I think I got infected


This topic is locked
9 replies to this topic

#1 Isdelft


  • Members
  • 4 posts

Posted 28 November 2014 - 02:56 PM

Maybe; I think it happened the day before yesterday. My Chrome got infected by some Russian adware.

Lately I downloaded Genymotion for my project, and I find that my computer started to run slowly.

 

This is the problem website:

 

[screenshot of the problem website]

Here is a log from AdwCleaner:

 

# AdwCleaner v4.102 - Report created 29/11/2014 at 02:17:43

# Updated 23/11/2014 by Xplode
# Database : 2014-11-27.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : user - USER-PC
# Running from : C:\Users\user\Downloads\adwcleaner_4.102.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2974C985-8151-4DE5-B23C-B875F0A8522F}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v39.0.2171.71
 
 
*************************
 
AdwCleaner[R0].txt - [10834 octets] - [15/08/2014 03:13:29]
AdwCleaner[R10].txt - [1816 octets] - [29/11/2014 01:52:00]
AdwCleaner[R11].txt - [1938 octets] - [29/11/2014 02:03:11]
AdwCleaner[R12].txt - [896 octets] - [29/11/2014 02:17:43]
AdwCleaner[R1].txt - [8682 octets] - [17/10/2014 01:50:26]
AdwCleaner[R2].txt - [8742 octets] - [17/10/2014 01:57:08]
AdwCleaner[R3].txt - [1459 octets] - [28/11/2014 04:32:49]
AdwCleaner[R4].txt - [1519 octets] - [28/11/2014 04:37:45]
AdwCleaner[R5].txt - [1336 octets] - [28/11/2014 14:44:24]
AdwCleaner[R6].txt - [1456 octets] - [28/11/2014 15:14:49]
AdwCleaner[R7].txt - [1516 octets] - [28/11/2014 16:45:17]
AdwCleaner[R8].txt - [1635 octets] - [28/11/2014 17:39:12]
AdwCleaner[R9].txt - [1695 octets] - [28/11/2014 18:14:20]
AdwCleaner[S0].txt - [10479 octets] - [15/08/2014 03:16:57]
AdwCleaner[S1].txt - [8681 octets] - [17/10/2014 02:05:54]
AdwCleaner[S2].txt - [1588 octets] - [28/11/2014 04:40:14]
AdwCleaner[S3].txt - [1399 octets] - [28/11/2014 15:10:08]
AdwCleaner[S4].txt - [1566 octets] - [28/11/2014 16:54:31]
AdwCleaner[S5].txt - [1758 octets] - [28/11/2014 18:18:16]
AdwCleaner[S6].txt - [1879 octets] - [29/11/2014 01:56:06]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R12].txt - [1917 octets] ##########
 

 

Malwarebytes did not find any; only AdwCleaner found it.

 

I tried to delete it several times, but this key is still persistent.

 

And the last time I cleaned it, it changed to another website, with a popup, and it still redirects me to some website.

 

 

The lower-left popup is still the same popup as before.

 

[screenshot of the popup]

 

 

Please help, thank you.




#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 72,173 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 November 2014 - 03:07 PM

Hello,

Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
    <-insert any special instructions here for what to uncheck OR remove this line if there are none->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.


#3 Isdelft

  • Topic Starter

  • Members
  • 4 posts

Posted 05 December 2014 - 04:24 AM

Sorry for the late reply; I just thought the adware was removed completely, but it is not.

 

I found PUM.Dns in RogueKiller; here is the log:

 

 

RogueKiller V10.0.8.0 [Nov 20 2014] by Adlice Software

 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Administrator]
Mode : Scan -- Date : 12/05/2014  16:15:36
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 5 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{38479EF8-E453-47F9-A135-4BC8DE8DB593} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38479EF8-E453-47F9-A135-4BC8DE8DB593} | DhcpNameServer : 172.20.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{38479EF8-E453-47F9-A135-4BC8DE8DB593} | DhcpNameServer : 94.249.192.104 8.8.8.8 [(Unknown Country?) (XX)]  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BEKT-75F3T0 ATA Device +++++
--- User ---
[MBR] 8285fab94520109224ce0a0db798ba05
[BSP] 1ce4ca2699585ee626528585cebbde67 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 149900 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 307202048 | Size: 155243 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_DEL_11292014_104000.log - RKreport_DEL_11292014_104021.log - RKreport_DEL_11292014_104420.log - RKreport_DEL_11292014_104503.log
RKreport_DEL_11292014_104530.log - RKreport_DEL_11292014_104533.log - RKreport_DEL_11292014_104537.log - RKreport_DEL_11292014_104543.log
RKreport_DEL_11292014_234448.log - RKreport_DEL_12022014_235340.log - RKreport_DEL_12022014_235613.log - RKreport_DEL_12032014_170402.log
RKreport_DEL_12032014_171740.log - RKreport_DEL_12032014_171745.log - RKreport_DEL_12032014_171750.log - RKreport_DEL_12032014_215132.log
RKreport_DEL_12042014_151940.log - RKreport_DEL_12042014_151955.log - RKreport_DEL_12042014_151956.log - RKreport_DEL_12052014_142806.log
RKreport_SCN_11292014_103835.log - RKreport_SCN_11292014_104335.log - RKreport_SCN_11292014_234425.log - RKreport_SCN_11292014_234736.log
RKreport_SCN_12022014_235327.log - RKreport_SCN_12022014_235603.log - RKreport_SCN_12032014_170329.log - RKreport_SCN_12032014_171725.log
RKreport_SCN_12032014_215023.log - RKreport_SCN_12032014_215330.log - RKreport_SCN_12042014_151558.log - RKreport_SCN_12042014_152154.log
RKreport_SCN_12042014_193554.log - RKreport_SCN_12052014_142112.log - RKreport_SCN_12052014_142550.log - RKreport_SCN_12052014_151156.log

 

And this is the FRST log:

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-12-2014

Ran by user (administrator) on USER-PC on 05-12-2014 16:17:26
Running from C:\Users\user\Downloads
Loaded Profile: user (Available profiles: user)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
() C:\Program Files (x86)\Garena Plus\ggdllhost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(TunnelBear) C:\Program Files (x86)\TunnelBear\TBear.Client.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(AVG Technologies) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(AVG Technologies) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Users\user\Downloads\RogueKiller.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11780712 2011-02-24] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [RemoteControl11] => C:\Program Files (x86)\CyberLink\PowerDVD11\PDVD11Serv.exe [234792 2011-04-20] (CyberLink Corp.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [136488 2010-08-20] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\CyberLink\YouCam\YouCamTray.exe [162912 2010-08-20] (CyberLink Corp.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3653136 2014-11-09] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Run: [FlashGet 3] => C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGet3.exe [3090056 2012-03-15] (Trend Media Corporation Limited)
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3671904 2012-08-28] (DT Soft Ltd)
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Run: [GarenaPlus] => C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe [9883440 2013-10-24] ()
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20472992 2013-10-02] (Skype Technologies S.A.)
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Run: [Line] => C:\Program Files (x86)\Naver\LINE\Line.exe [3965288 2014-08-22] (LINE Corporation)
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [1940160 2014-11-19] (Valve Corporation)
IFEO\effectextractor.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\flashget3.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\line.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lineuninst.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\magiclk7.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\skype.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\thsdict.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\uninst.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\youcam.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MagicLinker.lnk
ShortcutTarget: MagicLinker.lnk -> C:\Program Files (x86)\ThaiSoftware Enterprise\ThaiSoftware Dictionary v.7.0\Bin\MagicLk7.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_20\bin\ssv.dll (Oracle Corporation)
BHO: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_20\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: FlashGetBHO -> {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} -> C:\Users\user\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll (Trend Media Group)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {2B6F3D45-8258-4A13-85B8-58C62DFDB4EA} https://secure1.playfps.com/play/ava/ax/WebLauncher.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\sysWOW64\urlmon.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 172.20.10.1
 
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9ftw91sm.default-1356539406158
FF SearchEngineOrder.3: Bing 
FF Homepage: user_pref("browser.startup.homepage", );
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=11.20.2 -> C:\Program Files\Java\jre1.8.0_20\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.20.2 -> C:\Program Files\Java\jre1.8.0_20\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll ( Garena)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-3133892873-2707905542-3707845760-1000: @eximion.com/KalydoPlayer -> C:\Users\user\AppData\Roaming\Kalydo\KalydoPlayer\bin2\npkalydo.dll (Eximion B.V.)
FF Plugin HKU\S-1-5-21-3133892873-2707905542-3707845760-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Extension: No Name - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\9ftw91sm.default-1356539406158\Extensions\firefox-hotfix@mozilla.org [2014-03-26]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-04-18]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-04-25]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-28]
CHR Extension: (Google Docs) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-28]
CHR Extension: (Lucidchart Diagrams - Online) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apboafhkiegglekeafbckfjldecefkhn [2014-11-28]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-28]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-28]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-28]
CHR Extension: (Google Search) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-28]
CHR Extension: (ViewThisGlobal) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlndelonmlbmbigehnbnaohofacpecja [2014-11-30]
CHR Extension: (グランブルーファンタジー[ChromeApps版]) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eablgejicbklomgaiclcolfilbkckngf [2014-11-28]
CHR Extension: (Block site) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2014-11-28]
CHR Extension: (Google Sheets) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-28]
CHR Extension: (User-Agent Switcher) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkmofgnohbedopheiphabfhfjgkhfcgf [2014-11-28]
CHR Extension: (Muffin Knight) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngcgpajmidlcgbkpjaopbcglkjepkbaa [2014-11-28]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-28]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-28]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3488784 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 CLHNServiceForPowerDVD; C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [83240 2011-04-20] ()
R2 CyberLink PowerDVD 11.0 Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [70952 2011-03-31] (CyberLink)
R2 CyberLink PowerDVD 11.0 Service; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe [312616 2011-03-31] (CyberLink)
S2 KMService; C:\Windows\SysWOW64\srvany.exe [8192 2012-08-13] () [File not signed]
S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [279848 2007-06-27] (Nero AG)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [4566840 2012-08-31] (INCA Internet Co., Ltd.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [2604856 2014-11-24] (AVG Technologies)
S3 TunnelBearMaintenance; C:\Program Files (x86)\TunnelBear\TBear.Maintenance.exe [25536 2014-04-14] ()
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [263960 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-12-24] (DT Soft Ltd)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2014-10-17] ()
R1 ISODrive; C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [104912 2007-11-07] (EZB Systems, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-11-28] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-12-05] ()
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [14112 2014-11-24] (TuneUp Software)
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; C:\Program Files (x86)\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [148976 2011-04-12] (CyberLink Corp.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 X6va009; \??\C:\Windows\SysWOW64\Drivers\X6va009 [X]
S3 X6va010; \??\C:\Windows\SysWOW64\Drivers\X6va010 [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-05 16:17 - 2014-12-05 16:18 - 00020138 _____ () C:\Users\user\Downloads\FRST.txt
2014-12-05 16:17 - 2014-12-05 16:17 - 00000000 ____D () C:\FRST
2014-12-05 15:39 - 2014-12-05 15:40 - 02117632 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe
2014-12-05 15:30 - 2014-12-05 15:30 - 00000000 _____ () C:\Windows\setuperr.log
2014-12-05 13:48 - 2014-12-05 13:48 - 00003694 _____ () C:\Windows\System32\Tasks\Adobe Reader and Acrobat Manager
2014-12-05 13:22 - 2014-11-24 12:48 - 00040248 _____ (AVG Technologies) C:\Windows\system32\TURegOpt.exe
2014-12-05 13:22 - 2014-11-24 12:48 - 00029496 _____ (AVG Technologies) C:\Windows\system32\authuitu.dll
2014-12-05 13:22 - 2014-11-24 12:48 - 00025400 _____ (AVG Technologies) C:\Windows\SysWOW64\authuitu.dll
2014-12-05 13:21 - 2014-12-05 13:21 - 00002233 _____ () C:\Users\Public\Desktop\AVG 1-Click Maintenance.lnk
2014-12-05 13:21 - 2014-12-05 13:21 - 00002219 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp 2015.lnk
2014-12-05 13:21 - 2014-12-05 13:21 - 00002207 _____ () C:\Users\Public\Desktop\AVG PC TuneUp 2015.lnk
2014-12-05 13:21 - 2014-12-05 13:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG PC TuneUp 2015
2014-12-05 13:19 - 2014-12-05 13:19 - 00000000 ____D () C:\Users\user\AppData\Roaming\AVG
2014-12-05 13:16 - 2014-12-05 13:16 - 00000000 ____D () C:\Users\user\AppData\Local\Avg
2014-12-05 13:14 - 2014-12-05 13:22 - 00000000 ____D () C:\ProgramData\AVG
2014-12-05 13:11 - 2014-12-05 13:13 - 90844984 _____ (AVG Technologies) C:\Users\user\Downloads\avg_tuh_stf_all_2015_238_24c28.exe
2014-12-05 03:32 - 2014-12-05 03:32 - 00000000 ____D () C:\Users\user\AppData\Roaming\AVG2015
2014-12-05 03:30 - 2014-12-05 03:30 - 00000969 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-12-05 03:30 - 2014-12-05 03:30 - 00000000 ____D () C:\Users\user\AppData\Roaming\TuneUp Software
2014-12-05 03:30 - 2014-12-05 03:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-12-05 03:29 - 2014-12-05 03:31 - 00000000 ____D () C:\ProgramData\AVG2015
2014-12-05 03:29 - 2014-12-05 03:29 - 00000000 ___HD () C:\$AVG
2014-12-05 03:28 - 2014-12-05 13:19 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-12-05 03:24 - 2014-12-05 12:15 - 00000000 ____D () C:\ProgramData\MFAData
2014-12-05 03:24 - 2014-12-05 03:35 - 00000000 ____D () C:\Users\user\AppData\Local\Avg2015
2014-12-05 03:24 - 2014-12-05 03:24 - 00000000 ____D () C:\Users\user\AppData\Local\MFAData
2014-12-05 03:23 - 2014-12-05 03:23 - 04637504 _____ (AVG Technologies) C:\Users\user\Downloads\avg_free_stb_all_2015_5557_cnet.exe
2014-12-04 15:01 - 2014-12-04 15:01 - 00022340 _____ () C:\ComboFix.txt
2014-12-04 02:35 - 2014-12-04 02:35 - 00358861 _____ () C:\Users\user\Downloads\SpeechToTextDemo.zip
2014-12-03 00:10 - 2014-12-03 00:10 - 00003086 _____ () C:\Users\user\Downloads\texttospeech-master.zip
2014-12-01 21:27 - 2014-12-01 21:27 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-USER-PC-Microsoft-Windows-7-Ultimate-(64-bit).dat
2014-12-01 21:24 - 2014-12-01 21:24 - 00000000 ____D () C:\RegBackup
2014-12-01 21:08 - 2014-12-01 21:08 - 00001080 _____ () C:\Users\Public\Desktop\Oracle VM VirtualBox.lnk
2014-12-01 21:08 - 2014-12-01 21:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
2014-12-01 21:08 - 2013-04-12 11:41 - 00237840 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxDrv.sys
2014-12-01 21:08 - 2013-04-12 11:40 - 00120080 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2014-12-01 21:07 - 2014-12-01 21:07 - 00000000 ____D () C:\Program Files\Oracle
2014-12-01 20:34 - 2014-12-01 20:34 - 00000000 ____D () C:\Users\user\AppData\Local\CrashDumps
2014-11-29 23:33 - 2014-12-05 16:08 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-11-29 23:31 - 2014-12-04 15:08 - 00004370 _____ () C:\Users\user\Desktop\Rkill.txt
2014-11-29 23:31 - 2014-11-29 23:33 - 15196248 _____ () C:\Users\user\Downloads\RogueKiller.exe
2014-11-29 23:30 - 2014-11-29 23:31 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\user\Downloads\rkill.exe
2014-11-29 23:07 - 2014-11-29 23:15 - 00000000 ____D () C:\Users\user\Pavark
2014-11-29 20:25 - 2014-11-29 20:25 - 00000000 ____D () C:\ProgramData\Sophos
2014-11-29 20:24 - 2014-11-29 20:24 - 00000000 ____D () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2014-11-29 20:24 - 2014-11-29 20:24 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-11-29 20:08 - 2011-06-26 13:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-11-29 20:08 - 2010-11-08 00:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-11-29 20:08 - 2009-04-20 11:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-11-29 20:08 - 2000-08-31 07:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-11-29 20:08 - 2000-08-31 07:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-11-29 20:08 - 2000-08-31 07:00 - 00098816 _____ () C:\Windows\sed.exe
2014-11-29 20:08 - 2000-08-31 07:00 - 00080412 _____ () C:\Windows\grep.exe
2014-11-29 20:08 - 2000-08-31 07:00 - 00068096 _____ () C:\Windows\zip.exe
2014-11-29 20:01 - 2014-11-29 20:03 - 107070744 _____ (Sophos Limited) C:\Users\user\Downloads\Sophos Virus Removal Tool.exe
2014-11-29 20:00 - 2014-12-02 23:29 - 05600127 ____R (Swearware) C:\Users\user\Downloads\ComboFix.exe
2014-11-29 10:02 - 2014-11-29 10:02 - 00000066 _____ () C:\Users\user\Desktop\key.txt
2014-11-29 01:16 - 2014-11-29 11:03 - 00000000 ____D () C:\Users\user\Desktop\rpr
2014-11-29 01:13 - 2014-11-29 01:14 - 13708848 _____ () C:\Users\user\Downloads\SysinternalsSuite.zip
2014-11-28 19:48 - 2014-11-29 23:33 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-11-28 17:56 - 2014-12-04 15:01 - 00000000 ____D () C:\Qoobox
2014-11-28 17:56 - 2014-11-29 20:21 - 00000000 ____D () C:\Windows\erdnt
2014-11-28 17:32 - 2014-11-28 17:32 - 00003424 ____N () C:\bootsqm.dat
2014-11-28 17:19 - 2014-11-28 17:20 - 00003938 _____ () C:\Users\user\Downloads\software_removal_tool.log
2014-11-28 17:04 - 2014-11-28 17:04 - 00002263 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-11-28 17:04 - 2014-11-28 17:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-11-28 17:03 - 2014-12-05 16:14 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-28 17:03 - 2014-12-05 15:31 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-28 17:03 - 2014-11-28 17:09 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-28 17:03 - 2014-11-28 17:09 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-28 15:45 - 2014-11-30 00:03 - 00000000 ____D () C:\Users\user\Desktop\Tweaking.com - Windows Repair
2014-11-28 15:44 - 2014-11-28 15:45 - 07871773 _____ () C:\Users\user\Downloads\tweaking.com_windows_repair_aio.zip
2014-11-28 04:31 - 2014-11-28 04:31 - 02148864 _____ () C:\Users\user\Downloads\adwcleaner_4.102.exe
2014-11-28 02:06 - 2014-11-29 19:54 - 00011741 _____ () C:\Users\user\Desktop\hijackthis.log
2014-11-27 22:57 - 2014-11-27 22:57 - 00001956 _____ () C:\Windows\SysWOW64\20141127225739.torrent.filelist
2014-11-27 22:57 - 2012-08-16 00:12 - 00019784 _____ () C:\Windows\SysWOW64\20141127225739.torrent
2014-11-26 16:04 - 2014-11-26 16:13 - 629145600 _____ () C:\Users\user\Downloads\e65867ace308c22f5dd272051c82443f.rar
2014-11-25 16:38 - 2014-12-04 14:48 - 00000000 ____D () C:\Users\user\AppData\Local\Genymobile
2014-11-25 16:37 - 2014-12-02 15:02 - 00000000 ____D () C:\Users\user\.VirtualBox
2014-11-24 20:04 - 2014-11-24 20:16 - 123177592 _____ (Genymobile ) C:\Users\user\Downloads\genymotion-2.3.1-vbox.exe
2014-11-24 14:31 - 2014-11-24 14:31 - 00000000 ____D () C:\Users\user\Documents\GitHub
2014-11-24 14:27 - 2014-11-24 14:27 - 00000000 ____D () C:\Users\user\.ssh
2014-11-23 20:55 - 2014-11-23 20:55 - 00595576 _____ () C:\Users\user\Downloads\SlideSSD.pptx
2014-11-22 12:39 - 2014-11-22 12:39 - 00000222 _____ () C:\Users\user\Desktop\NEKOPARA Vol. 1 Demo.url
2014-11-12 01:38 - 2014-11-12 01:38 - 00002176 _____ () C:\Users\user\Desktop\Git Shell.lnk
2014-11-12 01:37 - 2014-11-24 14:43 - 00000000 ____D () C:\Users\user\AppData\Roaming\GitHub
2014-11-12 01:37 - 2014-11-24 14:43 - 00000000 ____D () C:\Users\user\AppData\Local\GitHub
2014-11-12 01:37 - 2014-11-12 01:37 - 00000000 ____D () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GitHub, Inc
2014-11-12 01:30 - 2014-11-12 01:31 - 00675936 _____ () C:\Users\user\Downloads\GitHubSetup.exe
2014-11-07 22:26 - 2014-11-10 17:22 - 00000000 ____D () C:\Users\user\Desktop\Cerberos with LOVE!!
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-05 15:44 - 2009-07-14 11:45 - 00023680 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-05 15:44 - 2009-07-14 11:45 - 00023680 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-05 15:35 - 2012-08-13 13:45 - 01733422 _____ () C:\Windows\WindowsUpdate.log
2014-12-05 15:35 - 2009-07-14 12:13 - 00783728 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-05 15:33 - 2014-05-08 17:42 - 00000000 ____D () C:\Users\user\AppData\Local\HockeyCrashes
2014-12-05 15:32 - 2013-06-16 22:28 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-12-05 15:30 - 2009-07-14 12:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-05 15:30 - 2009-07-14 11:51 - 00063485 _____ () C:\Windows\setupact.log
2014-12-05 14:35 - 2010-11-21 10:47 - 00286614 _____ () C:\Windows\PFRO.log
2014-12-05 13:58 - 2009-07-14 10:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-12-05 13:46 - 2013-05-08 20:45 - 00000000 ___RD () C:\Users\user\Desktop\Destop
2014-12-05 13:46 - 2013-04-18 02:28 - 00000000 ____D () C:\Users\user\AppData\Roaming\Skype
2014-12-05 13:46 - 2012-08-14 02:36 - 00000000 ____D () C:\Windows\Panther
2014-12-05 13:46 - 2012-08-13 12:26 - 00000000 ____D () C:\Users\user\Documents\Youcam
2014-12-05 13:46 - 2012-08-13 12:03 - 00000000 ____D () C:\ProgramData\Temp
2014-12-05 13:45 - 2014-05-14 16:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TunnelBear
2014-12-04 20:23 - 2014-05-14 16:02 - 00000000 ____D () C:\Program Files (x86)\TunnelBear
2014-12-04 20:18 - 2014-04-27 23:50 - 00000000 ____D () C:\Users\user\AppData\Roaming\Dropbox
2014-12-04 19:28 - 2014-08-15 03:13 - 00000000 ____D () C:\AdwCleaner
2014-12-04 15:01 - 2014-10-17 03:29 - 00000000 ____D () C:\Users\user\AppData\Local\Apps\2.0
2014-12-04 14:59 - 2009-07-14 09:34 - 00000215 _____ () C:\Windows\system.ini
2014-12-03 22:21 - 2012-08-16 00:26 - 00000000 ____D () C:\Users\user\AppData\Roaming\BITS
2014-12-02 14:50 - 2014-08-17 19:22 - 00000000 ____D () C:\Users\user\Desktop\Java
2014-12-02 14:50 - 2012-08-13 12:06 - 00000000 ____D () C:\Users\user\AppData\Roaming\TeraCopy
2014-12-01 20:33 - 2012-11-15 23:34 - 00000000 ____D () C:\Users\user\AppData\Roaming\codeblocks
2014-11-29 19:16 - 2012-08-13 12:29 - 00000000 ____D () C:\Users\user\Tracing
2014-11-29 19:16 - 2012-08-13 12:05 - 00112248 _____ () C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-29 19:15 - 2010-11-21 14:16 - 00000000 ____D () C:\Windows\CSC
2014-11-29 19:15 - 2009-07-14 11:45 - 05042096 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-29 11:20 - 2009-07-14 09:34 - 00000514 _____ () C:\Windows\win.ini
2014-11-29 11:03 - 2014-08-15 03:23 - 00000000 ____D () C:\Windows\ERUNT
2014-11-29 11:03 - 2013-03-31 00:38 - 00000000 ____D () C:\ProgramData\GarenaMessenger
2014-11-29 11:03 - 2012-08-17 02:52 - 00000000 ____D () C:\ProgramData\McAfee Security Scan
2014-11-29 11:03 - 2009-07-14 10:20 - 00000000 ____D () C:\Windows\registration
2014-11-28 17:04 - 2014-10-17 03:29 - 00000000 ____D () C:\Program Files (x86)\Google
2014-11-28 16:51 - 2012-08-14 01:43 - 00000000 ____D () C:\Users\user\AppData\Local\VirtualStore
2014-11-28 16:31 - 2009-07-14 09:34 - 00000855 _____ () C:\Windows\system32\Drivers\etc\hosts_bak_360
2014-11-28 15:15 - 2014-10-17 02:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-28 15:13 - 2012-08-16 20:19 - 00000996 _____ () C:\Windows\SysWOW64\secustat.dat
2014-11-27 18:51 - 2013-04-22 09:17 - 00000000 ____D () C:\Users\user\Desktop\BATT
2014-11-24 14:49 - 2014-08-17 19:39 - 00000000 ____D () C:\Users\user\.android
2014-11-24 14:28 - 2014-10-17 03:29 - 00000000 ____D () C:\Users\user\AppData\Local\Deployment
2014-11-17 13:18 - 2014-04-28 00:00 - 00001017 _____ () C:\Users\user\Desktop\Dropbox.lnk
2014-11-17 13:18 - 2014-04-27 23:52 - 00000000 ____D () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-11-09 11:45 - 2014-09-13 10:03 - 00000000 ____D () C:\Users\user\Desktop\pixiv
 
Some content of TEMP:
====================
C:\Users\user\AppData\Local\Temp\dllnt_dump.dll
C:\Users\user\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpf8xzot.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-07 21:00
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-12-2014

Ran by user at 2014-12-05 16:18:56
Running from C:\Users\user\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKLM-x32\...\uTorrent) (Version: 3.2.0 - )
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Content Viewer (HKLM-x32\...\com.adobe.dmp.contentviewer) (Version: 1.4.0 - Adobe Systems Incorporated)
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Reader X (10.0.1) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA0000000001}) (Version: 10.0.1 - Adobe Systems Incorporated)
Adobe Shockwave Player 11 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11 - Adobe Systems, Inc.)
Adobe Story (HKLM-x32\...\com.adobe.AdobeStory.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.0.571 - Adobe Systems Incorporated)
Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1) (Version: 2.0 Build 230 - Adobe Systems Incorporated.)
Apple Application Support (HKLM-x32\...\{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}) (Version: 2.3.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5577 - AVG Technologies)
AVG 2015 (Version: 15.0.4235 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5577 - AVG Technologies) Hidden
AVG PC TuneUp 2015 (en-US) (x32 Version: 15.0.1001.238 - AVG Technologies) Hidden
AVG PC TuneUp 2015 (HKLM-x32\...\AVG PC TuneUp) (Version: 15.0.1001.238 - AVG Technologies)
AVG PC TuneUp 2015 (x32 Version: 15.0.1001.238 - AVG Technologies) Hidden
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CB_0.25.0 (HKLM-x32\...\CB_Client_is1) (Version: 0.25.0 - Digicrafts Co.,Ltd.)
Chaos Online (HKLM-x32\...\Chaos Online_is1) (Version: 1.4.529.4 - )
CodeBlocks (HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\CodeBlocks) (Version: 10.05 - The Code::Blocks Team)
CosmicBreak_US (HKLM-x32\...\{DF46F74C-46D2-4740-99B0-6D89D81D389A}) (Version: 1.00.0000 - CyberStep, Inc.)
CyberLink PowerDVD 11 (HKLM-x32\...\InstallShield_{F232C87C-6E92-4775-8210-DFE90B7777D9}) (Version: 11.0.1620.51 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.0.0820 - CyberLink Corp.)
Dev-C++ 5 beta 9 release (4.9.9.2) (HKLM-x32\...\Dev-C++) (Version:  - )
Dropbox (HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Dropbox) (Version: 2.10.52 - Dropbox, Inc.)
eco-niconico (HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\Kalydo App eco-niconico) (Version: 1.19.02.14 - )
EnglishToThai (HKLM-x32\...\ST6UNST #2) (Version:  - )
FlashGet3.7 (HKLM-x32\...\FlashGet3.7) (Version: 3.7.0.1203 - http://www.FlashGet.com)
GetAmped2 (HKLM-x32\...\Getamped2_Client_is1) (Version: 66.0 - Digicrafts Co.,Ltd.)
GetAmped2.131 (HKLM-x32\...\GetAmped_Client_is1) (Version: 2.131 - Digicrafts Co.,Ltd.)
GitHub (HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\5f7eb300e2ea4ebf) (Version: 2.6.4.1 - GitHub, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.71 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HiJackThis (HKLM-x32\...\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}) (Version: 1.0.0 - Trend Micro)
iTunes (HKLM\...\{0225AD21-F3E2-4916-BFF3-65D3F9052582}) (Version: 11.0.2.26 - Apple Inc.)
Java 8 Update 20 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418020F0}) (Version: 8.0.200 - Oracle Corporation)
Java SE Development Kit 8 Update 20 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180200}) (Version: 8.0.200.26 - Oracle Corporation)
Kalydo Player 6.04.00 (HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\KalydoPlayer) (Version: 6.04.00 - Eximion B.V.)
K-Lite Codec Pack (64-bit) v3.6.0 (HKLM\...\KLiteCodecPack64_is1) (Version: 3.6.0 - )
K-Lite Codec Pack 6.2.0 (Full) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 6.2.0 - )
LINE (HKLM-x32\...\LINE) (Version: 3.7.4.97 - LINE Corporation)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Media Player Classic - Home Cinema v. 1.3.1249.0 (HKLM-x32\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version:  - )
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Speech SDK 5.1 (HKLM-x32\...\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}) (Version: 5.1.4324.0 - Microsoft)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
NEKOPARA Vol. 1 Demo (HKLM-x32\...\Steam App 334660) (Version:  - NEKO WORKs)
Nero 7 Ultra Edition (HKLM-x32\...\{91C0B95B-B83A-4828-A775-BBE2DD421054}) (Version: 7.02.9752 - Nero AG)
Oracle VM VirtualBox 4.2.12 (HKLM\...\{0C1DE303-E41B-44BA-8ABA-B7F09D857001}) (Version: 4.2.12 - Oracle Corporation)
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
PxMergeModule (x32 Version: 1.00.0000 - Your Company Name) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6316 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 3.0.8 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.0.8 - VS Revo Group, Ltd.)
RPG MAKER VX Ace RTP (HKLM-x32\...\RPGVXAce_RTP_is1) (Version: 1.00 - Enterbrain)
Sakura Spirit (HKLM-x32\...\Steam App 313740) (Version:  - Winged Cloud)
Skullgirls (HKLM-x32\...\Steam App 245170) (Version:  - Lab Zero Games)
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.11.13307 - Skype Technologies S.A.)
Skype™ 6.9 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.9.106 - Skype Technologies S.A.)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.3 - Sophos Limited)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
TeraCopy 2.12 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector Inc.)
Thai Translator Tool (HKLM-x32\...\ST6UNST #1) (Version:  - )
ThaiSoftware Dictionary v.7.0 (HKLM-x32\...\ThaiSoftware Dictionary) (Version: v.7.0 - ThaiSoftware Enterprise Co.,ltd)
TunnelBear (x32 Version: 2.2.19.0 - TunnelBear) Hidden
UltraISO Premium V9.3 (HKLM-x32\...\UltraISO_is1) (Version:  - )
Unholy Heights (HKLM-x32\...\Steam App 249330) (Version:  - Petit Depotto)
Unity Web Player (HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\...\UnityWebPlayer) (Version:  - Unity Technologies ApS)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Winamp PRO 5.54.2147 Remove and Unregister (HKLM-x32\...\Winamp PRO 5.54.2147_is1) (Version:  - )
WinRAR 4.00 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.00.0 - win.rar GmbH)
WinZip 12.0 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}) (Version: 12.0.8252 - WinZip Computing, S.L. )
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{F7D4B6AD-AB5F-4fe8-9469-3A4697E41129}\InprocServer32 -> C:\Users\user\AppData\Roaming\Kalydo\KalydoPlayer\bin2\kalydoplayer64.dll (Eximion B.V.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\user\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
 
==================== Restore Points  =========================
 
05-12-2014 06:52:14 Windows Live Essentials
05-12-2014 06:54:58 WLSetup
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 09:34 - 2014-12-02 23:41 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {105B6C16-5D81-43E9-B98C-E874623D593D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-28] (Google Inc.)
Task: {24705114-E3D2-4B0B-B008-914F389DBCD0} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {32A441D9-7B69-4A21-9F54-61903DDEC7BB} - System32\Tasks\gg_uac_daemon_user => C:\Program Files (x86)\Garena Plus\ggdllhost.exe [2013-07-10] ()
Task: {3352555A-79C3-4BD6-8722-8F469F58BF52} - System32\Tasks\AdobeFlashPlayerUpdate => C:\Windows\SysWOW64\FlashPlayerUpdateService.exe
Task: {63902F9C-9D6D-49F2-A7C1-8A1ECA8876BB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-11-28] (Google Inc.)
Task: {A9653FB0-1326-49E4-87F9-B49572641DE3} - System32\Tasks\TunnelBear => C:\Program Files (x86)\TunnelBear\TBear.Client.exe [2014-04-14] (TunnelBear)
Task: {B22A01B6-80ED-4224-A9E0-70F5459AB07F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: {B55D9FD0-1DBA-4342-919A-DF591587136D} - System32\Tasks\Adobe Reader and Acrobat Manager => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-11-10] (Adobe Systems Incorporated)
Task: {CE847321-62F2-4BDE-BF93-CBEE7FC01995} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {D01F7127-B492-4312-9741-BCB4328A41C2} - System32\Tasks\AdobeFlashPlayerUpdate 2 => C:\Windows\SysWOW64\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2010-01-30 02:40 - 2010-01-30 02:40 - 04254560 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2012-08-13 13:54 - 2011-03-02 12:40 - 00164864 _____ () C:\Program Files\WinRAR\rarext.dll
2012-08-13 13:55 - 2009-06-21 07:52 - 00318976 _____ () C:\Program Files\TeraCopy\TeraCopyExt64.dll
2013-07-12 13:57 - 2013-07-10 18:54 - 00049456 _____ () C:\Program Files (x86)\Garena Plus\ggdllhost.exe
2012-08-13 12:03 - 2011-04-20 10:56 - 00083240 _____ () C:\Program Files (x86)\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe
2014-11-24 12:48 - 2014-11-24 12:48 - 00713528 _____ () C:\Program Files (x86)\AVG\AVG PC TuneUp\avgrepliba.dll
2014-11-24 12:49 - 2014-11-24 12:49 - 00856888 _____ () C:\Program Files (x86)\AVG\AVG PC TuneUp\tulnga.dll
2014-11-29 23:31 - 2014-11-29 23:33 - 15196248 _____ () C:\Users\user\Downloads\RogueKiller.exe
2013-03-19 15:55 - 2013-08-23 16:10 - 00553776 _____ () C:\Program Files (x86)\Garena Plus\ggspawn.dll
2010-01-30 02:41 - 2010-01-30 02:41 - 04254560 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2014-11-28 17:04 - 2014-11-25 13:39 - 01077064 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\libglesv2.dll
2014-11-28 17:04 - 2014-11-25 13:39 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\libegl.dll
2014-11-28 17:04 - 2014-11-25 13:39 - 09009480 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\pdf.dll
2014-11-28 17:04 - 2014-11-25 13:39 - 01677128 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\ProgramData\Microsoft:9goifrKsR54McabCZupsrIb8l7
AlternateDataStreams: C:\ProgramData\Microsoft:WPSNMxeL66w2HqVVBgs1eTYdr
AlternateDataStreams: C:\Users\user\AppData\Local\rg9elsMFmcgS:xZFaVIJuPmwgtCXU2Y8z
AlternateDataStreams: C:\Users\user\AppData\Local\Temp:jAh6iX5wsWU1mE8A2V4oEYqY6
AlternateDataStreams: C:\Users\user\AppData\Local\Temp:vMmoelZXKLSSgpmGpGKyEw
AlternateDataStreams: C:\Users\user\AppData\Local\Temporary Internet Files:Gmab6EeuHPpVk1NeT9nl
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-3133892873-2707905542-3707845760-500 - Administrator - Disabled)
Guest (S-1-5-21-3133892873-2707905542-3707845760-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3133892873-2707905542-3707845760-1002 - Limited - Enabled)
user (S-1-5-21-3133892873-2707905542-3707845760-1000 - Administrator - Enabled) => C:\Users\user
 
==================== Faulty Device Manager Devices =============
 
Name: VirtualBox Host-Only Ethernet Adapter
Description: VirtualBox Host-Only Ethernet Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Oracle Corporation
Service: VBoxNetAdp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/05/2014 03:33:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Local Hostname user-PC.local already in use; will try user-PC-2.local instead
 
Error: (12/05/2014 03:33:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: ProbeCount 2; will deregister    4 user-PC.local. Addr 192.168.1.6
 
Error: (12/05/2014 03:33:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.5:5353    4 user-PC.local. Addr 192.168.1.5
 
Error: (12/05/2014 10:32:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13322
 
Error: (12/05/2014 10:32:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 13322
 
Error: (12/05/2014 10:32:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/05/2014 10:32:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12261
 
Error: (12/05/2014 10:32:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12261
 
Error: (12/05/2014 10:32:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/05/2014 10:32:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11247
 
 
System errors:
=============
Error: (12/05/2014 04:08:35 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (12/05/2014 03:33:42 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC        :0" could not be registered on the interface with IP address 192.168.1.6.
The computer with the IP address 192.168.1.5 did not allow the name to be claimed by
this computer.
 
Error: (12/05/2014 03:33:42 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC        :20" could not be registered on the interface with IP address 192.168.1.6.
The computer with the IP address 192.168.1.5 did not allow the name to be claimed by
this computer.
 
Error: (12/05/2014 03:33:42 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{38479EF8-E453-47F9-A135-4BC8DE8DB593} because another computer on the network has the same name.  The server could not start.
 
Error: (12/05/2014 03:32:15 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
 
Error: (12/05/2014 03:28:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/05/2014 03:28:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/05/2014 03:28:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/05/2014 03:28:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/05/2014 03:28:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
 
Microsoft Office Sessions:
=========================
Error: (12/05/2014 03:33:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Local Hostname user-PC.local already in use; will try user-PC-2.local instead
 
Error: (12/05/2014 03:33:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: ProbeCount 2; will deregister    4 user-PC.local. Addr 192.168.1.6
 
Error: (12/05/2014 03:33:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.5:5353    4 user-PC.local. Addr 192.168.1.5
 
Error: (12/05/2014 10:32:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13322
 
Error: (12/05/2014 10:32:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 13322
 
Error: (12/05/2014 10:32:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/05/2014 10:32:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12261
 
Error: (12/05/2014 10:32:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 12261
 
Error: (12/05/2014 10:32:34 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/05/2014 10:32:33 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11247
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-12-02 23:41:11.326
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-02 23:41:11.320
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-02 23:41:11.274
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-02 23:41:11.268
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-29 20:18:44.914
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-29 20:18:44.914
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-29 01:42:56.035
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-29 01:42:56.035
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-29 01:42:56.035
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-11-29 01:42:56.035
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5 CPU M 430 @ 2.27GHz
Percentage of memory in use: 84%
Total physical RAM: 1972.52 MB
Available physical RAM: 310.79 MB
Total Pagefile: 3945.05 MB
Available Pagefile: 2019.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
 
==================== Drives ================================
 
Drive c: (USER) (Fixed) (Total:146.39 GB) (Free:11.92 GB) NTFS
Drive d: (DATA) (Fixed) (Total:151.6 GB) (Free:10.71 GB) NTFS
Drive f: (ChaosLabyrinth) (CDROM) (Total:1.79 GB) (Free:0 GB) CDFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 07120712)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=146.4 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=151.6 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Sorry, but please help me again.

Thank you.

Edit: added a normal scan from FRST.

Edited by Isdelft, 05 December 2014 - 04:26 AM.


#4 boopme

  • Global Moderator
  • 72,173 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 December 2014 - 12:10 PM

Sorry, these 2 tools were not requested as they are only run in a different section of the forum... I have now moved your topic there.

#5 nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 December 2014 - 10:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please run the RogueKiller tool and fix this item.

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{38479EF8-E453-47F9-A135-4BC8DE8DB593} | DhcpNameServer : 94.249.192.104 8.8.8.8 [(Unknown Country?) (XX)] -> Found


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3133892873-2707905542-3707845760-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-3133892873-2707905542-3707845760-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-28]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 X6va009; \??\C:\Windows\SysWOW64\Drivers\X6va009 [X]
S3 X6va010; \??\C:\Windows\SysWOW64\Drivers\X6va010 [X]
AlternateDataStreams: C:\ProgramData\Microsoft:9goifrKsR54McabCZupsrIb8l7
AlternateDataStreams: C:\ProgramData\Microsoft:WPSNMxeL66w2HqVVBgs1eTYdr
AlternateDataStreams: C:\Users\user\AppData\Local\rg9elsMFmcgS:xZFaVIJuPmwgtCXU2Y8z
AlternateDataStreams: C:\Users\user\AppData\Local\Temp:jAh6iX5wsWU1mE8A2V4oEYqY6
AlternateDataStreams: C:\Users\user\AppData\Local\Temp:vMmoelZXKLSSgpmGpGKyEw
AlternateDataStreams: C:\Users\user\AppData\Local\Temporary Internet Files:Gmab6EeuHPpVk1NeT9nl

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
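A check a practitioner would want at this point, added here as an example and not part of nasdaq's instructions or of any BleepingComputer tool: the RogueKiller item above is a DhcpNameServer value, i.e. a resolver the laptop received from DHCP rather than one the user typed in, and the same address (94.249.192.104, in front of 8.8.8.8) appears in the FRST log of the brother's computer later in this thread. The script below parses both log formats quoted in the thread, flags resolvers that are neither on the LAN nor in a small allowlist, and reports any unexpected resolver that more than one host received. The allowlist, the host labels and the "clean reference" line are assumptions constructed for the example; the two flagged lines are the ones quoted in this thread.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical allowlist of resolvers the owner actually chose. Adapt it to the
# network being checked (ISP resolvers, the router's own LAN address, ...).
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Matches the two log formats quoted in this thread:
#   FRST:        Tcpip\Parameters: [DhcpNameServer] 94.249.192.104 8.8.8.8
#   RogueKiller: ... | DhcpNameServer : 94.249.192.104 8.8.8.8 [(Unknown Country?) (XX)] -> Found
DNS_LINE = re.compile(r"(DhcpNameServer|NameServer)\]?\s*:?\s*([0-9. ]+)")


def extract_resolvers(line):
    """Return (setting_name, [ip, ...]) for a DNS-settings log line, else None."""
    m = DNS_LINE.search(line)
    if not m:
        return None
    ips = []
    for tok in m.group(2).split():
        try:
            ips.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            continue  # stray punctuation, not an address
    return (m.group(1), ips) if ips else None


def classify(ip):
    """'lan' for RFC1918/loopback/link-local (router-as-resolver), 'known' for
    allowlisted public resolvers, 'unexpected' for any other public address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "lan"
    if ip in KNOWN_RESOLVERS:
        return "known"
    return "unexpected"


def audit(logs):
    """logs: {host_label: [log line, ...]}.
    Returns ({host: [(setting, ip), ...]}, {ip: [hosts]}) where the second
    mapping lists unexpected resolvers that more than one host received."""
    findings = {}
    seen_on = defaultdict(set)
    for host, lines in logs.items():
        bad = []
        for line in lines:
            parsed = extract_resolvers(line)
            if not parsed:
                continue
            setting, ips = parsed
            for ip in ips:
                if classify(ip) == "unexpected":
                    bad.append((setting, ip))
                    seen_on[ip].add(host)
        findings[host] = bad
    shared = {ip: sorted(hosts) for ip, hosts in seen_on.items() if len(hosts) > 1}
    return findings, shared


# Constructed sample: the two DNS lines quoted in this thread plus an unrelated
# FRST line and a made-up clean machine for contrast.
SAMPLE_LOGS = {
    "laptop (RogueKiller)": [
        r"[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{38479EF8-E453-47F9-A135-4BC8DE8DB593} | DhcpNameServer : 94.249.192.104 8.8.8.8 [(Unknown Country?) (XX)] -> Found",
    ],
    "brother's PC (FRST)": [
        r"Tcpip\Parameters: [DhcpNameServer] 94.249.192.104 8.8.8.8",
        r"Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)",
    ],
    "clean reference": [
        r"Tcpip\Parameters: [DhcpNameServer] 192.168.1.1",
    ],
}

if __name__ == "__main__":
    findings, shared = audit(SAMPLE_LOGS)
    for host, bad in findings.items():
        for setting, ip in bad:
            print(f"{host}: {setting} points at unexpected resolver {ip}")
    for ip, hosts in shared.items():
        print(f"{ip} was handed to {len(hosts)} hosts ({', '.join(hosts)}): "
              "check the DHCP server (usually the router), not just each client")
```

Because DhcpNameServer is whatever the DHCP server handed out with the lease, correcting the registry value on one client only lasts until the next lease renewal if the router is still pushing the same resolver; when the script reports one unexpected resolver on several hosts, the router's DHCP/DNS settings and its admin password are the next things to inspect.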

#6 Isdelft

  • Topic Starter
  • Members
  • 4 posts

Posted 08 December 2014 - 02:47 PM

Oh, sorry, I got impatient and went wild by myself, and my laptop went BOOM (lol) [just unbootable], so I decided to reinstall my Windows.

(I don't have much important data on it, so that's OK.)

But I just noticed that my lil' bro's computer and my Android got infected by the same thing too. The only connection I recall between them is my Google account and the same network (Wi-Fi). How can I fix these then, and would a factory reset help my Android?

Here is the FRST log from my lil' bro's computer:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-12-2014 01

Ran by user (administrator) on USER-PC on 09-12-2014 01:57:43
Running from C:\Users\user\Desktop
Loaded Profile: user (Available profiles: user)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\Windows\System32\srvany.exe
() C:\Windows\kmsem\KMService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corp.) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(ThaiSoftware Enterprise Co., Ltd.) C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe
(CyberLink) C:\Program Files\CyberLink\YouCam\YCMMirage.exe
(CyberLink Corp.) C:\Program Files\CyberLink\YouCam\YouCamTray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Research In Motion Limited) C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(WinZip Computing, S.L.) C:\Program Files\WinZip\WZQKPICK.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MagicLinker3] => C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe [155648 2003-03-07] (ThaiSoftware Enterprise Co., Ltd.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [YouCam Mirage] => C:\Program Files\CyberLink\YouCam\YCMMirage.exe [136488 2010-08-20] (CyberLink)
HKLM\...\Run: [YouCam Tray] => C:\Program Files\CyberLink\YouCam\YouCamTray.exe [162912 2010-08-20] (CyberLink Corp.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [10119784 2011-06-24] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-11-02] (Research In Motion Limited)
HKLM\...\Run: [SunJavaUpdateSched] => "C:\Program Files\Java\jre7\bin\jusched.exe"
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [Eps_Reg.exe] => C:\Users\user\AppData\Local\Temp\Eps_Reg.exe /L /NSmartCard2000 <===== ATTENTION
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\Run: [Google Update] => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-12-07] (Google Inc.)
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\Run: [Facebook Update] => C:\Users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2012-10-06] (Facebook Inc.)
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_15_0_0_223_Plugin.exe -update plugin
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://th.msn.com/?ocid=iehp
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xA48BA41F9BA5CF01
HKU\S-1-5-21-2350040085-256587299-2629325223-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = th
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {20928C3E-84C1-4848-ACFD-6BBF3950B57E} URL = http://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {3E5645F9-1B45-4485-9379-36351CDC81E4} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {49DE0DB2-43D2-41B4-B860-8333D76F5EF8} URL = http://www.youtube.com/results?search_query={searchTerms}
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {5CC8F9B1-0D51-4332-8BB6-86042A463EEC} URL = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {78A36E83-B98D-4B8F-A7F7-E4A3D7190D55} URL = http://www.amazon.com/s?ie=UTF8&tag=amznsearch.ms-20&index=aps&linkFcode=qs&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {9D512A4C-D812-45AC-B74B-43175EB207CE} URL = http://www.facebook.com/search/?src=os&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {C1D35D5A-3DCF-45DF-A45A-7A0AA3F0F598} URL = http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&Description={searchTerms}
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 94.249.192.104 8.8.8.8
 
FireFox:
========
FF ProfilePath: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ju8f81td.default
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2350040085-256587299-2629325223-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\user\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin HKU\S-1-5-21-2350040085-256587299-2629325223-1000: @tools.google.com/Google Update;version=3 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2350040085-256587299-2629325223-1000: @tools.google.com/Google Update;version=9 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2350040085-256587299-2629325223-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\longdo.xml
FF HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-05-28]
CHR Extension: (McAfee Security Scan+) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh [2014-03-30]
CHR Extension: (ค้นหาโดย Google) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-05-28]
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-05-28]
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR StartMenuInternet: Google Chrome - C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMPPALR3; C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [509440 2011-12-05] (Intel Corporation)
R2 BTHSSecurityMgr; C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [104208 2011-12-05] (Intel® Corporation)
R2 KMService; C:\Windows\system32\srvany.exe [8192 2012-05-28] () [File not signed]
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [241936 2011-12-08] ()
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [722704 2011-12-08] (Intel® Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AMPPAL; C:\Windows\System32\DRIVERS\AMPPAL.sys [141312 2011-12-05] (Windows ® Win 7 DDK provider)
S3 AMPPALP; C:\Windows\System32\DRIVERS\amppal.sys [141312 2011-12-05] (Windows ® Win 7 DDK provider)
S3 eGateUSB; C:\Windows\System32\Drivers\eGateUSB.sys [73728 2007-05-09] (Gemalto)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [80752 2014-09-10] (FTDI Ltd.)
R1 ISODrive; C:\Program Files\UltraISO\drivers\ISODrive.sys [73728 2008-05-24] (EZB Systems, Inc.) [File not signed]
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl.sys [18432 2011-08-02] (Apple Inc.) [File not signed]
R3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [10299904 2011-12-01] (Intel Corporation)
S3 NETwNv32; C:\Windows\System32\DRIVERS\NETwNv32.sys [7265792 2010-11-09] (Intel Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [44032 2012-07-09] (Apple, Inc.) [File not signed]
S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]
S3 ANDNetModem; system32\DRIVERS\lgandnetmodem.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-09 01:57 - 2014-12-09 01:58 - 00018030 _____ () C:\Users\user\Desktop\FRST.txt
2014-12-09 01:57 - 2014-12-09 01:57 - 00000000 ____D () C:\FRST
2014-12-09 00:57 - 2014-12-09 00:57 - 00688992 _____ (Swearware) C:\Users\user\Desktop\dds.com
2014-12-09 00:51 - 2014-12-09 00:51 - 01111040 _____ (Farbar) C:\Users\user\Desktop\FRST.exe
2014-12-09 00:12 - 2014-12-09 00:24 - 00000000 ____D () C:\Users\user\Desktop\win8
2014-12-09 00:00 - 2014-12-09 00:49 - 00000341 _____ () C:\Users\user\AppData\Roaming\burnaware.ini
2014-12-09 00:00 - 2014-12-09 00:14 - 00000031 _____ () C:\Users\user\AppData\Local\burnaware.ini
2014-12-08 23:59 - 2014-12-08 23:59 - 00001019 _____ () C:\Users\Public\Desktop\BurnAware Free.lnk
2014-12-08 23:59 - 2014-12-08 23:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BurnAware Free
2014-12-08 23:59 - 2014-12-08 23:59 - 00000000 ____D () C:\Program Files\BurnAware Free
2014-12-08 23:58 - 2014-12-08 23:58 - 07295512 _____ (Burnaware ) C:\Users\user\Desktop\burnaware_free.exe
2014-12-08 22:36 - 2014-12-08 22:36 - 00002504 _____ () C:\Users\user\Desktop\Windows 7 USB DVD Download Tool.lnk
2014-12-08 22:36 - 2014-12-08 22:36 - 00000000 ____D () C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 USB DVD Download Tool
2014-12-08 22:36 - 2014-12-08 22:36 - 00000000 ____D () C:\Users\user\AppData\Local\Apps\Windows 7 USB DVD Download Tool
2014-12-08 22:27 - 2014-12-08 22:27 - 02721168 _____ (Microsoft Corporation) C:\Users\user\Desktop\Windows7-USB-DVD-Download-Tool-Installer-en-US.exe
2014-12-08 21:16 - 2014-12-08 21:16 - 00003121 _____ () C:\Users\user\Desktop\Shortcut to SecureDownloadManager.exe.lnk
2014-12-08 21:16 - 2014-12-08 21:16 - 00000000 ____D () C:\Users\user\Desktop\e-academy Inc
2014-12-08 21:14 - 2014-12-08 21:14 - 00775168 _____ () C:\Users\user\Desktop\SDM_EN.msi
2014-12-08 18:50 - 2014-12-08 18:50 - 00271459 _____ () C:\Users\user\Desktop\hijacked.zip
2014-12-08 18:17 - 2014-12-08 18:50 - 00000000 ____D () C:\Users\user\Desktop\hijacked
2014-12-08 18:17 - 2014-12-08 18:17 - 00000000 ____D () C:\Users\user\New folder
2014-12-08 17:33 - 2014-12-08 17:33 - 00000548 _____ () C:\Users\user\Downloads\takeout-20141208T103322Z.zip
2014-11-14 18:40 - 2014-11-14 18:40 - 00000000 ____D () C:\Users\user\Desktop\LG TOOL
2014-11-12 14:05 - 2014-11-12 14:05 - 00000000 ____D () C:\Program Files\GUM1CF2.tmp
2014-11-11 13:55 - 2014-11-11 13:55 - 00023312 _____ (Microsoft Corporation) C:\Windows\system32\_shfoldr.dll
2014-11-11 13:55 - 2014-11-11 13:55 - 00001835 _____ () C:\ft_inst.log
2014-11-11 13:55 - 2014-11-11 13:55 - 00000000 ____D () C:\Program Files\Software Installation Information
2014-11-11 13:45 - 2014-11-11 14:09 - 00000000 ____D () C:\Program Files\LG Electronics
2014-11-11 13:44 - 2014-11-11 13:44 - 00000965 _____ () C:\Users\user\Desktop\LGE Tool.lnk
2014-11-11 13:44 - 2014-11-11 13:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LGETool
2014-11-11 13:44 - 2014-11-11 13:44 - 00000000 ____D () C:\Program Files\SgTool
2014-11-11 13:44 - 2012-07-24 17:35 - 00389120 _____ () C:\Windows\system32\actskn43.ocx
2014-11-11 13:43 - 2014-11-15 18:51 - 00000000 ____D () C:\Program Files\LGE Tool
2014-11-11 13:06 - 2014-11-11 13:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2014-11-11 13:05 - 2014-11-11 13:05 - 00001822 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-11-11 13:05 - 2014-11-11 13:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-11-11 13:05 - 2014-11-11 13:05 - 00000000 ____D () C:\Program Files\QuickTime
2014-11-11 13:02 - 2014-11-11 13:02 - 00001760 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-11-11 13:02 - 2014-11-11 13:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-11-11 13:01 - 2014-11-11 13:02 - 00000000 ____D () C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-11-11 13:01 - 2014-11-11 13:02 - 00000000 ____D () C:\Program Files\iTunes
2014-11-11 13:01 - 2014-11-11 13:01 - 00000000 ____D () C:\Program Files\iPod
2014-11-11 12:48 - 2014-12-08 17:23 - 00005748 _____ () C:\Windows\setupact.log
2014-11-11 12:48 - 2014-11-11 12:48 - 00000000 _____ () C:\Windows\setuperr.log
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-09 01:57 - 2012-05-28 22:16 - 01802997 _____ () C:\Windows\WindowsUpdate.log
2014-12-09 01:57 - 2012-05-28 20:02 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-09 01:16 - 2012-05-28 20:02 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000UA.job
2014-12-09 01:16 - 2012-05-28 20:02 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000Core.job
2014-12-09 00:48 - 2012-05-28 20:21 - 00000000 ____D () C:\Users\user\AppData\Roaming\TeraCopy
2014-12-09 00:43 - 2012-10-06 23:16 - 00000000 ____D () C:\Users\user\AppData\Roaming\Skype
2014-12-09 00:02 - 2012-10-06 23:57 - 00000924 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000UA.job
2014-12-09 00:02 - 2012-10-06 23:57 - 00000902 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000Core.job
2014-12-08 22:58 - 2009-07-14 11:34 - 00023680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-08 22:58 - 2009-07-14 11:34 - 00023680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-08 22:30 - 2010-11-21 04:01 - 00717892 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-08 20:23 - 2012-05-28 20:02 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-12-08 20:23 - 2012-05-28 20:02 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-12-08 17:23 - 2009-07-14 11:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-14 11:54 - 2009-07-14 11:53 - 00032652 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-11 14:09 - 2012-05-28 20:23 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-11 13:06 - 2012-05-28 21:06 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-11-11 13:00 - 2012-11-12 06:27 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-11-11 12:53 - 2012-05-28 21:06 - 00000000 ____D () C:\ProgramData\Apple
 
Some content of TEMP:
====================
C:\Users\user\AppData\Local\Temp\GUREA4E.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-12-08 21:40
 
==================== End Of Log ============================

 

and additional:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 07-12-2014 01

Ran by user at 2014-12-09 01:59:26
Running from C:\Users\user\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
ACDSee Pro 4 (HKLM\...\{88D4FE78-6EA6-4DFB-9FC2-8BC316F0C2FD}) (Version: 4.0.198 - ACD Systems International Inc.)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 15.0.0.249 - Adobe Systems Incorporated)
Adobe Community Help (HKLM\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe Dreamweaver CS5.5 (HKLM\...\{0215A652-E081-4B09-9333-DC85AAB67FFA}) (Version: 11.5 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Adobe Shockwave Player 11 (HKLM\...\Adobe Shockwave Player) (Version: 11 - Adobe Systems, Inc.)
Adobe Widget Browser (HKLM\...\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1) (Version: 2.0 Build 230 - Adobe Systems Incorporated.)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
BlackBerry Desktop Software 7.0 (HKLM\...\BlackBerry_Desktop) (Version: 7.0.0.59 - Research In Motion Ltd.)
BlackBerry Desktop Software 7.0 (Version: 7.0.0.59 - Research In Motion Ltd.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
BurnAware Free 7.7 (HKLM\...\BurnAware Free_is1) (Version:  - Burnaware)
CodeBlocks (HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\CodeBlocks) (Version: 10.05 - The Code::Blocks Team)
Corona USB Driver (HKLM\...\{761C00F8-617F-4A37-AB38-33B4F43A69CA}) (Version: 1.0.0.0000 - LG Electronics)
CyberLink YouCam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.0.0820 - CyberLink Corp.)
Daum PotPlayer 1.5.32007 (HKLM\...\PotPlayer) (Version:  - )
Dev-C++ 5 beta 9 release (4.9.9.2) (HKLM\...\Dev-C++) (Version:  - )
EnglishToThai (HKLM\...\ST6UNST #2) (Version:  - )
Facebook Video Calling 3.1.0.521 (HKLM\...\{2091F234-EB58-4B80-8C96-8EB78C808CF7}) (Version: 3.1.521 - Skype Limited)
foobar2000 v1.1.11 (HKLM\...\foobar2000) (Version: 1.1.11 - Peter Pawlowski)
Google Chrome (HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\Google Chrome) (Version: 39.0.2171.71 - Google Inc.)
iCloud (HKLM\...\{AC6EE263-E4DD-4150-9014-689B1D4A3315}) (Version: 4.0.5.20 - Apple Inc.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.2567 - Intel Corporation)
Intel® PROSet/Wireless for Bluetooth® 3.0 + High Speed (HKLM\...\{2C0E6BD4-65B1-4E82-B2AC-43EFFC8F100C}) (Version: 15.0.0.0059 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Java 7 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
K-Lite Codec Pack 6.2.0 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 6.2.0 - )
LG United Mobile Driver (HKLM\...\{2A3A4BD6-6CE0-4E2A-80D2-1D0FF6ACBFBA}) (Version: 3.6.0.0 - LG Electronics)
LG USB WML Modem Driver (HKLM\...\{FBA0CA60-8BF2-4381-B819-74F020E165A9}) (Version: 1.0 - LG Electronics)
LGE Tool 2.45 (HKLM\...\LGE Tool_is1) (Version:  - LGETool.com)
LINE (HKLM\...\LINE) (Version: 3.7.5.98 - LINE Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 32.0.3 (x86 th) (HKLM\...\Mozilla Firefox 32.0.3 (x86 th)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
MSVCRT (Version: 14.0.1468.721 - Microsoft) Hidden
PhotoScape (HKLM\...\PhotoScape) (Version:  - )
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Ragnarok Online (HKLM\...\Ragnarok Online) (Version: 13.3.1 - AsiaSoft)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6400 - Realtek Semiconductor Corp.)
Scratch 2 Offline Editor (HKLM\...\edu.media.mit.Scratch2Editor) (Version: 425 - MIT Media Lab)
Scratch 2 Offline Editor (Version: 255 - MIT Media Lab) Hidden
Secure Download Manager (HKLM\...\{E040B65B-8683-4228-8C33-D44A141E40EA}) (Version: 3.1.60 - Kivuto Solutions Inc.)
Skype™ 5.10 (HKLM\...\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}) (Version: 5.10.116 - Skype Technologies S.A.)
TeraCopy 2.12 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector Inc.)
Thai Translator Tool (HKLM\...\ST6UNST #1) (Version:  - )
ThaiSoftware Dictionary V5.0 (HKLM\...\ThaiSoftware Dictionary V5.0) (Version:  - )
UltraISO Premium V9.3 (HKLM\...\UltraISO_is1) (Version:  - )
Unity Web Player (HKU\S-1-5-21-2350040085-256587299-2629325223-1000\...\UnityWebPlayer) (Version:  - Unity Technologies ApS)
Winamp PRO 5.54.2147 Remove and Unregister (HKLM\...\Winamp PRO 5.54.2147_is1) (Version:  - )
Windows 7 USB/DVD Download Tool (HKLM\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
WinRAR 4.00 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.00.0 - win.rar GmbH)
WinZip 12.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}) (Version: 12.0.8252 - WinZip Computing, S.L. )
เครื่องมืออัปโหลดของ Windows Live (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
ซอฟต์แวร์ Intel® PROSet/Wireless WiFi (HKLM\...\{CFAAF1E3-8C21-491E-9DD9-D60ABAFAB2BC}) (Version: 15.00.0000.0642 - Intel Corporation)
ตัวช่วยในการลงชื่อเข้าใช้ Windows Live (HKLM\...\{AAE62F77-F3F3-4E9C-BFC1-3141EC42AD8A}) (Version: 5.000.818.5 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}\localserver32 -> C:\Users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\user\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{5E71E4F3-E8C7-4906-9626-973E418762B6}\InprocServer32 -> C:\Users\user\AppData\Local\Facebook\Update\1.2.205.0\goopdate.dll (Facebook Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{8B9F5BF4-0407-4BB2-9FED-4C0372DABD00}\localserver32 -> C:\Users\user\AppData\Local\Facebook\Video\Skype\FacebookVideoCallingProxy.exe (Skype Limited)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{91EFB276-CEFE-48EC-BB3A-57795A7B4008}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.149\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{CBE9C57E-FFA9-4123-8354-AD360D6DD3CC}\InprocServer32 -> C:\Users\user\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.25.11\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2350040085-256587299-2629325223-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\user\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
 
==================== Restore Points  =========================
 
11-11-2014 06:45:16 Installed LG USB Modem driver
11-11-2014 06:46:30 Installed LG USB WML Modem Driver
11-11-2014 06:58:01 Installed Corona USB Driver
11-11-2014 06:59:13 Device Driver Package Install: LG Electronics Inc. Universal Serial Bus controllers
11-11-2014 07:08:56 Installed LG United Mobile Driver
15-11-2014 11:45:28 Installed LG United Mobile Driver
08-12-2014 14:15:55 Installed Secure Download Manager
08-12-2014 15:35:35 Installed Windows 7 USB/DVD Download Tool
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 09:04 - 2009-06-11 04:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {152EC1AC-6079-4B06-BD7F-CB6A81A23DC6} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000UA => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2014-12-07] (Google Inc.)
Task: {19EB61DA-6E35-4AD6-B027-8CACF0FF62A9} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-08] (Adobe Systems Incorporated)
Task: {3CE2DC17-0098-448E-A58F-A80478A10F91} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {3D37D607-BC72-49F6-851F-E2A994943FE1} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {856E564D-EF42-4526-9368-6F6C9D0F6507} - System32\Tasks\AdobeAAMUpdater-1.0-user-PC-user => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2011-03-15] (Adobe Systems Incorporated)
Task: {8EDB1ED5-866F-4327-8320-E0046138FE4F} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000Core => C:\Users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-06] (Facebook Inc.)
Task: {CA83944B-8A8E-427E-9971-8281A7057DD4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000Core => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2014-12-07] (Google Inc.)
Task: {EB7AB4AE-63A0-4CD2-A7E1-DA6B00C0FDA1} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000UA => C:\Users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-10-06] (Facebook Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000Core.job => C:\Users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000UA.job => C:\Users\user\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000Core.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2350040085-256587299-2629325223-1000UA.job => C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2012-05-28 20:31 - 1998-06-08 02:00 - 00027648 _____ () C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\ActWndHk.dll
2010-01-30 02:41 - 2010-01-30 02:41 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2012-05-28 19:39 - 2011-03-02 12:40 - 00140288 _____ () C:\Program Files\WinRAR\rarext.dll
2012-05-28 19:57 - 2009-06-21 23:26 - 00305664 _____ () C:\Program Files\TeraCopy\TeraCopyExt.dll
2012-05-28 19:57 - 2009-07-13 20:50 - 00325120 _____ () C:\Program Files\TeraCopy\TeraCopy.dll
2014-10-11 13:06 - 2014-10-11 13:06 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-05-28 20:19 - 2012-05-28 20:18 - 00008192 ___SH () C:\Windows\system32\srvany.exe
2012-05-28 20:19 - 2012-05-28 20:18 - 00151552 ___SH () C:\Windows\kmsem\KMService.exe
2012-05-29 06:03 - 2012-05-29 06:03 - 00169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\0d288350c26a4fac94c8e1f2ee3e945c\IsdiInterop.ni.dll
2012-05-29 06:02 - 2010-11-05 23:50 - 00058880 _____ () C:\Program Files\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2014-10-05 23:28 - 2014-10-05 23:28 - 03715184 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-2350040085-256587299-2629325223-500 - Administrator - Disabled)
Guest (S-1-5-21-2350040085-256587299-2629325223-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2350040085-256587299-2629325223-1002 - Limited - Enabled)
user (S-1-5-21-2350040085-256587299-2629325223-1000 - Administrator - Enabled) => C:\Users\user
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/09/2014 01:15:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 416726
 
Error: (12/09/2014 01:15:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 416726
 
Error: (12/09/2014 01:15:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/09/2014 01:15:49 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 414994
 
Error: (12/09/2014 01:15:49 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 414994
 
Error: (12/09/2014 01:15:49 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/09/2014 01:09:07 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9985
 
Error: (12/09/2014 01:09:07 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9985
 
Error: (12/09/2014 01:09:07 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/08/2014 10:53:38 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Local Hostname user-PC.local already in use; will try user-PC-2.local instead
 
 
System errors:
=============
Error: (12/09/2014 01:57:23 AM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "USER-PC        :0" could not be registered on the interface with IP address 192.168.1.8.
The computer with the IP address 192.168.1.6 did not allow the name to be claimed by
this computer.
 
Error: (12/09/2014 01:57:14 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
 
Error: (12/09/2014 00:34:51 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
 
Error: (12/09/2014 00:34:51 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
 
Error: (12/09/2014 00:34:50 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
 
Error: (12/08/2014 11:28:05 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/08/2014 11:28:05 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/08/2014 11:28:04 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/08/2014 11:28:04 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/08/2014 11:28:03 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
 
Microsoft Office Sessions:
=========================
Error: (12/09/2014 01:15:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 416726
 
Error: (12/09/2014 01:15:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 416726
 
Error: (12/09/2014 01:15:51 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/09/2014 01:15:49 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 414994
 
Error: (12/09/2014 01:15:49 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 414994
 
Error: (12/09/2014 01:15:49 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/09/2014 01:09:07 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9985
 
Error: (12/09/2014 01:09:07 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9985
 
Error: (12/09/2014 01:09:07 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/08/2014 10:53:38 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Local Hostname user-PC.local already in use; will try user-PC-2.local instead
 
 
==================== Memory info =========================== 
 
Processor: Intel® Atom™ CPU N570 @ 1.66GHz
Percentage of memory in use: 76%
Total physical RAM: 1013.3 MB
Available physical RAM: 233.52 MB
Total Pagefile: 2037.3 MB
Available Pagefile: 821.02 MB
Total Virtual: 2047.88 MB
Available Virtual: 1888.72 MB
 
==================== Drives ================================
 
Drive c: (WIN7_OS) (Fixed) (Total:114 GB) (Free:78.51 GB) NTFS
Drive d: (DATA_BACKUP) (Fixed) (Total:168.49 GB) (Free:165.52 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 9CBEAF3C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=114 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=168.5 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15.5 GB) - (Type=27)
 
==================== End Of Log ============================

 

I think they have something in common. What if another computer gets infected again? How can I identify it?

We have some links with a ref in them; maybe we can find out who is behind this too, but it's too much for me.

 

 

http://vktarget.ru/?ref=162125

 

Sorry for making more work for you.

Thanks.

PS. This malware inserts source code into the browser too, as in the attached file hijacked.zip (265.1 KB).



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 09 December 2014 - 08:17 AM

http://vktarget.ru/?ref=162125
ps. This malware inserts source code into the browser too, as in the attached file hijacked.zip


Delete everything that you find associated with that site. It's bad.


This process running from a \Temp folder is suspicious.
HKLM\...\Run: [Eps_Reg.exe] => C:\Users\user\AppData\Local\Temp\Eps_Reg.exe /L /NSmartCard2000 <===== ATTENTION

It might be for your SmartCard 2000.
Can you confirm this?
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]
S3 ANDNetModem; system32\DRIVERS\lgandnetmodem.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome":
 
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

If the problem persists:

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html
===

How is the computer running now?

Edited by nasdaq, 09 December 2014 - 08:17 AM.
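A small triage helper for FRST-style lines, added here as an example (it is not the poster's or FRST's own code). It flags autostart entries that launch from a Temp folder, the point nasdaq raises about Eps_Reg.exe above, and separately marks the "No File" / "[X]" / "No Path" entries his fixlist removes as orphaned leftovers rather than infections. The sample lines are constructed, modelled on the thread; the RtHDVCpl entry is a hypothetical benign autostart.

```python
import re

# Constructed sample FRST lines, modelled on this thread (not the poster's full log).
SAMPLE_FRST_LINES = [
    r"HKLM\...\Run: [Eps_Reg.exe] => C:\Users\user\AppData\Local\Temp\Eps_Reg.exe /L /NSmartCard2000",
    r"HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe",  # hypothetical benign entry
    r"CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path",
    r"S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]",
    r"CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File",
    r"S2 AudioSrv; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)",
]

# Directories a legitimate autostart entry should not launch from (compared case-insensitively).
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# FRST autostart line: HKLM\...\Run: [Name] => C:\path\to\file.exe optional args
RUN_RE = re.compile(r"^HK(?:LM|CU|U\\S-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+)$")

# FRST marks entries whose target file is gone with one of these suffixes.
ORPHAN_SUFFIXES = ("No File", "[X]", "- No Path")


def triage_line(line):
    """Classify one FRST line as 'suspicious', 'orphan' or 'ok', with a short reason."""
    stripped = line.strip()
    m = RUN_RE.match(stripped)
    if m:
        path = m.group("path").lower()
        if any(d in path for d in SUSPECT_DIRS):
            return ("suspicious", f"autostart [{m.group('name')}] launches from a Temp folder")
        return ("ok", f"autostart [{m.group('name')}]")
    if stripped.endswith(ORPHAN_SUFFIXES):
        return ("orphan", "entry points at a file that no longer exists; safe to clean up")
    return ("ok", "")


def triage(lines):
    """Group FRST lines by verdict so the suspicious ones can be reviewed first."""
    report = {"suspicious": [], "orphan": [], "ok": []}
    for line in lines:
        verdict, detail = triage_line(line)
        report[verdict].append((line.strip(), detail))
    return report


if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_FRST_LINES).items():
        for line, detail in entries:
            print(f"{verdict:10} {detail or line}")
```

The orphan bucket only says the target is missing; whether the entry was malicious before it was removed still has to be judged from the name and path, as nasdaq does for Eps_Reg.exe.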


#8 Isdelft

Isdelft
  • Topic Starter

  • Members
  • 4 posts
  • Local time:08:11 PM

Posted 10 December 2014 - 10:22 AM

Ah well, I think it's OK now. I did everything you suggested and did not find anything hijacked.

 

Here is the Fixlog:

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-12-2014 01

Ran by user at 2014-12-10 21:53:14 Run:1
Running from C:\Users\user\Desktop
Loaded Profile: user (Available profiles: user)
Boot Mode: Safe Mode (minimal)
 
==============================================
 
Content of fixlist:
*****************
start
SearchScopes: HKU\S-1-5-21-2350040085-256587299-2629325223-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
CHR Plugin: (Native Client) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll No File
CHR Plugin: (Java™ Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Users\user\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Extension: (Google Wallet) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR HKLM\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]
S3 ANDNetModem; system32\DRIVERS\lgandnetmodem.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
HKLM\...\Run: [Eps_Reg.exe] => C:\Users\user\AppData\Local\Temp\Eps_Reg.exe /L /NSmartCard2000 <===== ATTENTION
end
*****************
 
"HKU\S-1-5-21-2350040085-256587299-2629325223-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\ppGoogleNaClPluginChrome.dll not found.
C:\Users\user\AppData\Local\Google\Chrome\Application\39.0.2171.71\gcswf32.dll not found.
C:\Windows\system32\Macromed\Flash\NPSWF32.dll not found.
C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll not found.
C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll not found.
C:\Users\user\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh" => Key not found.
AndNetDiag => Service deleted successfully.
ANDNetModem => Service deleted successfully.
VGPU => Service deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Eps_Reg.exe => Value not found.
 
==== End of Fixlog ====

 

I don't know that smart card, since it's my little brother's computer.

And I reset my home router too.

 

Thanks.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 10 December 2014 - 02:17 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,242 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 16 December 2014 - 10:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
