Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

dllhost.exe com surrogate


  • This topic is locked This topic is locked
8 replies to this topic

#1 larsfamily5

larsfamily5

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 15 October 2014 - 03:07 PM

Ran DSS in safe mode because would not run otherwise. After about 20 minutes was not complete.  Thanks for any help!!

 

DDS (Ver_2012-11-20.01) - NTFS_x86 MINIMAL
Internet Explorer: 11.0.9600.17280
Run by Abby at 14:07:02 on 2014-10-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2036.1056 [GMT -4:00]
.
AV: Norton 360 Premier Edition *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton 360 Premier Edition *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 Premier Edition *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Bar = hxxps://www.yahoo.com?fr=hp-avast&type=odc169
uSearch Page = hxxps://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
mStart Page = hxxps://www.yahoo.com?fr=hp-avast&type=odc169
mSearch Bar = hxxps://www.yahoo.com?fr=hp-avast&type=odc169
mSearch Page = hxxps://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton 360\engine\21.6.0.32\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton 360\engine\21.6.0.32\ips\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - 
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - 
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton 360\engine\21.6.0.32\CoIEPlg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SuiteTray] "c:\program files\egistec mywinlockersuite\x86\SuiteTray.exe"
mRun: [EgisTecPMMUpdate] "c:\program files\egistec ips\PmmUpdate.exe"
mRun: [EgisUpdate] "c:\program files\egistec ips\EgisUpdate.exe" -d
mRun: [Norton Online Backup] c:\program files\symantec\norton online backup\NOBuClient.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LManager] c:\program files\launch manager\LManager.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Power Management] c:\program files\acer\acer epower management\ePowerTray.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
StartupFolder: c:\users\abby\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\abby\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{C3AF8A0B-4EDD-4E8C-A366-BEC9852108FD} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1506000.020\SymDS.sys [2014-10-14 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1506000.020\SymEFA.sys [2014-10-14 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\norton 360\nortondata\21.6.0.32\definitions\bashdefs\20140801.001\BHDrvx86.sys [2014-10-14 1101616]
S1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\n360\1506000.020\ccSetx86.sys [2014-10-14 127064]
S1 IDSVix86;IDSVix86;c:\program files\norton 360\nortondata\21.6.0.32\definitions\ipsdefs\20140717.001\IDSvix86.sys [2014-10-14 395992]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\drivers\mwlPSDFilter.sys [2011-3-24 19304]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\drivers\mwlPSDNserv.sys [2011-3-24 16744]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\drivers\mwlPSDVDisk.sys [2011-3-24 62048]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1506000.020\Ironx86.sys [2014-10-14 209624]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\1506000.020\symnets.sys [2014-10-14 447704]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-7-11 24184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 CouponPrinterService;Coupon Printer Service;c:\program files\coupons\CouponPrinterService.exe [2014-2-13 153072]
S2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2011-3-24 352336]
S2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2011-12-1 739944]
S2 GREGService;GREGService;c:\program files\acer\registration\GREGsvc.exe [2010-1-8 23584]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-3-24 13336]
S2 IconMan_R;IconMan_R;c:\program files\realtek\realtek pcie card reader\RIconMan.exe [2011-3-24 1751656]
S2 Live Updater Service;Live Updater Service;c:\program files\acer\acer updater\UpdaterService.exe [2011-3-24 244624]
S2 N360;Norton 360;c:\program files\norton 360\engine\21.6.0.32\N360.exe [2014-10-14 265040]
S2 NOBU;Norton Online Backup;c:\program files\symantec\norton online backup\NOBuAgent.exe [2010-6-1 2057560]
S2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2011-3-24 260640]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-3-2 183560]
S3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files\common files\egistec\services\EgisTicketService.exe [2010-9-27 172912]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-9-18 108032]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\drivers\RtsPStor.sys [2011-3-24 250984]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-3-24 327784]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-1-26 1343400]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2014-10-14 20:03:15 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2014-10-14 20:03:14 -------- d-----w- c:\program files\common files\Symantec Shared
2014-10-14 20:02:36 936152 ----a-r- c:\windows\system32\drivers\n360\1506000.020\SymEFA.sys
2014-10-14 20:02:36 664792 ----a-r- c:\windows\system32\drivers\n360\1506000.020\srtsp.sys
