - Enabled)
Manson (S-1-5-21-571345625-3983636709-847068036-1000 - Administrator - Enabled) => C:\Users\Manson

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/04/2014 11:02:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc00000fd
Fault offset: 0x000d4795
Faulting process id: 0x1e7c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 10:47:50 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc00000fd
Fault offset: 0x000d4417
Faulting process id: 0xe24
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 09:22:16 AM) (Source: SideBySide) (EventID: 63) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

Error: (10/04/2014 08:46:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc0000005
Fault offset: 0x001032c5
Faulting process id: 0x2290
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 06:39:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc0000005
Fault offset: 0x001032c5
Faulting process id: 0x323c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 06:31:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc0000005
Fault offset: 0x001032c5
Faulting process id: 0x444
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 05:35:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc0000005
Fault offset: 0x00140273
Faulting process id: 0x28dc
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 05:13:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc0000005
Fault offset: 0x001032c5
Faulting process id: 0x1594
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/04/2014 04:06:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc0000005
Fault offset: 0x00140273
Faulting process id: 0x3aa8
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (10/03/2014 09:55:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17280, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 11.0.9600.17280, time stamp: 0x53f27d67
Exception code: 0xc00000fd
Fault offset: 0x000d4417
Faulting process id: 0x89c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

System errors:
=============
Error: (10/04/2014 00:26:17 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (10/04/2014 10:55:59 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (10/04/2014 06:06:53 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Microsoft Office Sessions:
=========================
Error: (10/04/2014 11:02:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c00000fd000d47951e7c01cfdfeb75451edcC:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dlld2914149-4bdf-11e4-8b0a-643150330c31

Error: (10/04/2014 10:47:50 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c00000fd000d4417e2401cfdfea5f7b20f5C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dllcac7a154-4bdd-11e4-8b0a-643150330c31

Error: (10/04/2014 09:22:16 AM) (Source: SideBySide) (EventID: 63) (User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

Error: (10/04/2014 08:46:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c0000005001032c5229001cfdfd88765c0e0C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dllc94b0576-4bcc-11e4-8b0a-643150330c31

Error: (10/04/2014 06:39:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c0000005001032c5323c01cfdfc7489d7b4eC:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dll094646d5-4bbb-11e4-8b0a-643150330c31

Error: (10/04/2014 06:31:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c0000005001032c544401cfdfc60283619eC:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dll0006008e-4bba-11e4-8b0a-643150330c31

Error: (10/04/2014 05:35:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c00000050014027328dc01cfdfbd9d15968aC:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dll2e4dcdb8-4bb2-11e4-8b0a-643150330c31

Error: (10/04/2014 05:13:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c0000005001032c5159401cfdfbac4582256C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dll1f1e7ace-4baf-11e4-8b0a-643150330c31

Error: (10/04/2014 04:06:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c0000005001402733aa801cfdfb142600a2dC:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dllcb88b0f3-4ba5-11e4-8b0a-643150330c31

Error: (10/03/2014 09:55:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe11.0.9600.172804a5bc6b7MSHTML.dll11.0.9600.1728053f27d67c00000fd000d441789c01cfdf7e16beefd0C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\system32\MSHTML.dllf44b7ac1-4b71-11e4-8b0a-643150330c31

==================== Memory info ===========================

Processor: AMD Athlon™ II X4 640 Processor
Percentage of memory in use: 55%
Total physical RAM: 3839.28 MB
Available physical RAM: 1692.23 MB
Total Pagefile: 7846.57 MB
Available Pagefile: 5006.96 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:918.25 GB) (Free:801.75 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:13.16 GB) (Free:1.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (OLD SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: (OLD OS) (Fixed) (Total:918.13 GB) (Free:422.8 GB) NTFS
Drive h: (OLD HP_RECOVERY) (Fixed) (Total:13.28 GB) (Free:1.62 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: A05C7B44)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=918.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13.2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 99082D95)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=918.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13.3 GB) - (Type=07 NTFS)

==================== End Of Log ============================

#4 xXToffeeXx

  • Malware Response Instructor
  • 6,041 posts

Posted 04 October 2014 - 01:21 PM

Hi Grendel_J,
 
You are welcome.
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR HomePage: Default -> 1DD3362B754EE7714B3C4A5055E59727DDA9699ECDD4D1CED4D929B8ACB0061A
CHR DefaultSearchKeyword: Default -> 060CAE3F6309815FA54786AD696474299781DB3144570F83BCC873FC58C3E6FD
CHR DefaultSearchURL: Default -> 6C0034D0C1416974ECCB15500EC4A5D56682F21743B45978E069C90BB3B9BF2B
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00032366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00030252.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029529.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029467.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029354.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00028285.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00027634.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00026395.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00026358.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00023522.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00023122.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00021282.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00020213.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00019224.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00013530.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00013196.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00011928.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00010366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00009761.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00009274.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00008720.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00006493.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00006232.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00005037.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00004520.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00003940.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00003522.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001385.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001267.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001170.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001085.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00032391.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00031322.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00030333.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00029358.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00028253.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00028145.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00027644.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00026962.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00026299.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00025667.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00025547.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00024464.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00023811.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00023281.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00021726.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019912.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019895.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019718.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00018716.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017673.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017421.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017035.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00016827.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00015724.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00015141.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00014771.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00014604.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00012382.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011942.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011538.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011478.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00009961.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00009894.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00007711.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00006868.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005705.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005447.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005436.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00004827.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00004664.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00003902.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00002995.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00001869.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000491.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000292.tmp
C:\Users\Manson\AppData\Local\Temp\avudpkg.dll
C:\Users\Manson\AppData\Local\Temp\egnyael.dll
C:\Users\Manson\AppData\Local\Temp\gnmcd1ey.dll
C:\Users\Manson\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Manson\AppData\Local\Temp\kglbfxk.exe
C:\Users\Manson\AppData\Local\Temp\maystaj.dll
C:\Users\Manson\AppData\Local\Temp\ndgnoyi.dll
C:\Users\Manson\AppData\Local\Temp\ngbakgk.dll
C:\Users\Manson\AppData\Local\Temp\Resource.exe
C:\Users\Manson\AppData\Local\Temp\smdldwz.dll
C:\Users\Manson\AppData\Local\Temp\sp58915.exe
C:\Users\Manson\AppData\Local\Temp\sp64126.exe
C:\Users\Manson\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Manson\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Manson\AppData\Local\Temp\yhfcyao.dll
C:\Users\Manson\AppData\Local\Temp\{7979394A-B638-4F57-83DE-76F19406A3ED}-35.0.1916.153_35.0.1916.114_chrome_updater_alt.exe
C:\Users\Manson\AppData\Local\Temp\2dd4\AppData\Local\Microsoft\Jecrvmbkc.dll
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • AdwCleaner scan log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~


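As an added example (not code from this thread, from FRST or from Farbar), here is the triage logic a responder would apply to the FRST entries the fix above targets: it flags a per-user CLSID LocalServer32 value that launches rundll32.exe with a javascript: moniker through mshtml's RunHTMLApplication (the entry FRST marked as Poweliks), decodes the visible eval() argument, which is the script with every character code shifted up by one (so "epdvnfou/xsjuf" reads "document.write"), groups the identically sized SysWOW64 .tmp drops, and tallies the outcomes in a Fixlog. The sample lines are constructed from the logs posted in this thread (one benign .tmp line is invented for contrast); the shift-by-one decoding is an inference from that fragment, and the regular expressions are my own, not FRST's.

```python
"""Triage helpers for FRST scan and Fixlog lines of the kind posted in this thread.

Added example: this is not code from the thread, from FRST or from Farbar.
The sample lines are constructed from the logs posted in the thread, and the
shift-by-one decoding of the eval() argument is inferred from the visible fragment.
"""
import re
from collections import Counter

# Constructed sample: the Poweliks entry and three of the SysWOW64 .tmp lines from the
# FRST log above, plus one benign .tmp line (invented) for contrast.
SAMPLE_FRST = r"""
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00032366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00030252.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000292.tmp
2014-09-01 10:00 - 2014-09-01 10:00 - 00012345 ____A () C:\Windows\SysWOW64\legit.tmp
"""

# Constructed sample of Fixlog result lines, taken from the Fixlog posted in the next reply.
SAMPLE_FIXLOG = r"""
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-571345625-3983636709-847068036-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"C:\Windows\SysWOW64\00032366.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00030252.tmp" => File/Directory not found.
C:\Users\Manson\AppData\Local\Temp\avudpkg.dll => Moved successfully.
"""

# A per-user CLSID LocalServer32 value that starts rundll32.exe with a javascript:
# moniker (so mshtml's RunHTMLApplication runs script straight out of the registry)
# is the fileless Poweliks persistence that FRST marked in the log above.
LOCALSERVER_JS = re.compile(
    r"(?P<key>HKU\\[^:]*\\localserver32):\s*rundll32\.exe\s+javascript:", re.IGNORECASE)
EVAL_ARG = re.compile(r'eval\("(?P<blob>[^" ]+)')
# FRST file line: "<created> - <modified> - <size> <attrs> (<signer>) <path>"
FRST_FILE = re.compile(r"^\S+ \S+ - \S+ \S+ - (?P<size>\d+) \S+ \(\) (?P<path>\S+\.tmp)$")
# Fixlog result line: "<target> => <outcome>."
FIX_RESULT = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?$")


def decode_shift(blob, shift=1):
    """Undo the per-character code-point shift seen in the eval() argument
    ("epdvnfou/xsjuf" -> "document.write"). Inferred from the fragment, not a Poweliks spec."""
    return "".join(chr(ord(c) - shift) for c in blob)


def find_localserver_js(lines):
    """Return (registry key, decoded script prefix) for every LocalServer32 value
    that launches rundll32 with a javascript: moniker."""
    hits = []
    for line in lines:
        m = LOCALSERVER_JS.search(line)
        if not m:
            continue
        arg = EVAL_ARG.search(line)
        decoded = decode_shift(arg.group("blob")) if arg else ""
        hits.append((m.group("key"), decoded))
    return hits


def tmp_burst(lines, min_count=3):
    """Group .tmp drops by byte size; many same-size files created in one sweep are
    a dropper's output rather than ordinary temp files."""
    by_size = {}
    for line in lines:
        m = FRST_FILE.match(line.strip())
        if m:
            by_size.setdefault(int(m.group("size")), []).append(m.group("path"))
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def summarize_fixlog(lines):
    """Count Fixlog outcomes, separating what FRST removed from what was already gone."""
    counts = Counter()
    for line in lines:
        m = FIX_RESULT.match(line.strip())
        if m:
            counts[m.group("outcome").lower()] += 1
    return counts


if __name__ == "__main__":
    for key, script in find_localserver_js(SAMPLE_FRST.splitlines()):
        print(f"Poweliks-style LocalServer32: {key}\n  decoded prefix: {script!r}")
    for size, paths in tmp_burst(SAMPLE_FRST.splitlines()).items():
        print(f"{len(paths)} .tmp files of {size} bytes, e.g. {paths[0]}")
    for outcome, n in summarize_fixlog(SAMPLE_FIXLOG.splitlines()).items():
        print(f"{n:3d}  {outcome}")
```

Run stand-alone it prints one line per finding. The outcome tally is the useful part when reading a Fixlog like the one in the next reply: "File/Directory not found" entries are items that were no longer on disk when the fix ran, so they tell you nothing about whether the fix worked, whereas the deleted registry value and key are the removals that matter.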
#5 Grendel_J

  • Topic Starter
  • Members
  • 8 posts

Posted 04 October 2014 - 02:28 PM

Here is the Fixlog.txt:
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-10-2014 01
Ran by Manson at 2014-10-04 14:16:47 Run:1
Running from C:\Users\Manson\Desktop
Loaded Profile: Manson (Available profiles: Manson)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR HomePage: Default -> 1DD3362B754EE7714B3C4A5055E59727DDA9699ECDD4D1CED4D929B8ACB0061A
CHR DefaultSearchKeyword: Default -> 060CAE3F6309815FA54786AD696474299781DB3144570F83BCC873FC58C3E6FD
CHR DefaultSearchURL: Default -> 6C0034D0C1416974ECCB15500EC4A5D56682F21743B45978E069C90BB3B9BF2B
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00032366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00030252.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029529.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029467.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00029354.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00028285.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00027634.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00026395.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00026358.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00023522.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00023122.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00021282.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00020213.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00019224.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00013530.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00013196.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00011928.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00010366.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00009761.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00009274.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00008720.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00006493.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00006232.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00005037.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00004520.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00003940.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00003522.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001385.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001267.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001170.tmp
2014-10-04 12:22 - 2014-10-04 12:22 - 01176168 ____T () C:\Windows\SysWOW64\00001085.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00032391.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00031322.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00030333.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00029358.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00028253.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00028145.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00027644.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00026962.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00026299.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00025667.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00025547.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00024464.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00023811.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00023281.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00021726.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019912.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019895.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00019718.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00018716.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017673.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017421.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00017035.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00016827.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00015724.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00015141.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00014771.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00014604.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00012382.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011942.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011538.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00011478.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00009961.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00009894.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00007711.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00006868.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005705.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005447.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00005436.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00004827.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00004664.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00003902.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00002995.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00001869.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000491.tmp
2014-10-04 12:10 - 2014-10-04 12:10 - 01176168 ____T () C:\Windows\SysWOW64\00000292.tmp
C:\Users\Manson\AppData\Local\Temp\avudpkg.dll
C:\Users\Manson\AppData\Local\Temp\egnyael.dll
C:\Users\Manson\AppData\Local\Temp\gnmcd1ey.dll
C:\Users\Manson\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Manson\AppData\Local\Temp\kglbfxk.exe
C:\Users\Manson\AppData\Local\Temp\maystaj.dll
C:\Users\Manson\AppData\Local\Temp\ndgnoyi.dll
C:\Users\Manson\AppData\Local\Temp\ngbakgk.dll
C:\Users\Manson\AppData\Local\Temp\Resource.exe
C:\Users\Manson\AppData\Local\Temp\smdldwz.dll
C:\Users\Manson\AppData\Local\Temp\sp58915.exe
C:\Users\Manson\AppData\Local\Temp\sp64126.exe
C:\Users\Manson\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Manson\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Manson\AppData\Local\Temp\yhfcyao.dll
C:\Users\Manson\AppData\Local\Temp\{7979394A-B638-4F57-83DE-76F19406A3ED}-35.0.1916.153_35.0.1916.114_chrome_updater_alt.exe
C:\Users\Manson\AppData\Local\Temp\2dd4\AppData\Local\Microsoft\Jecrvmbkc.dll
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-571345625-3983636709-847068036-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-571345625-3983636709-847068036-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
Chrome HomePage deleted successfully.
Chrome DefaultSearchKeyword deleted successfully.
Chrome DefaultSearchURL deleted successfully.
"C:\Windows\SysWOW64\00032366.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00030252.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00029529.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00029467.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00029354.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00028285.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00027634.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00026395.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00026358.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00023522.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00023122.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00021282.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00020213.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00019224.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00013530.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00013196.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00011928.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00010366.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00009761.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00009274.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00008720.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00006493.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00006232.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00005037.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00004520.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00003940.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00003522.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00001385.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00001267.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00001170.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00001085.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00032391.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00031322.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00030333.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00029358.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00028253.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00028145.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00027644.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00026962.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00026299.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00025667.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00025547.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00024464.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00023811.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00023281.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00021726.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00019912.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00019895.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00019718.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00018716.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00017673.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00017421.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00017035.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00016827.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00015724.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00015141.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00014771.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00014604.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00012382.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00011942.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00011538.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00011478.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00009961.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00009894.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00007711.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00006868.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00005705.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00005447.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00005436.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00004827.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00004664.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00003902.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00002995.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00001869.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00000491.tmp" => File/Directory not found.
"C:\Windows\SysWOW64\00000292.tmp" => File/Directory not found.
C:\Users\Manson\AppData\Local\Temp\avudpkg.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\egnyael.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\gnmcd1ey.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\HPHelpUpdater.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\kglbfxk.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\maystaj.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\ndgnoyi.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\ngbakgk.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\Resource.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\smdldwz.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\sp58915.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\sp64126.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\UninstallHPSA.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\UninstallHPTCA.exe => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\yhfcyao.dll => Moved successfully.
C:\Users\Manson\AppData\Local\Temp\{7979394A-B638-4F57-83DE-76F19406A3ED}-35.0.1916.153_35.0.1916.114_chrome_updater_alt.exe => Moved successfully.
"C:\Users\Manson\AppData\Local\Temp\2dd4\AppData\Local\Microsoft\Jecrvmbkc.dll" => File/Directory not found.

==== End of Fixlog ====



And here is the AdwCleaner scan log:
 

# AdwCleaner v3.311 - Report created 04/10/2014 at 14:19:43
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Manson - MANSON-HP
# Running from : C:\Users\Manson\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Folder Found : C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280

-\\ Google Chrome v37.0.2062.124

[ File : C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Found [Search Provider] : hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NIS&chn=retail&geo=US&ver=21&locale=en_US&gct=sb&qsrc=2869
Found [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
Found [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk

*************************

AdwCleaner[R0].txt - [3112 octets] - [04/10/2014 14:19:43]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3172 octets] ##########


#6 xXToffeeXx (Bleepin' Polar Bear; Malware Response Instructor; 6,041 posts; Location: The Arctic Circle)

Posted 05 October 2014 - 06:03 AM

Hi Grendel_J,
 
Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • AdwCleaner clean log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#7 Grendel_J (Topic Starter; Members; 8 posts)

Posted 05 October 2014 - 10:44 AM

Toffee,

 

Here is the AdwCleaner clean log:
 

# AdwCleaner v3.311 - Report created 05/10/2014 at 10:32:52
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Manson - MANSON-HP
# Running from : C:\Users\Manson\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280

-\\ Google Chrome v37.0.2062.124

[ File : C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NIS&chn=retail&geo=US&ver=21&locale=en_US&gct=sb&qsrc=2869
Deleted [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
Deleted [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk

*************************

AdwCleaner[R0].txt - [3284 octets] - [04/10/2014 14:19:43]
AdwCleaner[R1].txt - [3344 octets] - [04/10/2014 15:26:46]
AdwCleaner[R2].txt - [3404 octets] - [05/10/2014 10:23:42]
AdwCleaner[S0].txt - [2902 octets] - [05/10/2014 10:32:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2962 octets] ##########


#8 xXToffeeXx (Bleepin' Polar Bear; Malware Response Instructor; 6,041 posts; Location: The Arctic Circle)

Posted 05 October 2014 - 02:36 PM

Hi Grendel_J,

 

How is the computer running now?

 

xXToffeeXx~

#9 Grendel_J (Topic Starter; Members; 8 posts)

Posted 05 October 2014 - 07:59 PM

Toffee,

It appears to be running much better. I have not seen the problem reoccur today, and the general performance of the system has improved.

Could you tell me what the machine was infected with, for my own reference/knowledge, if that information is available? I see that the FRST cleanup and AdwCleaner both appear to have removed different things, so I gather that there were multiple issues.


#10 xXToffeeXx (Bleepin' Polar Bear; Malware Response Instructor; 6,041 posts; Location: The Arctic Circle)

Posted 06 October 2014 - 01:49 PM

Hi Grendel_J,
 
Very good, that is what I like to hear :)
 
You had a newish type of malware called Poweliks (shown by this line: HKU\S-1-5-21-571345625-3983636709-847068036-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!), and you also had some adware in the form of Ask and a bad Chrome extension.
 
--------------
 
Also, please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
xXToffeeXx~

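A small detector for the persistence mechanism in the FRST line quoted in the post above, added here as an example; it is not part of the thread and not code from FRST, AdwCleaner or any other tool used in it. It assumes only what that line shows: a COM class whose LocalServer32 default value runs rundll32.exe with a javascript: URL (so the script executes inside rundll32 with no file on disk), and a script whose characters are stored one code point higher than the original (the visible prefix "epdvnfou/xsjuf" decodes to "document.write"). The GUIDs, the benign comparison entry and the function names are constructed for the example; the truncated CLSID from the log is not reproduced. On Windows the block enumerates the current user's CLSID keys (the HKU\S-1-5-21-...-1000 hive in the log is that user's HKCU) with the standard-library winreg module; elsewhere it scans the constructed sample.

```python
import re
from typing import Dict, List, Optional

# Command-line shape from the FRST log: rundll32 handed a javascript: URL
# that loads mshtml.dll and calls RunHTMLApplication.
LOADER_RE = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
MSHTML_RE = re.compile(r"\\\.\.\\mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
# First string literal handed to eval(); the log shows it is the encoded script.
EVAL_ARG_RE = re.compile(r'eval\(\s*"([^"]*)')


def decode_shift(encoded: str, shift: int = 1) -> str:
    """Undo the per-character shift seen in the sample: every stored character
    is one code point above the original ("epdvnfou" -> "document")."""
    return "".join(chr(ord(c) - shift) for c in encoded)


def encoded_eval_arg(command: str) -> str:
    """Return the string literal passed to eval(), or '' if there is none."""
    m = EVAL_ARG_RE.search(command)
    return m.group(1) if m else ""


def classify_localserver32(key_path: str, value: str) -> Optional[dict]:
    """Flag a LocalServer32 default value that launches script instead of a
    binary. Returns None for an ordinary out-of-process COM server."""
    if not LOADER_RE.search(value):
        return None
    return {
        "key": key_path,
        "known_mshtml_stub": bool(MSHTML_RE.search(value)),
        "decoded_preview": decode_shift(encoded_eval_arg(value)),
    }


def scan_entries(entries: Dict[str, str]) -> List[dict]:
    """Run classify_localserver32 over {key_path: default_value} pairs."""
    hits = []
    for key_path, value in entries.items():
        hit = classify_localserver32(key_path, value)
        if hit:
            hits.append(hit)
    return hits


def enumerate_localserver32_hkcu() -> Dict[str, str]:
    r"""Live collection on Windows only: the default value of every
    HKCU\Software\Classes\CLSID\{guid}\LocalServer32 key. Returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    base = r"Software\Classes\CLSID"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as clsid:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(clsid, i)
            except OSError:
                break
            i += 1
            try:
                value = winreg.QueryValue(clsid, guid + r"\LocalServer32")
            except OSError:
                continue  # class has no LocalServer32 subkey
            found["\\".join(["HKCU", base, guid, "LocalServer32"])] = value
    return found


# Constructed sample data (placeholder GUIDs). The first entry is what a
# normal LocalServer32 looks like; the second carries the loader and the
# visible prefix of the encoded script exactly as the FRST line shows it.
SAMPLE_ENTRIES = {
    r"HKCU\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\LocalServer32":
        r'"C:\Program Files (x86)\Example\example.exe" /Automation',
    r"HKCU\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\LocalServer32":
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
}

if __name__ == "__main__":
    for hit in scan_entries(enumerate_localserver32_hkcu() or SAMPLE_ENTRIES):
        print(hit["key"])
        print("  known mshtml stub:", hit["known_mshtml_stub"])
        print("  decoded script starts:", hit["decoded_preview"])
```

The decoded preview of the sample reads "document.write('<script language=jscr", which is why a file-based scanner finds nothing: the whole payload is registry data, and the only process on disk that shows up is the dllhost.exe/rundll32.exe that hosts it. A real sweep should also cover the other user hives under HKU, since the key in the log sits under the user's SID rather than under HKLM.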
#11 Grendel_J (Topic Starter; Members; 8 posts)

Posted 06 October 2014 - 09:31 PM

Toffee,

 

Thanks for the info as to what the infection was. Poweliks seems like a particularly persistent bit of malware from what I read about it, hiding itself in the registry.

 

The multiple "dllhost.exe *32" processes have not reappeared to date, and the computer is still running fine.

 

I ran the FRST scan again just now as requested - log is pasted below.
 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-10-2014 01
Ran by Manson (administrator) on MANSON-HP on 06-10-2014 21:11:11
Running from C:\Users\Manson\Desktop
Loaded Profile: Manson (Available profiles: Manson)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Spotify Ltd) C:\Users\Manson\AppData\Roaming\Spotify\spotify.exe
(Spotify Ltd) C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(brother) C:\Program Files (x86)\Brownie\brpjp04a.exe
() C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [611896 2010-09-15] ()
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [102400 2010-05-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [664600 2010-09-28] (PDF Complete Inc)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [BrStsWnd] => C:\Program Files (x86)\Brownie\BrstsW64.exe [3695928 2009-08-19] (brother)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-09-26] (Hewlett-Packard)
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...\Run: [Spotify] => C:\Users\Manson\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-10-02] (Spotify Ltd)
HKU\S-1-5-21-571345625-3983636709-847068036-1000\...\Run: [Spotify Web Helper] => C:\Users\Manson\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-02] (Spotify Ltd)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-04-13] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
SearchScopes: HKLM - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
SearchScopes: HKLM-x32 - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
SearchScopes: HKCU - {d944bb61-2e34-4dbf-a683-47e505c587dc} URL = http://rover.ebay.com/rover/1/711-111092-2357-0/4?satitle={searchTerms}&mfe=Desktops
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @hulu.com/Hulu Desktop -> C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll (Hulu LLC)
FF HKLM-x32\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox
FF Extension: Bing Bar - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox [2014-04-13]
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2014-04-13]
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension
FF Extension: Default Manager - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension [2014-04-13]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn [2014-10-05]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF [2014-04-13]

Chrome:
=======
CHR HomePage: Default ->
CHR Profile: C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-21]
CHR Extension: (Google Drive) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-21]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-30]
CHR Extension: (YouTube) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-21]
CHR Extension: (Google Search) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-21]
CHR Extension: (No Name) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2014-04-21]
CHR Extension: (Google Wallet) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-21]
CHR Extension: (Gmail) - C:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-21]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-05-19] (Hewlett-Packard Company) [File not signed]
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1119768 2010-09-28] (PDF Complete Inc)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20141003.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1506000.020\ccSetx64.sys [162392 2014-02-24] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-19] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20141003.001\IDSvia64.sys [633560 2014-08-29] (Symantec Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20141005.001\ENG64.SYS [129752 2014-09-19] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20141005.001\EX64.SYS [2137304 2014-09-19] (Symantec Corporation)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R1 SRTSP; C:\Windows\System32\Drivers\NISx64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1506000.020\SYMDS64.SYS [493656 2013-10-30] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1506000.020\SYMEFA64.SYS [1148120 2014-03-03] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-04-13] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NISx64\1506000.020\SYMNETS.SYS [593112 2014-02-17] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-06 21:11 - 2014-10-06 21:12 - 00017867 _____ () C:\Users\Manson\Desktop\FRST.txt
2014-10-06 21:11 - 2014-10-06 21:11 - 00000000 ____D () C:\Users\Manson\Desktop\FRST-OlderVersion
2014-10-04 15:23 - 2014-10-06 21:10 - 00000000 ____D () C:\Users\Manson\Desktop\Computer Cleaning
2014-10-04 14:20 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-10-04 14:19 - 2014-10-05 10:32 - 00000000 ____D () C:\AdwCleaner
2014-10-04 14:16 - 2014-10-06 21:11 - 00000000 ____D () C:\FRST
2014-10-04 14:15 - 2014-10-06 21:11 - 02109952 _____ (Farbar) C:\Users\Manson\Desktop\FRST64.exe
2014-10-01 20:50 - 2014-10-01 20:50 - 00000000 ____D () C:\Windows\System32\Tasks\Norton Internet Security
2014-10-01 06:10 - 2014-09-24 21:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 06:10 - 2014-09-24 20:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-30 14:41 - 2014-09-30 14:41 - 00000000 __SHD () C:\found.002
2014-09-27 09:51 - 2014-09-27 09:51 - 00000000 ____D () C:\Users\Manson\Documents\Fax
2014-09-27 09:28 - 2014-09-27 09:28 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-27 09:28 - 2014-09-27 09:28 - 00001981 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-09-27 09:28 - 2014-09-27 09:28 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-09-27 09:27 - 2014-09-27 09:50 - 00000000 ____D () C:\ProgramData\Adobe
2014-09-27 09:26 - 2014-09-27 09:38 - 00000000 ____D () C:\Users\Manson\AppData\Local\Adobe
2014-09-25 21:35 - 2014-09-25 21:35 - 00000000 __SHD () C:\found.001
2014-09-24 09:12 - 2014-09-09 17:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-24 09:12 - 2014-09-09 16:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-23 15:51 - 2014-09-27 21:06 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-23 15:51 - 2014-09-23 15:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-23 15:51 - 2014-09-23 15:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-23 15:51 - 2014-09-23 15:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-23 15:51 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-23 15:51 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-23 15:51 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-17 15:53 - 2014-10-03 20:22 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForManson
2014-09-17 15:53 - 2014-10-03 20:22 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForManson.job
2014-09-17 10:04 - 2014-09-17 10:04 - 00000000 __SHD () C:\found.000
2014-09-15 16:37 - 2014-09-27 21:07 - 00000000 ____D () C:\Windows\Minidump
2014-09-15 16:37 - 2014-09-15 16:37 - 767305118 _____ () C:\Windows\MEMORY.DMP
2014-09-15 16:37 - 2014-09-15 16:37 - 01418656 _____ () C:\Windows\Minidump\091514-63742-01.dmp
2014-09-12 03:09 - 2014-08-19 13:05 - 00374968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-12 03:09 - 2014-08-19 12:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-09-12 03:09 - 2014-08-18 18:01 - 23591424 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-12 03:09 - 2014-08-18 17:29 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-12 03:09 - 2014-08-18 17:29 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-12 03:09 - 2014-08-18 17:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-09-12 03:09 - 2014-08-18 17:20 - 02793984 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-12 03:09 - 2014-08-18 17:19 - 05833728 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-12 03:09 - 2014-08-18 17:15 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-12 03:09 - 2014-08-18 17:15 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-12 03:09 - 2014-08-18 17:14 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-12 03:09 - 2014-08-18 17:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-12 03:09 - 2014-08-18 17:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-09-12 03:09 - 2014-08-18 17:08 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-12 03:09 - 2014-08-18 17:08 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-12 03:09 - 2014-08-18 17:05 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-12 03:09 - 2014-08-18 17:03 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-12 03:09 - 2014-08-18 17:03 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-12 03:09 - 2014-08-18 17:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-12 03:09 - 2014-08-18 16:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-09-12 03:09 - 2014-08-18 16:56 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-12 03:09 - 2014-08-18 16:51 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-12 03:09 - 2014-08-18 16:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-09-12 03:09 - 2014-08-18 16:45 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-12 03:09 - 2014-08-18 16:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-09-12 03:09 - 2014-08-18 16:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-09-12 03:09 - 2014-08-18 16:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-09-12 03:09 - 2014-08-18 16:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-09-12 03:09 - 2014-08-18 16:40 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-12 03:09 - 2014-08-18 16:39 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-12 03:09 - 2014-08-18 16:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-09-12 03:09 - 2014-08-18 16:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-09-12 03:09 - 2014-08-18 16:38 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-12 03:09 - 2014-08-18 16:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-09-12 03:09 - 2014-08-18 16:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-09-12 03:09 - 2014-08-18 16:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-09-12 03:09 - 2014-08-18 16:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-09-12 03:09 - 2014-08-18 16:25 - 00727040 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-12 03:09 - 2014-08-18 16:25 - 00707072 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-12 03:09 - 2014-08-18 16:23 - 02104832 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-12 03:09 - 2014-08-18 16:23 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-12 03:09 - 2014-08-18 16:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-12 03:09 - 2014-08-18 16:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-09-12 03:09 - 2014-08-18 16:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-09-12 03:09 - 2014-08-18 16:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-09-12 03:09 - 2014-08-18 16:16 - 13588480 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-12 03:09 - 2014-08-18 16:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-09-12 03:09 - 2014-08-18 16:15 - 02310656 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-12 03:09 - 2014-08-18 16:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-09-12 03:09 - 2014-08-18 16:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-09-12 03:09 - 2014-08-18 16:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-09-12 03:09 - 2014-08-18 15:55 - 01447424 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-12 03:09 - 2014-08-18 15:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-09-12 03:09 - 2014-08-18 15:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-09-12 03:09 - 2014-08-18 15:38 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-12 03:09 - 2014-08-18 15:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-09-12 03:01 - 2014-06-26 21:08 - 02777088 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-09-12 03:01 - 2014-06-26 20:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2vdec.dll
2014-09-11 21:25 - 2014-09-04 21:10 - 00578048 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-11 21:25 - 2014-09-04 21:05 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-09-11 21:25 - 2014-08-01 06:53 - 01031168 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-09-11 21:25 - 2014-08-01 06:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSWorkspace.dll
2014-09-11 21:25 - 2014-07-06 21:06 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-11 21:25 - 2014-07-06 21:06 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-11 21:25 - 2014-07-06 20:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-09-11 21:25 - 2014-07-06 20:40 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-09-11 21:25 - 2014-07-06 20:39 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-09-11 21:25 - 2014-06-23 22:29 - 02565120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-09-11 21:25 - 2014-06-23 21:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-06 21:10 - 2014-09-02 11:33 - 00000000 ____D () C:\Users\Manson\AppData\Roaming\Spotify
2014-10-06 21:10 - 2014-06-02 00:01 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-06 21:10 - 2014-04-21 23:31 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-06 21:10 - 2014-04-13 00:06 - 01840158 _____ () C:\Windows\WindowsUpdate.log
2014-10-06 13:12 - 2014-04-13 10:32 - 00000000 ____D () C:\Users\Manson\Desktop\Toastmasters
2014-10-06 10:06 - 2014-04-21 23:31 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-06 09:03 - 2014-09-02 11:34 - 00000000 ____D () C:\Users\Manson\AppData\Local\Spotify
2014-10-05 10:42 - 2009-07-13 23:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-05 10:42 - 2009-07-13 23:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-05 10:35 - 2014-04-14 16:51 - 00000329 _____ () C:\Windows\Brownie.ini
2014-10-05 10:35 - 2014-04-13 02:29 - 00216362 _____ () C:\Windows\PFRO.log
2014-10-05 10:35 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-05 10:35 - 2009-07-13 23:51 - 00033787 _____ () C:\Windows\setupact.log
2014-10-04 12:05 - 2009-07-14 00:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-04 11:02 - 2014-05-13 08:57 - 00000000 ____D () C:\Users\Manson\AppData\Local\CrashDumps
2014-10-03 20:22 - 2014-08-15 03:37 - 00003220 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForMANSON-HP$
2014-10-03 20:22 - 2014-08-15 03:37 - 00000344 _____ () C:\Windows\Tasks\HPCeeScheduleForMANSON-HP$.job
2014-10-02 09:46 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-01 20:44 - 2014-04-13 10:17 - 00003234 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2014-10-01 20:44 - 2014-04-13 10:16 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
2014-10-01 20:44 - 2014-04-13 03:19 - 00002463 _____ () C:\Users\Public\Desktop\Norton Internet Security.lnk
2014-10-01 20:44 - 2014-04-13 01:19 - 00000000 ____D () C:\Windows\system32\Drivers\NISx64
2014-10-01 03:02 - 2014-04-13 00:56 - 00000000 ____D () C:\ProgramData\PDFC
2014-09-30 17:04 - 2014-04-13 10:30 - 00000000 ____D () C:\Users\Manson\Desktop\Lonestar Agenda Information
2014-09-30 15:32 - 2014-04-15 21:39 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-09-27 21:18 - 2014-06-01 12:14 - 00000000 ____D () C:\Program Files (x86)\Opera
2014-09-27 09:53 - 2014-04-14 16:52 - 00000426 _____ () C:\Windows\BRWMARK.INI
2014-09-27 09:53 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-09-27 09:38 - 2014-04-13 01:04 - 00000000 ____D () C:\Users\Manson\AppData\Roaming\Adobe
2014-09-26 10:33 - 2014-06-12 17:45 - 00003832 _____ () C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1401642871
2014-09-25 22:25 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-09-24 21:15 - 2014-04-21 23:31 - 00002145 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-09-24 11:22 - 2014-06-02 00:01 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-09-24 11:22 - 2014-04-14 10:03 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-24 11:22 - 2014-04-14 10:03 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-23 15:08 - 2014-04-22 20:19 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-09-17 15:53 - 2014-04-13 00:52 - 00000000 ____D () C:\Users\Manson
2014-09-17 15:14 - 2014-04-13 10:32 - 00000000 ____D () C:\Users\Manson\Desktop\Texas Stars Agenda
2014-09-15 16:35 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-09-12 03:08 - 2014-04-20 03:04 - 00773536 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-09-12 03:06 - 2014-04-13 01:49 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-12 03:02 - 2014-04-13 01:49 - 101694776 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-12 03:01 - 2014-05-07 03:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-09-10 00:56 - 2014-04-13 00:56 - 00003712 _____ () C:\Windows\System32\Tasks\Registration

Some content of TEMP:
====================
C:\Users\Manson\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-06 00:40

==================== End Of Log ============================

#12 xXToffeeXx

Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,041 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 08 October 2014 - 10:49 AM

Hi Grendel_J,

Indeed, Poweliks is persistent and uses only the registry (it has no files).

Good to hear, just a few more scans to make sure you are all clean:

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------

This scan can take a long time, so it is best done overnight or when you do not need the computer.

I'd like us to scan your machine with ESET OnlineScan.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Emsisoft log
  • ESET log

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#13 Grendel_J

  • Topic Starter
  • Members
  • 8 posts

Posted 10 October 2014 - 09:51 AM

Toffee,

First off, my father would like me to pass along his thanks as well for helping with all of this. The poor performance of the computer was really causing him a lot of problems.

Here are the logs you requested from the Emsisoft and ESET scans. (That ESET scan took 14 hours overnight - thanks for the advance warning that it would take a long time!)

Emsisoft log:

Emsisoft Emergency Kit - Version 9.0
Last update: 10/8/2014 5:16:31 PM
User account: Manson-HP\Manson

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\, F:\, G:\, H:\

Detect PUPs: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 10/8/2014 5:17:22 PM
C:\FRST\Quarantine\C\Users\Manson\AppData\Local\Temp\kglbfxk.exe.xBAD  detected: Trojan.GenericKD.1895337 (B)
C:\FRST\Quarantine\C\Users\Manson\AppData\Local\Temp\ndgnoyi.dll.xBAD  detected: Trojan.GenericKD.1864882 (B)
C:\Users\Manson\Desktop\Manson\AppData\Local\genienext\nengine.dll  detected: Adware.Win32.Agent (A)
C:\Users\Manson\Desktop\Manson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7EF2MRIW\hasm[1].zip -> cbddss.dll  detected: Trojan.Generic.11182994 (B)
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll  detected: Adware.Win32.Agent (A)
G:\Users\Manson\AppData\Local\genienext\nengine.dll  detected: Adware.Win32.Agent (A)
G:\Users\Manson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7EF2MRIW\hasm[1].zip -> cbddss.dll  detected: Trojan.Generic.11182994 (B)
G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll  detected: Adware.Win32.Agent (A)

Scanned 1392416
Found 8

Scan end: 10/9/2014 3:53:09 AM
Scan time: 10:35:47

G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll Quarantined Adware.Win32.Agent (A)
G:\Users\Manson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7EF2MRIW\hasm[1].zip Quarantined Trojan.Generic.11182994 (B)
G:\Users\Manson\AppData\Local\genienext\nengine.dll Quarantined Adware.Win32.Agent (A)
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll Quarantined Adware.Win32.Agent (A)
C:\Users\Manson\Desktop\Manson\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7EF2MRIW\hasm[1].zip Quarantined Trojan.Generic.11182994 (B)
C:\Users\Manson\Desktop\Manson\AppData\Local\genienext\nengine.dll Quarantined Adware.Win32.Agent (A)
C:\FRST\Quarantine\C\Users\Manson\AppData\Local\Temp\ndgnoyi.dll.xBAD Quarantined Trojan.GenericKD.1864882 (B)
C:\FRST\Quarantine\C\Users\Manson\AppData\Local\Temp\kglbfxk.exe.xBAD Quarantined Trojan.GenericKD.1895337 (B)

Quarantined 8

ESET log:

G:\Windows\System32\AdpeakProxy64.dll Win64/Adware.Adpeak.A application 
C:\Users\Manson\Desktop\Manson\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.2.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Conduit\Chrome\CT3153924\CHUninstaller.exe a variant of Win32/Conduit.SearchProtect.N potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Conduit\Chrome\CT3153924\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\CRE\jonjajmpblmjkhjemkalbddhodlehkfg.crx a variant of Win32/Toolbar.Conduit.AA potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg\10.26.4.512_0\APISupport\APISupport.dll a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg\10.26.4.512_0\nativeMessaging\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.1.36.zip a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\MUServer.apk a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\NativeMessaging\CT3153924\1_0_0_6\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Local\Temp\nsh81CE.tmp\OCSetupHlp.dll Win32/OpenCandy potentially unsafe application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\entrusted\hk64tbentr.dll a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\entrusted\hktbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\entrusted\ldrtbentr.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\entrusted\tbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\entrusted\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\hk64tbPro2.dll Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\hktbPro2.dll Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\ldrtbPro2.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\ldrtbProd.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\tbPro1.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\tbPro2.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\tbProd.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\LocalLow\Productivity_3.1\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Roaming\OpenCandy\4240A831E2124EF09CA00C4437721182\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Roaming\OpenCandy\66287F96089645EDA5DDCAEB1586A359\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
C:\Users\Manson\Desktop\Manson\AppData\Roaming\OpenCandy\E5C26082C5B74D5493AA72D7008C0264\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\ox0.dll a variant of Win32/Poweliks.B trojan cleaned by deleting - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 10.zip a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 175.zip a variant of Win32/Exploit.CVE-2013-0074.Q trojan deleted - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 176.zip a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 6.zip Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 7.zip a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 8.zip a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-04-13 142345\Backup Files 2014-04-13 142345\Backup files 9.zip a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 150.zip a variant of Win32/Exploit.CVE-2013-0074.Q trojan deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 151.zip a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 4.zip Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 5.zip a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 6.zip a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 7.zip a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-06-01 190007\Backup Files 2014-06-01 190007\Backup files 8.zip a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 153.zip a variant of Win32/Exploit.CVE-2013-0074.Q trojan deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 154.zip a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 5.zip Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 6.zip a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 7.zip a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 8.zip a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\MANSON-HP\Backup Set 2014-08-10 223250\Backup Files 2014-08-10 223250\Backup files 9.zip a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
G:\Program Files (x86)\entrusted\hk64tbentr.dll a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\Program Files (x86)\entrusted\hktbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Program Files (x86)\entrusted\ldrtbentr.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
G:\Program Files (x86)\entrusted\prxtbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Program Files (x86)\entrusted\tbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Program Files (x86)\MarkKit\136.dll a variant of Win32/AdWare.AddLyrics.AG application cleaned by deleting - quarantined
G:\Program Files (x86)\Productivity_3.1\ldrtbProd.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
G:\Program Files (x86)\Productivity_3.1\Productivity_3.1ToolbarHelper.exe Win32/Toolbar.Conduit.Q potentially unwanted application deleted - quarantined
G:\Program Files (x86)\Productivity_3.1\prxtbProd.dll Win32/Toolbar.Conduit.O potentially unwanted application deleted - quarantined
G:\Program Files (x86)\Productivity_3.1\tbProd.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\ProgramData\Conduit\Multi\CT3153924\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
G:\ProgramData\Conduit\Multi\CT3281675\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.2.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Conduit\Chrome\CT3153924\CHUninstaller.exe a variant of Win32/Conduit.SearchProtect.N potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Conduit\Chrome\CT3153924\UninstallerUI.exe a variant of Win32/Toolbar.Conduit.AJ potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\CRE\jonjajmpblmjkhjemkalbddhodlehkfg.crx a variant of Win32/Toolbar.Conduit.AA potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg\10.26.4.512_0\APISupport\APISupport.dll a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg\10.26.4.512_0\nativeMessaging\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.1.36.zip a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\MUServer.apk a variant of Android/Mobserv.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\NativeMessaging\CT3153924\1_0_0_6\TBMessagingHost.exe a variant of Win32/Toolbar.Conduit.AH potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Local\Temp\nsh81CE.tmp\OCSetupHlp.dll Win32/OpenCandy potentially unsafe application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\entrusted\hk64tbentr.dll a variant of Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\entrusted\hktbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\entrusted\ldrtbentr.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\entrusted\tbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\entrusted\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\hk64tbPro2.dll Win64/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\hktbPro2.dll Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\ldrtbPro2.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\ldrtbProd.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\tbPro1.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\tbPro2.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\tbProd.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\LocalLow\Productivity_3.1\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined
G:\Users\Manson\AppData\Roaming\OpenCandy\4240A831E2124EF09CA00C4437721182\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
G:\Users\Manson\AppData\Roaming\OpenCandy\66287F96089645EDA5DDCAEB1586A359\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined
G:\Users\Manson\AppData\Roaming\OpenCandy\E5C26082C5B74D5493AA72D7008C0264\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined


#14 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,041 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:09:22 PM

Posted 10 October 2014 - 11:40 AM

Hi Grendel_J,
 
Your father is most welcome, I am glad to have been of help :)
 
Yes, ESET scans the whole drive and takes ages normally. It's a good tool though.

 
Anyway, I believe we are done here:
 
Your machine is clean! Feel free to enjoy the use of your cleaned computer. Please take the time to follow this last post which tells you how to remove the tools we have used and how to keep your computer clean   :thumbsup:
 
---------------
 
Download Delfix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.
 
Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

  • Activate UAC
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't need to copy and paste it into your next reply.
 
--------------
 
Also, feel free to delete any leftover desktop icons and other various files which have been created throughout the process.
 
---------------
 
I have also compiled a list of links which you may be interested in:

This topic will be left open for 3 days in case you have any problems, otherwise it will be closed after that time.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
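Added example for the two technical pieces above, the ESET detection log and the DelFix checklist. It is written for this thread and is not ESET, DelFix or BleepingComputer code. ESET quarantines the flagged files, but the folders the PUPs lived in (the Chrome extension directory named by its 32-letter ID, the toolbar folders under AppData\LocalLow, the Mobogenie and OpenCandy directories) are a quick way to see whether anything was left behind, and DelFix's "Activate UAC" and "Purge System Restore" items can be confirmed from the registry and the restore-point list. The script parses ESET log lines (a subset of the ones posted in the thread is embedded as sample input), derives one "residue root" folder per detection, checks whether each folder still exists, and then reports the UAC and System Restore state. `Get-ResidueRoot` is my own helper name; the list of ESET platform prefixes and action phrases in `$linePattern` is an assumption that covers this log and may need extending for others. Run it from an elevated PowerShell prompt; it is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not ESET/DelFix/BleepingComputer code. Parses ESET detection lines,
# finds the folder each PUP was installed under, checks those folders are gone,
# then checks UAC and System Restore (the state DelFix's checklist should leave).
# Run from an elevated PowerShell prompt (PowerShell 2.0 on Windows 7 is enough).

# Sample input: a subset of the detection lines copied from the ESET log in this thread.
# Replace with Get-Content of your own ESET log to check a different machine.
$esetLines = @(
    'G:\Users\Manson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg\10.26.4.512_0\APISupport\APISupport.dll a variant of Win32/Conduit.SearchProtect.P potentially unwanted application deleted - quarantined',
    'G:\Users\Manson\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe a variant of Win32/Mobogenie.A potentially unwanted application deleted - quarantined',
    'G:\Users\Manson\AppData\Local\Temp\nsh81CE.tmp\OCSetupHlp.dll Win32/OpenCandy potentially unsafe application deleted - quarantined',
    'G:\Users\Manson\AppData\LocalLow\entrusted\tbentr.dll a variant of Win32/Toolbar.Conduit.X potentially unwanted application deleted - quarantined',
    'G:\Users\Manson\AppData\LocalLow\Productivity_3.1\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll a variant of Win32/PriceGong.A potentially unwanted application deleted - quarantined',
    'G:\Users\Manson\AppData\Roaming\OpenCandy\4240A831E2124EF09CA00C4437721182\dlm.exe a variant of Win32/OpenCandy.A potentially unsafe application deleted - quarantined'
)

# One ESET line: "<path> [a variant of ]<platform>/<name>[.<variant>] <category> <action> - <result>".
# Assumption: the platform prefixes and action phrases below cover this log; extend for others.
$linePattern = '^(?<path>[A-Za-z]:\\.+?) (?:a variant of )?(?<sig>(?:Win32|Win64|Android|MSIL|JS|HTML|VBS|Java)/\S+) (?<category>.+?) (?<action>deleted|cleaned(?: by deleting)?(?: \(after the next restart\))?|error .+?) - (?<result>.+)$'

# Helper (own naming): the folder that should no longer exist once the PUP is gone.
# Chrome extensions sit under Extensions\<32-letter id>; everything else is keyed by the
# first folder under AppData\Local, LocalLow or Roaming (one level deeper for Temp).
function Get-ResidueRoot {
    param([string]$Path)
    $ext = [regex]::Match($Path, '^(?<root>.*\\Extensions\\[a-p]{32})\\', 'IgnoreCase')
    if ($ext.Success) { return $ext.Groups['root'].Value }
    $app = [regex]::Match($Path, '^(?<base>.*\\AppData\\(?:LocalLow|Local|Roaming))\\(?<first>[^\\]+)(?:\\(?<second>[^\\]+))?', 'IgnoreCase')
    if (-not $app.Success) { return (Split-Path -Parent $Path) }
    $base  = $app.Groups['base'].Value
    $first = $app.Groups['first'].Value
    if ($first -eq 'Temp' -and $app.Groups['second'].Success) {
        return (Join-Path (Join-Path $base 'Temp') $app.Groups['second'].Value)
    }
    return (Join-Path $base $first)
}

$detections = @()
foreach ($line in $esetLines) {
    $m = [regex]::Match($line, $linePattern)
    if (-not $m.Success) { Write-Warning "Unparsed ESET line: $line"; continue }
    $path  = $m.Groups['path'].Value
    $name  = $m.Groups['sig'].Value.Split('/')[1]          # e.g. Toolbar.Conduit.X
    $parts = $name.Split('.')
    if ($parts.Count -gt 1 -and $parts[-1].Length -le 2) {  # drop the one/two-letter variant suffix
        $parts = $parts[0..($parts.Count - 2)]
    }
    $detections += New-Object PSObject -Property @{
        Path     = $path
        Family   = ($parts -join '.')                        # e.g. Toolbar.Conduit
        Category = $m.Groups['category'].Value
        Result   = $m.Groups['result'].Value
        Root     = (Get-ResidueRoot $path)
    }
}

"== Detections by family =="
$detections | Group-Object Family | Sort-Object Count -Descending |
    ForEach-Object { "{0,3}  {1}" -f $_.Count, $_.Name }

"`n== Folders the PUPs were installed under (all should be gone) =="
$detections | Select-Object -ExpandProperty Root -Unique | ForEach-Object {
    $state = if (Test-Path -LiteralPath $_) { 'STILL PRESENT' } else { 'gone' }
    "{0,-14} {1}" -f $state, $_
}

"`n== UAC (DelFix 'Activate UAC') =="
# EnableLUA=1 means UAC is on; 0 means a tool or the malware switched it off.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($sys.EnableLUA -eq 1) { 'EnableLUA=1: UAC is on' } else { "EnableLUA=$($sys.EnableLUA): UAC is OFF - turn it back on and reboot" }

"`n== System Restore (DelFix 'Purge System Restore') =="
# Restore points created before the cleanup can bring the quarantined files back if restored.
$points = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
"{0} restore point(s); only points newer than the cleanup should remain" -f $points.Count
foreach ($p in $points) {
    "  #{0}  {1}  {2}" -f $p.SequenceNumber, $p.ConvertToDateTime($p.CreationTime), $p.Description
}
```

A folder reported as STILL PRESENT is not itself an infection (ESET already removed the flagged files), but it is where a toolbar's remaining DLLs, settings or updater would be, so it is the place to look before calling the machine clean. The script only checks the file system; browser extension registrations and BHO registry keys for the same families are a separate manual check.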


#15 Grendel_J

Grendel_J
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:22 PM

Posted 11 October 2014 - 07:21 PM

Toffee,

 

Great to hear that we're all clean now. I ran Delfix to clean out the tools and logfiles. I will take a look at the links you posted, I'm sure I can learn from them.

 

Once again, I truly appreciate your help.

 

Grendel_J