

Explorer.exe wont start automatically on previously infected computer


  • This topic is locked
22 replies to this topic

#1 frab49

  • Members
  • 49 posts

Posted 23 October 2014 - 05:12 PM

Hi,

 

My dad's computer had been running McAfee, but some malware got through, which was supposedly cleaned.

 

However, since then his explorer.exe will not start automatically, and after entering the password he just gets a black screen.

 

The only way I have found to force explorer.exe to start for him is to:

 

Open task manager

Go to processes

Show processes from all users (this part is essential)

Go to applications

Create new task

Enter explorer.exe

OK

and explorer.exe will bring up his desktop

 

Occasionally the desktop will go and he has to restart it, and the internet sometimes freezes or he encounters keystroke lag.

I think he may still have some infections present, so can you please check and advise if there is something causing explorer.exe not to work properly?

 

I have since uninstalled McAfee and installed Security Essentials, as the subscription ran out.

 

Your help is greatly appreciated.

 

 

DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16584  BrowserJavaVersion: 10.71.2
Run by Teddy at 22:50:10 on 2014-10-23
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2814.1182 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\explorer.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
uURLSearchHooks: {ecce0073-a837-45a2-95b9-600420505f7e} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - <orphaned>
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [(default)] <no file>
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print 2.0\smartprintsetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{DB8955E7-808C-47AA-BE7C-E236FFDEE09C} : DHCPNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2014-7-31 206520]
R1 MpKsl8e46a08b;MpKsl8e46a08b;c:\programdata\microsoft\microsoft antimalware\definition updates\{72282f3a-24b9-4047-afb4-22fd9068b799}\MpKsl8e46a08b.sys [2014-10-23 39464]
R1 RapportCerberus_80049;RapportCerberus_80049;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_80049.sys [2014-9-1 433240]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2014-7-31 251928]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2014-7-31 332792]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2014-7-17 95920]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2014-7-31 1919256]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2013-11-2 152216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2010-2-24 91520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-1-23 228408]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
S4 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-4 1245064]
.
=============== Created Last 30 ================
.
2014-10-23 14:15:09 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{72282f3a-24b9-4047-afb4-22fd9068b799}\MpKsl8e46a08b.sys
2014-10-22 22:03:52 908840 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{20e1d2a5-9e46-47d7-a852-c4bfc25b6523}\gapaengine.dll
2014-10-22 22:03:34 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{72282f3a-24b9-4047-afb4-22fd9068b799}\mpengine.dll
2014-10-22 21:59:47 -------- d-----w- c:\program files\Microsoft Security Client
2014-10-22 21:34:41 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-10-21 11:41:58 8901368 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0a5dcdff-b345-449d-81d9-16695e1b6f11}\mpengine.dll
2014-10-17 11:43:54 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-17 11:43:54 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-17 11:43:54 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-17 11:38:23 2054656 ----a-w- c:\windows\system32\win32k.sys
2014-10-17 11:07:20 143360 ----a-w- c:\windows\system32\drivers\fastfat.sys
2014-10-17 11:00:55 66560 ----a-w- c:\windows\system32\packager.dll
2014-09-24 22:18:37 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M  ====================
.
2014-10-22 21:22:16 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 21:22:16 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-02 14:53:02 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-09-19 22:44:32 1810432 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 22:38:15 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-09-19 22:37:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-19 22:36:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 22:35:46 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 22:34:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 22:34:22 11776 ----a-w- c:\windows\system32\mshta.exe
2014-08-23 01:03:46 297984 ----a-w- c:\windows\system32\gdi32.dll
2014-07-31 14:57:58 206520 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 22:52:41.51 ===============

 

 

I had also run AdwCleaner, which showed the following log:

 

# AdwCleaner v4.001 - Report created 22/10/2014 at 23:54:25
# DB v2014-10-21.1
# Updated 20/10/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Teddy - TEDDY-PC
# Running from : C:\Users\Teddy\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16584

*************************

AdwCleaner[R0].txt - [5507 octets] - [16/10/2013 12:29:12]
AdwCleaner[R1].txt - [919 octets] - [01/11/2013 20:19:55]
AdwCleaner[R2].txt - [987 octets] - [23/11/2013 13:01:18]
AdwCleaner[R3].txt - [1071 octets] - [14/12/2013 13:39:06]
AdwCleaner[R4].txt - [1132 octets] - [21/12/2013 12:04:53]
AdwCleaner[R5].txt - [1192 octets] - [02/02/2014 11:34:55]
AdwCleaner[R6].txt - [1252 octets] - [16/02/2014 01:17:35]
AdwCleaner[R7].txt - [1312 octets] - [26/03/2014 22:56:42]
AdwCleaner[R8].txt - [1447 octets] - [22/10/2014 23:50:40]
AdwCleaner[S0].txt - [5694 octets] - [16/10/2013 12:35:35]
AdwCleaner[S1].txt - [981 octets] - [01/11/2013 20:20:48]
AdwCleaner[S2].txt - [1049 octets] - [23/11/2013 13:05:04]
AdwCleaner[S3].txt - [1363 octets] - [22/10/2014 23:54:25]

########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1423 octets] ##########

 



Edited by frab49, 23 October 2014 - 05:14 PM.




#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,696 posts

Posted 28 October 2014 - 05:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553079 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 frab49 (Topic Starter)

  • Members
  • 49 posts

Posted 29 October 2014 - 03:20 PM

Hi,

The computer had been infected with a number of items, detected by Malwarebytes as Trojan.Agent as explorer.exe, and various other PUPs.

 

After logging on, the computer comes to a blank screen and explorer.exe does not start.
To start explorer you have to:
Open task manager
Go to processes
Show processes from all users
Go to applications
Create new task
Enter explorer.exe
OK

and explorer.exe will bring up the desktop.
Occasionally the desktop will go and have to be restarted.

 

A major irritation is occasional freezing internet, keystroke lag, and the way certain pages continuously flash (like in facebook) while you're trying to read them.

 

DDS Log

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16584
Run by Teddy at 20:10:58 on 2014-10-29
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2814.1413 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\explorer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\WINDOWS\System32\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
uURLSearchHooks: {ecce0073-a837-45a2-95b9-600420505f7e} - <orphaned>
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - <orphaned>
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [(default)] <no file>
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print 2.0\smartprintsetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{DB8955E7-808C-47AA-BE7C-E236FFDEE09C} : DHCPNameServer = 192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2014-7-31 206520]
R1 RapportCerberus_80049;RapportCerberus_80049;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_80049.sys [2014-9-1 433240]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2014-7-31 251928]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2014-7-31 332792]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2014-7-17 95920]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2014-7-31 1919256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-10-25 114904]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2013-11-2 152216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2010-2-23 91520]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2014-4-3 315008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-1-23 228408]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-8-4 361808]
S4 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-4 1245064]
.
=============== Created Last 30 ================
.
2014-10-29 19:20:46 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{264646bc-d302-476d-99d2-b71320ccd349}\mpengine.dll
2014-10-29 19:16:24 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-10-25 00:47:18 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-25 00:46:32 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-25 00:46:31 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-10-22 22:03:52 908840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{20e1d2a5-9e46-47d7-a852-c4bfc25b6523}\gapaengine.dll
2014-10-22 21:59:47 -------- d-----w- c:\program files\Microsoft Security Client
2014-10-21 11:41:58 8901368 ------w- c:\programdata\microsoft\windows defender\definition updates\{0a5dcdff-b345-449d-81d9-16695e1b6f11}\mpengine.dll
2014-10-17 11:43:54 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-17 11:43:54 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-17 11:43:54 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-17 11:38:23 2054656 ----a-w- c:\windows\system32\win32k.sys
2014-10-17 11:07:20 143360 ----a-w- c:\windows\system32\drivers\fastfat.sys
2014-10-17 11:00:55 66560 ----a-w- c:\windows\system32\packager.dll
.
==================== Find3M  ====================
.
2014-10-22 21:22:16 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 21:22:16 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-02 15:53:02 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-10-01 10:11:14 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-01 10:11:10 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-09-19 22:44:32 1810432 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 22:38:15 1129472 ----a-w- c:\windows\system32\wininet.dll
2014-09-19 22:37:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-19 22:36:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 22:35:46 421376 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 22:34:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 22:34:22 11776 ----a-w- c:\windows\system32\mshta.exe
2014-09-09 06:24:46 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:03:46 297984 ----a-w- c:\windows\system32\gdi32.dll
.
============= FINISH: 20:12:59.78 ===============

 

 

 

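The symptom described in posts #1 and #3 (a black screen after logon until explorer.exe is started by hand from Task Manager) is what you see when the chain Windows uses to start the shell has been tampered with, or was left broken when an infection was cleaned. The script below is an added example for readers of this thread; it is not code posted by anyone in it or by BleepingComputer, and the function names Get-RunTarget and Test-LogonShellChain are its own. It assumes PowerShell 2.0 or later (installable on Vista) running in an elevated prompt, and it only reads and reports; it changes nothing. It checks the machine-wide Winlogon Shell and Userinit values, a per-user Shell override, an Image File Execution Options "Debugger" redirect for explorer.exe, and the Run keys whose entries DDS shows as `<no file>` and FRST as `[X]`.

```powershell
# Added example for this thread, not code posted by any participant.
# Reports (does not modify) the registry values that decide whether
# explorer.exe starts at logon. Assumes PowerShell 2.0+ in an elevated prompt.

function Get-RunTarget([string]$CommandLine) {
    # Executable named by a Run-key command line: the quoted first token, or the
    # shortest prefix ending in ".exe" (-match is case-insensitive in PowerShell).
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    elseif ($CommandLine -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
    else { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Bare names such as "rundll32.exe" are resolved from System32 at logon.
    if ($exe -notmatch '[\\/]') { $exe = Join-Path "$env:SystemRoot\System32" $exe }
    return $exe
}

function Test-LogonShellChain {
    $findings = @()
    $winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # 1. Machine-wide Shell and Userinit. Defaults on Vista through Windows 10:
    #    Shell = "explorer.exe", Userinit = "<SystemRoot>\system32\userinit.exe," (trailing comma).
    $expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
    $hklm = Get-ItemProperty -Path "HKLM:\$winlogon" -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = $hklm.$name
        if ($null -eq $actual -or $actual -eq '') {
            $findings += "MISSING   HKLM\$winlogon\$name (expected '$($expected[$name])')"
        } elseif ($actual -ne $expected[$name]) {   # -ne compares case-insensitively
            $findings += "MODIFIED  HKLM\$winlogon\$name = '$actual' (expected '$($expected[$name])')"
        }
    }

    # 2. A per-user Shell value overrides the machine-wide one for that account only.
    #    It normally does not exist; malware sets it to swap the shell for one user.
    $userShell = (Get-ItemProperty -Path "HKCU:\$winlogon" -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($userShell) { $findings += "PER-USER  HKCU\$winlogon\Shell = '$userShell'" }

    # 3. An Image File Execution Options "Debugger" value makes Windows start that
    #    program instead of explorer.exe every time explorer.exe is launched.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) { $findings += "IFEO      explorer.exe Debugger = '$debugger'" }

    # 4. Run entries that are empty or whose target file is gone. DDS prints these as
    #    "[(default)] <no file>", FRST as "[] => [X]": leftovers of a cleanup, but list them.
    foreach ($hive in 'HKLM', 'HKCU') {
        $runKey = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata (PSPath, PSDrive, ...)
            $target = Get-RunTarget ([string]$p.Value)
            if (-not $target) { $findings += "EMPTY RUN $runKey\[$($p.Name)] = '$($p.Value)'" }
            elseif (-not (Test-Path -LiteralPath $target)) { $findings += "NO FILE   $runKey\[$($p.Name)] -> $target" }
        }
    }
    return $findings
}

$result = @(Test-LogonShellChain)
if ($result.Count -eq 0) { 'Logon shell chain and Run keys look intact.' } else { $result }
```

On a clean machine the script prints the single "intact" line. On the machine in this thread the Run-key section should report the empty HKLM entries that DDS lists as `mRun: [(default)] <no file>` and FRST as `HKLM\...\Run: [] => [X]`; those are harmless. A MISSING or MODIFIED Shell, a PER-USER Shell, or an IFEO Debugger finding would explain the black screen directly: the fix is to restore Shell to `explorer.exe` and delete the override or Debugger value, after the file the value pointed at has been submitted to the helper for analysis.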



#4 xXToffeeXx (Bleepin' Polar Bear)

  • Malware Response Instructor
  • 6,078 posts
  • Location:The Arctic Circle

Posted 30 October 2014 - 07:31 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi frab49,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~




#5 frab49 (Topic Starter)

  • Members
  • 49 posts

Posted 30 October 2014 - 01:22 PM

Hi Toffee, Thank you for your assistance.

 

FRST logs below. Note that it did seem to pause and showed as (Not Responding) for about 20 seconds, but then started running again.

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2014
Ran by Teddy (administrator) on TEDDY-PC on 30-10-2014 18:17:11
Running from C:\Users\Teddy\Desktop
Loaded Profiles: Teddy & UpdatusUser (Available profiles: Teddy & UpdatusUser)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\WINDOWS\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\WINDOWS\System32\nvvsvc.exe
(Microsoft Corporation) C:\WINDOWS\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\unsecapp.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [(default)] => [X]
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Run: [] => [X]
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\MountPoints2: {0a353456-9818-11df-8a63-001f164aab58} - G:\KODAK_Software_Downloader.exe
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2926592 2009-04-10] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1609144255-1374065977-2133016267-1003\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-1609144255-1374065977-2133016267-1003\...\Run: [HPADVISOR] => [X]

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=EIE9HP&PC=UP68
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP68
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
URLSearchHook: HKCU - (No Name) - {ecce0073-a837-45a2-95b9-600420505f7e} -  No File
SearchScopes: HKCU - DefaultScope {188ED644-C3B2-490B-A127-FA4A189622F5} URL = https://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20140621&p={SearchTerms}
SearchScopes: HKCU - {188ED644-C3B2-490B-A127-FA4A189622F5} URL = https://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20140621&p={SearchTerms}
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM - No Name - !{2318C2B1-4965-11d4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {ECCE0073-A837-45A2-95B9-600420505F7E} -  No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-gb.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-23]
FF HKLM\...\Firefox\Extensions: [{8BA61AA3-31A7-4D4F-A476-A7BA9570C327}] - C:\Users\Teddy\AppData\Local\{8BA61AA3-31A7-4D4F-A476-A7BA9570C327}
FF Extension: XULRunner - C:\Users\Teddy\AppData\Local\{8BA61AA3-31A7-4D4F-A476-A7BA9570C327} [2011-02-28]
FF HKLM\...\Firefox\Extensions: [{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
FF Extension: Firefox Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension [2011-04-14]
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\SiteAdvisor
FF HKLM\...\Thunderbird\Extensions: [{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension
FF Extension: Thunderbird Address Book Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension [2011-04-14]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx []

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [129992 2008-02-03] (EasyBits Sofware AS) [File not signed]
S4 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-04-15] (Hewlett-Packard) [File not signed]
S4 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-11-20] (Hewlett-Packard Company) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 RapportMgmtService; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [1919256 2014-07-31] (IBM Corp.)
S4 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-04-26] ()
S4 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-01-09] ()
S4 ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [632832 2011-03-21] (Nokia) [File not signed]
S4 Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [1245064 2008-08-04] ()
S4 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-09-28] (Ulead Systems, Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 emAudio; C:\Windows\System32\drivers\emAudio.sys [24576 2008-04-03] (eMPIA Technology, Inc.)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-10-30] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R1 MpKsl49a07f55; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{264646BC-D302-476D-99D2-B71320CCD349}\MpKsl49a07f55.sys [39464 2014-10-30] (Microsoft Corporation)
S2 PPSCAN; C:\Windows\system32\Drivers\PPSCAN.sys [91520 2002-03-29] (Hewlett-Packard Co.) [File not signed]
R1 RapportCerberus_80049; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_80049.sys [433240 2014-09-01] ()
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [251928 2014-07-31] (IBM Corp.)
R3 RapportIaso; c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [152216 2014-09-01] (IBM Corp.)
R0 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [206520 2014-07-31] (IBM Corp.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [332792 2014-07-31] (IBM Corp.)
S3 Ser2pl; C:\Windows\System32\DRIVERS\ser2pl.sys [48640 2009-02-27] (Prolific Technology Inc.) [File not signed]
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA.sys [361728 2007-01-29] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM.sys [39680 2007-01-29] (eMPIA Technology, Inc.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-30 18:17 - 2014-10-30 18:18 - 00012032 _____ () C:\Users\Teddy\Desktop\FRST.txt
2014-10-30 18:17 - 2014-10-30 18:17 - 00000000 ____D () C:\FRST
2014-10-30 18:16 - 2014-10-30 18:16 - 01105408 _____ (Farbar) C:\Users\Teddy\Desktop\FRST.exe
2014-10-30 01:03 - 2014-10-30 01:03 - 00000000 ___HD () C:\Windows\PIF
2014-10-26 13:11 - 2014-10-24 10:52 - 00176552 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-10-26 13:11 - 2014-10-24 10:52 - 00176552 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-10-25 00:52 - 2014-10-25 00:52 - 00000080 _____ () C:\Users\Teddy\AppData\Roaming\mbam.context.scan
2014-10-25 00:47 - 2014-10-30 00:26 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-25 00:47 - 2014-10-25 00:49 - 00000859 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-25 00:47 - 2014-10-25 00:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-25 00:46 - 2014-10-25 00:49 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-25 00:46 - 2014-10-01 10:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-23 22:39 - 2014-10-23 22:39 - 00000021 _____ () C:\Users\Teddy\Desktop\bleep.txt
2014-10-22 23:15 - 2014-10-22 23:15 - 00001503 _____ () C:\Users\Teddy\Desktop\AdwCleaner[S3].txt
2014-10-22 22:24 - 2014-10-22 22:27 - 03480040 _____ (McAfee, Inc.) C:\Users\Teddy\Desktop\MCPR.exe
2014-10-22 22:00 - 2014-10-22 22:00 - 00001786 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2014-10-22 21:59 - 2014-10-22 22:00 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-10-22 21:36 - 2014-10-24 10:52 - 00272296 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-10-19 13:55 - 2014-10-30 17:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cfeba45b31701a.job
2014-10-17 11:43 - 2014-06-15 22:18 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-17 11:43 - 2014-06-13 18:22 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-17 11:43 - 2014-06-13 18:22 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-17 11:38 - 2014-09-27 23:29 - 02054656 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-17 11:07 - 2014-09-04 23:27 - 00143360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fastfat.sys
2014-10-17 11:00 - 2014-09-16 16:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-16 20:16 - 2014-09-19 22:53 - 12364288 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-16 20:16 - 2014-09-19 22:44 - 01810432 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-16 20:16 - 2014-09-19 22:41 - 09739776 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-16 20:16 - 2014-09-19 22:39 - 01138688 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-16 20:16 - 2014-09-19 22:38 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-16 20:16 - 2014-09-19 22:37 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-16 20:16 - 2014-09-19 22:36 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-10-16 20:16 - 2014-09-19 22:36 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-16 20:16 - 2014-09-19 22:36 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-16 20:16 - 2014-09-19 22:35 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-16 20:16 - 2014-09-19 22:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-10-16 20:16 - 2014-09-19 22:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-16 20:16 - 2014-09-19 22:35 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-16 20:16 - 2014-09-19 22:35 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-10-16 20:16 - 2014-09-19 22:34 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-16 20:16 - 2014-09-19 22:34 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-16 20:16 - 2014-09-19 22:34 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-16 20:16 - 2014-09-19 22:34 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-16 20:16 - 2014-09-19 22:34 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-10-16 20:16 - 2014-09-19 22:34 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-10-16 20:16 - 2014-09-19 22:33 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-30 18:16 - 2006-11-02 10:33 - 00773446 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-30 18:14 - 2011-02-19 19:16 - 01899589 _____ () C:\Windows\WindowsUpdate.log
2014-10-30 18:09 - 2014-06-21 22:48 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf8da2e83af3b1.job
2014-10-30 18:08 - 2006-11-02 13:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-30 18:08 - 2006-11-02 12:47 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-30 18:08 - 2006-11-02 12:47 - 00003344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-30 17:27 - 2006-11-02 13:01 - 00032554 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-30 17:22 - 2013-12-10 17:17 - 00000928 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1609144255-1374065977-2133016267-1000UA1cef5cbb4414fa9.job
2014-10-30 17:22 - 2013-07-01 14:38 - 00000906 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1609144255-1374065977-2133016267-1000Core.job
2014-10-30 17:01 - 2012-04-09 20:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-30 17:00 - 2014-06-21 22:48 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf8da2edd3ef71.job
2014-10-30 00:22 - 2010-08-11 21:08 - 00000000 ____D () C:\Users\Teddy\Documents\MyHeritage
2014-10-28 23:50 - 2010-01-20 22:02 - 00000000 ____D () C:\Users\Teddy
2014-10-28 23:28 - 2014-04-05 20:38 - 00020992 _____ () C:\Users\Teddy\Cassar Ancestry 05.04.2014.xls
2014-10-28 11:41 - 2010-02-17 00:01 - 00002569 _____ () C:\Users\Teddy\Desktop\Microsoft Office Word 2003.lnk
2014-10-26 13:11 - 2008-08-04 18:16 - 00000000 ____D () C:\Program Files\Java
2014-10-26 12:04 - 2010-05-16 10:31 - 00000000 ____D () C:\Users\Teddy\AppData\Roaming\Skype
2014-10-25 01:26 - 2012-05-06 23:24 - 00203734 _____ () C:\Windows\PFRO.log
2014-10-25 00:47 - 2011-02-28 22:17 - 00000000 ____D () C:\Users\Teddy\AppData\Roaming\Malwarebytes
2014-10-25 00:46 - 2011-02-28 22:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-24 19:19 - 2010-05-16 10:29 - 00000000 ____D () C:\ProgramData\Skype
2014-10-24 19:18 - 2014-09-05 10:01 - 00002487 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-10-24 19:18 - 2014-09-05 10:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-10-24 19:18 - 2013-01-26 16:50 - 00000000 ___RD () C:\Program Files\Skype
2014-10-24 10:54 - 2014-09-12 11:37 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-22 22:54 - 2013-10-16 11:29 - 00000000 ____D () C:\AdwCleaner
2014-10-22 22:04 - 2011-02-23 00:02 - 00001945 _____ () C:\Windows\epplauncher.mif
2014-10-22 21:23 - 2010-02-17 00:49 - 00000000 ____D () C:\Users\Teddy\AppData\Local\Adobe
2014-10-22 21:22 - 2012-04-09 20:30 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-22 21:22 - 2011-06-21 07:09 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-22 20:31 - 2012-05-07 00:58 - 00121238 _____ () C:\Windows\setupact.log
2014-10-21 15:00 - 2010-05-09 18:25 - 00000021 _____ () C:\ProgramData\hpqp.txt
2014-10-17 19:00 - 2006-11-02 11:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-17 16:03 - 2006-11-02 12:47 - 00442832 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-17 11:37 - 2013-07-12 10:46 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-17 11:07 - 2006-11-02 10:24 - 100290944 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-10-02 15:53 - 2010-01-24 15:49 - 00231568 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-01 10:11 - 2013-11-02 11:27 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-01 10:11 - 2012-01-02 23:26 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

Some content of TEMP:
====================
C:\Users\Teddy\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Teddy\AppData\Local\Temp\Quarantine.exe
C:\Users\Teddy\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-30 18:14

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 30-10-2014
Ran by Teddy at 2014-10-30 18:19:06
Running from C:\Users\Teddy\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Adobe Shockwave Player (HKLM\...\{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}) (Version: 10.2.0.023 - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{553255F3-78FD-40F1-A6F8-6882140265FE}) (Version: 1.2.1 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Driver Installation Program (HKLM\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 5.2 - Atheros)
Broadcom 802.11 Wireless LAN Adapter (HKLM\...\Broadcom 802.11 Wireless LAN Adapter) (Version: 5.60.18.12 - Broadcom Corporation)
Broadcom 802.11 Wireless LAN Adapter (HKLM\...\Broadcom 802.11b Network Adapter) (Version: 5.10.79.5 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.09 - Piriform)
Cisco EAP-FAST Module (HKLM\...\{415B2719-AD3A-4944-B404-C472DB6085B3}) (Version: 2.1.6 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM\...\{83770D14-21B9-44B3-8689-F7B523F94560}) (Version: 1.0.12 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM\...\{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}) (Version: 1.0.13 - Cisco Systems, Inc.)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.58.1.0 - Conexant)
CyberLink DVD Suite (HKLM\...\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 5.5.1519 - CyberLink Corp.)
CyberLink YouCam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 2.0.2519 - CyberLink Corp.)
ESU for Microsoft Vista (HKLM\...\{3877C901-7B90-4727-A639-B6ED2DD59D43}) (Version: 1.0.0 - Hewlett-Packard)
Google Earth Plug-in (HKLM\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
HDAUDIO Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_HDAUDIO_HERMOSA_HSF) (Version:  - )
Hewlett-Packard Active Check for Health Check (Version: 1.1.15.2 - Hewlett-Packard) Hidden
Hewlett-Packard Asset Agent for Health Check (Version: 2.0.63.2 - HP) Hidden
HP Active Support Library (Version: 3.1.4.1 - Hewlett-Packard) Hidden
HP Advisor (HKLM\...\{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}) (Version: 3.3.12286.3436 - Hewlett-Packard)
HP Deskjet 2050 J510 series Basic Device Software (HKLM\...\{90BBACD9-526F-4AD5-8B92-80BB5F5E1A6D}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 2050 J510 series Help (HKLM\...\{7A3DF2E2-CF13-44FB-A93E-F71D5381DB3F}) (Version: 140.0.61.61 - Hewlett Packard)
HP Deskjet 2050 J510 series Product Improvement Study (HKLM\...\{B97BD710-382C-453D-B23C-C0663C6EDFA2}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Doc Viewer (HKLM\...\{082702D5-5DD8-4600-BCE5-48B15174687F}) (Version: 1.01.0005 - Hewlett-Packard)
HP DVD Play 3.7 (HKLM\...\{45D707E9-F3C4-11D9-A373-0050BAE317E1}) (Version: 3.7.2.6908 - Hewlett-Packard)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.3341 - HP Photo Creations Powered by RocketLife)
HP Quick Launch Buttons (HKLM\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.12.1 - Hewlett-Packard)
HP Update (HKLM\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HP User Guides 0118 (HKLM\...\{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}) (Version: 1.00.0000 - Hewlett-Packard)
HP Wireless Assistant (HKLM\...\{1061DF04-CF33-40B0-8360-D07C9BBEB122}) (Version: 3.50.10.1 - Hewlett-Packard)
HPNetworkAssistant (Version: 1.1.70 - Hewlett-Packard.) Hidden
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
LightScribe System Software (HKLM\...\{7EACD74C-147F-478C-9389-F9F52EE3C88A}) (Version: 1.18.10.2 - LightScribe)
LiveUpdate (Symantec Corporation) (HKLM\...\PsuedoLiveUpdate) (Version: 3.4.1.232 - Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Online Backup (Version:  - McAfee, Inc.) Hidden
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 2 (SP2) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95140000-0081-0409-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (HKLM\...\{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}) (Version: 9.0.21022.218 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
MSVC80_x86 (Version: 1.0.1.0 - Nokia) Hidden
MSVC80_x86_v2 (Version: 1.0.3.0 - Nokia) Hidden
MSVC90_x86 (Version: 1.0.1.2 - Nokia) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
MyHeritage Family Tree Builder (HKLM\...\Family Tree Builder) (Version: 7.0.0.7128 - MyHeritage.com)
Nokia Connectivity Cable Driver (HKLM\...\{2D99A593-C841-43A7-B7C9-D6F3AE70B756}) (Version: 7.1.45.0 - Nokia)
Nokia Ovi Suite (HKLM\...\Nokia Ovi Suite) (Version: 3.0.0.290 - Nokia)
Nokia Ovi Suite (Version: 3.0.0.290 - Nokia) Hidden
Nokia Ovi Suite Software Updater (HKLM\...\{3553E875-F00E-4031-BDEC-75FB1DFEB093}) (Version: 02.06.006.44298 - Nokia Corporation)
Nokia PC Suite (HKLM\...\Nokia PC Suite) (Version: 7.1.51.0 - Nokia)
Nokia PC Suite (Version: 7.1.51.0 - Nokia) Hidden
Nokia Software Updater (HKLM\...\{889D48DA-457F-4C8B-9095-6458F2793B12}) (Version: 3.0.605 - Nokia Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.9 - NVIDIA Corporation)
NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.18.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.18.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Ovi Desktop Sync Engine (Version: 1.5.161.0 - Nokia) Hidden
OviMPlatform (Version: 2.7.44.2 - Nokia) Hidden
PC Connectivity Solution (HKLM\...\{4B28C077-9958-45F1-8BB4-CBF90A69AD4E}) (Version: 11.4.15.0 - Nokia)
PL-2303 Vista Driver Installer (HKLM\...\{EEC010D0-1252-4E1D-BAD9-F1B8F414535C}) (Version: 3.0.1.0 - Prolific)
Power2Go (HKLM\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.3919 - CyberLink Corp.)
PowerDirector (HKLM\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 6.5.2719 - CyberLink Corp.)
PowerDirector (Version: 6.5.2719 - CyberLink Corp.) Hidden
PVSonyDll (Version: 1.00.0001 - NVIDIA Corporation) Hidden
QLBCASL (Version: 6.40.17.2 - Hewlett-Packard) Hidden
QuickTime 7 (HKLM\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Rapport (Version: 3.5.1403.67 - Trusteer) Hidden
Shared C Run-time for x86 (Version: 10.0.0 - McAfee) Hidden
Skype™ 6.20 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
Sp5 (Version: 5.1.4324.0 - Microsoft) Hidden
Sp5Intl (Version: 5.1.4324.0 - Microsoft) Hidden
Sp5TTInt (Version: 5.1.4324.0 - Microsoft) Hidden
SpCommon (Version: 5.1.4324.0 - Microsoft) Hidden
SpPhones (Version: 6.0.3122.0 - Microsoft) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.1.3.0 - Synaptics)
Trusteer Endpoint Protection (HKLM\...\Rapport_msi) (Version: 3.5.1403.67 - Trusteer)
Ulead VideoStudio SE DVD (HKLM\...\{8F8D9297-FDD2-405A-97E7-E52C7B2F97B3}) (Version: 10.0 - Ulead Systems)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
USB TV Device Driver (HKLM\...\InstallShield_{BCC5DC79-2275-4171-8CEA-39F0DD9ADF58}) (Version: 1.00.0000 - EETI)
USB TV Device Driver (Version: 1.00.0000 - EETI) Hidden
Windows Driver Package - Nokia Modem  (06/09/2010 4.5) (HKLM\...\34EA302E7F4CBD17A19E33BBCB72363234956D7E) (Version: 06/09/2010 4.5 - Nokia)
Windows Driver Package - Nokia Modem  (06/09/2010 7.01.0.7) (HKLM\...\EEEE705096F837B7907659F100C9FE6DA001970F) (Version: 06/09/2010 7.01.0.7 - Nokia)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0) (HKLM\...\504244733D18C8F63FF584AEB290E3904E791693) (Version: 08/22/2008 7.0.0.0 - Nokia)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
12-10-2014 10:31:36 Scheduled Checkpoint
14-10-2014 09:56:16 Windows Update
17-10-2014 10:17:40 Windows Update
17-10-2014 11:00:13 Windows Update
19-10-2014 14:01:25 Scheduled Checkpoint
20-10-2014 09:14:35 Scheduled Checkpoint
20-10-2014 22:04:01 Scheduled Checkpoint
21-10-2014 11:37:48 Windows Update
22-10-2014 21:30:36 Installed Java 7 Update 71
23-10-2014 21:33:11 Scheduled Checkpoint
24-10-2014 19:09:26 Installed Kaspersky Security Scan.
25-10-2014 01:20:44 First Restore Point
25-10-2014 02:04:47 Windows Update
25-10-2014 20:27:08 Scheduled Checkpoint
26-10-2014 13:09:20 Removed Java 7 Update 71
26-10-2014 13:14:50 Removed Java 8 Update 25
26-10-2014 13:31:44 Windows Backup
27-10-2014 12:34:21 Scheduled Checkpoint
28-10-2014 22:57:43 Windows Update
30-10-2014 00:58:46 Windows Backup
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 10:23 - 2013-12-25 23:27 - 00450597 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
There are 1000 more lines.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0867FF73-671E-49FD-A73E-AA9E6074A991} - System32\Tasks\GoogleUpdateTaskMachineUA1cfeba45b31701a => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {0B5B9149-6A20-414A-984D-D266A56B5597} - System32\Tasks\{7D64C24F-64D4-4F2B-BCD7-B8413A33E31A} => Iexplore.exe http://ui.skype.com/ui/0/5.8.0.158/en/abandoninstall?page=tsMain
Task: {183C3112-1FC5-42D6-BCC6-6E32AFAD8068} - System32\Tasks\{D611CC61-89BB-4125-AF14-C76F697999ED} => Iexplore.exe http://www.skype.com/go/downloading?source=lightinstaller&amp;ver=5.5.0.119.259&amp;LastError=12029
Task: {18A492D1-5DC6-4A5B-AC02-5CD3F9B819CF} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\netsh.exe [2006-11-02] (Microsoft Corporation)
Task: {1ADE6B2D-AECF-439D-A5C6-87D8F2FC2F41} - System32\Tasks\{DA12D694-DEAB-42E1-B6D5-FCEC9AA93E5A} => Iexplore.exe http://ui.skype.com/ui/0/5.1.0.112/en/abandoninstall?page=tsDownload&amp;installinfo=google-toolbar:notoffered;toolbarpresent,google-chrome:notoffered;alreadyoffered
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {240491BE-EB7C-4217-ADE7-9B8D4A4143D5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-12-17] (Piriform Ltd)
Task: {27CC4B5B-3704-4BF9-9F27-A1D88BFDE51F} - System32\Tasks\{AF94ADF4-D470-4FF7-964A-A9744F3BE3CF} => Iexplore.exe http://ui.skype.com/ui/0/5.1.0.112/en/abandoninstall?page=tsMain&amp;installinfo=google-toolbar:notoffered;toolbarpresent,google-chrome:offered-installed;madedefault
Task: {320124A7-D70F-41DE-A9D1-D5E8E19D5D91} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {37224802-D82F-47DB-BD60-4630B7DF533F} - System32\Tasks\Registration => C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe [2008-04-15] ()
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {3CAB2910-6EC1-472E-889A-9CD231076A25} - System32\Tasks\Microsoft\Windows\WindowsCalendar\Reminders - Teddy => C:\Program Files\Windows Calendar\wincal.exe [2009-04-10] (Microsoft Corporation)
Task: {3DE4A2B8-1E17-4A44-94B8-B59E4B2D60C4} - System32\Tasks\{79C514A8-B387-4B6B-9C3D-459A401AADB8} => Iexplore.exe http://ui.skype.com/ui/0/5.5.0.114/en/abandoninstall?page=tsChrome&amp;installinfo=google-toolbar:notoffered;toolbarpresent,google-chrome:offered-installed;madedefault
Task: {427A3004-75F9-4DDD-B2E2-01266A1F0DBF} - System32\Tasks\{FFEBF11A-A9E5-47F1-A73B-59090562AA2A} => Iexplore.exe http://www.skype.com/go/downloading?source=lightinstaller&amp;ver=6.11.0.102&amp;LastError=12002
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-21] (Microsoft Corporation)
Task: {48675EB8-A2AE-4B6B-8AAB-15D7281E136E} - System32\Tasks\{325EA399-E76C-402C-A87B-C299B724E0B9} => Iexplore.exe http://ui.skype.com/ui/0/5.8.0.158/en/abandoninstall?page=tsMain
Task: {61B964AF-1B60-4362-BA8B-C7DE204E427A} - System32\Tasks\{6570A546-0F48-4B69-A285-DA8187F4F8F7} => Iexplore.exe http://www.skype.com/go/downloading?source=lightinstaller&amp;ver=6.11.0.102&amp;LastError=12002
Task: {6E218A51-06FE-44B0-BE27-5C7549BDB620} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {75F13278-6AB8-43D6-9F7C-9F00B7DA4415} - System32\Tasks\GoogleUpdateTaskMachineUA1cf8da2edd3ef71 => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {7B104B5D-711D-425F-9D95-3AE3152697D2} - System32\Tasks\ExtendedServicePlan => C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe [2008-04-15] ()
Task: {8B622CC6-FE45-48B8-AC6D-EC92B5D7D120} - System32\Tasks\{116797D2-15C6-445E-9998-549A72D499A4} => C:\Program Files\Skype\Phone\Skype.exe [2014-08-27] (Skype Technologies S.A.)
Task: {980A401E-FEAF-4DC7-B280-C23998C1EA73} - System32\Tasks\Toolbox.exe_{A11E1C36-F374-4C4C-8AB7-6B2C950BA71F} => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\Toolbox.exe [2012-10-02] (Hewlett-Packard Co.)
Task: {99BBAE03-ACBF-48F3-87A7-4214DDFEC38B} - System32\Tasks\ServicePlan => C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe [2008-04-15] ()
Task: {9FF463D8-2A6B-4337-9D2F-ADA144BC9EDF} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {A45C0D38-5729-49C3-BBA5-DD6E85CDFDF4} - System32\Tasks\HP Health Check => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-04-15] (Hewlett-Packard)
Task: {AB5A0CE5-DAB6-414C-B626-CAC457F24AA7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-22] (Adobe Systems Incorporated)
Task: {ACAC0298-E667-45A1-9D62-098721A34B4F} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1609144255-1374065977-2133016267-1000UA1cef5cbb4414fa9 => C:\Users\Teddy\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {ADDE6683-8642-4A2D-BB65-B1D388981303} - System32\Tasks\HPCustPartic.exe_{4B6FC31D-5A5E-4CC2-AFD8-45FBC9449778} => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2012-10-02] (Hewlett-Packard Co.)
Task: {AF245759-6704-4E82-8BD4-C42C06C25DDE} - System32\Tasks\HPCustParticipation HP Deskjet 2050 J510 series => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\HPCustPartic.exe [2012-10-02] (Hewlett-Packard Co.)
Task: {B1A9CD5A-5889-428A-8047-77DA73CBE6A0} - System32\Tasks\Microsoft\Windows\MemDiag => C:\Windows\system32\mdres.exe [2006-11-02] (Microsoft Corporation)
Task: {B296B5C1-F01E-48A2-8BAD-FCCC9498B437} - System32\Tasks\{CAE99A96-76AC-4961-B0DA-A98A5F78F358} => Iexplore.exe http://www.skype.com/go/downloading?source=lightinstaller&amp;ver=5.5.59.119&amp;LastError=12029
Task: {B647FED6-FC5D-43EB-BBFA-BF4BF94D9D98} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1609144255-1374065977-2133016267-1000Core => C:\Users\Teddy\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {B6830CDC-1EEC-45E7-B6BA-370C9099397C} - System32\Tasks\GoogleUpdateTaskMachineCore1cf8da2e83af3b1 => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {BCAE9A2C-5F0C-48D3-9982-E308C5B2A709} - System32\Tasks\HP Deskjet 2050 J510 series.exe_{0479973C-74B6-4AA4-B1A9-14E1D8304310} => C:\Program Files\HP\HP Deskjet 2050 J510 series\Bin\HP Deskjet 2050 J510 series.exe [2012-10-02] (Hewlett-Packard Co.)
Task: {BEB756B5-8DB7-47AB-ABBF-3778A1CD414A} - System32\Tasks\RecoveryCD => C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe [2008-04-15] ()
Task: {D7892C59-1CEE-405A-96E7-81A717689384} - System32\Tasks\{2B28665A-2B17-40B0-A0A6-42372C0E5288} => C:\Program Files\Skype\Phone\Skype.exe [2014-08-27] (Skype Technologies S.A.)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-21] ()
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1609144255-1374065977-2133016267-1000Core.job => C:\Users\Teddy\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1609144255-1374065977-2133016267-1000UA1cef5cbb4414fa9.job => C:\Users\Teddy\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf8da2e83af3b1.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf8da2edd3ef71.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cfeba45b31701a.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2010-01-23 21:16 - 2009-09-08 14:18 - 00066856 _____ () C:\Program Files\HP\QuickPlay\Kernel\Common\MCEMediaStatus.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: Com4QLBEx => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: hpqwmiex => 3
MSCONFIG\Services: LightScribeService => 2
MSCONFIG\Services: nvsvc => 2
MSCONFIG\Services: RapportMgmtService => 2
MSCONFIG\Services: RichVideo => 2
MSCONFIG\Services: SBSDWSCService => 2
MSCONFIG\Services: ServiceLayer => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: UleadBurningHelper => 2
MSCONFIG\Services: XAudioService => 2
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ArcSoft Connection Service => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
MSCONFIG\startupreg: Facebook Update => "C:\Users\Teddy\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
MSCONFIG\startupreg: Family Tree Builder Update => C:\MyHeritage\Bin\FTBCheckUpdates.exe
MSCONFIG\startupreg: HP Health Check Scheduler => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: McAfeeWrapperApplication => "C:\Program Files\McAfeeMOBK\WrapperTrayIcon.exe"
MSCONFIG\startupreg: mcui_exe => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
MSCONFIG\startupreg: NokiaMServer => C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
MSCONFIG\startupreg: NSU_agent => "C:\Program Files\Nokia\Nokia Software Updater\nsu3ui_agent.exe"
MSCONFIG\startupreg: NvCplDaemon => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
MSCONFIG\startupreg: QPService => "C:\Program Files\HP\QuickPlay\QPService.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Skype => "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SynTPEnh => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
MSCONFIG\startupreg: UCam_Menu => "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
MSCONFIG\startupreg: UVS10 Preload => C:\Program Files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe
MSCONFIG\startupreg: WirelessAssistant => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-1609144255-1374065977-2133016267-500 - Administrator - Disabled)
Guest (S-1-5-21-1609144255-1374065977-2133016267-501 - Limited - Enabled)
Teddy (S-1-5-21-1609144255-1374065977-2133016267-1000 - Administrator - Enabled) => C:\Users\Teddy
UpdatusUser (S-1-5-21-1609144255-1374065977-2133016267-1003 - Limited - Enabled) => C:\Users\UpdatusUser
 
==================== Faulty Device Manager Devices =============
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Tun Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunmp
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Tun Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunmp
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/30/2014 06:08:54 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/30/2014 04:47:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16584, time stamp 0x541caffd, faulting module nvwgf2um.dll, version 9.18.13.783, time stamp 0x510a1f81, exception code 0xc0000005, fault offset 0x000fec21,
process id 0x3de8, application start time 0xiexplore.exe0.
 
Error: (10/30/2014 01:47:12 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16584, time stamp 0x541caffd, faulting module nvwgf2um.dll, version 9.18.13.783, time stamp 0x510a1f81, exception code 0xc0000005, fault offset 0x00101a6f,
process id 0xc, application start time 0xiexplore.exe0.
 
Error: (10/30/2014 10:41:40 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/30/2014 00:02:55 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\TEDDY\DOCUMENTS\MYHERITAGE\CASSAR Z\SYNC\SYNCLOG.HTM> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (10/30/2014 00:02:55 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\TEDDY\DOCUMENTS\MYHERITAGE\CASSAR Z\SYNC\SYNCLOG.HTM> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (10/29/2014 10:51:50 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\TEDDY\DOCUMENTS\MYHERITAGE\CASSAR Z\SYNC\SYNCLOG.HTM.TSZ> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (10/29/2014 10:51:50 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\TEDDY\DOCUMENTS\MYHERITAGE\CASSAR Z\SYNC\SYNCLOG.HTM> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (10/29/2014 10:51:50 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\TEDDY\DOCUMENTS\MYHERITAGE\CASSAR Z\SYNC\SYNCLOG.HTM> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
Error: (10/29/2014 10:49:20 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\USERS\TEDDY\DOCUMENTS\MYHERITAGE\CASSAR Z\SYNC\SYNCLOG.HTM> in the hash map cannot be updated.
 
Context:  Application, SystemIndex Catalog
 
 
Details:
A device attached to the system is not functioning.   (0x8007001f)
 
 
System errors:
=============
Error: (10/30/2014 06:13:08 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {28778B62-8481-400D-8E8A-A4C81ED3F65C}
 
Error: (10/30/2014 06:12:13 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.2 for the Network Card with network address 00234DD7F083 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
 
Error: (10/30/2014 06:08:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058
 
Error: (10/30/2014 06:08:51 PM) (Source: Print) (EventID: 19) (User: NT AUTHORITY)
Description: The print spooler failed to share printer Send To OneNote 2007 with shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used by others on the network.
 
Error: (10/30/2014 03:02:35 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}
 
Error: (10/30/2014 10:46:56 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {28778B62-8481-400D-8E8A-A4C81ED3F65C}
 
Error: (10/30/2014 10:46:02 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.2 for the Network Card with network address 00234DD7F083 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
 
Error: (10/30/2014 10:41:41 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058
 
Error: (10/29/2014 09:29:01 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {6295DF2D-35EE-11D1-8707-00C04FD93327}
 
Error: (10/29/2014 07:35:20 PM) (Source: Schannel) (EventID: 4106) (User: )
Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-10-30 18:18:54.169
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:53.374
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:52.547
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:51.720
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:50.675
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:49.864
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:49.068
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:48.241
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:18.336
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-30 18:18:17.478
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\RapportKELL.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: AMD Athlon Dual-Core QL-60
Percentage of memory in use: 45%
Total physical RAM: 2813.69 MB
Available physical RAM: 1545.59 MB
Total Pagefile: 5861.8 MB
Available Pagefile: 4511.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1873.05 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:223.53 GB) (Free:92.49 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HP_RECOVERY) (Fixed) (Total:9.35 GB) (Free:0.01 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: AF98AF98)
Partition 1: (Active) - (Size=223.5 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=9.4 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Edited by xXToffeeXx, 30 October 2014 - 01:55 PM.


#6 xXToffeeXx

Malware Response Instructor

Posted 30 October 2014 - 02:06 PM

Hi frab49,

We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM\...\Run: [] => [X]
HKLM\...\Run: [(default)] => [X]
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Run: [] => [X]
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2926592 2009-04-10] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1609144255-1374065977-2133016267-1003\...\Run: [HPADVISOR] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
URLSearchHook: HKCU - (No Name) - {ecce0073-a837-45a2-95b9-600420505f7e} -  No File
SearchScopes: HKCU - DefaultScope {188ED644-C3B2-490B-A127-FA4A189622F5} URL = https://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20140621&p={SearchTerms}
SearchScopes: HKCU - {188ED644-C3B2-490B-A127-FA4A189622F5} URL = https://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20140621&p={SearchTerms}
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM - No Name - !{2318C2B1-4965-11d4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {ECCE0073-A837-45A2-95B9-600420505F7E} -  No File
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx []
C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
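As an added illustration (not part of xXToffeeXx's post and not FRST's own code), here is a small Python triage helper that reads log lines in the format FRST prints above and selects the same kinds of entries the fix targeted, then tallies the Fixlog outcomes. The sample log lines, SID and CLSIDs in it are constructed placeholders.

```python
"""Triage FRST log lines before writing a fixlist.

Hypothetical helper written for this thread (not part of FRST, not the
poster's code). It reads lines in the format FRST prints and selects the
entries the fix above targeted: FRST's own "<==== ATTENTION" marker, a
per-user Winlogon Shell value, empty Run values and "No File" orphans.
It then tallies the outcome lines of a Fixlog.
"""
import re
from typing import Dict, List, Optional, Tuple

ATTENTION_MARK = "<==== ATTENTION"
# Orphaned BHO/toolbar/URLSearchHook entries end with "No File".
NO_FILE_RE = re.compile(r"No File\s*$")
# "HKLM\...\Run: [] => [X]" or "[(default)] => [X]": a Run value with no
# name and no target, which FRST reports as [X].
EMPTY_RUN_RE = re.compile(r"\\Run: \[(\(default\))?\] => \[X\]\s*$")
# A Shell value under a user hive (HKU\S-1-5-21-...). The Shell value
# normally exists only under HKLM; a per-user copy overrides it at logon.
USER_SHELL_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\\.\.\.\\Winlogon: \[Shell\] (?P<path>\S+)"
)
# Fixlog outcome lines look like "<target> => <result>."
FIXLOG_RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<result>.+?)\.?$")


def classify(line: str) -> Optional[str]:
    """Return the reason a log line belongs in the fixlist, or None."""
    line = line.rstrip()
    if ATTENTION_MARK in line:
        if USER_SHELL_RE.match(line):
            # Worth removing even when it points at the real explorer.exe:
            # it is a persistence location, not a default value.
            return "per-user Winlogon Shell override"
        return "flagged by FRST"
    if EMPTY_RUN_RE.search(line):
        return "empty Run value"
    if NO_FILE_RE.search(line):
        return "orphaned CLSID (target file missing)"
    return None


def build_fixlist(log_lines: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """An FRST fixlist is made of the log lines themselves, so flagged lines
    are copied verbatim. Returns (fixlist_lines, [(line, reason), ...])."""
    fixlist: List[str] = []
    reasons: List[Tuple[str, str]] = []
    for raw in log_lines:
        line = raw.rstrip()
        reason = classify(line)
        if reason:
            fixlist.append(line)
            reasons.append((line, reason))
    return fixlist, reasons


def summarize_fixlog(fixlog_lines: List[str]) -> Dict[str, int]:
    """Count Fixlog outcomes ("value deleted successfully", "Key not found",
    ...) so a helper can see at a glance what the fix actually changed."""
    counts: Dict[str, int] = {}
    for raw in fixlog_lines:
        m = FIXLOG_RESULT_RE.match(raw.strip())
        if not m or m.group("result").startswith("["):
            continue  # "[X]" lines are fixlist content, not outcomes
        result = m.group("result").lower()
        counts[result] = counts.get(result, 0) + 1
    return counts


# Constructed sample lines in FRST's format; SID and CLSIDs are placeholders.
SAMPLE_LOG = [
    r"HKLM\...\Run: [] => [X]",
    r"HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1844520 2009-12-03] (Synaptics Incorporated)",
    r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2926592 2009-04-10] (Microsoft Corporation) <==== ATTENTION",
    r"BHO: No Name -> {00000000-0000-0000-0000-000000000001} ->  No File",
    r"Toolbar: HKCU - No Name - {00000000-0000-0000-0000-000000000002} -  No File",
    r"BHO: Example Helper -> {00000000-0000-0000-0000-000000000003} -> C:\Program Files\Example\helper.dll (Example Corp)",
]
SAMPLE_FIXLOG = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.",
    r'"HKCR\CLSID\{00000000-0000-0000-0000-000000000001}" => Key not found.',
    r'"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}" => Key deleted successfully.',
]

if __name__ == "__main__":
    fixlist, why = build_fixlist(SAMPLE_LOG)
    for line, reason in why:
        print(f"{reason:40s} {line}")
    print("fixlist.txt would contain", len(fixlist), "lines")
    print(summarize_fixlog(SAMPLE_FIXLOG))
```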


#7 frab49

Topic Starter

Posted 30 October 2014 - 02:21 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-10-2014
Ran by Teddy at 2014-10-30 19:12:08 Run:1
Running from C:\Users\Teddy\Desktop
Loaded Profiles: Teddy & UpdatusUser (Available profiles: Teddy & UpdatusUser)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [] => [X]
HKLM\...\Run: [(default)] => [X]
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Run: [] => [X]
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2926592 2009-04-10] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1609144255-1374065977-2133016267-1003\...\Run: [HPADVISOR] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
URLSearchHook: HKCU - (No Name) - {ecce0073-a837-45a2-95b9-600420505f7e} -  No File
SearchScopes: HKCU - DefaultScope {188ED644-C3B2-490B-A127-FA4A189622F5} URL = https://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20140621&p={SearchTerms}
SearchScopes: HKCU - {188ED644-C3B2-490B-A127-FA4A189622F5} URL = https://uk.search.yahoo.com/search?fr=mcafee&type=B011GB0D20140621&p={SearchTerms}
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKLM - No Name - !{2318C2B1-4965-11d4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {ECCE0073-A837-45A2-95B9-600420505F7E} -  No File
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx []
C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\(default) => value deleted successfully.
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-1609144255-1374065977-2133016267-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKU\S-1-5-21-1609144255-1374065977-2133016267-1003\Software\Microsoft\Windows\CurrentVersion\Run\\HPADVISOR => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Secondary Start Pages => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{ecce0073-a837-45a2-95b9-600420505f7e} => value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{188ED644-C3B2-490B-A127-FA4A189622F5}" => Key deleted successfully.
"HKCR\CLSID\{188ED644-C3B2-490B-A127-FA4A189622F5}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => Key deleted successfully.
"HKCR\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\!{2318C2B1-4965-11d4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\!{2318C2B1-4965-11d4-9B18-009027A5CD4F}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{ECCE0073-A837-45A2-95B9-600420505F7E} => value deleted successfully.
"HKCR\CLSID\{ECCE0073-A837-45A2-95B9-600420505F7E}" => Key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho" => Key deleted successfully.
"C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx" => File/Directory not found.
"C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx" => File/Directory not found.

==== End of Fixlog ====
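The Fixlog above records a per-user Winlogon Shell value and several Run entries being removed. As an added check (not code from the thread, from FRST or from Tweaking.com), this PowerShell audit reports whether the Shell values still point at explorer.exe and lists every remaining Run entry; it assumes an elevated Windows PowerShell 3.0+ session on the affected machine.

```powershell
# Added example for this thread (not FRST's or Tweaking.com's code): audit the
# Winlogon Shell value and the Run entries of the kind the Fixlog above removed.
# Assumes Windows PowerShell 3.0+ on the affected machine, run elevated so HKLM is readable.

$ExpectedShell = 'explorer.exe'   # the only value Windows itself sets here

function Test-WinlogonShell {
    # HKLM holds the system-wide Shell; a Shell value under HKCU is honoured as a
    # per-user override, and a per-user Shell is what the Fixlog deleted for the ...-1000 SID.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        $item  = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
        $shell = if ($item) { [string]$item.Shell } else { $null }
        $status = if ($null -eq $shell) {
                      # HKLM must carry explorer.exe; HKCU normally has no Shell value at all
                      if ($key -like 'HKLM:*') { 'MISSING' } else { 'OK (not set)' }
                  } elseif ($shell.Trim() -ieq $ExpectedShell) { 'OK' }
                  else { 'SUSPICIOUS' }   # also catches "explorer.exe, other.exe" lists
        [pscustomobject]@{ Key = $key; Shell = $shell; Status = $status }
    }
}

function Get-RunEntries {
    # Every autostart value under the Run keys, so entries such as HPADVISOR
    # (removed in the Fixlog) can be reviewed one by one.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath and other provider noise
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

Test-WinlogonShell | Format-Table -AutoSize
Get-RunEntries     | Format-Table -AutoSize
```

A SUSPICIOUS or MISSING Shell row, or a Run command pointing into a user-writable folder, is what to look at first when explorer.exe fails to start at logon.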



#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,078 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 30 October 2014 - 02:27 PM

Hi frab49,

 

Any luck on explorer starting automatically?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 frab49

frab49
  • Topic Starter

Posted 30 October 2014 - 02:48 PM

Still the same unfortunately.

I had to open task manager, show processes from all users, new task, explorer.exe

It actually seemed a bit slower to load up, and when it did show the desktop it also opened up the folder Computer/Documents for some reason.

I opened up facebook and it only started flashing once I started to scroll down the page.

Before it would continuously flash as it logged on to your facebook page.

 

 

 

Actually, I have just logged on to facebook a second time and it's still flashing as before.


Edited by frab49, 30 October 2014 - 03:00 PM.


#10 xXToffeeXx


Posted 30 October 2014 - 03:47 PM

Hi frab49,
 
Download Windows Repair (All in One) from this site
 
Install the program then run it.
 
NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.

 
Go to Step 3 and click on Check button next to 1. See If Check Disk Is Needed.
If the tool indicates that the Check Disk is needed click on Do It button next to 2. Check Disk, then restart your computer.
 
 
 
Once the above is done, go to Step 4 and allow it to run System File Check by clicking on the Do It button.
 
 
 
Go to Step 5 and under "System Restore" click on Create button.
 
 
 
Go to Start Repairs tab and click the Start button.
 
 
 
Leave the check marks as they are.
NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.
 
Click on Start Repairs button.
 
 
 
After the repair has finished, you may be prompted to restart the computer. Please allow it to do so.
 
Please post the Windows Repair log which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
 
xXToffeeXx~




#11 frab49

frab49
  • Topic Starter

Posted 30 October 2014 - 07:16 PM

Hi Toffee,

 

Have just restarted the computer and Explorer started by itself :) :) :)

Thank you so much!

 

IE did hang for a bit when I just opened it, and it still seems to be freezing on some pages though.

 

 

Here's the log as requested:

 

Tweaking.com - Windows Repair v2.10.0
--------------------------------------------------------------------------------

System Variables
--------------------------------------------------------------------------------
OS: Windows Vista ™ Home Premium
OS Architecture: 32-bit
OS Version: 6.0.6002
OS Service Pack: Service Pack 2
Computer Name: TEDDY-PC
Windows Drive: C:\
Windows Path: C:\Windows
Program Files: C:\Program Files
Current Profile: C:\Users\Teddy
Current Profile SID: S-1-5-21-1609144255-1374065977-2133016267-1000
Current Profile Classes: S-1-5-21-1609144255-1374065977-2133016267-1000_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\Windows\ServiceProfiles
Local Settings AppData: C:\Users\Teddy\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:10:47

Process Count: 54
Commit Total: 1.05 GB
Commit Limit: 5.73 GB
Commit Peak: 1.09 GB
Handle Count: 14433
Kernel Total: 185.85 MB
Kernel Paged: 138.80 MB
Kernel Non Paged: 47.04 MB
System Cache: 1.92 GB
Thread Count: 665
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 2.75 GB
Memory Used: 1.15 GB(41.7491%)
Memory Avail.: 1.60 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 2.75 GB
Memory Used: 900.24 MB(31.9949%)
Memory Avail.: 1.87 GB
--------------------------------------------------------------------------------

Starting Repairs...
   Started at (30/10/2014 23:25:10)

Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 84
 
01 - Reset Registry Permissions 01/03
   HKEY_CURRENT_USER & Sub Keys
   Start (30/10/2014 23:25:15)
   Running Repair Under Current User Account
   Done (30/10/2014 23:26:33)

01 - Reset Registry Permissions 02/03
   HKEY_LOCAL_MACHINE & Sub Keys
   Start (30/10/2014 23:26:33)
   Running Repair Under System Account
   Done (30/10/2014 23:41:49)

01 - Reset Registry Permissions 03/03
   HKEY_CLASSES_ROOT & Sub Keys
   Start (30/10/2014 23:41:49)
   Running Repair Under System Account
   Done (30/10/2014 23:44:45)

03 - Reset Service Permissions
   Start (30/10/2014 23:44:45)
   Running Repair Under System Account
   Done (30/10/2014 23:46:05)

04 - Register System Files
   Start (30/10/2014 23:46:05)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:47:16)

05 - Repair WMI
   Start (30/10/2014 23:47:16)

   Starting Security Center So We Can Export The Security Info.

   Exporting Antivirus Info...
   Microsoft Security Essentials Exported.

   Exporting AntiSpyware Info...
   Microsoft Security Essentials Exported.
   Windows Defender Exported.

   Exporting 3rd Party Firewall Info...
   No Firewall Products Reported.

   Running Repair Under Current User Account
   Done (30/10/2014 23:52:01)

06 - Repair Windows Firewall
   Start (30/10/2014 23:52:01)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:52:44)

07 - Repair Internet Explorer
   Start (30/10/2014 23:52:44)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:53:33)

08 - Repair MDAC/MS Jet
   Start (30/10/2014 23:53:33)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:54:01)

09 - Repair Hosts File
   Start (30/10/2014 23:54:01)
   Running Repair Under System Account
   Done (30/10/2014 23:54:03)

10 - Remove Policies Set By Infections
   Start (30/10/2014 23:54:04)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:54:07)

11 - Repair Start Menu Icons Removed By Infections
   Start (30/10/2014 23:54:07)
   Running Repair Under System Account
   Done (30/10/2014 23:54:09)

12 - Repair Icons
   Start (30/10/2014 23:54:09)
   Running Repair Under Current User Account
   Done (30/10/2014 23:54:16)

13 - Repair Winsock & DNS Cache
   Start (30/10/2014 23:54:17)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:54:44)

15 - Repair Proxy Settings
   Start (30/10/2014 23:54:44)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:54:48)

17 - Repair Windows Updates
   Start (30/10/2014 23:54:49)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (30/10/2014 23:55:46)

18 - Repair CD/DVD Missing/Not Working
   Start (30/10/2014 23:55:46)
   iTunes not found, not applying UpperFilters iTunes Reg Key
   Done (30/10/2014 23:55:46)

19 - Repair Volume Shadow Copy Service
   Start (30/10/2014 23:55:46)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:27)

21 - Repair MSI (Windows Installer)
   Start (30/10/2014 23:56:27)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:42)

23.01 - Repair bat Association
   Start (30/10/2014 23:56:42)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:45)

23.02 - Repair cmd Association
   Start (30/10/2014 23:56:45)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:49)

23.03 - Repair com Association
   Start (30/10/2014 23:56:49)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:52)

23.04 - Repair Directory Association
   Start (30/10/2014 23:56:52)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:56)

23.05 - Repair Drive Association
   Start (30/10/2014 23:56:56)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:56:59)

23.06 - Repair exe Association
   Start (30/10/2014 23:56:59)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:02)

23.07 - Repair Folder Association
   Start (30/10/2014 23:57:02)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:06)

23.08 - Repair inf Association
   Start (30/10/2014 23:57:06)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:09)

23.09 - Repair lnk (Shortcuts) Association
   Start (30/10/2014 23:57:09)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:12)

23.10 - Repair msc Association
   Start (30/10/2014 23:57:12)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:15)

23.11 - Repair reg Association
   Start (30/10/2014 23:57:15)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:19)

23.12 - Repair scr Association
   Start (30/10/2014 23:57:19)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:22)

24 - Repair Windows Safe Mode
   Start (30/10/2014 23:57:22)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:25)

25 - Repair Print Spooler
   Start (30/10/2014 23:57:25)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:57:43)

26 - Restore Important Windows Services
   Start (30/10/2014 23:57:43)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:58:00)

27 - Set Windows Services To Default Startup
   Start (30/10/2014 23:58:00)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:58:19)

   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.0

   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.0

   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.0

31 - Repair Windows 'New' Submenu
   Start (30/10/2014 23:58:19)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (30/10/2014 23:58:22)

Cleaning up empty logs...

All Selected Repairs Done.
   Done at (30/10/2014 23:58:22)
   Total Repair Time: 00:33:14

...YOU MUST RESTART YOUR SYSTEM...



#12 xXToffeeXx


Posted 31 October 2014 - 06:39 AM

Hi frab49,

 

I'm glad to hear explorer is now loading properly :)

 

See here on how to reset IE and let me know if it still freezes and hangs.

 

xXToffeeXx~




#13 frab49

frab49
  • Topic Starter

Posted 31 October 2014 - 03:00 PM

Hi there.

 

I did as you said and the internet seemed to be running a lot quicker, but I went on facebook and it was still hanging and flashing.

I wondered if my anti-keylogging software - IBM Trusteer Rapport had anything to do with this so I tried uninstalling it, as the facebook site was set to protect its password.

It was quite stubborn to remove and took 3 goes using the windows uninstall programme feature.

However, I succeeded in uninstalling it and the hanging and flashing seems to have stopped! :) :) :)

 

Do you think I had some infection corrupting some files?

 

One message I am getting continuously now is that there is low disk space on the D Drive - HP Recovery

 

Many Thanks

Frab49



#14 xXToffeeXx


Posted 31 October 2014 - 03:11 PM

Hi frab49,

 

Sometimes, anti-keylogger software can cause big problems. A good antivirus and anti-malware protection should be more than enough to protect you from keyloggers.

 

I think you may have had some Windows corruption, but I do not believe it was down to any infections.

 

Is Windows producing that message, or is it another tool? A screenshot of the message would be most useful.

 

xXToffeeXx~




#15 frab49

frab49
  • Topic Starter

Posted 31 October 2014 - 03:41 PM

In looking at the D drive properties, there is 8.83 MB free of 9.34 GB.

 

The anti-keylogging software was suggested by a couple of banking websites, for it to run alongside your anti-virus here in the UK.



Edited by frab49, 31 October 2014 - 03:52 PM.