2014-10-14 20:02:36 447704 ----a-r- c:\windows\system32\drivers\n360\1506000.020\symnets.sys
2014-10-14 20:02:36 367704 ----a-r- c:\windows\system32\drivers\n360\1506000.020\SymDS.sys
2014-10-14 20:02:36 32984 ----a-r- c:\windows\system32\drivers\n360\1506000.020\srtspx.sys
2014-10-14 20:02:36 21520 ----a-r- c:\windows\system32\drivers\n360\1506000.020\SymELAM.sys
2014-10-14 20:02:36 209624 ----a-r- c:\windows\system32\drivers\n360\1506000.020\Ironx86.sys
2014-10-14 20:02:35 127064 ----a-r- c:\windows\system32\drivers\n360\1506000.020\ccSetx86.sys
2014-10-14 20:02:03 30068 ----a-r- c:\windows\system32\drivers\n360\1506000.020\SymVTcer.dat
2014-10-14 20:02:03 -------- d-----w- c:\windows\system32\drivers\n360\1506000.020
2014-10-14 20:02:03 -------- d-----w- c:\windows\system32\drivers\N360
2014-10-14 20:01:59 -------- d-----w- c:\program files\Norton 360
2014-10-14 20:01:44 -------- d-----w- c:\program files\NortonInstaller
2014-10-14 19:07:25 -------- d-----w- c:\users\abby\appdata\local\CrashDumps
2014-10-14 19:07:10 -------- d-----w- c:\programdata\Symantec
2014-10-14 18:49:09 -------- d-----w- c:\programdata\NortonInstaller
2014-10-11 02:02:09 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-10-11 01:58:35 2048 ----a-w- c:\windows\system32\tzres.dll
2014-10-11 01:50:04 8806800 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2d952322-f96a-4187-92f2-96f07a4028ae}\mpengine.dll
2014-10-11 00:26:06 -------- d-----w- c:\programdata\Norton
2014-09-18 22:30:14 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f46a3140-3f3d-4a0d-bcfc-ed701751ea0a}\offreg.dll
2014-09-18 09:42:11 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-09-18 09:42:09 259584 ----a-w- c:\program files\internet explorer\IEShims.dll
2014-09-18 09:42:05 752640 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
2014-09-18 09:42:03 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-18 09:40:57 143872 ----a-w- c:\program files\internet explorer\Timeline.dll
2014-09-18 09:40:48 1397248 ----a-w- c:\program files\internet explorer\MemoryAnalyzer.dll
2014-09-18 09:40:20 10747392 ----a-w- c:\program files\internet explorer\F12Resources.dll
2014-09-18 09:40:09 1904128 ----a-w- c:\program files\internet explorer\F12.dll
2014-09-18 09:40:07 1064960 ----a-w- c:\program files\internet explorer\networkinspection.dll
2014-09-18 09:40:01 696832 ----a-w- c:\program files\internet explorer\iedvtool.dll
2014-09-18 09:39:42 1812992 ----a-w- c:\windows\system32\wininet.dll
2014-09-18 09:39:33 222720 ----a-w- c:\program files\internet explorer\ielowutil.exe
2014-09-18 09:39:28 470016 ----a-w- c:\program files\internet explorer\ieinstal.exe
2014-09-18 09:39:20 4232704 ----a-w- c:\windows\system32\jscript9.dll
2014-09-18 09:39:09 812216 ----a-w- c:\program files\internet explorer\iexplore.exe
2014-09-18 09:39:01 2014208 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-18 09:11:12 2285056 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-09-17 20:13:41 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-09-17 20:13:40 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-09-17 20:12:29 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
2014-09-17 20:12:25 793600 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-09-17 20:12:19 445952 ----a-w- c:\windows\system32\aepdu.dll
2014-09-17 20:12:16 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-09-17 09:52:19 8806800 ------w- c:\programdata\microsoft\windows defender\definition updates\{f46a3140-3f3d-4a0d-bcfc-ed701751ea0a}\mpengine.dll
2014-09-17 01:44:33 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-17 01:38:05 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-17 01:38:04 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-09-17 01:38:00 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-09-17 00:27:47 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-09-17 00:26:50 305152 ----a-w- c:\windows\system32\gdi32.dll
.
==================== Find3M  ====================
.
2014-09-15 13:06:04 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-08-18 21:57:30 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-08-18 21:46:26 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-08-18 21:44:44 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-08-18 21:44:09 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-08-18 21:36:07 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-08-18 21:36:05 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-08-18 21:35:24 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-08-18 21:30:29 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-08-18 21:22:48 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-08-18 21:07:44 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-25 06:35:46 875688 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
.
============= FINISH: 14:09:11.74 ===============
 


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:49 PM

Posted 15 October 2014 - 05:43 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi


cXfZ4wS.png


#3 larsfamily5

larsfamily5
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 15 October 2014 - 06:55 PM

