
Multiple serious infections, referral from "Am I Infected?" forum


  • This topic is locked
20 replies to this topic

#1 ND_Fan


  • Members
  • 70 posts

Posted 11 November 2014 - 10:55 PM

Hello.

Broni, BC Advisor, referred me here from the "Am I Infected? What do I do?" forum, where after following his instructions he confirmed I'm "very seriously infected and your computer will require elevated help."

I'm very concerned and would really appreciate help cleaning my machine.

Thanks!

ND_Fan

The infected PC is running:

Windows Vista Home Premium
32-bit OS

Previous posts from "Am I Infected?" Forum:

http://www.bleepingcomputer.com/forums/t/555494/im-under-attack-by-various-trojans-please-help/?hl=%2Bnd_fan#entry3534045

Recent DDS Log below and Attach.txt attached.

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16584

Run by tXXXXman1 at 21:28:02 on 2014-11-11

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1976.605 [GMT -6:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}

SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

C:\Program Files\Acer\Empowering Technology\Service\ETService.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Acer\Mobility Center\MobilityService.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\RtHDVCpl.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\TXXXXM~1\AppData\Local\Temp\RtkBtMnt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\servicing\TrustedInstaller.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxps://login.comcast.net/login?ts=e53461c9&s=wnamp

mStart Page = hxxps://www.yahoo.com

mDefault_Page_URL = hxxps://www.yahoo.com

uURLSearchHooks: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - <orphaned>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: ShowBarObj Class: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Acer eDataSecurity Management: {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - <no file>

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

.

INFO: HKLM has more than 50 listed domains.

   If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224957127295

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{6C52974E-1239-4256-9C33-13DB8EB71C02} : DHCPNameServer = 75.75.75.75 75.75.76.76

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: igfxcui - igfxdev.dll

LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg

Hosts: 127.0.0.1            www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]

R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 95920]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-9-11 770168]

.

=============== Created Last 30 ================

.

2014-11-12 03:22:44       62576   ----a-w-  c:\programdata\microsoft\microsoft antimalware\definition updates\{1d6f197a-0822-4e76-9b0b-8041bbcc5621}\offreg.dll

2014-11-11 05:22:21       --------    d-----w-  c:\programdata\Malwarebytes' Anti-Malware (portable)

2014-11-11 03:03:24       908840  ----a-w-  c:\programdata\microsoft\microsoft antimalware\definition updates\{537007df-15f6-4d0a-b9cd-d52531bdca98}\gapaengine.dll

2014-11-11 02:58:06       8901368            ----a-w-  c:\programdata\microsoft\microsoft antimalware\definition updates\{1d6f197a-0822-4e76-9b0b-8041bbcc5621}\mpengine.dll

2014-11-10 05:31:32       --------    d-----w-  c:\users\tXXXXman1\appdata\local\Acworks

2014-11-10 05:30:18       --------    d-----w-  c:\programdata\LevquRpoho

2014-11-10 05:30:00       --------    d-----w-  c:\programdata\MayigEjuvk

2014-11-09 23:50:19       --------    d-----w-  c:\programdata\RomrAgudc

2014-11-09 23:50:01       --------    d-----w-  c:\programdata\SihnUhagv

2014-11-09 21:40:15       8901368            ----a-w-  c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2014-11-09 21:12:38       --------    d-----w-  c:\users\tXXXXman1\appdata\local\Iflsoft

2014-11-09 21:10:08       --------    d-----w-  c:\programdata\VuvuNalsu

2014-11-09 21:09:43       --------    d-----w-  c:\programdata\WadlAgedq

2014-11-09 19:41:07       --------    d-----w-  c:\users\tXXXXman1\appdata\roaming\FrameworkUpdate7

2014-11-09 16:38:24       --------    d-----w-  c:\users\tXXXXman1\appdata\local\{dc6c5feb-bf94-1352-780a-8855d40d6240}

2014-10-16 08:10:53       81560   ----a-w-  c:\windows\system32\mscories.dll

2014-10-16 08:10:53       156824  ----a-w-  c:\windows\system32\mscorier.dll

2014-10-16 08:10:52       1131664            ----a-w-  c:\windows\system32\dfshim.dll

2014-10-16 08:07:46       2054656            ----a-w-  c:\windows\system32\win32k.sys

2014-10-16 08:03:37       143360  ----a-w-  c:\windows\system32\drivers\fastfat.sys

2014-10-16 08:01:10       66560   ----a-w-  c:\windows\system32\packager.dll

2014-10-15 21:30:58       1810432            ----a-w-  c:\windows\system32\jscript9.dll

.

==================== Find3M  ====================

.

2014-11-11 05:22:14       115928  ----a-w-  c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-11-11 05:20:13       79576   ----a-w-  c:\windows\system32\drivers\mbamchameleon.sys

2014-10-30 11:24:45       229000  ------w-   c:\windows\system32\MpSigStub.exe

2014-10-01 17:11:20       51928   ----a-w-  c:\windows\system32\drivers\mwac.sys

2014-10-01 17:11:10       23256   ----a-w-  c:\windows\system32\drivers\mbam.sys

2014-09-24 02:48:43       71344   ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl

2014-09-24 02:48:43       701104  ----a-w-  c:\windows\system32\FlashPlayerApp.exe

2014-09-19 22:38:15       1129472            ----a-w-  c:\windows\system32\wininet.dll

2014-09-19 22:37:34       1427968            ----a-w-  c:\windows\system32\inetcpl.cpl

2014-09-19 22:36:04       142848  ----a-w-  c:\windows\system32\ieUnatt.exe

2014-09-19 22:35:46       421376  ----a-w-  c:\windows\system32\vbscript.dll

2014-09-19 22:34:25       2382848            ----a-w-  c:\windows\system32\mshtml.tlb

2014-09-19 22:34:22       11776   ----a-w-  c:\windows\system32\mshta.exe

2014-08-23 01:03:46       297984  ----a-w-  c:\windows\system32\gdi32.dll

.

============= FINISH: 21:29:43.72 ===============

 

 


#2 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts

Posted 26 November 2014 - 12:02 PM

Hi ND_Fan,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 


 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 ND_Fan

  • Topic Starter

  • Members
  • 70 posts

Posted 27 November 2014 - 06:05 PM

xXToffeeXx --

Thanks for re-opening this post. Below are the Farbar logs you requested. Please review and advise on next steps.

Thanks,
ND_Fan

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-11-2014 01
Ran by tXXXXman1 (administrator) on TXXXXMAN1-PC on 27-11-2014 16:57:16
Running from C:\Users\tXXXXman1\Desktop
Loaded Profile: tXXXXman1 (Available profiles: tXXXXman1)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Agere Systems) C:\Windows\System32\agrsmsvc.exe
(Egis Incorporated) C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
() C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
() C:\Program Files\Canon\IJPLM\ijplmsvc.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Acer\Mobility Center\MobilityService.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Realtek Semiconductor Corp.) C:\Users\tXXXXman1\AppData\Local\Temp\RtkBtMnt.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-25] (Synaptics, Inc.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [6183456 2008-06-13] (Realtek Semiconductor)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-10-19] (Google Inc.)
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ChromeUpdate] => C:\Users\tXXXXman1\AppData\Roaming\FrameworkUpdate7\ChromeUpdate.exe                                                             
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ucilluo] => rundll32 "C:\Users\tXXXXman1\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?ts=e53461c9&s=wnamp
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.yahoo.com
URLSearchHook: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> DefaultScope {5E68D55A-2FBE-4077-8080-0967B0D3FC3A} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {5E68D55A-2FBE-4077-8080-0967B0D3FC3A} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {96bd48dd-741b-41ae-ac4a-aff96ba00f7e} URL = http://search.coupons.com/search.asp?p=df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {B84A2185-980B-462B-AFE7-C5E25B5BFBDE} URL = https://search.yahoo.com/search?p={searchTerms}&fr=chr
SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {C8AE4B6E-3E17-479E-A346-56274B6276E9} URL = http://isearch.shopathome.com?user_id={19D2592F-C8C4-456A-BD1D-268E159B1C9F}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-iobit
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: ShowBarObj Class -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - No Name - {0BF43445-2F28-4351-9252-17FE6E806AA0} -  No File
Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224957127295
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-05-17]
 
Chrome:
=======
CHR Profile: C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-21]
CHR Extension: (Google Search) - C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-21]
CHR Extension: (Gmail) - C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-21]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-03-21] () [File not signed]
R2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [97432 2007-04-13] () [File not signed]
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
R2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe [110592 2007-12-06] () [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
S1 dxpzteaq; \??\C:\Windows\system32\drivers\dxpzteaq.sys [X]
S1 imrglaea; \??\C:\Windows\system32\drivers\imrglaea.sys [X]
S3 Inspect; system32\DRIVERS\inspect.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S1 rxmskqmc; \??\C:\Windows\system32\drivers\rxmskqmc.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-27 16:57 - 2014-11-27 16:57 - 00010981 _____ () C:\Users\tXXXXman1\Desktop\FRST.txt
2014-11-27 16:56 - 2014-11-27 16:56 - 01109504 _____ (Farbar) C:\Users\tXXXXman1\Desktop\FRST.exe
2014-11-24 12:28 - 2014-11-27 16:47 - 00009884 _____ () C:\Windows\PFRO.log
2014-11-20 10:38 - 2014-10-23 19:03 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-12 11:08 - 2014-10-09 19:00 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 11:07 - 2014-10-09 19:01 - 00449536 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 11:07 - 2014-10-09 19:00 - 01259008 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 11:07 - 2014-10-09 17:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 11:07 - 2014-08-26 18:55 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 11:07 - 2014-08-26 18:55 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-12 11:06 - 2014-10-23 19:04 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 11:06 - 2014-09-18 18:50 - 00278528 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-12 11:05 - 2014-08-11 20:25 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-12 11:04 - 2014-10-02 19:17 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 11:03 - 2014-10-17 19:08 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 11:03 - 2014-10-02 19:18 - 00274432 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 11:03 - 2014-10-02 19:17 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 11:03 - 2014-10-02 19:17 - 00170496 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 10:56 - 2014-10-12 17:34 - 02054656 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-11 21:49 - 2014-11-11 21:49 - 00001510 _____ () C:\Users\tXXXXman1\Desktop\attach.zip
2014-11-11 21:43 - 2014-10-27 13:02 - 09739776 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-11 21:43 - 2014-10-27 12:59 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-11 21:43 - 2014-10-27 12:59 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-11 21:43 - 2014-10-27 12:58 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-11 21:43 - 2014-10-27 12:57 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-11-11 21:43 - 2014-10-27 12:57 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-11 21:43 - 2014-10-27 12:56 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-11 21:43 - 2014-10-27 12:56 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-11 21:43 - 2014-10-27 12:56 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-11 21:43 - 2014-10-27 12:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-11 21:43 - 2014-10-27 12:56 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-11 21:43 - 2014-10-27 12:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-11 21:43 - 2014-10-27 12:55 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-11 21:43 - 2014-10-27 12:55 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-11 21:43 - 2014-10-27 12:55 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-11 21:43 - 2014-10-27 12:55 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-11-11 21:43 - 2014-10-27 12:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-11-11 21:43 - 2014-10-27 12:55 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-11-11 21:43 - 2014-10-27 12:54 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-11 21:42 - 2014-10-27 13:10 - 12366848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-11 21:42 - 2014-10-27 13:05 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-11 21:30 - 2014-11-11 21:30 - 00003260 _____ () C:\Users\tXXXXman1\Desktop\attach.txt
2014-11-11 21:30 - 2014-11-11 21:29 - 00009566 _____ () C:\Users\tXXXXman1\Desktop\dds.txt
2014-11-11 21:26 - 2014-11-11 21:26 - 00688992 ____R (Swearware) C:\Users\tXXXXman1\Desktop\dds.com
2014-11-11 00:08 - 2014-11-11 00:12 - 00003692 _____ () C:\Users\tXXXXman1\Desktop\Rkill.txt
2014-11-11 00:08 - 2014-11-11 00:08 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\tXXXXman1\Desktop\rkill.exe
2014-11-10 23:22 - 2014-11-11 14:34 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-11-10 23:19 - 2014-11-11 00:01 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\mbar
2014-11-10 23:18 - 2014-11-10 23:18 - 14439144 _____ (Malwarebytes Corp.) C:\Users\tXXXXman1\Desktop\mbar-1.08.0.1001.exe
2014-11-10 22:00 - 2014-11-10 22:06 - 00027650 _____ () C:\Users\tXXXXman1\Desktop\Result.txt
2014-11-10 21:59 - 2014-11-10 21:59 - 00401920 _____ (Farbar) C:\Users\tXXXXman1\Desktop\MiniToolBox.exe
2014-11-10 21:57 - 2014-11-10 21:57 - 00002730 _____ () C:\Users\tXXXXman1\Desktop\FSS.txt
2014-11-10 21:56 - 2014-11-10 21:56 - 00415232 _____ (Farbar) C:\Users\tXXXXman1\Desktop\FSS.exe
2014-11-10 21:54 - 2014-11-10 21:54 - 00000964 _____ () C:\Users\tXXXXman1\Desktop\checkup.txt
2014-11-10 21:42 - 2014-11-10 21:42 - 00000000 ____D () C:\ProgramData\WindowsSearch
2014-11-10 21:34 - 2014-11-10 21:34 - 00854448 _____ () C:\Users\tXXXXman1\Desktop\SecurityCheck.exe
2014-11-09 23:31 - 2014-11-09 23:31 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\Acworks
2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\MayigEjuvk
2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\LevquRpoho
2014-11-09 17:50 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\SihnUhagv
2014-11-09 17:50 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\RomrAgudc
2014-11-09 15:12 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\Iflsoft
2014-11-09 15:10 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\VuvuNalsu
2014-11-09 15:10 - 2014-11-09 15:10 - 00004214 _____ () C:\Users\tXXXXman1\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:10 - 2014-11-09 15:10 - 00000272 _____ () C:\Users\tXXXXman1\DECRYPT_INSTRUCTION.URL
2014-11-09 15:09 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\WadlAgedq
2014-11-09 15:08 - 2014-11-09 15:08 - 00004214 _____ () C:\Users\tXXXXman1\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:08 - 2014-11-09 15:08 - 00004214 _____ () C:\Users\tXXXXman1\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:08 - 2014-11-09 15:08 - 00000272 _____ () C:\Users\tXXXXman1\Downloads\DECRYPT_INSTRUCTION.URL
2014-11-09 15:08 - 2014-11-09 15:08 - 00000272 _____ () C:\Users\tXXXXman1\Documents\DECRYPT_INSTRUCTION.URL
2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXXman1\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXXman1\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXXman1\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXXman1\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXXman1\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXXman1\AppData\DECRYPT_INSTRUCTION.URL
2014-11-09 15:04 - 2014-11-09 15:04 - 00004214 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:04 - 2014-11-09 15:04 - 00000272 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:01 - 2014-11-09 15:01 - 00000272 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.URL
2014-11-09 15:01 - 2014-11-09 15:01 - 00000272 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-11-09 13:42 - 2014-11-09 13:42 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-09 13:41 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Roaming\FrameworkUpdate7
2014-11-09 13:41 - 2014-11-09 13:42 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-09 13:41 - 2014-11-09 13:41 - 00000448 ____H () C:\Users\tXXXXman1\AppData\Roaming\麽鎒駓覜
2014-11-09 13:38 - 2014-11-09 23:30 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-09 10:38 - 2014-11-10 21:29 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\{dc6c5feb-bf94-1352-780a-8855d40d6240}
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-27 16:57 - 2014-09-17 22:11 - 00000000 ____D () C:\FRST
2014-11-27 16:55 - 2006-11-02 04:33 - 00759582 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-27 16:53 - 2008-01-28 21:56 - 02065193 _____ () C:\Windows\WindowsUpdate.log
2014-11-27 16:48 - 2012-10-19 22:11 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-27 16:48 - 2012-04-09 13:13 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-27 16:48 - 2008-01-28 22:16 - 00000000 _____ () C:\Windows\system32\LogConfigTemp.xml
2014-11-27 16:47 - 2006-11-02 07:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-27 16:47 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-27 16:47 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-27 15:47 - 2006-11-02 07:01 - 00032646 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-27 15:26 - 2011-02-13 11:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-11-27 15:25 - 2012-10-19 22:11 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-26 10:50 - 2012-04-09 13:13 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-26 10:50 - 2011-05-17 09:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-23 23:10 - 2014-09-13 13:57 - 00015872 _____ () C:\Users\tXXXXman1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-11-23 23:00 - 2011-03-08 21:20 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\CrashDumps
2014-11-17 00:05 - 2008-02-08 21:16 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-11-12 11:53 - 2006-11-02 05:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-12 11:42 - 2006-11-02 05:18 - 00000000 ____D () C:\Windows\rescache
2014-11-12 11:26 - 2006-11-02 06:47 - 00304152 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 11:02 - 2013-08-15 10:47 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-12 10:58 - 2006-11-02 04:24 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-11-11 00:03 - 2008-04-30 03:30 - 00000000 ____D () C:\Windows\ACER
2014-11-10 23:22 - 2014-09-13 15:22 - 00115928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-10 23:20 - 2014-09-13 15:21 - 00079576 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-10 22:13 - 2014-09-13 15:21 - 00000903 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-10 22:13 - 2014-09-13 15:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-10 22:13 - 2014-09-13 15:21 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-09 15:13 - 2008-02-03 16:41 - 00000000 ____D () C:\Users\tXXXXman1
2014-11-09 15:09 - 2012-11-16 23:09 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\Steve Memory stick
2014-11-09 15:09 - 2009-04-22 18:07 - 00000000 ____D () C:\Users\tXXXXman1\Documents\Symantec
2014-11-09 15:08 - 2014-09-18 23:23 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Roaming\Philipp Winterberg
2014-11-09 15:08 - 2012-01-13 16:07 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\2012_01_13
2014-11-09 15:08 - 2011-01-30 12:32 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Roaming\W Photo Studio Viewer
2014-11-09 15:08 - 2010-05-16 14:51 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\Fighting Chance
2014-11-09 15:08 - 2009-02-13 13:57 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\2009_02_13
2014-11-09 15:08 - 2008-02-06 10:32 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Roaming\Adobe
2014-11-09 15:08 - 2008-02-03 16:41 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Roaming\Acer GameZone Console
2014-11-09 15:05 - 2011-02-22 21:51 - 00000000 ____D () C:\Users\tXXXXman1\2011_02_22
2014-11-09 15:05 - 2008-02-09 14:03 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\Google
2014-11-09 15:05 - 2006-11-02 05:18 - 00000000 ___RD () C:\Users\Public
2014-11-09 15:01 - 2009-04-22 18:04 - 00000000 ____D () C:\Users\Public\Downloads\Norton
2014-11-09 15:00 - 2009-04-22 18:04 - 00000000 ____D () C:\ProgramData\Norton
2014-11-09 15:00 - 2008-06-28 16:21 - 00000000 ____D () C:\ProgramData\Kodak
2014-10-30 05:24 - 2010-05-17 16:31 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
Some content of TEMP:
====================
C:\Users\tXXXXman1\AppData\Local\Temp\RtkBtMnt.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-27 16:55
 
==================== End Of Log ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-11-2014 01
Ran by tXXXXman1 at 2014-11-27 16:58:05
Running from C:\Users\tXXXXman1\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Acer Assist (HKLM\...\Acer Assist) (Version:  - Acer Incorporated)
Acer eDataSecurity Management (HKLM\...\{A5633652-3795-4829-BB0B-644F0279E279}) (Version: 3.0.3062 - Egis Inc.)
Acer Empowering Technology (HKLM\...\{8F1B6239-FEA0-450A-A950-B05276CE177C}) (Version: 3.0.3006 - Acer Incorporated)
Acer ePower Management (HKLM\...\{58E5844B-7CE2-413D-83D1-99294BF6C74F}) (Version: 3.0.3012 - Acer Incorporated)
Acer eRecovery Management (HKLM\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 3.0.3013 - Acer Incorporated)
Acer eSettings Management (HKLM\...\{13D85C14-2B85-419F-AC41-C7F21E68B25D}) (Version: 3.0.3007 - Acer Incorporated)
Acer Mobility Center Plug-In (HKLM\...\{11316260-6666-467B-AC34-183FCB5D4335}) (Version: 3.0.3000 - Acer Inc.)
Acer Registration (HKLM\...\Acer Registration) (Version:  - Acer - Leader Technologies)
Acer ScreenSaver (HKLM\...\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}) (Version: 1.11.0805 - Acer Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Advanced WindowsCare Personal (HKLM\...\Advanced WindowsCare V2 Personal_is1) (Version: 2.9.0 - IObit)
Agere Systems HDA Modem (HKLM\...\Agere Systems Soft Modem) (Version:  - Agere Systems)
AusLogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: version 1.4 - Auslogics Software Pty. Ltd.)
Belarc Advisor 7.2 (HKLM\...\Belarc Advisor) (Version:  - )
Canon MP Navigator EX 1.0 (HKLM\...\MP Navigator EX 1.0) (Version:  - )
Canon MX310 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series) (Version:  - )
Canon MX310 series User Registration (HKLM\...\Canon MX310 series User Registration) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.17 - Piriform)
Cole2k Media - Codec Pack (Advanced) 8.0.2 (HKLM\...\Cole2k Media - Codec Pack) (Version: 8.0.2 - Cole2k Media)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Eusing Free Registry Cleaner (HKLM\...\Eusing Free Registry Cleaner) (Version:  - Eusing Software)
Free AVI Player (HKLM\...\{7DED55EA-FB69-4101-AD5D-3D7F985E68A7}) (Version: 1.00.0000 - Media Freeware)
Free RAR Extract Frog (HKLM\...\Free RAR Extract Frog) (Version: 5.20 - Philipp Winterberg)
Free WMV Player (HKLM\...\Free WMV Player_is1) (Version: 1.0 - Free Converting)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
LightScribe  1.4.142.1 (Version: 1.4.142.1 - http://www.lightscribe.com) Hidden
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Marvell Miniport Driver (HKLM\...\Marvell Miniport Driver) (Version: 10.55.3.3 - Marvell)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office XP Standard (HKLM\...\{90120409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NTI Backup Now Standard (Version: 5.1.2.503 - NewTech Infosystems) Hidden
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
PIXMA Extended Survey Program (HKLM\...\CANONIJPLM100) (Version:  - )
Presto! PageManager 7.15.16 (HKLM\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.16 - NewSoft Technology Corporation)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5643 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{DC24971E-1946-445D-8A82-CE685433FA7D}) (Version: 3.0.1.3 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.94 (HKLM\...\Revo Uninstaller) (Version: 1.94 - VS Revo Group)
ScanSoft OmniPage SE 4 (HKLM\...\{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}) (Version: 15.2.0020 - Nuance Communications, Inc.)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.0 - Safer Networking Limited)
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.1.4.0 - Synaptics)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-1819874095-4173997821-445965943-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
 
==================== Restore Points  =========================
 
16-11-2014 09:00:56 Windows Update
17-11-2014 18:52:39 Windows Update
18-11-2014 15:42:06 Windows Update
19-11-2014 15:31:02 Windows Update
20-11-2014 16:36:24 Windows Update
21-11-2014 16:38:29 Windows Update
23-11-2014 00:32:42 Windows Update
23-11-2014 21:31:34 Windows Update
24-11-2014 18:31:56 Windows Update
25-11-2014 16:34:50 Windows Update
26-11-2014 16:44:19 Windows Update
27-11-2014 19:13:39 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 04:23 - 2014-09-13 15:26 - 00450757 ___RA C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
There are 1000 more lines.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {3C2A4AFB-3808-4349-92F5-091C49E6AD35} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-10-19] (Google Inc.)
Task: {44F2F103-31B2-4CD9-929E-0F700656E685} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-08-21] (Piriform Ltd)
Task: {9633F92F-B919-4AE0-87E3-E992EADF2881} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-26] (Adobe Systems Incorporated)
Task: {F353DD4A-B8B0-4C5A-8BDA-EB39275FFDFB} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2012-10-19] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2008-04-30 03:56 - 2008-03-21 14:22 - 00024576 _____ () C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
2008-04-30 03:56 - 2008-04-30 03:56 - 00032768 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Model.Controller\3.0.3006.0__14bcaafdb44b5951\Framework.Model.Controller.dll
2008-04-30 03:56 - 2008-04-30 03:56 - 00020480 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Model.ControllerInterface\3.0.3006.0__d842b71b4d6ed079\Framework.Model.ControllerInterface.dll
2008-04-30 03:56 - 2008-04-30 03:56 - 00061440 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Library\3.0.3006.0__3036420f80dd6947\Framework.Library.dll
2008-04-30 03:56 - 2008-04-30 03:56 - 00028672 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Host\3.0.3006.0__672b450de5a7e94a\Framework.Host.dll
2008-04-30 03:56 - 2008-04-30 03:56 - 00016384 _____ () C:\Windows\assembly\GAC_MSIL\Framework.PluginInterface\3.0.3006.0__9ecdf03bb2054f94\Framework.PluginInterface.dll
2008-04-30 03:56 - 2008-04-30 03:56 - 00036864 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Utility\3.0.3006.0__4df5dcab8860d239\Framework.Utility.dll
2008-01-28 22:17 - 2008-05-26 16:40 - 00016384 _____ () C:\Program Files\Acer\Empowering Technology\eSettings\eSettings.ServicePlugin.dll
2008-01-28 22:17 - 2008-05-26 16:37 - 00016384 _____ () C:\Program Files\Acer\Empowering Technology\eSettings\eSettings.Logger.dll
2008-01-28 22:17 - 2008-05-26 16:39 - 00143360 _____ () C:\Program Files\Acer\Empowering Technology\eSettings\eSettings.Model.Computer.dll
2008-01-28 22:17 - 2008-05-26 16:37 - 00036864 _____ () C:\Program Files\Acer\Empowering Technology\Service\eSettings.Model.ComputerInterface.dll
2011-02-13 11:52 - 2007-04-13 10:20 - 00097432 _____ () C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
2008-01-28 22:18 - 2007-12-06 18:15 - 00110592 _____ () C:\Acer\Mobility Center\MobilityService.exe
2008-01-28 22:18 - 2007-11-27 17:08 - 00032768 _____ () C:\Acer\Mobility Center\MobilityInterface.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk => C:\Windows\pss\Kodak EasyShare software.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\Windows\pss\Microsoft Office.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^tXXXXman1^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Acer Product Registration.lnk => C:\Windows\pss\Acer Product Registration.lnk.Startup
MSCONFIG\startupreg: Acer Assist Launcher => C:\Program Files\Acer\Acer Assist\launcher.exe
MSCONFIG\startupreg: Acer Product Registration => "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: CanonMyPrinter => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
MSCONFIG\startupreg: CanonSolutionMenu => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
MSCONFIG\startupreg: eDataSecurity Loader => C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
MSCONFIG\startupreg: ehTray.exe => C:\Windows\ehome\ehTray.exe
MSCONFIG\startupreg: ePower_DMC => C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: LManager => C:\PROGRA~1\LAUNCH~1\LManager.exe
MSCONFIG\startupreg: OpwareSE4 => "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: RtHDVCpl => RtHDVCpl.exe
MSCONFIG\startupreg: Skytel => Skytel.exe
MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: Windows Defender => %ProgramFiles%\Windows Defender\MSASCui.exe -hide
MSCONFIG\startupreg: WrtMon.exe => C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-1819874095-4173997821-445965943-500 - Administrator - Disabled)
Guest (S-1-5-21-1819874095-4173997821-445965943-501 - Limited - Disabled)
tXXXXman1 (S-1-5-21-1819874095-4173997821-445965943-1000 - Administrator - Enabled) => C:\Users\tXXXXman1
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/27/2014 04:48:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/27/2014 03:14:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/27/2014 01:10:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/26/2014 02:51:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/26/2014 10:40:58 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/25/2014 05:22:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/25/2014 01:38:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/25/2014 11:23:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/25/2014 10:31:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (11/24/2014 08:38:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
 
Microsoft Office Sessions:
=========================
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-11-27 16:57:53.475
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-27 16:57:52.975
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-27 16:57:52.461
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-27 16:57:51.946
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-10 23:40:56.758
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-10 23:40:55.828
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-10 23:40:54.637
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-10 23:40:53.674
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-10 23:35:49.238
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-10 23:35:48.583
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info ===========================
 
Processor: Intel® Pentium® Dual CPU T3200 @ 2.00GHz
Percentage of memory in use: 54%
Total physical RAM: 1976.12 MB
Available physical RAM: 901.61 MB
Total Pagefile: 4199.52 MB
Available Pagefile: 2814.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1902.86 MB
 
==================== Drives ================================
 
Drive c: (ACER) (Fixed) (Total:69.65 GB) (Free:29.38 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:69.64 GB) (Free:69.54 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 149.1 GB) (Disk ID: BDBE3D2D)
Partition 1: (Not Active) - (Size=9.8 GB) - (Type=27)
Partition 2: (Active) - (Size=69.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=69.6 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================


Edited by xXToffeeXx, 28 November 2014 - 03:28 PM.


#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 28 November 2014 - 03:40 PM

Hi ND_Fan,
 
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------

We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ChromeUpdate] => C:\Users\tXXXXman1\AppData\Roaming\FrameworkUpdate7\ChromeUpdate.exe                                                             
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ucilluo] => rundll32 "C:\Users\tXXXXman1\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
S1 dxpzteaq; \??\C:\Windows\system32\drivers\dxpzteaq.sys [X]
S1 imrglaea; \??\C:\Windows\system32\drivers\imrglaea.sys [X]
S1 rxmskqmc; \??\C:\Windows\system32\drivers\rxmskqmc.sys [X]
C:\Users\tXXXXman1\AppData\Local\ucilluo.dll
C:\Windows\system32\drivers\rxmskqmc.sys
C:\Windows\system32\drivers\imrglaea.sys
C:\Windows\system32\drivers\dxpzteaq.sys
2014-11-10 21:42 - 2014-11-10 21:42 - 00000000 ____D () C:\ProgramData\WindowsSearch
2014-11-09 23:31 - 2014-11-09 23:31 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\Acworks
2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\MayigEjuvk
2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\LevquRpoho
2014-11-09 17:50 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\SihnUhagv
2014-11-09 17:50 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\RomrAgudc
2014-11-09 15:12 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\Iflsoft
2014-11-09 15:10 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\VuvuNalsu
2014-11-09 15:10 - 2014-11-09 15:10 - 00004214 _____ () C:\Users\tXXXXman1\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:10 - 2014-11-09 15:10 - 00000272 _____ () C:\Users\tXXXXman1\DECRYPT_INSTRUCTION.URL
2014-11-09 15:09 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\WadlAgedq
2014-11-09 15:08 - 2014-11-09 15:08 - 00004214 _____ () C:\Users\tXXXXman1\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:08 - 2014-11-09 15:08 - 00004214 _____ () C:\Users\tXXXXman1\Documents\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:08 - 2014-11-09 15:08 - 00000272 _____ () C:\Users\tXXXXman1\Downloads\DECRYPT_INSTRUCTION.URL
2014-11-09 15:08 - 2014-11-09 15:08 - 00000272 _____ () C:\Users\tXXXXman1\Documents\DECRYPT_INSTRUCTION.URL
2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXXman1\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXXman1\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXXman1\AppData\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXXman1\AppData\Roaming\DECRYPT_INSTRUCTION.URL
2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXXman1\AppData\Local\DECRYPT_INSTRUCTION.URL
2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXXman1\AppData\DECRYPT_INSTRUCTION.URL
2014-11-09 15:04 - 2014-11-09 15:04 - 00004214 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:04 - 2014-11-09 15:04 - 00000272 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL
2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-09 15:01 - 2014-11-09 15:01 - 00000272 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.URL
2014-11-09 15:01 - 2014-11-09 15:01 - 00000272 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL
2014-11-09 13:38 - 2014-11-09 23:30 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
CustomCLSID: HKU\S-1-5-21-1819874095-4173997821-445965943-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • New FRST.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
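A small triage helper, added here as an example and not part of FRST or of any post in this thread: it parses the line shapes of the fixlist above and of the Fixlog that FRST writes after a fix, so a helper can see which entries were removed and which FRST reported as already absent (a result that also tells you whether a listed driver file was still on disk). The sample lines are constructed from this thread's own entries; the category names and function names are my own.

```python
import re

# Constructed sample: the fixlist line shapes from this thread (user name masked
# as in the thread). Each shape exercises one branch of classify_fixlist().
SAMPLE_FIXLIST = r"""
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ChromeUpdate] => C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7\ChromeUpdate.exe
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ucilluo] => rundll32 "C:\Users\tXXXX1\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION
S1 dxpzteaq; \??\C:\Windows\system32\drivers\dxpzteaq.sys [X]
C:\Users\tXXXX1\AppData\Local\ucilluo.dll
2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\MayigEjuvk
2014-11-09 15:10 - 2014-11-09 15:10 - 00004214 _____ () C:\Users\tXXXX1\DECRYPT_INSTRUCTION.TXT
CustomCLSID: HKU\S-1-5-21-1819874095-4173997821-445965943-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
"""

# Constructed sample Fixlog: FRST echoes the fixlist between two ***** lines,
# then prints one "<item> => <result>." line per processed entry.
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ucilluo] => rundll32 "C:\Users\tXXXX1\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION
*****************

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ucilluo => value deleted successfully.
dxpzteaq => Service deleted successfully.
"C:\Windows\system32\drivers\dxpzteaq.sys" => File/Directory not found.
C:\ProgramData\MayigEjuvk => Moved successfully.
"HKU\S-1-5-21-1819874095-4173997821-445965943-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

==== End of Fixlog ====
"""

# Autostart value: HKU\...\Run: [name] => target, optionally flagged by FRST.
RUN_RE = re.compile(r"^HKU\\.*\\Run: \[(?P<name>[^\]]+)\] => (?P<target>.*?)(?: <=+ ATTENTION!?)?$")
# Service/driver entry: "S1 name; path [X]" where [X] means the file is missing.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>\w+); (?P<path>.*?)(?: \[X\])?$")
# Dated entry: created - modified - size attrs (company) path; attrs "____D" = directory.
DATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.*)$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Fixlog result line; the item may be wrapped in quotes, the result ends in a period.
FIXLOG_RE = re.compile(r'^"?(?P<item>.+?)"? => (?P<result>.+?)\.?$')


def classify_fixlist(text):
    """Return (category, name_or_path, detail) for each non-empty fixlist line."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            items.append(("run-key", m.group("name"), m.group("target")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            items.append(("service", m.group("name"), m.group("path")))
            continue
        m = DATED_RE.match(line)
        if m:
            kind = "directory" if "D" in m.group("attrs") else "file"
            items.append((kind, m.group("path"), m.group("attrs")))
            continue
        if line.startswith("CustomCLSID: "):
            items.append(("clsid", line[len("CustomCLSID: "):], ""))
        elif line.startswith("AlternateDataStreams: "):
            items.append(("ads", line[len("AlternateDataStreams: "):], ""))
        elif PATH_RE.match(line):
            items.append(("path", line, ""))
        else:
            items.append(("unknown", line, ""))
    return items


def results_section(fixlog_text):
    """Drop the echoed fixlist: keep only what follows the last ***** line."""
    lines = fixlog_text.splitlines()
    stars = [i for i, l in enumerate(lines) if l.strip() and set(l.strip()) == {"*"}]
    return "\n".join(lines[stars[-1] + 1:]) if stars else fixlog_text


def summarize_fixlog(fixlog_text):
    """Sort Fixlog results into removed items, items FRST could not find, and anything else."""
    removed, missing, other = [], [], []
    for line in results_section(fixlog_text).splitlines():
        m = FIXLOG_RE.match(line.strip())
        if not m:
            continue
        item, result = m.group("item"), m.group("result")
        if "successfully" in result:
            removed.append(item)
        elif "not found" in result:
            missing.append(item)   # already gone, or a path FRST could not resolve
        else:
            other.append((item, result))
    return {"removed": removed, "missing": missing, "other": other}


if __name__ == "__main__":
    for cat, name, detail in classify_fixlist(SAMPLE_FIXLIST):
        print(f"{cat:10} {name}  {detail}".rstrip())
    report = summarize_fixlog(SAMPLE_FIXLOG)
    print(f"\nremoved: {len(report['removed'])}, not found: {len(report['missing'])}")
    for item in report["missing"]:
        print("  not found:", item)
```

Entries in the "missing" list are the ones to re-check in the fresh FRST.txt, since "not found" only means FRST could not act on them, not that they were verified clean.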


#5 ND_Fan

ND_Fan
  • Topic Starter

  • Members
  • 70 posts

Posted 28 November 2014 - 06:47 PM

Hi xXToffeeXx - thanks for the instructions.  Below are my logs.

 

Ready for the next step.  Thanks

ND_Fan

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-11-2014 01

Ran by tXXXX1 at 2014-11-28 17:38:36 Run:1

Running from C:\Users\tXXXX1\Desktop

Loaded Profile: tXXXX1 (Available profiles: tXXXX1)

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ChromeUpdate] => C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7\ChromeUpdate.exe                                                            

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ucilluo] => rundll32 "C:\Users\tXXXX1\AppData\Local\ucilluo.dll",ucilluo <===== ATTENTION

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...A8F59079A8D5}\localserver32:  <==== ATTENTION!

S1 dxpzteaq; \??\C:\Windows\system32\drivers\dxpzteaq.sys [X]

S1 imrglaea; \??\C:\Windows\system32\drivers\imrglaea.sys [X]

S1 rxmskqmc; \??\C:\Windows\system32\drivers\rxmskqmc.sys [X]

C:\Users\tXXXX1\AppData\Local\ucilluo.dll

C:\Windows\system32\drivers\rxmskqmc.sys

C:\Windows\system32\drivers\imrglaea.sys

C:\Windows\system32\drivers\dxpzteaq.sys

2014-11-10 21:42 - 2014-11-10 21:42 - 00000000 ____D () C:\ProgramData\WindowsSearch

2014-11-09 23:31 - 2014-11-09 23:31 - 00000000 ____D () C:\Users\tXXXX1\AppData\Local\Acworks

2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\MayigEjuvk

2014-11-09 23:30 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\LevquRpoho

2014-11-09 17:50 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\SihnUhagv

2014-11-09 17:50 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\RomrAgudc

2014-11-09 15:12 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXX1\AppData\Local\Iflsoft

2014-11-09 15:10 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\VuvuNalsu

2014-11-09 15:10 - 2014-11-09 15:10 - 00004214 _____ () C:\Users\tXXXX1\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:10 - 2014-11-09 15:10 - 00000272 _____ () C:\Users\tXXXX1\DECRYPT_INSTRUCTION.URL

2014-11-09 15:09 - 2014-11-10 22:59 - 00000000 ____D () C:\ProgramData\WadlAgedq

2014-11-09 15:08 - 2014-11-09 15:08 - 00004214 _____ () C:\Users\tXXXX1\Downloads\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:08 - 2014-11-09 15:08 - 00004214 _____ () C:\Users\tXXXX1\Documents\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:08 - 2014-11-09 15:08 - 00000272 _____ () C:\Users\tXXXX1\Downloads\DECRYPT_INSTRUCTION.URL

2014-11-09 15:08 - 2014-11-09 15:08 - 00000272 _____ () C:\Users\tXXXX1\Documents\DECRYPT_INSTRUCTION.URL

2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXX1\AppData\Roaming\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXX1\AppData\Local\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:06 - 2014-11-09 15:06 - 00004214 _____ () C:\Users\tXXXX1\AppData\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXX1\AppData\Roaming\DECRYPT_INSTRUCTION.URL

2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXX1\AppData\Local\DECRYPT_INSTRUCTION.URL

2014-11-09 15:06 - 2014-11-09 15:06 - 00000272 _____ () C:\Users\tXXXX1\AppData\DECRYPT_INSTRUCTION.URL

2014-11-09 15:04 - 2014-11-09 15:04 - 00004214 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:04 - 2014-11-09 15:04 - 00000272 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.URL

2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:01 - 2014-11-09 15:01 - 00004214 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT

2014-11-09 15:01 - 2014-11-09 15:01 - 00000272 _____ () C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.URL

2014-11-09 15:01 - 2014-11-09 15:01 - 00000272 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.URL

2014-11-09 13:38 - 2014-11-09 23:30 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage

CustomCLSID: HKU\S-1-5-21-1819874095-4173997821-445965943-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

*****************

 

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ChromeUpdate => value deleted successfully.

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ucilluo => value deleted successfully.

"HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.

"HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.

dxpzteaq => Service deleted successfully.

imrglaea => Service deleted successfully.

rxmskqmc => Service deleted successfully.

"C:\Users\tXXXX1\AppData\Local\ucilluo.dll" => File/Directory not found.

"C:\Windows\system32\drivers\rxmskqmc.sys" => File/Directory not found.

"C:\Windows\system32\drivers\imrglaea.sys" => File/Directory not found.

"C:\Windows\system32\drivers\dxpzteaq.sys" => File/Directory not found.

C:\ProgramData\WindowsSearch => Moved successfully.

C:\Users\tXXXX1\AppData\Local\Acworks => Moved successfully.

C:\ProgramData\MayigEjuvk => Moved successfully.

C:\ProgramData\LevquRpoho => Moved successfully.

C:\ProgramData\SihnUhagv => Moved successfully.

C:\ProgramData\RomrAgudc => Moved successfully.

C:\Users\tXXXX1\AppData\Local\Iflsoft => Moved successfully.

C:\ProgramData\VuvuNalsu => Moved successfully.

C:\Users\tXXXX1\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\tXXXX1\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\ProgramData\WadlAgedq => Moved successfully.

C:\Users\tXXXX1\Downloads\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\tXXXX1\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\tXXXX1\Downloads\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\Users\tXXXX1\Documents\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\Users\tXXXX1\AppData\Roaming\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\tXXXX1\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\tXXXX1\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\tXXXX1\AppData\Roaming\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\Users\tXXXX1\AppData\Local\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\Users\tXXXX1\AppData\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\Users\Public\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\Public\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\ProgramData\DECRYPT_INSTRUCTION.TXT => Moved successfully.

C:\Users\Public\Downloads\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\ProgramData\DECRYPT_INSTRUCTION.URL => Moved successfully.

C:\ProgramData\Windows Genuine Advantage => Moved successfully.

"HKU\S-1-5-21-1819874095-4173997821-445965943-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.

C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.

 

==== End of Fixlog ====

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-11-2014 01

Ran by tXXXX1 (administrator) on TXXXX1-PC on 28-11-2014 17:40:23

Running from C:\Users\tXXXX1\Desktop

Loaded Profile: tXXXX1 (Available profiles: tXXXX1)

Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)

Internet Explorer Version 9

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe

(Agere Systems) C:\Windows\System32\agrsmsvc.exe

(Egis Incorporated) C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

() C:\Program Files\Acer\Empowering Technology\Service\ETService.exe

(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe

(Microsoft Corporation) C:\Windows\ehome\ehtray.exe

() C:\Program Files\Canon\IJPLM\ijplmsvc.exe

(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe

() C:\Acer\Mobility Center\MobilityService.exe

(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe

(Realtek Semiconductor Corp.) C:\Users\tXXXX1\AppData\Local\Temp\RtkBtMnt.exe

(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

(Microsoft Corporation) C:\Windows\System32\wuauclt.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-25] (Synaptics, Inc.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [6183456 2008-06-13] (Realtek Semiconductor)

HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-10-19] (Google Inc.)

ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc.)

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.comcast.net/login?ts=e53461c9&s=wnamp

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.yahoo.com

URLSearchHook: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> DefaultScope {5E68D55A-2FBE-4077-8080-0967B0D3FC3A} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {5E68D55A-2FBE-4077-8080-0967B0D3FC3A} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {96bd48dd-741b-41ae-ac4a-aff96ba00f7e} URL = http://search.coupons.com/search.asp?p=df&q={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {B84A2185-980B-462B-AFE7-C5E25B5BFBDE} URL = https://search.yahoo.com/search?p={searchTerms}&fr=chr

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {C8AE4B6E-3E17-479E-A346-56274B6276E9} URL = http://isearch.shopathome.com?user_id={19D2592F-C8C4-456A-BD1D-268E159B1C9F}&q={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-iobit

BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File

BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

BHO: ShowBarObj Class -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)

BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKLM - No Name - {0BF43445-2F28-4351-9252-17FE6E806AA0} -  No File

Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224957127295

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

 

FireFox:

========

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-05-17]

 

Chrome:

=======

CHR Profile: C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (YouTube) - C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-21]

CHR Extension: (Google Search) - C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-21]

CHR Extension: (Gmail) - C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-21]

 

========================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-03-21] () [File not signed]

R2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [97432 2007-04-13] () [File not signed]

R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]

R2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe [110592 2007-12-06] () [File not signed]

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)

R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)

S3 Inspect; system32\DRIVERS\inspect.sys [X]

S3 IpInIp; system32\DRIVERS\ipinip.sys [X]

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-11-27 16:58 - 2014-11-27 16:58 - 00024005 _____ () C:\Users\tXXXX1\Desktop\Addition.txt

2014-11-27 16:57 - 2014-11-28 17:40 - 00010283 _____ () C:\Users\tXXXX1\Desktop\FRST.txt

2014-11-27 16:56 - 2014-11-27 16:56 - 01109504 _____ (Farbar) C:\Users\tXXXX1\Desktop\FRST.exe

2014-11-24 12:28 - 2014-11-28 17:27 - 00011234 _____ () C:\Windows\PFRO.log

2014-11-20 10:38 - 2014-10-23 19:03 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2014-11-12 11:08 - 2014-10-09 19:00 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll

2014-11-12 11:07 - 2014-10-09 19:01 - 00449536 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll

2014-11-12 11:07 - 2014-10-09 19:00 - 01259008 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2014-11-12 11:07 - 2014-10-09 17:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll

2014-11-12 11:07 - 2014-08-26 18:55 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

2014-11-12 11:07 - 2014-08-26 18:55 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll

2014-11-12 11:06 - 2014-10-23 19:04 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll

2014-11-12 11:06 - 2014-09-18 18:50 - 00278528 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2014-11-12 11:05 - 2014-08-11 20:25 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL

2014-11-12 11:04 - 2014-10-02 19:17 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll

2014-11-12 11:03 - 2014-10-17 19:08 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll

2014-11-12 11:03 - 2014-10-02 19:18 - 00274432 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll

2014-11-12 11:03 - 2014-10-02 19:17 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll

2014-11-12 11:03 - 2014-10-02 19:17 - 00170496 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll

2014-11-12 10:56 - 2014-10-12 17:34 - 02054656 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2014-11-11 21:49 - 2014-11-11 21:49 - 00001510 _____ () C:\Users\tXXXX1\Desktop\attach.zip

2014-11-11 21:43 - 2014-10-27 13:02 - 09739776 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2014-11-11 21:43 - 2014-10-27 12:59 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2014-11-11 21:43 - 2014-10-27 12:59 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2014-11-11 21:43 - 2014-10-27 12:58 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2014-11-11 21:43 - 2014-10-27 12:57 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll

2014-11-11 21:43 - 2014-10-27 12:57 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2014-11-11 21:43 - 2014-10-27 12:56 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2014-11-11 21:43 - 2014-10-27 12:56 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2014-11-11 21:43 - 2014-10-27 12:56 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2014-11-11 21:43 - 2014-10-27 12:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2014-11-11 21:43 - 2014-10-27 12:56 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2014-11-11 21:43 - 2014-10-27 12:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-11-11 21:43 - 2014-10-27 12:55 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2014-11-11 21:43 - 2014-10-27 12:55 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2014-11-11 21:43 - 2014-10-27 12:55 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2014-11-11 21:43 - 2014-10-27 12:55 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll

2014-11-11 21:43 - 2014-10-27 12:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe

2014-11-11 21:43 - 2014-10-27 12:55 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe

2014-11-11 21:43 - 2014-10-27 12:54 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2014-11-11 21:42 - 2014-10-27 13:10 - 12366848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-11-11 21:42 - 2014-10-27 13:05 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2014-11-11 21:30 - 2014-11-11 21:30 - 00003260 _____ () C:\Users\tXXXX1\Desktop\attach.txt

2014-11-11 21:30 - 2014-11-11 21:29 - 00009566 _____ () C:\Users\tXXXX1\Desktop\dds.txt

2014-11-11 21:26 - 2014-11-11 21:26 - 00688992 ____R (Swearware) C:\Users\tXXXX1\Desktop\dds.com

2014-11-11 00:08 - 2014-11-11 00:12 - 00003692 _____ () C:\Users\tXXXX1\Desktop\Rkill.txt

2014-11-11 00:08 - 2014-11-11 00:08 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\tXXXX1\Desktop\rkill.exe

2014-11-10 23:22 - 2014-11-11 14:34 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-11-10 23:19 - 2014-11-11 00:01 - 00000000 ____D () C:\Users\tXXXX1\Desktop\mbar

2014-11-10 23:18 - 2014-11-10 23:18 - 14439144 _____ (Malwarebytes Corp.) C:\Users\tXXXX1\Desktop\mbar-1.08.0.1001.exe

2014-11-10 22:00 - 2014-11-10 22:06 - 00027650 _____ () C:\Users\tXXXX1\Desktop\Result.txt

2014-11-10 21:59 - 2014-11-10 21:59 - 00401920 _____ (Farbar) C:\Users\tXXXX1\Desktop\MiniToolBox.exe

2014-11-10 21:57 - 2014-11-10 21:57 - 00002730 _____ () C:\Users\tXXXX1\Desktop\FSS.txt

2014-11-10 21:56 - 2014-11-10 21:56 - 00415232 _____ (Farbar) C:\Users\tXXXX1\Desktop\FSS.exe

2014-11-10 21:54 - 2014-11-10 21:54 - 00000964 _____ () C:\Users\tXXXX1\Desktop\checkup.txt

2014-11-10 21:34 - 2014-11-10 21:34 - 00854448 _____ () C:\Users\tXXXX1\Desktop\SecurityCheck.exe

2014-11-09 13:42 - 2014-11-09 13:42 - 00000160 ____H () C:\ProgramData\@system3.att

2014-11-09 13:41 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7

2014-11-09 13:41 - 2014-11-09 13:42 - 00000424 _____ () C:\ProgramData\@system.temp

2014-11-09 13:41 - 2014-11-09 13:41 - 00000448 ____H () C:\Users\tXXXX1\AppData\Roaming\麽鎒駓覜

2014-11-09 10:38 - 2014-11-10 21:29 - 00000000 ____D () C:\Users\tXXXX1\AppData\Local\{dc6c5feb-bf94-1352-780a-8855d40d6240}

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-11-28 17:40 - 2014-09-17 22:11 - 00000000 ____D () C:\FRST

2014-11-28 17:38 - 2008-02-03 16:41 - 00000000 ____D () C:\Users\tXXXX1

2014-11-28 17:38 - 2006-11-02 05:18 - 00000000 ___RD () C:\Users\Public

2014-11-28 17:35 - 2006-11-02 04:33 - 00759582 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-11-28 17:32 - 2008-01-28 21:56 - 01084942 _____ () C:\Windows\WindowsUpdate.log

2014-11-28 17:28 - 2012-10-19 22:11 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-11-28 17:28 - 2008-01-28 22:16 - 00000000 _____ () C:\Windows\system32\LogConfigTemp.xml

2014-11-28 17:28 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2014-11-28 17:28 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2014-11-28 17:27 - 2006-11-02 07:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-11-28 17:05 - 2006-11-02 07:01 - 00032646 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

2014-11-28 16:48 - 2012-04-09 13:13 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-11-28 16:25 - 2012-10-19 22:11 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-11-27 15:26 - 2011-02-13 11:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM

2014-11-26 10:50 - 2012-04-09 13:13 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2014-11-26 10:50 - 2011-05-17 09:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

2014-11-23 23:10 - 2014-09-13 13:57 - 00015872 _____ () C:\Users\tXXXX1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2014-11-23 23:00 - 2011-03-08 21:20 - 00000000 ____D () C:\Users\tXXXX1\AppData\Local\CrashDumps

2014-11-17 00:05 - 2008-02-08 21:16 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy

2014-11-12 11:53 - 2006-11-02 05:18 - 00000000 ____D () C:\Windows\Microsoft.NET

2014-11-12 11:42 - 2006-11-02 05:18 - 00000000 ____D () C:\Windows\rescache

2014-11-12 11:26 - 2006-11-02 06:47 - 00304152 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-11-12 11:02 - 2013-08-15 10:47 - 00000000 ____D () C:\Windows\system32\MRT

2014-11-12 10:58 - 2006-11-02 04:24 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

2014-11-11 00:03 - 2008-04-30 03:30 - 00000000 ____D () C:\Windows\ACER

2014-11-10 23:22 - 2014-09-13 15:22 - 00115928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-11-10 23:20 - 2014-09-13 15:21 - 00079576 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-11-10 22:13 - 2014-09-13 15:21 - 00000903 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-11-10 22:13 - 2014-09-13 15:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-11-10 22:13 - 2014-09-13 15:21 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware

2014-11-09 15:09 - 2012-11-16 23:09 - 00000000 ____D () C:\Users\tXXXX1\Desktop\Steve Memory stick

2014-11-09 15:09 - 2009-04-22 18:07 - 00000000 ____D () C:\Users\tXXXX1\Documents\Symantec

2014-11-09 15:08 - 2014-09-18 23:23 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\Philipp Winterberg

2014-11-09 15:08 - 2012-01-13 16:07 - 00000000 ____D () C:\Users\tXXXX1\Desktop\2012_01_13

2014-11-09 15:08 - 2011-01-30 12:32 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\W Photo Studio Viewer

2014-11-09 15:08 - 2010-05-16 14:51 - 00000000 ____D () C:\Users\tXXXX1\Desktop\Fighting Chance

2014-11-09 15:08 - 2009-02-13 13:57 - 00000000 ____D () C:\Users\tXXXX1\Desktop\2009_02_13

2014-11-09 15:08 - 2008-02-06 10:32 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\Adobe

2014-11-09 15:08 - 2008-02-03 16:41 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\Acer GameZone Console

2014-11-09 15:05 - 2011-02-22 21:51 - 00000000 ____D () C:\Users\tXXXX1\2011_02_22

2014-11-09 15:05 - 2008-02-09 14:03 - 00000000 ____D () C:\Users\tXXXX1\AppData\Local\Google

2014-11-09 15:01 - 2009-04-22 18:04 - 00000000 ____D () C:\Users\Public\Downloads\Norton

2014-11-09 15:00 - 2009-04-22 18:04 - 00000000 ____D () C:\ProgramData\Norton

2014-11-09 15:00 - 2008-06-28 16:21 - 00000000 ____D () C:\ProgramData\Kodak

2014-10-30 05:24 - 2010-05-17 16:31 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

 

Some content of TEMP:

====================

C:\Users\tXXXX1\AppData\Local\Temp\RtkBtMnt.exe

 

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-11-28 17:35

 

==================== End Of Log ============================



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:03 PM

Posted 29 November 2014 - 05:32 AM

Hi ND_Fan,
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
2014-11-09 13:42 - 2014-11-09 13:42 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-09 13:41 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7
2014-11-09 13:41 - 2014-11-09 13:42 - 00000424 _____ () C:\ProgramData\@system.temp
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • AdwCleaner scan log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
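As an added illustration (not part of this thread, of FRST, or of the helper's own method): a small Python triage script that parses FRST "One Month Created/Modified Files" lines like the ones the fixlist above was built from and applies a few assumed heuristics to shortlist fixlist candidates. The sample lines are copied from the FRST log quoted earlier in this thread; the heuristics are assumptions for illustration and deliberately do not catch FrameworkUpdate7, which the analyst flagged from experience rather than from any file attribute.

```python
"""Triage helper for FRST "One Month Created/Modified Files" entries.

Added example; not part of FRST and not the analyst's own method. It parses
FRST log lines and applies assumed heuristics to shortlist fixlist
candidates. The output is a starting point for an analyst, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One FRST entry: "created - modified - size attrs (company) path"
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Trailing "\{8-4-4-4-12 hex}" directory component
GUID_DIR = re.compile(r"\\\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

# Sample lines copied from the FRST log quoted earlier in this thread.
SAMPLE_LOG = r"""
2014-11-09 13:42 - 2014-11-09 13:42 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-09 13:41 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7
2014-11-09 13:41 - 2014-11-09 13:42 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-09 13:41 - 2014-11-09 13:41 - 00000448 ____H () C:\Users\tXXXX1\AppData\Roaming\麽鎒駓覜
2014-11-09 10:38 - 2014-11-10 21:29 - 00000000 ____D () C:\Users\tXXXX1\AppData\Local\{dc6c5feb-bf94-1352-780a-8855d40d6240}
2014-11-28 17:28 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-26 10:50 - 2012-04-09 13:13 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-28 17:28 - 2012-10-19 22:11 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str    # e.g. "____D" directory, "____H" hidden, "_____" plain file
    company: str  # publisher from version info; empty when absent
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an FRST file line, or None for headers/blank lines."""
    m = FRST_LINE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Entry(g["created"], g["modified"], int(g["size"]),
                 g["attrs"], g["company"], g["path"])


def reasons(e: Entry) -> List[str]:
    """Assumed heuristics. Each hit is a reason to look closer, not proof."""
    low = e.path.lower()
    user_writable = "\\programdata\\" in low or "\\appdata\\" in low
    name = e.path.rsplit("\\", 1)[-1]
    out: List[str] = []
    if e.hidden and not e.is_dir and not e.company and user_writable:
        out.append("hidden file without publisher info in a user-writable location")
    if any(ord(ch) > 127 for ch in name):
        out.append("non-ASCII file name")
    if e.is_dir and "\\appdata\\local\\" in low and GUID_DIR.search(e.path):
        out.append("bare GUID folder under AppData\\Local")
    if low.startswith("c:\\programdata\\@"):
        out.append("'@'-prefixed name directly under ProgramData")
    return out


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            r = reasons(e)
            if r:
                hits[e.path] = r
    return hits


def fixlist_candidates(hits: Dict[str, List[str]]) -> List[str]:
    """Sorted paths for the analyst to review; the thread's fixlists use
    either bare paths or whole FRST lines."""
    return sorted(hits)


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path + "\n    - " + "\n    - ".join(why))
```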


#7 ND_Fan

ND_Fan
  • Topic Starter

  • Members
  • 70 posts
  • Local time:05:03 PM

Posted 29 November 2014 - 01:27 PM

Hi xXToffeeXx -

 

Thanks for the reply.  Below are my scan logs.

 

Please Note #1: this morning was very difficult for me to access the internet.  I experienced multiple delays where the IE browser would just clock and clock.  Plus this morning we received a very suspicious email claiming to be from our ISP provider saying we needed to click on a link to "verify our email profile to prevent closure before 24 hours".  Obviously we did not comply, but seems to be further evidence we are infected. 

 

Please Note #2: I accidentally did not copy properly your fixlist code, since I intentionally mask the username with "XXXX" due to privacy concerns.  I forgot to overwrite my "XXXX" in the 1st run and received an error in the log that it could not find the 2nd file. 

 

Therefore I ran the fixlist code twice: 1st time moved the 1st and 3rd files successfully (where there was no username reference), then the 2nd time I overwrote the "XXXX" to the proper username, and ran it a 2nd time and moved the 2nd file successfully (hence why you see my latest fixlog only showing I moved the 2nd file successfully).

 

Please review my logs and advise on next steps. 

 

Thanks,

ND_Fan

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-11-2014 01

Ran by tXXXX1 at 2014-11-29 11:59:24 Run:3

Running from C:\Users\tXXXX1\Desktop

Loaded Profile: tXXXX1 (Available profiles: tXXXX1)

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

2014-11-09 13:42 - 2014-11-09 13:42 - 00000160 ____H () C:\ProgramData\@system3.att

2014-11-09 13:41 - 2014-11-10 23:01 - 00000000 ____D () C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7

2014-11-09 13:41 - 2014-11-09 13:42 - 00000424 _____ () C:\ProgramData\@system.temp

*****************

 

"C:\ProgramData\@system3.att" => File/Directory not found.

C:\Users\tXXXX1\AppData\Roaming\FrameworkUpdate7 => Moved successfully.

"C:\ProgramData\@system.temp" => File/Directory not found.

 

==== End of Fixlog ====

 

# AdwCleaner v4.102 - Report created 29/11/2014 at 12:04:27

# Updated 23/11/2014 by Xplode

# Database : 2014-11-23.7 [Local]

# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)

# Username : tXXXX1 - TXXXX1-PC

# Running from : C:\Users\tXXXX1\Desktop\AdwCleaner.exe

# Option : Scan

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Found : C:\ProgramData\Tarma Installer

Folder Found : C:\Users\tXXXX1\AppData\LocalLow\Toolbar4

Folder Found : C:\Users\tXXXX1\AppData\LocalLow\visi_coupon

Folder Found : C:\Users\tXXXX1\AppData\Roaming\PerformerSoft

 

***** [ Scheduled Tasks ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Registry ] *****

 

Key Found : HKCU\Software\Microsoft\Babylon

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C8AE4B6E-3E17-479E-A346-56274B6276E9}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}

Key Found : HKLM\SOFTWARE\Classes\Prod.cap

Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Found : HKLM\SOFTWARE\Tarma Installer

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v9.0.8112.16592

 

 

-\\ Google Chrome v

 

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : dhdepfaagokllfmhfbcfmocaeigmoebo

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : fbmimoidopbghbcmdmpkjaffffmcbmbg

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : hphibigbodkkohoglgfkddblldpfohjl

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : kincjchfokkeneeofpeefomkikfkiedl

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : kkkeikdkpjenmoiicggnnodbkebafgpc

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : pgmfkblbflahhponhjmkcnpjinenhlnc

[C:\Users\tXXXX1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : geggofhlfbcmanadhknllmlajiafopoh

 

*************************

 

AdwCleaner[R0].txt - [3269 octets] - [29/11/2014 12:04:27]

 

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3329 octets] ##########



#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:03 PM

Posted 29 November 2014 - 02:37 PM

Hi ND_Fan,
 
Emails like that do not always mean you are infected; more likely a spammer got your email address, or they are making up random email addresses and yours happened to be included. IE not loading is a problem though, please reset it.
 
No worries on the username and fix having to be run twice, there's no harm done by it.
 
Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

--------------

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------
 
This scan can take a long time, so it is best done overnight or when you do not need the computer.
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • AdwCleaner clean log
  • Emsisoft log
  • ESET log

xXToffeeXx~




#9 ND_Fan

ND_Fan
  • Topic Starter

  • Members
  • 70 posts
  • Local time:05:03 PM

Posted 30 November 2014 - 12:04 PM

Hi xXToffeeXx -

 

I followed your steps successfully, including resetting IE. Below are my logs. Please review and advise on next steps.

 

Thanks,

ND_Fan

 

# AdwCleaner v4.102 - Report created 29/11/2014 at 23:09:37

# Updated 23/11/2014 by Xplode

# Database : 2014-11-23.7 [Local]

# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)

# Username : tXXXXman1 - TXXXXMAN1-PC

# Running from : C:\Users\tXXXXman1\Desktop\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Tarma Installer

Folder Deleted : C:\Users\tXXXXman1\AppData\LocalLow\Toolbar4

Folder Deleted : C:\Users\tXXXXman1\AppData\LocalLow\visi_coupon

Folder Deleted : C:\Users\tXXXXman1\AppData\Roaming\PerformerSoft

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF175732-0D59-716D-F757-9F1492D808D9}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C8AE4B6E-3E17-479E-A346-56274B6276E9}

Key Deleted : HKCU\Software\Microsoft\Babylon

Key Deleted : HKLM\SOFTWARE\Tarma Installer

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16592

-\\ Google Chrome v

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : dhdepfaagokllfmhfbcfmocaeigmoebo

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : fbmimoidopbghbcmdmpkjaffffmcbmbg

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : hphibigbodkkohoglgfkddblldpfohjl

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : kincjchfokkeneeofpeefomkikfkiedl

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : kkkeikdkpjenmoiicggnnodbkebafgpc

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : pgmfkblbflahhponhjmkcnpjinenhlnc

[C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : geggofhlfbcmanadhknllmlajiafopoh

*************************

AdwCleaner[R0].txt - [3409 octets] - [29/11/2014 12:04:27]

AdwCleaner[R1].txt - [3248 octets] - [29/11/2014 23:06:49]

AdwCleaner[S0].txt - [3219 octets] - [29/11/2014 23:09:37]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3279 octets] ##########

Emsisoft Emergency Kit - Version 9.0

Last update: 11/29/2014 11:25:23 PM

User account: tXXXXman1-PC\tXXXXman1

Scan settings:

Scan type: Full Scan

Objects: Rootkits, Memory, Traces, C:\, D:\

Detect PUPs: On

Scan archives: On

ADS Scan: On

File extension filter: Off

Advanced caching: On

Direct disk access: Off

Scan start: 11/29/2014 11:26:24 PM

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\free registry cleaner detected: Application.AdStart (A)

C:\Users\tXXXXman1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\free registry cleaner detected: Application.AdStart (A)

C:\Program Files\eusing free registry cleaner detected: Application.AppInstall (A)

Key: HKEY_USERS\.DEFAULT\SOFTWARE\IBUPDATERSERVICE detected: Application.InstallAd (A)

Key: HKEY_USERS\S-1-5-18\SOFTWARE\IBUPDATERSERVICE detected: Application.InstallAd (A)

C:\FRST\Quarantine\C\Users\tXXXXman1\AppData\Local\Iflsoft\ASMoper216A.dll detected: Gen:Variant.Symmi.46872 (B)

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{393ADFD4-4594-C3DE-13D9-BF908DADBE42}-msiexec.exe -> (Quarantine-PE) detected: Trojan.GenericKDZ.26333 (B)

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{80C3D239-E937-5418-9282-3FC9EB5AE17A}-msiexec.exe -> (Quarantine-PE) detected: Trojan.GenericKDZ.26333 (B)

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{E1034591-E77C-8ADF-CA54-7E10EC58322D}-msiexec.exe -> (Quarantine-PE) detected: Gen:Variant.Kazy.491827 (B)

Scanned 178367

Found 9

Scan end: 11/30/2014 12:23:17 AM

Scan time: 0:56:53

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{E1034591-E77C-8ADF-CA54-7E10EC58322D}-msiexec.exe Quarantined Gen:Variant.Kazy.491827 (B)

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{80C3D239-E937-5418-9282-3FC9EB5AE17A}-msiexec.exe Quarantined Trojan.GenericKDZ.26333 (B)

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{393ADFD4-4594-C3DE-13D9-BF908DADBE42}-msiexec.exe Quarantined Trojan.GenericKDZ.26333 (B)

C:\FRST\Quarantine\C\Users\tXXXXman1\AppData\Local\Iflsoft\ASMoper216A.dll Quarantined Gen:Variant.Symmi.46872 (B)

Key: HKEY_USERS\S-1-5-18\SOFTWARE\IBUPDATERSERVICE Quarantined Application.InstallAd (A)

C:\Program Files\eusing free registry cleaner Quarantined Application.AppInstall (A)

C:\Users\tXXXXman1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\free registry cleaner Quarantined Application.AdStart (A)

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\free registry cleaner Quarantined Application.AdStart (A)

Quarantined 8

C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application

C:\FRST\Quarantine\C\ProgramData\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\Public\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\Public\Downloads\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\tXXXXman1\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\tXXXXman1\AppData\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\tXXXXman1\AppData\Local\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\tXXXXman1\AppData\Roaming\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\tXXXXman1\Documents\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\FRST\Quarantine\C\Users\tXXXXman1\Downloads\DECRYPT_INSTRUCTION.TXT.xBAD Win32/Filecoder.CR trojan

C:\ProgramData\Kodak\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\ProgramData\Kodak\Registration\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\ProgramData\Microsoft\Office\Data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\ProgramData\Norton\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\ProgramData\Spybot - Search & Destroy\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\ProgramData\Spybot - Search & Destroy\Recovery\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\All Users\Kodak\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\All Users\Kodak\Registration\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\All Users\Microsoft\Office\Data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\All Users\Norton\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\All Users\Spybot - Search & Destroy\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\All Users\Spybot - Search & Destroy\Recovery\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\Public\Downloads\Norton\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\Public\Downloads\Norton\{3A7FA539-8005-4603-87D2-SOS1-NSS-v4}\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\Public\Pictures\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\Public\Pictures\Kodak Pictures\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\Public\Pictures\Kodak Pictures\8-25-2010\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\Public\Pictures\Kodak Pictures\New Album\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\2011_02_22\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Google\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Google\Chrome\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Internet Explorer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Outlook\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\Backup\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\Backup\new\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\Local Folders\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Mail\Stationery\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Media\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Local\Microsoft\Windows Media\11.0\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\LocalLow\Sun\Java\jre1.6.0_18\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Acer GameZone Console\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Acer GameZone Console\icons\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Adobe\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Adobe\Flash Player\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Adobe\Flash Player\AssetCache\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Adobe\Flash Player\AssetCache\C3FLKFSF\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Microsoft\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Microsoft\Outlook\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Microsoft\Templates\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Microsoft\Windows Photo Gallery\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Philipp Winterberg\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\Philipp Winterberg\Free RAR Extract Frog\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\AppData\Roaming\W Photo Studio Viewer\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Desktop\2009_02_13\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Desktop\2012_01_13\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Desktop\Fighting Chance\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Desktop\Steve Memory stick\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Documents\Symantec\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Downloads\ccsetup416.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

C:\Users\tXXXXman1\Downloads\ccsetup417.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

C:\Users\tXXXXman1\Pictures\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\2011-01-30\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2010_11_04\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2011_02_13\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2011_02_23\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2012_01_08\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2012_01_13\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2012_06_28\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2012_11_09\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2013_06_02\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2013_06_21\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2013_07_09\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2014_02_06\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2014_05_09\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2014_07_06\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\2014_08_13\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\Mail_20110213\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\Mail_20121109\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\Mail_20130602\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\Mail_20140509\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\New Folder\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

C:\Users\tXXXXman1\Pictures\MP Navigator EX\New Folder\Mail_20110213\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan

D:\DECRYPT_INSTRUCTION.TXT Win32/Filecoder.CR trojan



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:03 PM

Posted 01 December 2014 - 12:52 PM

Hi ND_Fan,
 
How is IE working now?
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#11 ND_Fan

ND_Fan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 01 December 2014 - 08:37 PM

Hi xXToffeeXx --

 

IE seems to be more responsive now.  The steps and IE reset seem to be making a positive impact!

 

Below is my new log.  Please review and advise on next steps.

 

Thanks,

ND_Fan

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-11-2014 01

Ran by tXXXXman1 at 2014-12-01 19:31:59 Run:4

Running from C:\Users\tXXXXman1\Desktop

Loaded Profile: tXXXXman1 (Available profiles: tXXXXman1)

Boot Mode: Normal

 

==============================================

 

Content of fixlist:

*****************

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy

*****************

 

C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy => Moved successfully.

 

==== End of Fixlog ====



#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:03 PM

Posted 04 December 2014 - 11:22 AM

Hi ND_Fan,
 
Sorry about the delay. I am glad to hear that IE is working well.
 
Your version of Adobe Reader is out of date.
 
Please follow these steps to remove older versions of Adobe Reader and update:

  • Download the latest version of Adobe Reader and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel, and double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Adobe Reader uninstaller.
  • Reboot your computer once Adobe Reader is removed.
  • Then from your desktop double-click on the Adobe Reader installer to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then run as Administrator.
  • If offered any unwanted software or toolbars during installation (such as the McAfee Security Plan Plus); just uncheck the box before continuing unless you want it.
  • Adobe Reader is updated frequently. If you want to be automatically notified of future updates, or automatically have them installed, then make sure to check the option in the installer.

xXToffeeXx~




#13 ND_Fan

ND_Fan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 04 December 2014 - 08:08 PM

Hi xXToffeeXx --

 

I followed your instructions and updated Adobe Reader.  Everything loaded successfully.

 

Ready for the next step.  Thanks!

 

ND_Fan



#14 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:11:03 PM

Posted 06 December 2014 - 10:51 AM

Hi ND_Fan,

 

How is your computer running now?

 

Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.

 

xXToffeeXx~




#15 ND_Fan

ND_Fan
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 10 December 2014 - 10:48 PM

Hi xXToffeeXx -

 

My computer's performance has improved. IE opens more quickly and seems more responsive.

 

Below is my latest scan log. Please review and advise on next steps.

 

Thanks,

ND_Fan

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-12-2014 01

Ran by tXXXXman1 (administrator) on TXXXXMAN1-PC on 10-12-2014 21:40:42

Running from C:\Users\tXXXXman1\Desktop

Loaded Profile: tXXXXman1 (Available profiles: tXXXXman1)

Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) OS Language: English (United States)

Internet Explorer Version 9

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe

(Agere Systems) C:\Windows\System32\agrsmsvc.exe

(Egis Incorporated) C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

() C:\Program Files\Acer\Empowering Technology\Service\ETService.exe

() C:\Program Files\Canon\IJPLM\ijplmsvc.exe

(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe

(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe

(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

(Microsoft Corporation) C:\Windows\ehome\ehtray.exe

() C:\Acer\Mobility Center\MobilityService.exe

(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe

(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Realtek Semiconductor Corp.) C:\Users\tXXXXman1\AppData\Local\Temp\RtkBtMnt.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

(Microsoft Corporation) C:\Windows\System32\wuauclt.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-25] (Synaptics, Inc.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)

HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [6183456 2008-06-13] (Realtek Semiconductor)

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [919008 2012-07-27] (Adobe Systems Incorporated)

HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-10-19] (Google Inc.)

ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.yahoo.com

HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Local Page =

HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Local Page =

HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Local Page =

HKU\S-1-5-21-1819874095-4173997821-445965943-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.mail.comcast.net/zimbra/mail?app=mail#1

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> DefaultScope {5E68D55A-2FBE-4077-8080-0967B0D3FC3A} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {5E68D55A-2FBE-4077-8080-0967B0D3FC3A} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {96bd48dd-741b-41ae-ac4a-aff96ba00f7e} URL = http://search.coupons.com/search.asp?p=df&q={searchTerms}

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {B84A2185-980B-462B-AFE7-C5E25B5BFBDE} URL = https://search.yahoo.com/search?p={searchTerms}&fr=chr

SearchScopes: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-iobit

BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

BHO: ShowBarObj Class -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)

BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKLM - No Name - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKU\S-1-5-21-1819874095-4173997821-445965943-1000 -> &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224957127295

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:

========

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.31010.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-05-17]

Chrome:

=======

CHR Profile: C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (YouTube) - C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-04-21]

CHR Extension: (Google Search) - C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-04-21]

CHR Extension: (Gmail) - C:\Users\tXXXXman1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-04-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ETService; C:\Program Files\Acer\Empowering Technology\Service\ETService.exe [24576 2008-03-21] () [File not signed]

R2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [97432 2007-04-13] () [File not signed]

R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]

R2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe [110592 2007-12-06] () [File not signed]

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)

R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 cleanhlp; C:\EEK\bin\cleanhlp32.sys [50200 2014-11-30] (Emsisoft GmbH)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)

S3 Inspect; system32\DRIVERS\inspect.sys [X]

S3 IpInIp; system32\DRIVERS\ipinip.sys [X]

S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]

S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-10 21:40 - 2014-12-10 21:40 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\FRST-OlderVersion

2014-12-10 10:41 - 2014-11-06 19:33 - 00974848 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll

2014-12-10 10:35 - 2014-12-02 20:06 - 00278528 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2014-12-09 17:38 - 2014-11-24 14:44 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\html.iec

2014-12-09 17:38 - 2014-11-24 14:41 - 12369920 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2014-12-09 17:38 - 2014-11-24 14:40 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2014-12-09 17:38 - 2014-11-24 14:37 - 09740800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2014-12-09 17:38 - 2014-11-24 14:35 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2014-12-09 17:38 - 2014-11-24 14:35 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2014-12-09 17:38 - 2014-11-24 14:34 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2014-12-09 17:38 - 2014-11-24 14:34 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll

2014-12-09 17:38 - 2014-11-24 14:33 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2014-12-09 17:38 - 2014-11-24 14:33 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2014-12-09 17:38 - 2014-11-24 14:33 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2014-12-09 17:38 - 2014-11-24 14:33 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2014-12-09 17:38 - 2014-11-24 14:33 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2014-12-09 17:38 - 2014-11-24 14:33 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2014-12-09 17:38 - 2014-11-24 14:33 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll

2014-12-09 17:38 - 2014-11-24 14:32 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2014-12-09 17:38 - 2014-11-24 14:32 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2014-12-09 17:38 - 2014-11-24 14:32 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2014-12-09 17:38 - 2014-11-24 14:32 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2014-12-09 17:38 - 2014-11-24 14:32 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2014-12-09 17:38 - 2014-11-24 14:32 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe

2014-12-09 17:38 - 2014-11-24 14:32 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe

2014-12-04 19:03 - 2014-12-04 19:03 - 00001896 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk

2014-12-04 19:03 - 2014-12-04 19:03 - 00001804 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk

2014-12-04 19:03 - 2014-12-04 19:03 - 00000000 ____D () C:\Program Files\Common Files\Adobe

2014-12-04 19:03 - 2014-12-04 19:03 - 00000000 ____D () C:\Program Files\Adobe

2014-12-04 10:41 - 2014-12-04 10:41 - 00000104 _____ () C:\Users\tXXXXman1\Desktop\Games - Shortcut.lnk

2014-11-30 10:48 - 2014-11-30 10:48 - 00009472 _____ () C:\Users\tXXXXman1\Desktop\ESETScan(11-29-14).txt

2014-11-30 01:00 - 2014-11-30 01:00 - 00000000 ____D () C:\Program Files\ESET

2014-11-30 00:55 - 2014-11-30 00:55 - 00005144 _____ () C:\Users\tXXXXman1\Desktop\a2scan_141129-232624.txt

2014-11-29 23:22 - 2014-11-29 23:22 - 00000701 _____ () C:\Users\tXXXXman1\Desktop\Start Emsisoft Emergency Kit.lnk

2014-11-29 23:21 - 2014-11-29 23:23 - 00000000 ____D () C:\EEK

2014-11-29 23:19 - 2014-11-29 23:20 - 161125248 _____ () C:\Users\tXXXXman1\Desktop\EmsisoftEmergencyKit.exe

2014-11-29 23:12 - 2014-11-29 23:12 - 00003359 _____ () C:\Users\tXXXXman1\Desktop\AdwCleaner[S0].txt

2014-11-29 12:04 - 2014-11-29 23:09 - 00000000 ____D () C:\AdwCleaner

2014-11-29 11:35 - 2014-11-29 11:35 - 02148864 _____ () C:\Users\tXXXXman1\Desktop\AdwCleaner.exe

2014-11-27 16:58 - 2014-11-27 16:58 - 00024005 _____ () C:\Users\tXXXXman1\Desktop\Addition.txt

2014-11-27 16:57 - 2014-12-10 21:40 - 00010660 _____ () C:\Users\tXXXXman1\Desktop\FRST.txt

2014-11-27 16:56 - 2014-12-10 21:40 - 01111040 _____ (Farbar) C:\Users\tXXXXman1\Desktop\FRST.exe

2014-11-24 12:28 - 2014-12-10 17:14 - 00121256 _____ () C:\Windows\PFRO.log

2014-11-20 10:38 - 2014-10-23 19:03 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2014-11-12 11:08 - 2014-10-09 19:00 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll

2014-11-12 11:07 - 2014-10-09 19:01 - 00449536 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll

2014-11-12 11:07 - 2014-10-09 19:00 - 01259008 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2014-11-12 11:07 - 2014-10-09 17:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll

2014-11-12 11:07 - 2014-08-26 18:55 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

2014-11-12 11:07 - 2014-08-26 18:55 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll

2014-11-12 11:06 - 2014-10-23 19:04 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll

2014-11-12 11:05 - 2014-08-11 20:25 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL

2014-11-12 11:04 - 2014-10-02 19:17 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll

2014-11-12 11:03 - 2014-10-17 19:08 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll

2014-11-12 11:03 - 2014-10-02 19:18 - 00274432 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll

2014-11-12 11:03 - 2014-10-02 19:17 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll

2014-11-12 11:03 - 2014-10-02 19:17 - 00170496 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll

2014-11-12 10:56 - 2014-10-12 17:34 - 02054656 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2014-11-11 21:49 - 2014-11-11 21:49 - 00001510 _____ () C:\Users\tXXXXman1\Desktop\attach.zip

2014-11-11 21:30 - 2014-11-11 21:30 - 00003260 _____ () C:\Users\tXXXXman1\Desktop\attach.txt

2014-11-11 21:30 - 2014-11-11 21:29 - 00009566 _____ () C:\Users\tXXXXman1\Desktop\dds.txt

2014-11-11 21:26 - 2014-11-11 21:26 - 00688992 ____R (Swearware) C:\Users\tXXXXman1\Desktop\dds.com

2014-11-11 00:08 - 2014-11-11 00:12 - 00003692 _____ () C:\Users\tXXXXman1\Desktop\Rkill.txt

2014-11-11 00:08 - 2014-11-11 00:08 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\tXXXXman1\Desktop\rkill.exe

2014-11-10 23:22 - 2014-11-11 14:34 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-11-10 23:19 - 2014-11-11 00:01 - 00000000 ____D () C:\Users\tXXXXman1\Desktop\mbar

2014-11-10 23:18 - 2014-11-10 23:18 - 14439144 _____ (Malwarebytes Corp.) C:\Users\tXXXXman1\Desktop\mbar-1.08.0.1001.exe

2014-11-10 22:00 - 2014-11-10 22:06 - 00027650 _____ () C:\Users\tXXXXman1\Desktop\Result.txt

2014-11-10 21:59 - 2014-11-10 21:59 - 00401920 _____ (Farbar) C:\Users\tXXXXman1\Desktop\MiniToolBox.exe

2014-11-10 21:57 - 2014-11-10 21:57 - 00002730 _____ () C:\Users\tXXXXman1\Desktop\FSS.txt

2014-11-10 21:56 - 2014-11-10 21:56 - 00415232 _____ (Farbar) C:\Users\tXXXXman1\Desktop\FSS.exe

2014-11-10 21:54 - 2014-11-10 21:54 - 00000964 _____ () C:\Users\tXXXXman1\Desktop\checkup.txt

2014-11-10 21:34 - 2014-11-10 21:34 - 00854448 _____ () C:\Users\tXXXXman1\Desktop\SecurityCheck.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-10 21:40 - 2014-09-17 22:11 - 00000000 ____D () C:\FRST

2014-12-10 21:25 - 2012-10-19 22:11 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-12-10 21:14 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2014-12-10 21:14 - 2006-11-02 06:47 - 00003216 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2014-12-10 20:48 - 2012-04-09 13:13 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-12-10 17:21 - 2006-11-02 04:33 - 00759582 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-12-10 17:19 - 2008-01-28 21:56 - 02048438 _____ () C:\Windows\WindowsUpdate.log

2014-12-10 17:14 - 2012-10-19 22:11 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-12-10 17:14 - 2008-01-28 22:16 - 00000000 _____ () C:\Windows\system32\LogConfigTemp.xml

2014-12-10 17:14 - 2006-11-02 07:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-12-10 15:05 - 2006-11-02 07:01 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

2014-12-10 10:58 - 2012-01-13 11:09 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

2014-12-10 10:48 - 2012-04-09 13:13 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2014-12-10 10:48 - 2011-05-17 09:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

2014-12-10 10:41 - 2013-08-15 10:47 - 00000000 ____D () C:\Windows\system32\MRT

2014-12-10 10:37 - 2006-11-02 04:24 - 109818608 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe

2014-12-10 10:34 - 2012-01-13 11:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2014-12-08 17:13 - 2011-03-08 21:20 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\CrashDumps

2014-12-07 02:08 - 2006-11-02 06:37 - 00000000 ___RD () C:\Users\Public\Recorded TV

2014-12-04 19:05 - 2008-02-08 20:59 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\Adobe

2014-12-04 19:03 - 2008-04-30 01:25 - 00000000 ____D () C:\ProgramData\Adobe

2014-11-30 23:17 - 2014-09-13 13:57 - 00014848 _____ () C:\Users\tXXXXman1\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2014-11-28 17:38 - 2008-02-03 16:41 - 00000000 ____D () C:\Users\tXXXXman1

2014-11-28 17:38 - 2006-11-02 05:18 - 00000000 ___RD () C:\Users\Public

2014-11-27 15:26 - 2011-02-13 11:52 - 00000000 ____D () C:\ProgramData\CanonIJPLM

2014-11-17 00:05 - 2008-02-08 21:16 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy

2014-11-12 11:53 - 2006-11-02 05:18 - 00000000 ____D () C:\Windows\Microsoft.NET

2014-11-12 11:42 - 2006-11-02 05:18 - 00000000 ____D () C:\Windows\rescache

2014-11-12 11:26 - 2006-11-02 06:47 - 00304152 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-11-11 00:03 - 2008-04-30 03:30 - 00000000 ____D () C:\Windows\ACER

2014-11-10 23:22 - 2014-09-13 15:22 - 00115928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-11-10 23:20 - 2014-09-13 15:21 - 00079576 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-11-10 22:13 - 2014-09-13 15:21 - 00000903 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-11-10 22:13 - 2014-09-13 15:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-11-10 22:13 - 2014-09-13 15:21 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware

2014-11-10 21:29 - 2014-11-09 10:38 - 00000000 ____D () C:\Users\tXXXXman1\AppData\Local\{dc6c5feb-bf94-1352-780a-8855d40d6240}

Some content of TEMP:

====================

C:\Users\tXXXXman1\AppData\Local\Temp\Quarantine.exe

C:\Users\tXXXXman1\AppData\Local\Temp\RtkBtMnt.exe

C:\Users\tXXXXman1\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-12-10 17:20

==================== End Of Log ============================


Edited by xXToffeeXx, 11 December 2014 - 11:48 AM.
Removed formatting for ease~
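As an added example that is not part of the thread, of BleepingComputer's instructions or of FRST itself: a small Python triage script that splits an FRST.txt log like the one posted above into its sections and pulls out the entries a responder usually checks first: processes running from a Temp directory, autostart entries with an empty publisher field, services FRST marks `[File not signed]`, drivers whose file is missing (`[X]`), and anything in the Bamital & volsnap check that does not read `File is digitally signed`. The section titles and markers are taken from the log format shown above; the sample log, every vendor, service name and path in it, and the wording of a failed verification verdict are constructed assumptions.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) text logs.

Added example, not code from the thread or from FRST. The sample log, its
names and paths, and the failed-verdict wording are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the section layout of the FRST.txt above
# (made-up vendors, services and paths). Raw string keeps the backslashes.
SAMPLE_FRST_LOG = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Example Vendor) C:\Users\user\AppData\Local\Temp\helper.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Updater] => C:\Program Files\Example\upd.exe [1024 2014-01-01] (Example Vendor)
HKLM\...\Run: [Loader] => C:\Users\user\AppData\Roaming\load.exe [2048 2014-12-01] ()

========================== Services (Whitelisted) =================

R2 ExampleSvc; C:\Program Files\Example\svc.exe [24576 2008-03-21] () [File not signed]
R2 GoodSvc; C:\Program Files\Good\good.exe [22192 2014-08-22] (Good Vendor)

==================== Drivers (Whitelisted) ====================

R0 GoodFlt; C:\Windows\System32\DRIVERS\goodflt.sys [231800 2014-07-17] (Good Vendor)
S3 Ghost; system32\DRIVERS\ghost.sys [X]

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is not digitally signed
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")  # "==== Title ===="
# "HKLM\...\Run: [Name] => path [size date] (Publisher)"; size/date and publisher are optional
RUN_RE = re.compile(r"^HK\S+?\\Run: \[(.+?)\] => (.+?)(?: \[\d+ [\d-]+\])?(?: \((.*)\))?$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
SIGNED_VERDICT = "File is digitally signed"


def parse_sections(log_text):
    """Split the log into {section title: [entry lines]}.

    Blank lines and the "(If an entry is included in the fixlist ...)" notes
    are dropped; a bar with no title (the "========" under "FireFox:") does
    not start a new section.
    """
    sections = defaultdict(list)
    current = "Preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and re.search(r"[A-Za-z]", m.group(1)):
            current = m.group(1)
            continue
        if line.startswith("(If ") or line.startswith("(There is no"):
            continue
        sections[current].append(line)
    return sections


def _entry_name(line):
    """'R2 ExampleSvc; C:\\...' -> 'ExampleSvc' (services and drivers)."""
    return line.split(";", 1)[0].split(" ", 1)[1]


def triage(log_text):
    """Return the entries a responder checks first, grouped by reason."""
    sections = parse_sections(log_text)
    findings = {
        "temp_executables": [],         # process image lives under a Temp directory
        "unsigned_run_entries": [],     # autostart entry with an empty publisher "( )"
        "unsigned_services": [],        # FRST marks the binary [File not signed]
        "missing_driver_files": [],     # driver registered but its file is absent: [X]
        "failed_integrity_checks": [],  # any verdict other than the signed one (assumed wording)
    }
    for line in sections.get("Processes (Whitelisted)", []):
        if TEMP_DIR_RE.search(line):
            findings["temp_executables"].append(line.split(") ", 1)[-1])
    for line in sections.get("Registry (Whitelisted)", []):
        m = RUN_RE.match(line)
        if m and not m.group(3):
            findings["unsigned_run_entries"].append(m.group(1))
    for line in sections.get("Services (Whitelisted)", []):
        if "[File not signed]" in line:
            findings["unsigned_services"].append(_entry_name(line))
    for line in sections.get("Drivers (Whitelisted)", []):
        if line.endswith("[X]"):
            findings["missing_driver_files"].append(_entry_name(line))
    for line in sections.get("Bamital & volsnap Check", []):
        path, _, verdict = line.partition(" => ")
        if verdict != SIGNED_VERDICT:
            findings["failed_integrity_checks"].append(path)
    return findings


if __name__ == "__main__":
    for reason, items in triage(SAMPLE_FRST_LOG).items():
        print(f"{reason}: {items}")
```

Run it against a real FRST.txt by passing the file's contents to `triage()`; the output is a shortlist to look into, not a verdict, since unsigned OEM services and vendor utilities in Temp (such as the Realtek helper in the log above) show up alongside anything genuinely suspicious.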




