POWELIKS infection - the "30 instances of DLLHOST.EXE" issue


  • This topic is locked
8 replies to this topic

#1 pembrook

pembrook

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:13 AM

Posted 09 October 2014 - 07:50 PM

Yesterday I began having issues with 20-30 instances of dllhost.exe running at once and eating up ridiculous amounts of memory (sometimes as much as 800 mb each). In addition, somehow my computer was downloading tens of thousands of tiny temp files to internet explorer (a browser I never use and have never used).  

 

After running many different malware programs like MalwareBytes, Kaspersky, and RogueKiller I seem to have fixed the dllhost.exe issue and things are running smoothly. Malwarebytes and Kaspersky don't find issues anymore. However RogueKiller still finds "tr.poweliks" in the registry and a lot of stuff pops up in green under the "AntiRootkit" tab. Every time I hit delete it says "error[2]" and sends me to this page: http://www.adlice.com/poweliks-removal-with-roguekiller/

 

After reading about this particular infection, it runs from the registry so it's apparently still there. How do I get rid of this pesky bugger?  :huh:

 

*EDIT* I should mention I also ran ComboFix along with Malwarebytes, Kaspersky, and RogueKiller to fix the dllhost.exe issue.

 

 

 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 10.45.2
Run by Kevin at 20:12:56 on 2014-10-09
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.16301.12208 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Users\Kevin\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\AlarmClock.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\Explorer.exe
C:\Users\Kevin\Downloads\RogueKillerX64.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
uRun: [Spotify Web Helper] "C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
StartupFolder: C:\Users\Kevin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Kevin\AppData\Roaming\Dropbox\bin\Dropbox.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{BC97977B-87D2-4565-9267-56E757C2C4DB} : DHCPNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
x64-BHO: GBHO.BHO: {45d30484-7ded-43d9-957a-d2fd1f046511} - 
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-RunOnce: [RPMKickstart] C:\Program Files\GIGABYTE\SMART6\Recovery\RPMKickstart.exe
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\8nvji50f.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Users\Kevin\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-12-24 55856]
R1 AppleCharger;AppleCharger;C:\Windows\System32\drivers\AppleCharger.sys [2011-12-23 21104]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-11-4 283200]
R2 Smart TimeLock;Smart TimeLock Service;C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe [2011-12-23 114688]
R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\System32\Wacom_Tablet.exe [2012-3-23 6245744]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-5-25 52608]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-5-25 76160]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-12-23 533096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-12-22 79360]
S3 etdrv;etdrv;C:\Windows\etdrv.sys [2011-12-22 25640]
S3 GVTDrv64;GVTDrv64;C:\Windows\GVTDrv64.sys [2011-12-23 30528]
S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-12-22 317440]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2012-3-23 18216]
.
=============== File Associations ===============
.
FileExt: .scr: SageThumbsImage.scr="%1" /S [UserChoice]
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS5.5\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-10-09 23:43:03 -------- d-----w- C:\FRST
2014-10-09 19:00:27 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{72ED3BDE-E0F8-41E4-89C3-C281441225C2}\offreg.dll
2014-10-09 07:09:19 -------- d-sh--w- C:\$RECYCLE.BIN
2014-10-09 06:46:55 98816 ----a-w- C:\Windows\sed.exe
2014-10-09 06:46:55 256000 ----a-w- C:\Windows\PEV.exe
2014-10-09 06:46:55 208896 ----a-w- C:\Windows\MBR.exe
2014-10-09 06:34:36 37624 ----a-w- C:\Windows\System32\drivers\TrueSight.sys
2014-10-09 06:34:34 -------- d-----w- C:\ProgramData\RogueKiller
2014-10-09 04:53:34 -------- d-sh--w- C:\Users\Kevin\AppData\Local\AddressBook
2014-10-09 04:53:33 -------- d-sh--w- C:\Users\Kevin\AppData\Roaming\Fontographer 5.2_is1
2014-10-01 23:20:30 -------- d-----w- C:\Program Files (x86)\JDownloader
2014-10-01 23:19:56 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-09-17 02:00:49 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-09-17 02:00:42 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-09-17 02:00:42 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-09-17 02:00:42 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
.
==================== Find3M  ====================
.
2014-10-09 19:00:24 25640 ----a-w- C:\Windows\gdrv.sys
2014-09-23 22:43:20 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-23 22:43:20 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 20:13:17.55 ===============



Edited by pembrook, 09 October 2014 - 08:02 PM.
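The two symptoms described in this post (a swarm of dllhost.exe processes, and an infection that "runs from the registry" rather than from a file on disk) can both be checked for from a defender's side. The script below is an added triage example, not something posted in this thread or shipped by any of the tools named in it. It assumes it is run in an elevated PowerShell on the affected machine; the dllhost count and memory thresholds, and the list of script-host executables it treats as suspicious COM servers, are this example's own assumptions. The registry check looks for the same kind of entry that FRST marks in the log later in this thread, a per-user CLSID whose `localserver32` command does not point at a normal executable.

```powershell
# Added triage script (not from the thread): checks a Windows host for the two
# symptoms described above. Run in an elevated PowerShell. Thresholds and the
# $ScriptHosts list are assumptions chosen for this example.

function Get-DllhostPressure {
    param(
        [int]$CountThreshold = 10,   # assumed: more simultaneous dllhost.exe than this is unusual
        [int]$WorkingSetMB   = 200   # assumed: a COM surrogate rarely needs this much memory
    )
    $procs = @(Get-Process -Name dllhost -ErrorAction SilentlyContinue)
    $large = @($procs | Where-Object { $_.WorkingSet64 -gt ($WorkingSetMB * 1MB) })
    New-Object PSObject -Property @{
        Count      = $procs.Count
        LargeCount = $large.Count
        Suspicious = ($procs.Count -ge $CountThreshold -or $large.Count -gt 0)
    }
}

# Executables that host scripts rather than a compiled COM server. A LocalServer32
# pointing at one of these, or at a file that does not exist, deserves a manual look.
$ScriptHosts = 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe'

function Resolve-CommandImage {
    # Return the first token (the program) of a LocalServer32 command line,
    # handling both  "C:\dir with spaces\a.exe" /switch  and  a.exe /switch
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 0) { return $c.Trim('"') }
        return $c.Substring(1, $end - 1)
    }
    return ($c -split '\s+', 2)[0]
}

function Get-SuspiciousLocalServer32 {
    # Walk every loaded user hive under HKEY_USERS, the way FRST reports them (HKU\S-1-5-21-...).
    $findings = @()
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $clsidRoot = Join-Path $hive.PSPath 'Software\Classes\CLSID'
        if (-not (Test-Path $clsidRoot)) { continue }
        foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
            $ls = $clsid.OpenSubKey('LocalServer32')
            if ($ls -eq $null) { continue }
            $cmd      = [string]$ls.GetValue('')     # the (Default) value holds the command line
            $image    = Resolve-CommandImage $cmd
            $expanded = if ($image) { [Environment]::ExpandEnvironmentVariables($image) } else { $null }
            $reason   = $null
            try {
                if (-not $image) {
                    $reason = 'empty LocalServer32 command'
                } elseif ($ScriptHosts -contains ([IO.Path]::GetFileName($expanded)).ToLower()) {
                    $reason = 'script host registered as COM server'
                } elseif ([IO.Path]::IsPathRooted($expanded) -and -not (Test-Path -LiteralPath $expanded)) {
                    $reason = 'executable not found on disk'
                }
            } catch {
                # .NET Framework throws on characters that cannot appear in a path
                $reason = 'command image is not a valid path'
            }
            if ($reason) {
                $findings += New-Object PSObject -Property @{
                    Hive    = $hive.PSChildName
                    CLSID   = $clsid.PSChildName
                    Command = $cmd
                    Reason  = $reason
                }
            }
            $ls.Close()
        }
    }
    return $findings
}

Get-DllhostPressure | Format-List
Get-SuspiciousLocalServer32 | Format-Table Hive, CLSID, Reason, Command -AutoSize -Wrap
```

Legitimate per-user COM registrations normally point at a real executable, so every row this prints is worth reading against the FRST log rather than deleting blindly; the script reports and does not modify anything, which is the right division of labour while a helper is guiding the clean-up.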



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,954 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:13 AM

Posted 13 October 2014 - 01:06 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#3 pembrook

pembrook
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:13 AM

Posted 15 October 2014 - 02:38 AM

Here's the result:
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-10-2014 02
Ran by Kevin (administrator) on KEVIN-PC on 15-10-2014 03:20:32
Running from C:\Users\Kevin\Downloads
Loaded Profile: Kevin (Available profiles: Kevin & Guest)
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Gigabyte Technology CO., LTD.) C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe
(Wacom Technology, Corp.) C:\Windows\System32\Wacom_Tablet.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Wacom Technology, Corp.) C:\Windows\System32\WTablet\Wacom_TabletUser.exe
(Wacom Technology, Corp.) C:\Windows\System32\Wacom_Tablet.exe
(Gigabyte Technology CO.) C:\Program Files\GIGABYTE\SMART6\Recovery\RPMDaemon.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
(Dropbox, Inc.) C:\Users\Kevin\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Gigabyte Technology CO., LTD.) C:\Program Files (x86)\GIGABYTE\smart6\timelock\AlarmClock.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\ResophNotes\ResophNotes.exe
(Apache Software Foundation) X:\Copy\_ftp\UniServerZ\core\apache2\bin\httpd_z.exe
(Apache Software Foundation) X:\Copy\_ftp\UniServerZ\core\apache2\bin\httpd_z.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Google Inc.) C:\Users\Kevin\AppData\Local\Google\Chrome\Application\chrome.exe
(Spotify Ltd) C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
(Farbar) C:\Users\Kevin\Downloads\FRST64 (1).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [P17RunE] => RunDll32 P17RunE.dll,RunDLLEntry
HKLM-x32\...\Run: [VolPanel] => C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe [241789 2009-07-07] (Creative Technology Ltd)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [RPMKickstart] => C:\Program Files\GIGABYTE\SMART6\Recovery\RPMKickstart.exe [2552320 2011-03-30] (Gigabyte Technology CO., LTD.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2025942748-1801310357-1606160724-1000\...\Run: [Spotify Web Helper] => C:\Users\Kevin\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-13] (Spotify Ltd)
HKU\S-1-5-21-2025942748-1801310357-1606160724-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
Startup: C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Kevin\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xAEFB0F5252E3CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKCU - {43523953-0755-409f-95BA-680212D6E186} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
BHO: GBHO.BHO -> {45d30484-7ded-43d9-957a-d2fd1f046511} -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
BHO-x32: ContributeBHO Class -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
FireFox:
========
FF ProfilePath: C:\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\8nvji50f.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\Kevin\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\Kevin\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Extension: Firebug - C:\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\8nvji50f.default\Extensions\firebug@software.joehewitt.com.xpi [2012-03-15]
FF Extension: Screengrab  (fix version) - C:\Users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\8nvji50f.default\Extensions\{02450914-cdd9-410f-b1da-db004e18c671}.xpi [2012-03-15]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2014-07-23]
FF HKLM-x32\...\Firefox\Extensions: [{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}] - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF Extension: Adobe Contribute Toolbar - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2011-12-25]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Kevin\AppData\Local\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Kevin\AppData\Local\Google\Chrome\Application\37.0.2062.124\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\Kevin\AppData\Local\Google\Chrome\Application\37.0.2062.124\gcswf32.dll No File
CHR Plugin: (Microsoft® Windows Media Player Firefox Plugin) - C:\PFiles\Plugins\np-mswmp.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\Kevin\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Profile: C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Awesome Screenshot: Capture & Annotate) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\alelhddbbhepgpmgidjdcjakblofbmce [2014-05-29]
CHR Extension: (Google Drive) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-06-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-31]
CHR Extension: (YouTube) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-22]
CHR Extension: (Google Search) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-22]
CHR Extension: (Dragdis) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiekimdgbphfmnlbiahcfdgcipcopmep [2014-04-22]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2014-04-22]
CHR Extension: (Premium Cookie Injector (Multi-Server)) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hglhnookgghcefjamdoakhhfamnhodpd [2012-06-04]
CHR Extension: (Google Keep - notes and lists) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmjkmjkepdijhoojdojkdfohbdgmmhki [2014-04-22]
CHR Extension: (ImageExchange) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\icjmigaccjelpcchpcllbbdooeneifhe [2012-09-16]
CHR Extension: (Resolution Test) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhfcdbheobinplaamokffboaccidbal [2013-01-10]
CHR Extension: (Cookie Manager) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbnfbcpkiaganjpcanopcgeoehkleeck [2011-12-26]
CHR Extension: (The Great Suspender) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2014-04-22]
CHR Extension: (EXIF Viewer) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lplmljfembbkocngnlkkdgabpnfokmnl [2011-12-25]
CHR Extension: (Capture Webpage Screenshot - FireShot) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbpblocgmgfnpjjppndjkmgjaogfceg [2013-11-02]
CHR Extension: (Google Wallet) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-06]
CHR Extension: (TabCloud) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\npecfdijgoblfcgagoijgmgejmcpnhof [2014-04-22]
CHR Extension: (Gmail) - C:\Users\Kevin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-22]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2011-12-22] (Creative Labs) [File not signed]
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Smart TimeLock; C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [114688 2009-10-13] (Gigabyte Technology CO., LTD.) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TabletServiceWacom; C:\Windows\system32\Wacom_Tablet.exe [6245744 2010-03-08] (Wacom Technology, Corp.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21104 2011-01-10] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-11-04] (DT Soft Ltd)
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2011-12-24] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-15 03:20 - 2014-10-15 03:21 - 00015713 _____ () C:\Users\Kevin\Downloads\FRST.txt
2014-10-13 17:25 - 2014-10-13 17:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-10-13 16:39 - 2014-10-13 16:39 - 02110464 _____ (Farbar) C:\Users\Kevin\Downloads\FRST64 (1).exe
2014-10-09 21:19 - 2014-10-09 21:19 - 00000830 _____ () C:\Users\Kevin\Desktop\JRT.txt
2014-10-09 21:17 - 2014-10-09 21:17 - 00000000 ____D () C:\Windows\ERUNT
2014-10-09 21:15 - 2014-10-09 21:15 - 01705755 _____ (Thisisu) C:\Users\Kevin\Downloads\JRT.exe
2014-10-09 20:16 - 2014-10-09 20:16 - 00011369 _____ () C:\Users\Kevin\Documents\DDS.txt
2014-10-09 20:16 - 2014-10-09 20:16 - 00009768 _____ () C:\Users\Kevin\Documents\Attach.txt
2014-10-09 20:13 - 2014-10-09 20:13 - 00011369 _____ () C:\Users\Kevin\Desktop\dds.txt
2014-10-09 20:13 - 2014-10-09 20:13 - 00009768 _____ () C:\Users\Kevin\Desktop\attach.txt
2014-10-09 20:11 - 2014-10-09 20:11 - 00688992 ____R (Swearware) C:\Users\Kevin\Downloads\dds.com
2014-10-09 19:43 - 2014-10-15 03:20 - 00000000 ____D () C:\FRST
2014-10-09 19:21 - 2014-10-09 19:22 - 18482776 _____ () C:\Users\Kevin\Downloads\RogueKillerX64.exe
2014-10-09 14:39 - 2014-10-09 14:39 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\Kevin\Downloads\tdsskiller.exe
2014-10-09 03:09 - 2014-10-09 03:09 - 00021436 _____ () C:\ComboFix.txt
2014-10-09 02:46 - 2014-10-09 03:09 - 00000000 ____D () C:\Qoobox
2014-10-09 02:46 - 2014-10-09 03:08 - 00000000 ____D () C:\Windows\erdnt
2014-10-09 02:46 - 2014-10-09 02:46 - 05582481 ____R (Swearware) C:\Users\Kevin\Downloads\ComboFix.exe
2014-10-09 02:46 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-09 02:46 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-09 02:46 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-09 02:46 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-09 02:46 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-09 02:46 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-09 02:46 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-09 02:46 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-09 02:39 - 2014-10-09 02:39 - 02109952 _____ (Farbar) C:\Users\Kevin\Downloads\FRST64.exe
2014-10-09 02:34 - 2014-10-09 19:28 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-09 02:34 - 2014-10-09 02:34 - 15670360 _____ () C:\Users\Kevin\Downloads\RogueKiller.exe
2014-10-09 02:34 - 2014-10-09 02:34 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-09 00:53 - 2014-10-09 01:47 - 00000000 __SHD () C:\Users\Kevin\AppData\Local\AddressBook
2014-10-09 00:53 - 2014-10-09 00:53 - 00000000 __SHD () C:\Users\Kevin\AppData\Roaming\Fontographer 5.2_is1
2014-10-09 00:53 - 2014-10-09 00:53 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-02 22:56 - 2014-10-02 22:56 - 00065618 _____ () C:\Users\Kevin\Downloads\T0021-airpair-angularjs-tutorial-master.zip
2014-10-01 19:20 - 2014-10-01 19:37 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2014-10-01 19:20 - 2014-10-01 19:20 - 00002005 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader.lnk
2014-10-01 19:20 - 2014-10-01 19:20 - 00001949 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader Uninstaller.lnk
2014-10-01 19:20 - 2014-10-01 19:20 - 00001928 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader Update.lnk
2014-10-01 19:19 - 2014-10-01 19:19 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-10-01 19:19 - 2014-10-01 19:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-10-01 19:18 - 2014-10-01 19:18 - 00165072 _____ () C:\Users\Kevin\Downloads\installer_jdownloader_one.exe
2014-09-17 22:13 - 2014-09-17 22:13 - 00001534 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk
2014-09-17 22:13 - 2014-09-17 22:13 - 00001522 _____ () C:\Users\Public\Desktop\Adobe Application Manager.lnk
2014-09-16 22:00 - 2014-10-09 20:58 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-16 22:00 - 2014-09-16 22:11 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-16 22:00 - 2014-09-16 22:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-16 22:00 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-16 22:00 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
 
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-15 02:45 - 2011-12-22 22:23 - 00002368 _____ () C:\Users\Kevin\Desktop\Google Chrome.lnk
2014-10-15 02:45 - 2011-12-22 22:22 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025942748-1801310357-1606160724-1000UA.job
2014-10-15 02:43 - 2012-08-18 03:51 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-15 02:24 - 2012-11-07 08:27 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-15 02:00 - 2011-12-24 05:38 - 00000000 ____D () C:\Users\Kevin\AppData\Local\Adobe
2014-10-15 01:08 - 2013-01-27 23:48 - 422376448 _____ () C:\Users\Kevin\AppData\Local\SageThumbs.db3
2014-10-15 00:48 - 2011-12-25 03:11 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\Spotify
2014-10-14 11:55 - 2013-01-26 05:02 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\foobar2000
2014-10-14 11:54 - 2012-11-07 08:27 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-14 11:52 - 2014-02-17 22:57 - 02049168 _____ () C:\Windows\WindowsUpdate.log
2014-10-14 11:50 - 2011-12-22 22:22 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025942748-1801310357-1606160724-1000Core.job
2014-10-14 00:05 - 2011-12-25 03:11 - 00000000 ____D () C:\Users\Kevin\AppData\Local\Spotify
2014-10-13 18:27 - 2011-12-25 12:05 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\Skype
2014-10-13 17:25 - 2014-03-29 12:53 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-10-13 17:25 - 2011-12-25 12:05 - 00000000 ___RD () C:\Program Files (x86)\Skype
2014-10-13 17:25 - 2011-12-25 12:05 - 00000000 ____D () C:\ProgramData\Skype
2014-10-13 12:51 - 2009-07-14 01:13 - 00779724 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-12 23:40 - 2011-12-22 14:47 - 00085368 _____ () C:\Users\Kevin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-12 20:31 - 2013-02-22 12:19 - 00000000 ___RD () C:\Users\Kevin\Google Drive
2014-10-12 01:33 - 2009-07-14 00:45 - 00014016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-12 01:33 - 2009-07-14 00:45 - 00014016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-09 21:19 - 2013-11-10 11:37 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\Copy
2014-10-09 15:00 - 2013-11-07 01:10 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\Dropbox
2014-10-09 15:00 - 2012-03-23 20:21 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\WTablet
2014-10-09 15:00 - 2011-12-23 10:49 - 00025640 _____ (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys
2014-10-09 15:00 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-09 03:09 - 2011-12-22 22:22 - 00000000 ____D () C:\Users\Kevin\AppData\Local\Apps\2.0
2014-10-09 03:09 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-10-09 03:08 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-10-09 01:48 - 2009-07-14 00:45 - 05235568 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-09 01:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\security
2014-10-03 16:33 - 2013-11-10 13:05 - 00001017 _____ () C:\Users\Kevin\Desktop\Dropbox.lnk
2014-10-03 16:33 - 2013-11-10 12:54 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-10-01 20:56 - 2012-10-08 22:20 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\FileZilla
2014-10-01 19:19 - 2012-11-13 20:20 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-10-01 19:19 - 2012-11-13 20:20 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-10-01 19:19 - 2012-11-13 20:20 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-10-01 19:19 - 2011-12-26 02:48 - 00000000 ____D () C:\Program Files (x86)\Java
2014-09-23 18:43 - 2012-08-18 03:51 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-23 18:43 - 2012-08-18 03:51 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-09-23 18:43 - 2011-12-22 22:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-23 16:07 - 2014-07-23 03:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-09-23 14:39 - 2014-09-14 09:02 - 00000000 ____D () C:\Users\Kevin\Documents\_BUSINESS
2014-09-17 22:17 - 2011-12-25 02:06 - 00000000 ____D () C:\Program Files\Adobe
2014-09-16 22:00 - 2013-02-22 12:33 - 00000000 ____D () C:\Users\Kevin\AppData\Roaming\Malwarebytes
2014-09-16 22:00 - 2013-02-22 12:18 - 00000000 ____D () C:\ProgramData\Malwarebytes
 
Some content of TEMP:
====================
C:\Users\Kevin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpipreti.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-10-09 05:28
 
==================== End Of Log ============================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,954 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:13 AM

Posted 17 October 2014 - 10:07 AM

Sorry for this delay. I had technical difficulties.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Plugin: (Google Update) - C:\Users\Kevin\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
C:\Users\Kevin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpipreti.dll
AlternateDataStreams: C:\Users\Kevin\Local Settings:8Hl6raOp4jByNsdFbjP2W
AlternateDataStreams: C:\Users\Kevin\Local Settings:Gi3ok52FYS1PfwFizMwZsK0xJU
AlternateDataStreams: C:\Users\Kevin\AppData\Local:8Hl6raOp4jByNsdFbjP2W
AlternateDataStreams: C:\Users\Kevin\AppData\Local:Gi3ok52FYS1PfwFizMwZsK0xJU
AlternateDataStreams: C:\Users\Kevin\AppData\Local\Application Data:8Hl6raOp4jByNsdFbjP2W
AlternateDataStreams: C:\Users\Kevin\AppData\Local\Application Data:Gi3ok52FYS1PfwFizMwZsK0xJU

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?
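
The fixlist above removes two alternate data streams (ADS) from the user's profile folders, and the earlier FRST log's "Bamital & volsnap Check" verifies the signatures of core Windows binaries. The following PowerShell script is an added example, not part of this thread and not code from FRST or Security Check; it lets you confirm both results yourself after the fix. It assumes PowerShell 3.0 or later (the `-Stream` parameter is not in the PowerShell 2.0 that Windows 7 ships with; Windows Management Framework 3.0 adds it) and uses the same profile paths and system files the logs above list.

```powershell
# Added example (not part of the thread, FRST or Security Check).
# 1) Re-check the directories the fixlist targeted for alternate data streams.
# 2) Re-check the core files FRST's Bamital & volsnap check verified.
# Assumes PowerShell 3.0+ for Get-Item -Stream.

$adsTargets = @(
    "$env:LOCALAPPDATA",                  # C:\Users\<user>\AppData\Local in the thread
    "$env:USERPROFILE\Local Settings"     # Windows 7 junction; access is often denied
)

foreach ($dir in $adsTargets) {
    try {
        # -Stream * enumerates every named stream on the item; directories can carry
        # ADS too, which is exactly what the fixlist's AlternateDataStreams lines removed.
        $streams = Get-Item -LiteralPath $dir -Stream * -ErrorAction Stop |
                   Where-Object { $_.Stream -ne ':$DATA' }
        if ($streams) {
            foreach ($s in $streams) {
                "{0} still carries stream '{1}' ({2} bytes)" -f $dir, $s.Stream, $s.Length
            }
        } else {
            "{0}: no alternate data streams" -f $dir
        }
    } catch {
        # Junctions such as "Local Settings" deny listing by design; report and move on.
        "{0}: cannot enumerate streams ({1})" -f $dir, $_.Exception.Message
    }
}

# The same files FRST listed under "Bamital & volsnap Check".
$coreFiles = @(
    "$env:windir\System32\winlogon.exe",
    "$env:windir\System32\wininit.exe",
    "$env:windir\explorer.exe",
    "$env:windir\System32\svchost.exe",
    "$env:windir\System32\services.exe",
    "$env:windir\System32\userinit.exe",
    "$env:windir\System32\rpcss.dll",
    "$env:windir\System32\Drivers\volsnap.sys"
)

Get-AuthenticodeSignature -FilePath $coreFiles |
    Select-Object @{n = 'File';   e = { $_.Path }},
                  Status,
                  @{n = 'Signer'; e = { $_.SignerCertificate.Subject }} |
    Format-Table -AutoSize
```

One caveat on the second half: most Windows system files are catalog-signed rather than carrying an embedded signature, and on Windows 7 `Get-AuthenticodeSignature` does not consult the catalog, so a `NotSigned` status there is not by itself evidence of tampering. On that OS, FRST's own check is the better indicator; on Windows 8 and later with a current PowerShell, the cmdlet reports `Valid` for catalog-signed files as well.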

#5 nasdaq

Posted 23 October 2014 - 10:04 AM

Are you still with me?

#6 pembrook

pembrook
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:13 AM

Posted 23 October 2014 - 10:55 PM

Hello, sorry for the delay. I ran both the fixlist and Security Check; here are the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-10-2014
Ran by Kevin at 2014-10-23 16:32:11 Run:1
Running from C:\Users\Kevin\Downloads
Loaded Profile: Kevin (Available profiles: Kevin & Guest)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SPLBR1&pc=SPLH
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Plugin: (Google Update) - C:\Users\Kevin\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
C:\Users\Kevin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpipreti.dll
AlternateDataStreams: C:\Users\Kevin\Local Settings:8Hl6raOp4jByNsdFbjP2W
AlternateDataStreams: C:\Users\Kevin\Local Settings:Gi3ok52FYS1PfwFizMwZsK0xJU
AlternateDataStreams: C:\Users\Kevin\AppData\Local:8Hl6raOp4jByNsdFbjP2W
AlternateDataStreams: C:\Users\Kevin\AppData\Local:Gi3ok52FYS1PfwFizMwZsK0xJU
AlternateDataStreams: C:\Users\Kevin\AppData\Local\Application Data:8Hl6raOp4jByNsdFbjP2W
AlternateDataStreams: C:\Users\Kevin\AppData\Local\Application Data:Gi3ok52FYS1PfwFizMwZsK0xJU
 
End
*****************
 
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
C:\Users\Kevin\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll not found.
"C:\Users\Kevin\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpipreti.dll" => File/Directory not found.
"C:\Users\Kevin\Local Settings" => ":8Hl6raOp4jByNsdFbjP2W" ADS not found.
"C:\Users\Kevin\Local Settings" => ":Gi3ok52FYS1PfwFizMwZsK0xJU" ADS not found.
C:\Users\Kevin\AppData\Local => ":8Hl6raOp4jByNsdFbjP2W" ADS removed successfully.
C:\Users\Kevin\AppData\Local => ":Gi3ok52FYS1PfwFizMwZsK0xJU" ADS removed successfully.
"C:\Users\Kevin\AppData\Local\Application Data" => ":8Hl6raOp4jByNsdFbjP2W" ADS not found.
"C:\Users\Kevin\AppData\Local\Application Data" => ":Gi3ok52FYS1PfwFizMwZsK0xJU" ADS not found.
 
==== End of Fixlog ====

 Results of screen317's Security Check version 0.99.89  
 Windows 7  x64 (UAC is enabled)  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java™ 6 Update 37  
 Java 7 Update 45  
 Java version out of Date! 
 Adobe Flash Player 15.0.0.152  
 Adobe Reader 10.1.2 Adobe Reader out of Date!  
 Mozilla Firefox 32.0.2 Firefox out of Date!  
 Google Chrome 37.0.2062.124  
 Google Chrome 38.0.2125.104  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#7 nasdaq

Posted 24 October 2014 - 08:03 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u67.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present, remove the old version(s) of Java using the Add/Remove Programs applet.

Java 6 Update 37
Java 7 Update 4


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or, if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

Restart the computer normally.
===

For your added security install Windows 7 Service Pack 1.
How to:
http://windows.microsoft.com/en-CA/windows7/install-windows-7-service-pack-1

How is the computer running now?
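
Security Check reported two Java releases side by side plus outdated Adobe Reader and Flash, and the post above asks for the old versions to be removed. The script below is an added example, not part of this thread and not code from Security Check; it lists the installed Java and Adobe entries from the 64-bit, 32-bit and per-user Uninstall keys so that leftover releases can be spotted before using Add/Remove Programs. The product-name grouping uses a simple regular expression of my own (everything before the first digit), so treat the "multiple releases" lines as a hint to inspect, not a verdict.

```powershell
# Added example (not part of the thread or of Security Check).
# Inventory of Java / Adobe Reader / Adobe Flash entries from every Uninstall hive,
# flagging products that are installed more than once (old release left behind).

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
)
$pattern = 'Java|Adobe Reader|Adobe Flash'

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                  @{n = 'Hive'; e = {
                      if     ($_.PSPath -match 'Wow6432Node')        { 'HKLM (32-bit)' }
                      elseif ($_.PSPath -match 'HKEY_CURRENT_USER')  { 'HKCU' }
                      else                                           { 'HKLM (64-bit)' }
                  }} |
    Sort-Object DisplayName, DisplayVersion

$installed | Format-Table -AutoSize

# Heuristic grouping (assumption, not a vendor convention): strip "(TM)"/"TM" marks and
# everything from the first digit onward, so "Java 7 Update 45" and "Java 6 Update 37"
# both group under "Java". Products with more than one entry are reported.
$installed |
    Group-Object -Property { (($_.DisplayName -replace '\(TM\)|\u2122', '') -replace '[\s(]*\d.*$', '').Trim() } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $versions = ($_.Group | ForEach-Object { $_.DisplayVersion }) -join ', '
        "Multiple releases installed for '{0}': {1}" -f $_.Name, $versions
    }
```

Run it before and after the uninstall round: the first table shows what is present, and the "Multiple releases" lines should disappear once the older Java and Reader entries have been removed and only the current versions remain.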

#8 nasdaq

Posted 30 October 2014 - 09:25 AM

Are you still with me?
If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

Posted 05 November 2014 - 08:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