The log is below. I have attached the addition.txt file. Thanks so much for your assistance!!!!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-10-2014 02
Ran by Abby (administrator) on ABBY-PC on 15-10-2014 19:40:45
Running from D:\
Loaded Profile: Abby (Available profiles: Abby)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-06] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10025576 2011-02-11] (Realtek Semiconductor)
HKLM\...\Run: [SuiteTray] => C:\Program Files\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [340336 2010-09-27] (Egis Technology Inc.)
HKLM\...\Run: [EgisTecPMMUpdate] => C:\Program Files\EgisTec IPS\PmmUpdate.exe [407920 2010-09-17] (Egis Technology Inc.)
HKLM\...\Run: [EgisUpdate] => C:\Program Files\EgisTec IPS\EgisUpdate.exe [201584 2010-09-17] (Egis Technology Inc.)
HKLM\...\Run: [Norton Online Backup] => C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe [966488 2010-06-01] (Symantec Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [LManager] => C:\Program Files\Launch Manager\LManager.exe [1081424 2011-03-14] (Dritek System Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1934632 2010-10-08] (Synaptics Incorporated)
HKLM\...\Run: [Power Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [715368 2011-02-23] (Acer Incorporated)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [IJNetworkScanUtility] => C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-08-01] (Apple Inc.)
HKU\S-1-5-19\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-20\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
HKU\S-1-5-21-857305107-1278073829-2238757328-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-857305107-1278073829-2238757328-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-857305107-1278073829-2238757328-1000\...\MountPoints2: {ca552f45-52e4-11e3-94b3-e89a8f17612a} - D:\LaunchU3.exe -a
HKU\S-1-5-21-857305107-1278073829-2238757328-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid}
Startup: C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Abby\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
ShortcutTarget: Acer VCM.lnk -> C:\Program Files\Acer\Acer VCM\AcerVCM.exe (Acer Incorporated)
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton 360\Engine\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton 360\Engine\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton 360\Engine\21.6.0.32\buShell.dll (Symantec Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com?fr=hp-avast&type=odc169
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=odc169
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com?fr=hp-avast&type=odc169
SearchScopes: HKLM - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://inboxtoolbar.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80105&lng=en
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton 360\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton 360\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\IPSFF [2014-10-14]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\coFFPlgn [2014-10-15]
 
Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx []
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton 360\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-14]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 CouponPrinterService; C:\Program Files\Coupons\CouponPrinterService.exe [153072 2014-04-28] (Coupons.com Inc.)
S3 EgisTec Ticket Service; C:\Program Files\Common Files\EgisTec\Services\EgisTicketService.exe [172912 2010-09-27] (Egis Technology Inc. )
S2 ePowerSvc; C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [739944 2011-02-23] (Acer Incorporated)
S2 GREGService; C:\Program Files\Acer\Registration\GREGsvc.exe [23584 2010-01-08] (Acer Incorporated)
S2 IconMan_R; C:\Program Files\Realtek\Realtek PCIE Card Reader\RIconMan.exe [1751656 2011-01-13] (Realsil Microelectronics Inc.)
S2 Live Updater Service; C:\Program Files\Acer\Acer Updater\UpdaterService.exe [244624 2011-01-31] (Acer Incorporated)
S2 N360; C:\Program Files\Norton 360\Engine\21.6.0.32\N360.exe [265040 2014-09-21] (Symantec Corporation)
S2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [2057560 2010-06-01] (Symantec Corporation)
S2 RS_Service; C:\Program Files\Acer\Acer VCM\RS_Service.exe [260640 2010-01-29] (Acer Incorporated)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-07-11] ()
S1 BHDrvx86; C:\Program Files\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20140801.001\BHDrvx86.sys [1101616 2014-08-25] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360\1506000.020\ccSetx86.sys [127064 2014-02-20] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-08-26] (Symantec Corporation)
S1 IDSVix86; C:\Program Files\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20140717.001\IDSVix86.sys [395992 2014-08-25] (Symantec Corporation)
S1 mwlPSDFilter; C:\Windows\System32\DRIVERS\mwlPSDFilter.sys [19304 2011-03-24] (Egis Technology Inc.)
S1 mwlPSDNServ; C:\Windows\System32\DRIVERS\mwlPSDNServ.sys [16744 2011-03-24] (Egis Technology Inc.)
S1 mwlPSDVDisk; C:\Windows\System32\DRIVERS\mwlPSDVDisk.sys [62048 2011-03-24] (Egis Technology Inc.)
S3 NAVENG; C:\Program Files\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141010.001\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141010.001\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21784 2011-08-01] (Microsoft Corporation)
S3 RSPCIESTOR; C:\Windows\System32\DRIVERS\RtsPStor.sys [250984 2011-01-12] (Realtek Semiconductor Corp.)
S3 SRTSP; C:\Windows\system32\drivers\N360\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360\1506000.020\SYMDS.SYS [367704 2014-08-25] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360\1506000.020\SYMEFA.SYS [936152 2014-08-25] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-10-14] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
S1 SymNetS; C:\Windows\system32\drivers\N360\1506000.020\SYMNETS.SYS [447704 2014-08-25] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-15 19:40 - 2014-10-15 19:40 - 00000000 ____D () C:\FRST
2014-10-15 14:09 - 2014-10-15 14:09 - 00015345 _____ () C:\Users\Abby\Desktop\dds.txt
2014-10-15 14:09 - 2014-10-15 14:09 - 00014439 _____ () C:\Users\Abby\Desktop\attach.txt
2014-10-14 16:10 - 2014-10-14 16:10 - 00000000 ____D () C:\Users\Abby\Documents\Symantec
2014-10-14 16:03 - 2014-10-15 15:15 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-10-14 16:03 - 2014-10-14 16:03 - 00142936 _____ (Symantec Corporation) C:\Windows\system32\Drivers\SYMEVENT.SYS
2014-10-14 16:03 - 2014-10-14 16:03 - 00008194 _____ () C:\Windows\system32\Drivers\SYMEVENT.CAT
2014-10-14 16:03 - 2014-10-14 16:03 - 00002277 _____ () C:\Users\Public\Desktop\Norton 360.lnk
2014-10-14 16:02 - 2014-10-14 16:02 - 00000000 ____D () C:\Windows\system32\Drivers\N360
2014-10-14 16:01 - 2014-10-14 16:03 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360
2014-10-14 16:01 - 2014-10-14 16:02 - 00000000 ____D () C:\Program Files\Norton 360
2014-10-14 15:07 - 2014-10-15 14:55 - 00000000 ____D () C:\Users\Abby\AppData\Local\CrashDumps
2014-10-14 15:07 - 2014-10-14 15:07 - 00001302 _____ () C:\Users\Abby\Desktop\Norton Installation Files.lnk
2014-10-14 15:07 - 2014-10-14 15:07 - 00000000 ____D () C:\ProgramData\Symantec
2014-10-10 22:02 - 2014-09-24 21:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-10 21:58 - 2014-09-09 17:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-10-10 20:26 - 2014-10-14 16:08 - 00000000 ____D () C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2014-10-10 20:26 - 2014-10-14 16:08 - 00000000 ____D () C:\ProgramData\Norton
2014-10-10 20:26 - 2014-10-10 20:26 - 00000000 ____D () C:\Users\Public\Downloads\Norton
2014-10-10 19:24 - 2014-10-10 20:05 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-09-18 05:42 - 2014-08-18 17:57 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-18 05:42 - 2014-08-18 17:45 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-18 05:41 - 2014-08-18 17:57 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-09-18 05:41 - 2014-08-18 17:46 - 00454656 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-09-18 05:41 - 2014-08-18 17:44 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-09-18 05:41 - 2014-08-18 17:44 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-09-18 05:41 - 2014-08-18 17:39 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-18 05:41 - 2014-08-18 17:39 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-18 05:41 - 2014-08-18 17:37 - 00440320 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-18 05:41 - 2014-08-18 17:36 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-09-18 05:41 - 2014-08-18 17:36 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-09-18 05:41 - 2014-08-18 17:35 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-09-18 05:41 - 2014-08-18 17:30 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-09-18 05:41 - 2014-08-18 17:27 - 00365056 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-18 05:41 - 2014-08-18 17:22 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-09-18 05:41 - 2014-08-18 17:19 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-18 05:41 - 2014-08-18 17:17 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-18 05:41 - 2014-08-18 17:17 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-18 05:41 - 2014-08-18 17:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-09-18 05:41 - 2014-08-18 16:36 - 00678400 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-09-18 05:40 - 2014-08-19 13:39 - 00327872 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-18 05:40 - 2014-08-18 17:09 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-18 05:40 - 2014-08-18 17:08 - 00673792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-18 05:39 - 2014-08-18 18:08 - 04232704 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-18 05:39 - 2014-08-18 17:42 - 02185728 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-18 05:39 - 2014-08-18 17:08 - 02014208 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-18 05:39 - 2014-08-18 16:46 - 01812992 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-18 05:39 - 2014-08-18 16:38 - 01190400 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-18 05:38 - 2014-08-18 18:26 - 17455104 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-18 05:38 - 2014-08-18 17:15 - 11769856 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-18 05:11 - 2014-06-26 21:45 - 02285056 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2vdec.dll
2014-09-17 16:13 - 2014-07-06 21:40 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-17 16:13 - 2014-07-06 21:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-17 16:12 - 2014-09-04 21:52 - 00445952 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-09-17 16:12 - 2014-09-04 21:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-09-17 16:12 - 2014-08-01 07:35 - 00793600 _____ (Microsoft Corporation) C:\Windows\system32\TSWorkspace.dll
2014-09-17 16:12 - 2014-06-23 22:59 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-09-16 21:44 - 2014-09-17 07:26 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-16 21:39 - 2014-09-16 21:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-16 21:38 - 2014-09-16 21:39 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-16 21:38 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-16 21:38 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-16 20:27 - 2014-08-22 20:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-09-16 20:26 - 2014-08-22 21:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-10-15 15:00 - 2011-12-01 07:08 - 01509526 _____ () C:\Windows\WindowsUpdate.log
2014-10-15 14:36 - 2012-07-01 11:25 - 00000000 ___RD () C:\Users\Abby\Dropbox
2014-10-15 14:36 - 2012-07-01 11:22 - 00000000 ____D () C:\Users\Abby\AppData\Roaming\Dropbox
2014-10-15 14:33 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-15 14:33 - 2009-07-14 00:39 - 00071934 _____ () C:\Windows\setupact.log
2014-10-15 14:05 - 2010-11-20 17:48 - 00559772 _____ () C:\Windows\PFRO.log
2014-10-14 16:09 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-14 15:34 - 2009-07-14 00:34 - 00029168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-14 15:34 - 2009-07-14 00:34 - 00029168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-14 15:04 - 2014-01-26 17:21 - 00000000 ____D () C:\Users\Abby\AppData\Roaming\AVAST Software
2014-10-14 15:04 - 2012-03-13 14:29 - 00000000 ____D () C:\Program Files\AVAST Software
2014-10-14 15:04 - 2009-07-13 22:04 - 00002577 _____ () C:\Windows\system32\config.nt
2014-10-14 14:06 - 2010-11-20 17:01 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-18 06:48 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-09-18 05:32 - 2012-02-14 21:57 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-18 05:10 - 2013-09-17 21:04 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-18 04:22 - 2012-03-13 14:16 - 98758480 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-18 04:17 - 2014-05-16 20:42 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-09-17 22:47 - 2012-12-23 21:48 - 00002084 _____ () C:\Windows\wininit.ini
2014-09-17 22:47 - 2012-07-01 11:25 - 00001017 _____ () C:\Users\Abby\Desktop\Dropbox.lnk
2014-09-17 22:47 - 2012-07-01 11:24 - 00000000 ____D () C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-09-17 04:21 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2014-09-17 03:40 - 2009-07-14 00:33 - 00412664 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-09-16 21:39 - 2013-01-14 18:45 - 00001024 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-16 21:38 - 2012-03-13 14:40 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-15 09:06 - 2012-03-13 14:46 - 00231568 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
Some content of TEMP:
====================
C:\Users\Abby\AppData\Local\Temp\ApnStub.exe
C:\Users\Abby\AppData\Local\Temp\AskSLib.dll
C:\Users\Abby\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4th2eq.dll
C:\Users\Abby\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpadhst0.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-09-17 04:10
 
==================== End Of Log ============================

Attached Files


Edited by larsfamily5, 15 October 2014 - 06:58 PM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:49 PM

Posted 18 October 2014 - 10:58 AM

Hello,

 

 

I am sorry about the delay. I was out of town for a couple of days so I couldn't reply earlier.

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Regards,

Georgi


cXfZ4wS.png


#5 larsfamily5

larsfamily5
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 21 October 2014 - 12:00 PM

Here you go!  Thanks again for your assistance!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-10-2014
Ran by Abby at 2014-10-21 07:12:23 Run:1
Running from C:\Users\Abby\Desktop
Loaded Profile: Abby (Available profiles: Abby)
Boot Mode: Safe Mode (with Networking)

==============================================

Content of fixlist:
*****************
start
closeprocesses:
HKU\S-1-5-21-857305107-1278073829-2238757328-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://inboxtoolbar.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80105&lng=en
emptytemp:
end
*****************

Processes closed successfully.
"HKU\S-1-5-21-857305107-1278073829-2238757328-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-857305107-1278073829-2238757328-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}" => Key deleted successfully.
"HKCR\CLSID\{C04B7D22-5AEC-4561-8F49-27F6269208F6}" => Key not found.



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:49 PM

Posted 21 October 2014 - 01:04 PM

Hello,

 

Nice work!

 

The infection seems to be removed but if you don't mind, I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

The most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard and the speed of your computer).

 

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

  • Please download RogueKillerX.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Wait for the prescan to complete and then press the Scan button.
  • When done press the Report button.
  • Please copy and past the results in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
     
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
     
  • Click the Start Scan button.
     
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
     
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

 

 

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.
 

  • Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

 

 

1.Please download HitmanPro.

  • For 32-bit Operating System - dEMD6.gif.
  • This is the mirror - dEMD6.gif
  • For 64-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

 

 

STEP 6

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi


cXfZ4wS.png


#7 larsfamily5

larsfamily5
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 21 October 2014 - 04:56 PM

Step 1

 

Rkill Log:

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/21/2014 03:47:38 PM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 10/21/2014 03:55:50 PM
Execution time: 0 hours(s), 8 minute(s), and 11 seconds(s)

 

Step 2

 

RogueKillerX report

 

RogueKiller V10.0.2.0 [Oct 16 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Abby [Administrator]
Mode : Scan -- Date : 10/21/2014  16:26:08

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[Hidden.From.SCM] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EraserUtilDrv11410 (\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11410.sys) -> Found
[PUM.HomePage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : https://www.yahoo.com?fr=hp-avast&type=odc169  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-857305107-1278073829-2238757328-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/  -> Found
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-857305107-1278073829-2238757328-1000\Software\Microsoft\Internet Explorer\Main | Search Page : https://search.yahoo.com/yhs/search?type=odc169&hspart=avast&hsimp=yhs-001&p={searchTerms}  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 136 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0xafd6f7e8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x86de0198
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x83f59438
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x86552c00
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x879af7e8
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x879d7c20
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x8446cdf0
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0xafce9398
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x876082b8
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x86577900
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x84060570
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x8445acd0
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x86c78890
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0xafc9cf58
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x8655f608
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x8799fef8
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x86eb02d0
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x83f95458
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x87924e10
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x97423678
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x845e0de8
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x84189288
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x84619f78
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x842a1820
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0xafce0f78
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0xafcc0798
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x84393920
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x8647ff10
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x83fe7268
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0xad9af368
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0xafcfdb18
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0xad814c38
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x86e1a090
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x86df4b60
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_DevNode_Status : C:\Windows\system32\CFGMGR32.dll @ 0x757c7498
[IAT:Addr] (explorer.exe @ POWRPROF.dll) SETUPAPI.dll - CM_Get_Device_IDW : C:\Windows\system32\CFGMGR32.dll @ 0x757c86ef
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x75dee599
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x75dff150
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x75e054ad
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x75e19d0b
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x75de5ea5
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x75deeb17
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x75e115d5
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x75dfa72f
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x75dff1eb
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x75dfef03
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x75e122ec
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x75de2d6d
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x75e109ad
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x75e60cc2
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x75e1ea4c
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x75e26f41
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x75df503c
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x75e186d3
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (explorer.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (explorer.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\version.DLL @ 0x74bf1b72
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (explorer.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (explorer.exe @ ieframe.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (explorer.exe @ acppage.dll) sfc.dll - SfcIsFileProtected : C:\Windows\system32\sfc_os.DLL @ 0x72721e56
[IAT:Addr] (iexplore.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ IEFRAME.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ IEFRAME.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ IEFRAME.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x75dee599
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x75dff150
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x75e054ad
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x75e19d0b
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x75de5ea5
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x75deeb17
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x75e115d5
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x75dfa72f
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x75dff1eb
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x75dfef03
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x75e122ec
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x75de2d6d
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x75e109ad
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x75e60cc2
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x75e1ea4c
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x75e26f41
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x75df503c
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x75e186d3
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\version.DLL @ 0x74bf1b72
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ iertutil.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ IEFRAME.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ IEFRAME.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ IEFRAME.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromString : C:\Windows\system32\ole32.dll @ 0x75dee599
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUnmarshalInterface : C:\Windows\system32\ole32.dll @ 0x75dff150
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetClassObject : C:\Windows\system32\ole32.dll @ 0x75e054ad
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateInstance : C:\Windows\system32\ole32.dll @ 0x75e19d0b
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoSetProxyBlanket : C:\Windows\system32\ole32.dll @ 0x75de5ea5
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromCLSID : C:\Windows\system32\ole32.dll @ 0x75deeb17
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoCreateGuid : C:\Windows\system32\ole32.dll @ 0x75e115d5
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetTreatAsClass : C:\Windows\system32\ole32.dll @ 0x75dfa72f
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoGetMarshalSizeMax : C:\Windows\system32\ole32.dll @ 0x75dff1eb
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoMarshalInterface : C:\Windows\system32\ole32.dll @ 0x75dfef03
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - StringFromGUID2 : C:\Windows\system32\ole32.dll @ 0x75e122ec
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - FreePropVariantArray : C:\Windows\system32\ole32.dll @ 0x75de2d6d
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoInitializeEx : C:\Windows\system32\ole32.dll @ 0x75e109ad
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoFreeUnusedLibraries : C:\Windows\system32\ole32.dll @ 0x75e60cc2
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemAlloc : C:\Windows\system32\ole32.dll @ 0x75e1ea4c
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoTaskMemFree : C:\Windows\system32\ole32.dll @ 0x75e26f41
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CLSIDFromProgID : C:\Windows\system32\ole32.dll @ 0x75df503c
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-ole32-l1-1-0.dll - CoUninitialize : C:\Windows\system32\ole32.dll @ 0x75e186d3
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ urlmon.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueA : C:\Windows\system32\version.DLL @ 0x74bf1b72
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ WININET.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ MSHTML.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15
[IAT:Addr] (iexplore.exe @ MSHTML.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ MSHTML.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ jscript9.dll) api-ms-win-downlevel-version-l1-1-0.dll - VerQueryValueW : C:\Windows\system32\version.DLL @ 0x74bf1b51
[IAT:Addr] (iexplore.exe @ jscript9.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoSizeExW : C:\Windows\system32\version.DLL @ 0x74bf18e9
[IAT:Addr] (iexplore.exe @ jscript9.dll) api-ms-win-downlevel-version-l1-1-0.dll - GetFileVersionInfoExW : C:\Windows\system32\version.DLL @ 0x74bf1a15

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545025B9A300 +++++
--- User ---
[MBR] 3f333db41e4e95440966b2387b3aa870
[BSP] 22a5e909620411aa17965b0d0346df6c : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 27265024 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 27469824 | Size: 225061 MB
User = LL1 ... OK
User = LL2 ... OK

 

Step 3

 

Link to pastebin

 

http://pastebin.com/nm48HqMG

 

Step 4

 

Malwarebytes ran and did not find anything. I was unable to resize the scan log to save it. (This is an Aspire One with a very small screen.)

 

Step 5

 

Hitman Pro Log

 

HitmanPro 3.7.9.225
www.hitmanpro.com
   Computer name . . . . : ABBY-PC
   Windows . . . . . . . : 6.1.1.7601.X86/4
   User name . . . . . . : Abby-PC\Abby
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
   Scan date . . . . . . : 2014-10-21 17:39:37
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 42s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 24
   Objects scanned . . . : 1,530,676
   Files scanned . . . . : 35,017
   Remnants scanned  . . : 784,216 files / 711,443 keys
Cookies _____________________________________________________________________
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\0D5X031F.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\3AGXGWFP.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\4D2UQ3HH.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\4M5EVP4K.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\51ECF04X.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\6ITJ4IIM.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\7RYAW8A3.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\B2OL34QK.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\B7DUP60N.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\DERBWR2K.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\DKQZ7O55.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\GK9HJE63.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\HW4SBCM9.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\IETYXT9L.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\J55BRSYT.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\JA5YQ21L.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\MS83GKQY.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\PE5I91WO.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\SEG4NH23.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\U1OQEJ9J.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\WGZVECYW.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\WRVUPCKP.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\ZJL5MZOF.txt
   C:\Users\Abby\AppData\Roaming\Microsoft\Windows\Cookies\ZKOX8GGP.txt

 

Step 6

 

Security Check document

 

 Results of screen317's Security Check version 0.99.89 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton 360 Premier Edition  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
````````Process Check: objlist.exe by Laurent```````` 
 Symantec Norton Online Backup NOBuAgent.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````
 



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:49 PM

Posted 22 October 2014 - 06:47 AM

Hello,

 

 

Nicely done ! :bananas: This is the end of our journey if you don't have any more questions.
Thank you for following my instructions perfectly. smile.png
I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

 

 

 

STEP 1 - UPDATING TASKS

 

 

  • It is possible for some programs on your computer to have security vulnerability that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC

 

 
Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

 

 

STEP 2 - CLEANUP
 

 
To remove all of the tools we used and the files and folders they created, please do the following:

 

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

  • Next please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
  • The tool will delete itself once it finishes.

 

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


 
STEP 3 - SECURITY ADVICES


Change all your passwords !


Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately including those for bank accounts, credit cards and home loans, PIN codes etc)!! (just in case).

 

If you're storing password in the browser to access websites than they are non encrypted well. Only if you use Firefox with master password protection activated provide better security...then you can add Secure Login to prevent Java and other exploits when log-in.

 

So I strongly recommend to change as much password as possible. Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use Password Generator - Norton Identity Safe to create random passwords and then install an application like KeePass Password Safe to store them for easy access.If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft
 

 

 

Keep your antivirus software turned on and up-to-date

 

  • Make sure that you keep it updated
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Note: You should scan your computer with an antimalware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.
  • Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.

 

 

Install HIPS based software if needed (or use Limited Account with UAC enabled)

 

I usually recommend to users to install HIPS based software (like Comodo Firewall, OnlineArmor, PrivateFirewall or Outpost Security Suite FREE) to prevent an unknown malware from gaining access but since you use Norton 360 Premier Edition you can skip this step.

Norton 360 Premier Edition is not only antivirus software, but also includes smart firewall protection, file Insight, SONAR technology, reputation analysis etc. This application offer many proactive features.
More information about HIPS can be found here: What is Host Intrusion Prevention System (HIPS) and how does it work?

 

If these kind of programs are difficult for you to use then you can use a standard user account with UAC enabled. If you need administrative privileges to perform some tasks, then you can use Run As or log on as the administrator account for that specific task.

 

 

 

Be prepared for CryptoLocker and similar threats:


CryptoLocker Ransomware Information Guide and FAQ
Cryptolocker Ransomware: What You Need To Know
New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
CryptoWall - A new ransomware from the creators of CryptoDefense

Analysis of ‘TorrentLocker’ – A New Strain of Ransomware Using Components of CryptoLocker and CryptoWall

 

 

Since the prevention is better than cure you can use gpedit built-in Windows or CryptoPrevent (described in the first link) to secure the PC against these lockers.
Another way is to use Comodo Internet Security and to add all local disks to Protected Files and Folders (if you decide to install it). Also Comodo Internet Security offers a sandbox that will help you prevent being infected. Note that you should uninstall Norton 360 Premier Edition if you decide to install Comodo Internet Security.

 

You may want to check Malwarebytes Anti-Exploit and add install it to be safe when surfing the net. It work with the most popular browsers and it is very effective. See the article here.

 

HitmanPro.Alert.CryptoGuard provides similar protection but it failed in the latest test here. However the tool is still under development and will be improved a lot in the future so you can keep an eye on it and its progress.

 

Note: However keep in mind that HitmanPro.Alert is not fully compatible with Malwarebytes' Anti-Exploit and you should choose only one between both of them.

 

EMET and VoodooShield are another great tools which should lock the computer against exploits but they are too confusing to use for home users. However you can take a look at them if you want.
 
I would not install them all because they could render your pc unusable and will slow it down like a turtle.
Having more than one "real-time" program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • .exe, .com, .bat, .pif, .scr, .cmd or .vbs do not open the attachment unless you know for a fact that it is clean.  For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
  • You may want to install unchecky to prevent adware bundled into many free programs to install.

 

 

Tweak your browsers
 

MOZILLA FIREFOX

 

To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus
 

Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

 

 

Adblock Plus can be found here.
 
Do not add to many filters subscriptions because it will slow down your browser startup time.
 
erfxUim.jpg
 

NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

 

 

NoScript can be found here
 
You can find the optimal settings here
A tutorial on how to use it can be found here

 

 

Google Chrome

 
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access


 
For Internet Explorer 9/10/11 read the articles below:


Security and privacy features in Internet Explorer 9
Enhanced Protected Mode
Use Tracking Protection in Internet Explorer
Security in Internet Explorer 10

 

 
 
Immunize your browsers with SpywareBlaster 5 and Spybot Search and Destroy 1.6 and MVPS HOSTS.

Also you can change your DNS settings 8.26.56.26 and 8.20.247.20 to use Comodo Secure DNS for free (to prevent phishing attacks)

 

 

Make the extensions for known file types visible:
 
 
Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.


 
Disable Autorun and Windows Scripting Host:
 
 
It's a good idea to disable the Autorun functionality using the following tool to prevent spreading of the infections from USB flash drives.

 

If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript again and select Enable, then reboot the computer.
 

 

 
Create an image of your system (you can use the built-in Windows software as well if you prefer)

  • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create an system image can be found here.
  • The tutorial on how to restore an system image can be found here.
  • Be sure to read the tutorial first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

 

Safe Surfing ! :)

 

Regards,

Georgi


cXfZ4wS.png


#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:49 PM

Posted 25 October 2014 - 04:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users