Probably infected with Malware


  • This topic is locked
26 replies to this topic

#1 rods

rods

  • Members
  • 32 posts

Posted 02 December 2014 - 04:02 PM

Hello,

I've been getting some web redirects the past several days. I ran a Malwarebytes scan last night and it didn't find anything, and then today I was on Newegg browsing for motherboards and when I clicked on Motherboard I was redirected to a site on www.mykitchenworld.net and I received the message that I attached.

Please let me know what I should do next.

Thanks in advance for your help!

#2 rods

rods
  • Topic Starter

  • Members
  • 32 posts

Posted 02 December 2014 - 06:25 PM

I just ran malwarebytes anti-rootkit and the scan finished with no malware found.



#3 rods

rods
  • Topic Starter

  • Members
  • 32 posts

Posted 02 December 2014 - 08:19 PM

Since my last post about running anti-rootkit the redirect has happened 2 more times...once right before entering this post while on the bleepingcomputer.com website. I clicked on forums and I was redirected to buy Norton Anti-virus.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 December 2014 - 10:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.
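As an added example (not part of this thread, and not code from Farbar's FRST or from AdwCleaner), the Python script below does by machine the first pass a helper does by eye on an FRST.txt: it walks the section headers and flags the lines that deserve a second look, such as an autorun entry whose target is gone, an "ATTENTION" marker, a modified hosts file, an unsigned service executable, a Chrome extension registered with no path, or a per-interface DNS server that is not one the analyst expects. The sample input is constructed and modelled on the log format posted in this thread; the trusted-resolver set and the 198.51.100.7 address are assumptions for the demonstration.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the FRST.txt format posted in this thread.
# The 198.51.100.7 resolver line is invented (documentation address range) to
# show how an unexpected DNS server is reported.
SAMPLE_FRST = r"""
==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5226600 2014-12-02] (AVAST Software)

==================== Internet (Whitelisted) ====================

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{7D7BC893-C6E0-494A-B081-E9892A9EB1F4}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000000}: [NameServer] 198.51.100.7
CHR HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path

==================== Services (Whitelisted) =================

R2 D-Link SharePort Plus Helper; C:\Program Files\D-Link\SharePort Plus\Spnuhelper.exe [49152 2014-09-11] () [File not signed]
R2 spiceworks; C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe [47344 2014-11-26] (Spiceworks, Inc.)
"""

# Assumption: the resolvers the analyst expects to see on this network.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# "==================== Registry (Whitelisted) =================="
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# "[49152 2014-09-11] (Publisher)" -> the publisher string FRST read from the file
SIGNER_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \(([^)]*)\)")
# "[NameServer] 8.8.8.8,8.8.8.8"
NAMESERVER_RE = re.compile(r"\[NameServer\] (\S+)")

Finding = namedtuple("Finding", "section line reasons")


def triage_frst(text, trusted_resolvers=TRUSTED_RESOLVERS):
    """Return the FRST log lines worth a closer look, with the reason for each."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue

        reasons = []
        if "<======= ATTENTION" in line:
            reasons.append("flagged by FRST (ATTENTION)")
        if "[File not signed]" in line:
            reasons.append("unsigned executable")
        signer = SIGNER_RE.search(line)
        if signer and not signer.group(1).strip() and "[File not signed]" not in line:
            reasons.append("no publisher string")  # worth checking, not a verdict
        if line.endswith("=> [X]"):
            reasons.append("autorun entry with missing target")
        if line.endswith("- No Path"):
            reasons.append("extension registered with no path")
        if line.startswith("Hosts:"):
            reasons.append("hosts file modified")
        ns = NAMESERVER_RE.search(line)
        if ns:
            unknown = set(ns.group(1).split(",")) - trusted_resolvers
            if unknown:
                reasons.append("unexpected DNS resolver(s): " + ", ".join(sorted(unknown)))

        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def report(findings):
    """Format findings as one line per hit, grouped by FRST section."""
    out = []
    for f in findings:
        out.append("[%s] %s\n    -> %s" % (f.section, f.line, "; ".join(f.reasons)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_frst(SAMPLE_FRST)))
```

Run it on a real FRST.txt by passing the file contents to triage_frst; a hit is a prompt to look at the entry (its signer, its path, what created it), not a removal decision, and the hosts and DNS checks are there because redirects like the ones described in this thread are as often a network setting as a file on disk.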

#5 rods

rods
  • Topic Starter

  • Members
  • 32 posts

Posted 09 December 2014 - 11:19 PM

Hello,

Thank you for your help. Just an FYI: I ran the AdwCleaner scan and chose to clean everything except for the Skype Click to Call services, which you'll see in my AdwCleaner log. I rebooted and ran FRST and then came to this website, and when I pressed the Login button I got redirected to an Anti-Malware website, so whatever it is, it's still on my computer. I'm currently using Internet Explorer.

Here is my AdwCleaner log file:

# AdwCleaner v4.105 - Report created 09/12/2014 at 19:59:10
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Rod - RODWIN7
# Running from : C:\Users\Rod\Downloads\adwcleaner_4.105.exe
# Option : Clean

***** [ Services ] *****

[x] Not Deleted : c2cautoupdatesvc
[x] Not Deleted : c2cpnrsvc

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Firefox Packages
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420

-\\ Google Chrome v39.0.2171.71

*************************

AdwCleaner[R0].txt - [2438 octets] - [18/10/2014 07:19:42]
AdwCleaner[R1].txt - [2118 octets] - [08/12/2014 19:41:07]
AdwCleaner[R2].txt - [2178 octets] - [09/12/2014 17:58:03]
AdwCleaner[S0].txt - [2199 octets] - [18/10/2014 07:22:11]
AdwCleaner[S1].txt - [2119 octets] - [09/12/2014 19:59:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2179 octets] ##########

 

Here is the FRST.txt file:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-12-2014
Ran by Rod (administrator) on RODWIN7 on 09-12-2014 20:04:55
Running from C:\
Loaded Profiles: Rod & UpdatusUser (Available profiles: Rod & UpdatusUser & Parna)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
() C:\Program Files\D-Link\SharePort Plus\Spnuhelper.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Spiceworks, Inc.) C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Apache Software Foundation) C:\Program Files (x86)\Spiceworks\httpd\bin\spiceworks-httpd.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Apache Software Foundation) C:\Program Files (x86)\Spiceworks\httpd\bin\spiceworks-httpd.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(BitTorrent Inc.) C:\Users\Rod\AppData\Roaming\uTorrent\uTorrent.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Users\Rod\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(PFU LIMITED) C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
(PowerISO Computing, Inc.) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\Snagit32.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(D-Link Corp.) C:\Program Files\D-Link\SharePort Plus\SharePortPlus.exe
(Helios Software Solutions) C:\Program Files (x86)\TextPad 4\TextPad.exe
(PFU LIMITED) C:\Program Files (x86)\PFU\ScanSnap\SSFolder\SSFolderTray.exe
(Python Software Foundation) C:\Program Files (x86)\Plex\Plex Media Server\PlexScriptHost.exe
(Microsoft Corporation) C:\Windows\System32\PrintIsolationHost.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\TscHelp.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\SnagPriv.exe
(TechSmith Corporation) C:\Program Files (x86)\TechSmith\Snagit 9\SnagitEditor.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\PlexDlnaServer.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [403328 2012-08-23] (Acronis)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickFinder Scheduler] => c:\Program Files (x86)\Corel\WordPerfect Office X6\Programs\QFSCHD160.EXE [169416 2012-07-30] (Corel Corporation)
HKLM-x32\...\Run: [ScanSnap WIA Service Checker] => C:\Windows\SSDriver\fi5110\SsWiaChecker.exe [86016 2009-09-30] (PFU LIMITED)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [180224 2010-04-12] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311616 2014-02-14] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [6010264 2012-08-23] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [941440 2012-07-24] (Acronis)
HKLM-x32\...\Run: [RUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3499920 2014-09-12] (Adobe Systems Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5226600 2014-12-02] (AVAST Software)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [KiesAirMessage] => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [GoogleChromeAutoLaunch_5D23115B3472A07EC056C924025ED1D4] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [856904 2014-11-24] (Google Inc.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [uTorrent] => C:\Users\Rod\AppData\Roaming\uTorrent\uTorrent.exe [1385808 2014-11-25] (BitTorrent Inc.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [4525192 2014-08-01] (Plex, Inc.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-08-07] (Apple Inc.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [AppleIEDAV] => C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe [1080104 2014-08-04] (Apple Inc.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2014-08-15] (Apple Inc.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [22065760 2014-10-01] (Skype Technologies S.A.)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Run: [SkyDrive] => C:\Users\Rod\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe [277672 2014-12-02] (Microsoft Corporation)
HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\MountPoints2: {609ced18-7f05-11e4-b3c7-002215fd5f7c} - G:\HPLauncher.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ScanSnap Manager.lnk
ShortcutTarget: ScanSnap Manager.lnk -> C:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe (PFU LIMITED)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snagit 9.lnk
ShortcutTarget: Snagit 9.lnk -> C:\Program Files (x86)\TechSmith\Snagit 9\Snagit32.exe (TechSmith Corporation)
Startup: C:\Users\Rod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Rod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SharePort Plus.lnk
ShortcutTarget: SharePort Plus.lnk -> C:\Program Files\D-Link\SharePort Plus\SharePortPlus.exe (D-Link Corp.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll (Acronis)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-153314184-682568810-1827683989-1003\Software\Microsoft\Internet Explorer\Main,Local Page =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-153314184-682568810-1827683989-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitBHO64.dll (TechSmith Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll (LastPass)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll (LastPass)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll (LastPass)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll (LastPass)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://dell.webex.com/client/WBXclient-T29L10NSP4EP2-2/support/ieatgpc1.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{7D7BC893-C6E0-494A-B081-E9892A9EB1F4}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{9F28CE45-FA4C-4AB6-A1B4-946D2E63E4B8}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{A1E2ED0F-88FF-4E9E-A072-9C9DD70283E6}: [NameServer] 8.8.8.8,8.8.8.8
Tcpip\..\Interfaces\{C8890CA4-CCCC-404E-B515-A95F02468626}: [NameServer] 8.8.8.8,8.8.8.8

FireFox:
========
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll (LastPass)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass.dll (LastPass)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @vmware.com/vmrc,version=2.5.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware VMRC Plug-in\Firefox\np-vmware-vmrc.dll (VMware, Inc.)
FF Plugin-x32: @vmware.com/vmrc,version=5.5.0.00000 -> C:\Program Files (x86)\Common Files\VMware\VMware Remote Console Plug-in 5.5\Firefox\np-vmware-vmrc.dll (VMware, Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-153314184-682568810-1827683989-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Rod\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Users\Rod\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-10-21]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-12-02]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com/", "hxxp://www.yahoo.com/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-02-11]
CHR Extension: (Google Drive) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-11]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (YouTube) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-02-11]
CHR Extension: (Google Search) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-02-11]
CHR Extension: (Adobe Acrobat - Create PDF) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2014-10-21]
CHR Extension: (iCloud Bookmarks) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkepacicchenbjecpbpbclokcabebhah [2014-10-27]
CHR Extension: (Avast Online Security) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-09-02]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2014-09-09]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2014-11-12]
CHR Extension: (Google Wallet) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-11]
CHR Extension: (Gmail) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-02-11]
CHR HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2014-09-12]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-02]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-02] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [104416 2014-12-02] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [4012248 2014-12-02] (Avast Software)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 D-Link SharePort Plus Helper; C:\Program Files\D-Link\SharePort Plus\Spnuhelper.exe [49152 2014-09-11] () [File not signed]
R2 spiceworks; C:\Program Files (x86)\Spiceworks\bin\spiceworks.exe [47344 2014-11-26] (Spiceworks, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-12-02] ()
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [28184 2014-12-02] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-12-02] (AVAST Software)
R0 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [449936 2014-12-02] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-12-02] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-12-02] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-12-02] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-12-02] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-12-02] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-12-02] ()
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2012-05-03] (CACE Technologies, Inc.)
R3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)
R2 sxuptp; C:\Windows\System32\DRIVERS\sxuptp.sys [310472 2014-09-11] (silex technology, Inc.)
R0 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [1093256 2014-04-29] (Acronis)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [271752 2014-12-02] (Avast Software)
R0 vidsflt; C:\Windows\System32\DRIVERS\vidsflt.sys [166024 2014-04-29] (Acronis)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2017-09-20 15:31 - 2017-09-20 15:31 - 00000000 ____D () C:\ProgramData\Malwarebytes
2017-09-20 15:31 - 2014-12-02 15:02 - 00135384 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-09-20 15:31 - 2014-12-02 15:01 - 00096472 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-09-20 15:31 - 2014-12-01 17:56 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-09-20 15:31 - 2014-12-01 17:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-09-20 15:31 - 2014-12-01 17:56 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2017-09-20 15:31 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2017-09-20 15:31 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2017-09-20 15:30 - 2017-09-20 15:31 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Rod\Downloads\mbam-setup-2.0.1.1004.exe
2014-12-09 20:04 - 2014-12-09 20:05 - 00026084 _____ () C:\FRST.txt
2014-12-09 20:02 - 2014-12-09 20:02 - 00000197 _____ () C:\Windows\system32\2014-12-10-04-02-19.037-AvastVBoxSVC.exe-3724.log
2014-12-09 17:56 - 2014-12-09 20:05 - 00000000 ____D () C:\FRST
2014-12-09 17:55 - 2014-12-09 17:55 - 02119680 _____ (Farbar) C:\FRST64.exe
2014-12-09 15:54 - 2014-12-09 15:54 - 00000000 ____D () C:\Users\Parna\AppData\Roaming\AVAST Software
2014-12-08 23:49 - 2014-12-08 23:49 - 00006531 _____ () C:\Users\Rod\Downloads\CHARLES-PC (1).rdp
2014-12-08 19:37 - 2014-12-08 19:40 - 02166272 _____ () C:\Users\Rod\Downloads\adwcleaner_4.105.exe
2014-12-08 14:44 - 2014-12-08 14:44 - 00000000 ___RD () C:\Users\Rod\AppData\Roaming\Brother
2014-12-08 14:37 - 2014-12-08 14:37 - 00001071 _____ () C:\Users\Rod\Desktop\Spiceworks Desktop.lnk
2014-12-08 14:32 - 2014-12-08 14:32 - 00000000 ____D () C:\Program Files\WinPcap
2014-12-08 14:31 - 2014-12-08 14:32 - 00000000 ____D () C:\Program Files (x86)\Spiceworks
2014-12-08 14:31 - 2014-12-08 14:31 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spiceworks
2014-12-08 10:23 - 2014-12-08 10:23 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\HP SimpleSave Application
2014-12-08 09:56 - 2014-12-09 19:48 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-08 09:56 - 2014-12-09 11:48 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-08 09:52 - 2014-12-08 09:52 - 00000000 ___HD () C:\OneDriveTemp
2014-12-08 09:51 - 2014-12-08 09:52 - 00000197 _____ () C:\Windows\system32\2014-12-08-17-51-49.032-AvastVBoxSVC.exe-3612.log
2014-12-04 10:22 - 2014-12-04 10:22 - 00000536 _____ () C:\Users\Rod\Downloads\549MJG1.rdp
2014-12-04 10:18 - 2014-12-04 10:18 - 00000536 _____ () C:\Users\Rod\Downloads\283SMK1.rdp
2014-12-02 18:45 - 2014-12-02 18:45 - 00002231 _____ () C:\Users\Rod\Downloads\DomainDownloadList-229705139.csv
2014-12-02 15:21 - 2014-12-02 15:21 - 00000247 _____ () C:\Windows\system32\2014-12-02-23-21-07.074-aswFe.exe-8972.log
2014-12-02 15:17 - 2014-12-02 15:20 - 00000247 _____ () C:\Windows\system32\2014-12-02-23-17-15.010-aswFe.exe-10268.log
2014-12-02 15:17 - 2014-12-02 15:17 - 00000197 _____ () C:\Windows\system32\2014-12-02-23-17-07.053-AvastVBoxSVC.exe-2140.log
2014-12-02 15:02 - 2014-12-02 15:25 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-02 15:01 - 2014-12-02 15:01 - 00000000 ____D () C:\Users\Rod\Desktop\MBAR
2014-12-02 15:00 - 2014-12-02 15:01 - 16448208 _____ (Malwarebytes Corp.) C:\Users\Rod\Downloads\mbar-1.08.2.1001.exe
2014-12-02 14:59 - 2014-12-02 14:59 - 00000000 ____D () C:\Windows\SysWOW64\vbox
2014-12-02 14:59 - 2014-12-02 14:59 - 00000000 ____D () C:\Windows\system32\vbox
2014-12-02 13:18 - 2014-12-02 13:18 - 00001990 _____ () C:\Users\Public\Desktop\Avast SafeZone.lnk
2014-12-02 13:18 - 2014-12-02 13:18 - 00001930 _____ () C:\Users\Public\Desktop\Avast Internet Security.lnk
2014-12-02 13:18 - 2014-12-02 13:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2014-12-02 13:18 - 2014-12-02 13:17 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-12-02 13:17 - 2014-12-02 13:17 - 00449936 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNdisFlt.sys
2014-12-02 13:17 - 2014-12-02 13:17 - 00364512 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-12-02 13:17 - 2014-12-02 13:17 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-12-02 13:14 - 2014-12-02 13:14 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\AVAST Software
2014-12-02 13:13 - 2014-12-02 14:57 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2014-12-02 13:13 - 2014-12-02 13:18 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00436624 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00267632 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00116728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00083280 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2014-12-02 13:13 - 2014-12-02 13:17 - 00028184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2014-12-02 13:13 - 2014-12-02 13:13 - 00000000 ____D () C:\Program Files\AVAST Software
2014-12-01 17:22 - 2009-06-13 10:04 - 00000000 ____D () C:\Users\Rod\Desktop\IonObjects
2014-12-01 12:39 - 2014-12-01 12:39 - 00006811 _____ () C:\Users\Rod\Downloads\LE102.rdp
2014-12-01 12:39 - 2014-12-01 12:39 - 00006811 _____ () C:\Users\Rod\Downloads\LE102 (1).rdp
2014-11-21 15:45 - 2014-11-21 15:45 - 07113660 _____ () C:\Users\Rod\Downloads\28.1-83040-1-11.zip
2014-11-19 00:27 - 2014-11-10 19:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-19 00:27 - 2014-11-10 19:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-19 00:27 - 2014-11-10 18:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-19 00:27 - 2014-11-10 18:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-18 15:17 - 2014-11-18 15:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Apps Sync
2014-11-16 11:31 - 2014-11-16 11:31 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2014-11-16 09:55 - 2014-11-16 09:56 - 00012546 _____ () C:\StarBurn.log
2014-11-16 09:55 - 2014-11-16 09:55 - 00001091 _____ () C:\Users\UpdatusUser\Desktop\EasyDVDCopy.lnk
2014-11-16 09:55 - 2014-11-16 09:55 - 00001091 _____ () C:\Users\Rod\Desktop\EasyDVDCopy.lnk
2014-11-16 09:55 - 2014-11-16 09:55 - 00001091 _____ () C:\Users\Parna\Desktop\EasyDVDCopy.lnk
2014-11-12 16:10 - 2014-11-12 16:12 - 209955015 _____ () C:\Users\Rod\Downloads\X17-59186.iso.u5o3m17.partial
2014-11-12 14:17 - 2014-11-12 14:17 - 00000000 __SHD () C:\Users\Rod\AppData\Local\EmieBrowserModeList
2014-11-12 09:38 - 2014-11-12 09:38 - 00000536 _____ () C:\Users\Rod\Downloads\6688QL1.rdp
2014-11-11 15:10 - 2014-11-07 11:49 - 00388272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-11 15:10 - 2014-11-07 11:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-11 15:10 - 2014-11-05 20:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-11 15:10 - 2014-11-05 19:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-11 15:10 - 2014-11-05 19:35 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-11 15:10 - 2014-11-05 19:30 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-11 15:10 - 2014-11-05 19:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-11 15:10 - 2014-11-05 19:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-11 15:10 - 2014-11-05 19:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-11-11 15:10 - 2014-11-05 19:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-11 15:10 - 2014-11-05 19:07 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-11 15:10 - 2014-11-05 19:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-11 15:10 - 2014-11-05 19:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-11 15:10 - 2014-11-05 18:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-11 15:10 - 2014-11-05 18:41 - 00716800 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-11 15:10 - 2014-11-05 18:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-11 15:10 - 2014-11-05 18:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-11 15:10 - 2014-11-05 18:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-11 15:10 - 2014-11-05 18:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-11 15:10 - 2014-11-05 18:04 - 01550336 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-11 15:10 - 2014-11-05 17:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-11 15:10 - 2014-11-05 17:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-11-11 15:10 - 2014-11-05 09:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-11 15:10 - 2014-11-05 09:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-11 15:10 - 2014-11-05 09:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-11 15:10 - 2014-10-13 18:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-11 15:10 - 2014-10-13 18:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-11 15:10 - 2014-10-13 18:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-11 15:10 - 2014-10-13 18:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-11 15:10 - 2014-10-13 18:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-11 15:10 - 2014-10-13 17:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-11 15:10 - 2014-10-13 17:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-11-11 15:10 - 2014-10-13 17:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-11 15:10 - 2014-10-13 17:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-11 15:09 - 2014-11-05 20:03 - 25110016 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-11 15:09 - 2014-11-05 20:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-11 15:09 - 2014-11-05 19:47 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-11 15:09 - 2014-11-05 19:46 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-11 15:09 - 2014-11-05 19:44 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-11 15:09 - 2014-11-05 19:43 - 02884096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-11 15:09 - 2014-11-05 19:36 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-11 15:09 - 2014-11-05 19:31 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-11 15:09 - 2014-11-05 19:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-11 15:09 - 2014-11-05 19:29 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-11 15:09 - 2014-11-05 19:23 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-11 15:09 - 2014-11-05 19:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-11 15:09 - 2014-11-05 19:16 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-11 15:09 - 2014-11-05 19:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-11 15:09 - 2014-11-05 19:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-11-11 15:09 - 2014-11-05 19:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-11 15:09 - 2014-11-05 19:02 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-11 15:09 - 2014-11-05 19:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-11 15:09 - 2014-11-05 19:00 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-11 15:09 - 2014-11-05 18:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-11-11 15:09 - 2014-11-05 18:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-11-11 15:09 - 2014-11-05 18:57 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-11 15:09 - 2014-11-05 18:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-11 15:09 - 2014-11-05 18:41 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-11 15:09 - 2014-11-05 18:39 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-11 15:09 - 2014-11-05 18:38 - 02124288 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-11 15:09 - 2014-11-05 18:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-11 15:09 - 2014-11-05 18:30 - 14390272 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-11 15:09 - 2014-11-05 18:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-11 15:09 - 2014-11-05 18:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-11-11 15:09 - 2014-11-05 18:17 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-11 15:09 - 2014-11-05 18:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-11 15:09 - 2014-11-05 17:53 - 00799232 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-11 15:09 - 2014-11-05 17:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-11 15:08 - 2014-10-24 17:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-11 15:08 - 2014-10-24 17:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-11 15:08 - 2014-10-17 18:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-11 15:08 - 2014-10-17 17:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-11 15:08 - 2014-10-13 18:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-11 15:08 - 2014-10-13 17:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-11 15:08 - 2014-10-09 16:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-11 15:08 - 2014-10-02 18:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-11 15:08 - 2014-10-02 18:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-11 15:08 - 2014-10-02 18:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-11 15:08 - 2014-10-02 18:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-11 15:08 - 2014-10-02 18:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-11 15:08 - 2014-10-02 17:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-11 15:08 - 2014-10-02 17:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-11 15:08 - 2014-10-02 17:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-11 15:08 - 2014-09-19 01:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-11 15:08 - 2014-09-19 01:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-11 15:08 - 2014-09-19 01:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-11 15:08 - 2014-09-19 01:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-11 15:08 - 2014-09-19 01:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-11 15:08 - 2014-09-19 01:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-11 15:08 - 2014-09-19 01:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-11 15:08 - 2014-09-19 01:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-11 15:08 - 2014-09-19 01:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-11 15:08 - 2014-09-19 01:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-11 15:08 - 2014-09-19 01:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-11 15:08 - 2014-09-19 01:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-11-11 15:08 - 2014-08-20 22:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-11 15:08 - 2014-08-20 22:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-11 15:08 - 2014-08-20 22:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-11 15:08 - 2014-08-20 22:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-11 15:08 - 2014-08-11 18:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-11 15:08 - 2014-08-11 17:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-10 09:54 - 2014-11-10 09:54 - 00001252 _____ () C:\Users\Rod\Desktop\Total Audio Converter.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-09 20:04 - 2014-04-07 15:28 - 00000000 ___RD () C:\Users\Rod\OneDrive
2014-12-09 20:04 - 2014-02-08 12:01 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\uTorrent
2014-12-09 20:02 - 2014-10-21 14:13 - 00000000 ___RD () C:\Users\Rod\iCloudDrive
2014-12-09 20:02 - 2014-03-31 20:24 - 00000000 ____D () C:\ProgramData\boost_interprocess
2014-12-09 20:02 - 2014-02-21 15:09 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\Skype
2014-12-09 20:02 - 2014-02-08 14:43 - 00000000 ___RD () C:\Users\Rod\Documents\Google Drive
2014-12-09 20:02 - 2014-02-08 14:30 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-09 20:01 - 2014-06-09 13:49 - 00065536 _____ () C:\Windows\system32\Ikeext.etl
2014-12-09 20:01 - 2014-01-21 22:56 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-12-09 20:01 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-09 20:01 - 2009-07-13 20:51 - 54738392 _____ () C:\Windows\setupact.log
2014-12-09 20:00 - 2010-11-20 19:47 - 00904478 _____ () C:\Windows\PFRO.log
2014-12-09 19:59 - 2014-10-18 07:19 - 00000000 ____D () C:\AdwCleaner
2014-12-09 19:59 - 2014-01-21 22:29 - 01849850 _____ () C:\Windows\WindowsUpdate.log
2014-12-09 19:39 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\tracing
2014-12-09 19:14 - 2014-02-08 14:30 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-09 17:48 - 2014-02-06 14:06 - 00000000 ____D () C:\Users\Rod\Documents\Outlook Files
2014-12-09 17:47 - 2014-10-20 17:23 - 00000000 ____D () C:\Users\Rod\AppData\Local\CrashDumps
2014-12-09 15:59 - 2010-08-02 07:22 - 00000000 ____D () C:\Users\Rod\Documents\Work
2014-12-09 15:54 - 2014-08-25 21:31 - 00119008 _____ () C:\Users\Parna\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-09 15:53 - 2014-08-25 21:31 - 00000000 ____D () C:\Users\Parna\AppData\Local\Adobe
2014-12-09 11:48 - 2014-02-06 14:07 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-09 11:48 - 2014-02-06 14:07 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-09 10:49 - 2009-07-13 20:45 - 00031952 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-09 10:49 - 2009-07-13 20:45 - 00031952 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-08 19:40 - 2014-02-10 09:46 - 00002090 ____H () C:\Users\Rod\Documents\Default.rdp
2014-12-08 19:38 - 2014-07-03 09:23 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\FileZilla
2014-12-08 19:13 - 2014-02-08 12:13 - 00000000 ____D () C:\Users\Rod\Downloads\Torrents
2014-12-08 15:59 - 2009-07-13 21:13 - 00786622 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-08 14:24 - 2014-05-13 11:38 - 00001953 _____ () C:\Users\Public\Desktop\Sonos.lnk
2014-12-08 14:24 - 2014-02-08 21:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sonos
2014-12-08 14:24 - 2014-02-08 21:50 - 00000000 ____D () C:\Program Files (x86)\Sonos
2014-12-08 14:24 - 2014-02-08 21:49 - 00000000 ____D () C:\ProgramData\Sonos,_Inc
2014-12-08 14:24 - 2014-02-08 21:47 - 00000000 ____D () C:\Users\Rod\AppData\Local\Downloaded Installations
2014-12-02 15:45 - 2014-04-07 15:28 - 00002167 _____ () C:\Users\Rod\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk
2014-12-02 13:11 - 2014-02-08 12:18 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-12-02 13:01 - 2010-10-25 15:51 - 00000000 ____D () C:\Users\Rod\Documents\Personal
2014-12-01 18:30 - 2014-02-10 17:04 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\VMware
2014-12-01 17:44 - 2014-02-07 19:21 - 00000000 ____D () C:\ProgramData\PMS
2014-11-30 23:08 - 2014-02-08 16:41 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\vlc
2014-11-30 16:27 - 2009-07-13 21:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-11-25 19:16 - 2014-02-11 10:14 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-11-19 16:27 - 2014-10-21 13:11 - 00002453 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Pro.lnk
2014-11-19 16:27 - 2014-10-21 13:11 - 00002210 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe FormsCentral.lnk
2014-11-19 16:27 - 2014-10-21 13:11 - 00002049 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2014-11-16 09:55 - 2014-08-26 17:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CoolUtils
2014-11-16 09:55 - 2014-08-17 19:28 - 00000000 ____D () C:\Program Files (x86)\CoolUtils
2014-11-12 14:09 - 2014-02-08 14:30 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-12 14:09 - 2014-02-08 14:30 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-12 09:12 - 2014-01-21 23:10 - 00119008 _____ () C:\Users\Rod\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-12 04:06 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-11-12 03:30 - 2009-07-13 20:45 - 00429312 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 03:27 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-12 03:10 - 2014-02-06 12:48 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-12 03:05 - 2014-02-06 11:06 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-12 03:01 - 2014-02-06 11:06 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-10 09:54 - 2014-08-17 19:28 - 00000000 ____D () C:\Users\Rod\AppData\Roaming\Softplicity
2014-11-09 20:57 - 2014-10-28 11:32 - 00010307 _____ () C:\Users\Rod\Documents\Coc.xlsx

Some content of TEMP:
====================
C:\Users\Rod\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe
C:\Users\Rod\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Rod\AppData\Local\Temp\Execute2App.exe
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FileZilla_3.8.1_win32-setup.exe
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FirefoxSetup.exe
C:\Users\Rod\AppData\Local\Temp\msvcp90.dll
C:\Users\Rod\AppData\Local\Temp\msvcr90.dll
C:\Users\Rod\AppData\Local\Temp\Quarantine.exe
C:\Users\Rod\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist.exe
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist_10.exe
C:\Users\Rod\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-12-05 00:16

==================== End Of Log ============================
Attached is my Addition.txt file from FRST.

Please let me know what I should try next.
Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 10 December 2014 - 08:39 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-153314184-682568810-1827683989-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (Google Wallet) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-11]
CHR HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
Task: {64A516D5-ED53-486F-92C3-8DD020353915} - \AutoKMS No Task File <==== ATTENTION
C:\Users\Rod\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe
C:\Users\Rod\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Rod\AppData\Local\Temp\Execute2App.exe
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FileZilla_3.8.1_win32-setup.exe
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FirefoxSetup.exe
C:\Users\Rod\AppData\Local\Temp\msvcp90.dll
C:\Users\Rod\AppData\Local\Temp\msvcr90.dll
C:\Users\Rod\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist.exe
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist_10.exe
C:\Users\Rod\AppData\Local\Temp\sqlite3.dll

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
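Two of the entries in the fixlist above are the kind a responder wants to be able to re-check after the fix has run: the scheduled task that FRST marks "No Task File" (a task still indexed in the Task Scheduler registry cache whose XML definition under System32\Tasks is gone) and the Internet Explorer policy key that FRST marks "Policy restriction". The script below is an added example for readers of this thread; it is not part of nasdaq's instructions and not FRST code. It assumes an elevated PowerShell session on Windows 7 or later and the standard TaskCache registry layout (Tasks\{GUID} entries carrying a Path value that names the XML file under %SystemRoot%\System32\Tasks).

```powershell
# Added example, not from the thread or from FRST: re-check two classes of
# findings that the fixlist addresses, using only built-in cmdlets.
# Assumes an elevated PowerShell session on Windows 7 or later.

function Get-OrphanedScheduledTask {
    # The Task Scheduler keeps a registry index of every task; the task's XML
    # definition lives under %SystemRoot%\System32\Tasks\<task path>.
    # An index entry whose XML file is missing is what FRST reports as
    # "No Task File" (the AutoKMS entry in this thread is one example).
    $tasksKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    $taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

    Get-ChildItem -Path $tasksKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.Path) { return }          # entry without a Path value: nothing to check
        $xmlFile = Join-Path $taskRoot $props.Path.TrimStart('\')
        if (-not (Test-Path -LiteralPath $xmlFile)) {
            New-Object PSObject -Property @{
                TaskId   = $_.PSChildName        # the {GUID} FRST prints
                TaskPath = $props.Path           # e.g. \AutoKMS
                Missing  = $xmlFile              # the XML file that should exist
            }
        }
    }
}

function Get-IEPolicyRestriction {
    # FRST flags HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer when the key
    # exists on a machine that is not domain-managed. List every value under it
    # (and its subkeys) so the restrictions can be reviewed before removal.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
    if (-not (Test-Path -LiteralPath $policyKey)) { return }

    $keys = @(Get-Item -LiteralPath $policyKey) +
            @(Get-ChildItem -Path $policyKey -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

# Run both checks; no output from either means nothing was found.
Get-OrphanedScheduledTask | Format-Table TaskPath, TaskId, Missing -AutoSize
Get-IEPolicyRestriction   | Format-Table Key, Value, Data -AutoSize
```

Run it once before and once after the FRST fix: the orphaned AutoKMS task and the IE policy key should appear in the first run and be absent from the second, which matches the "Key deleted successfully" lines in a Fixlog. The script only reads; removal stays with the fixlist so the log of what was changed remains in one place.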

#7 rods

rods
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:03:46 PM

Posted 15 December 2014 - 11:35 AM

Sorry for the late response on this.

Here are the attached logs. I'm still getting random redirects.
Here's Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-12-2014
Ran by Rod at 2014-12-14 10:00:50 Run:1
Running from C:\
Loaded Profiles: Rod & UpdatusUser & Parna (Available profiles: Rod & UpdatusUser & Parna)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-153314184-682568810-1827683989-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (Google Wallet) - C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-11]
CHR HKU\S-1-5-21-153314184-682568810-1827683989-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
Task: {64A516D5-ED53-486F-92C3-8DD020353915} - \AutoKMS No Task File <==== ATTENTION
C:\Users\Rod\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe
C:\Users\Rod\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Rod\AppData\Local\Temp\Execute2App.exe
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FileZilla_3.8.1_win32-setup.exe
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FirefoxSetup.exe
C:\Users\Rod\AppData\Local\Temp\msvcp90.dll
C:\Users\Rod\AppData\Local\Temp\msvcr90.dll
C:\Users\Rod\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist.exe
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist_10.exe
C:\Users\Rod\AppData\Local\Temp\sqlite3.dll

End
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-153314184-682568810-1827683989-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Users\Rod\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => Moved successfully.
"HKU\S-1-5-21-153314184-682568810-1827683989-1001\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{64A516D5-ED53-486F-92C3-8DD020353915}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{64A516D5-ED53-486F-92C3-8DD020353915}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => Key deleted successfully.
C:\Users\Rod\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\Execute2App.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FileZilla_3.8.1_win32-setup.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\ICReinstall_FirefoxSetup.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\msvcp90.dll => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\msvcr90.dll => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\spiceworks_redist_10.exe => Moved successfully.
C:\Users\Rod\AppData\Local\Temp\sqlite3.dll => Moved successfully.

==== End of Fixlog ====

 

Below is the Security Check checkup.txt file.  I noticed it says my Avast has expired, but when I open the interface it says it's active and that I am protected.

 Results of screen317's Security Check version 0.99.93 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
avast! Antivirus  
 Antivirus out of date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 2.0.3.1025 
 Google Chrome (39.0.2171.71)
 Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent```````` 
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast afwServ.exe 
 AVAST Software Avast ng vbox\AvastVBoxSVC.exe
 AVAST Software Avast ng ngservice.exe
 AVAST Software Avast avastui.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````
 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 15 December 2014 - 01:51 PM

avast! Antivirus
Antivirus out of date!

Just make sure you have the latest update.

===

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

If that fails to stop the redirects continue:

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome":
 
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is it now?
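
A read-only audit of the redirect vectors this thread touches (the hosts file that RogueKiller later reports as "Too big!", the DNS servers behind the ipconfig step, the proxy/PAC settings that Tweaking.com item 15 repairs, the IE policy key and SearchScopes the FRST fixlist removed, and the UAC consent value RogueKiller reports later). This is an added example, not code from the thread or from any tool named in it; it assumes Windows 7 or later with PowerShell 2.0+, an elevated prompt so other accounts' HKU hives are readable, and the short allowlist of search engines is my own assumption.

```powershell
# Added example (not from the thread): list the settings that commonly explain
# browser redirects. Nothing is modified; every hit is returned as a text line.
function Get-RedirectAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. hosts file: any active mapping other than localhost deserves a look
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hostsPath |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } |
        Where-Object { $_ -notmatch '\s(localhost|broadcasthost)\s*$' } |
        ForEach-Object { $findings.Add("hosts: $_") }

    # 2. DNS servers per adapter: a rogue resolver redirects every browser on the box
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $findings.Add(("dns: {0} -> {1}" -f $_.Description,
                           ($_.DNSServerSearchOrder -join ', ')))
        }

    # 3. proxy / PAC script in the current user's Internet Settings
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) { $findings.Add("proxy: enabled -> $($inet.ProxyServer)") }
    if ($inet.AutoConfigURL)     { $findings.Add("proxy: PAC script -> $($inet.AutoConfigURL)") }

    # 4. IE policy key (the fixlist deleted it) and per-user SearchScopes
    if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
        $findings.Add('policy: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer exists')
    }
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    Get-ChildItem 'HKU:\' | ForEach-Object {
        $scopes = "HKU:\$($_.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes"
        if (Test-Path $scopes) {
            $default = (Get-ItemProperty $scopes).DefaultScope
            Get-ChildItem $scopes | ForEach-Object {
                $url = (Get-ItemProperty $_.PSPath).URL
                # allowlist is an assumption; anything else (or an empty URL) is reported
                if (-not $url -or $url -notmatch 'bing\.com|google\.|duckduckgo\.com') {
                    $tag = if ($_.PSChildName -eq $default) { 'default' } else { 'extra' }
                    $findings.Add("searchscope ($tag): $($_.PSChildName) -> '$url'")
                }
            }
        }
    }

    # 5. UAC: ConsentPromptBehaviorAdmin = 0 means administrators elevate silently
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('uac: ConsentPromptBehaviorAdmin = 0, no elevation prompt for admins')
    }
    return $findings
}

Get-RedirectAudit | ForEach-Object { Write-Output $_ }
```

Compare the DNS lines against the resolvers you configured on the router; the other lines are the same items the thread's tools delete, so a hit that reappears after a fix points at something still re-creating it.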

#9 rods

rods
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 18 December 2014 - 02:45 PM

I did everything you mentioned this morning, except for ipconfig /release /renew since I assigned a static IP on Sunday to my computer.  The static IP I gave was different than the Dynamic IP I had, so the effect is the same.  I did reset settings on IE and Chrome (I don't have Firefox installed).

 

Then right before I posted this message I pressed the Download button on Teamviewer's website to download TV10 and I was redirected...so the issue still persists...grrr.

 

What else can I try?



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 19 December 2014 - 08:28 AM

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below are lists of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html
===

If that fails continue, or you can do this one first.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Click Next at the Welcome Screen, Click Next on Step 1 Screen
  • Click Next on Step 2 Screen, Click Do it on Step 3 Screen, After it has completed click Next
  • On Step 4, under System Restore click Create, then under Registry Backup click Backup. When you have completed this click Next
  • Click on Repairs
  • Click Open repairs - Icon in the bottom right corner
  • Click the Unselect All button then select just the item(s) below

  • 13 - Repair Winsock & DNS Cache
    14 - Remove Temp Files
    15 - Repair Proxy Settings
    
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.

===

How is it now?


#11 rods

rods
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 19 December 2014 - 01:51 PM

Hmm, I just got this router on November 30.  It's an Asus RT-AC68P and I updated the firmware immediately.  It was an unopened item and it was in factory settings.  I changed the admin password right away and I performed all the steps that are in the ehow article when I initially configured the router.  BTW I am an IT consultant for SMBs so I have fairly decent technical knowledge.  I probably should have mentioned this earlier.

 

Also, I have U-verse so I had to change some settings on the 2wire modem to allow the ASUS to act as my firewall.

 

I know there was an issue with ASUS routers being hacked into earlier this year, but I thought that issue was resolved which is why I was comfortable in purchasing this router now.

 

I'm going to try the Tweaking.com Windows Repair tool now.  I'll give an update at the end of the weekend.

 

Thanks for all your help so far!  I really appreciate it!



#12 rods

rods
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 22 December 2014 - 01:42 AM

Ok, so I tried everything in your last post, except for resetting my firewall to the default settings since it's a new router.

 

I'm still getting redirects.  Should I still try to reset my router?  Should I try something else?  I'm also going to start using a laptop more the next couple of days to see if I'm getting the same search redirects from that.  If my router is infected, then I should get redirects from that as well, right?

 

Also, I do use an ipad a lot for searches and I haven't had a redirect on that.

 

Am I stuck with just performing an OS re-install?



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 22 December 2014 - 09:37 AM

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

And let's check deeper.

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.

#14 rods

rods
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:46 PM

Posted 27 December 2014 - 02:57 AM

Hi Nasdaq,

 

Hope you had a Merry Christmas!  I finally had a chance to run all 3.

 

Below is the result from the RogueKiller scan.  I didn't delete anything because the only thing that was selected from the scan was the backup.bat file, but this is a safe file.  It's a backup script to back up my hard drives. Also, I noticed the possibly infected Kernel.Filter was for a rusb3xhc.sys file, but I have a USB 3 card so this may have something to do with that file.

 

 

RogueKiller V10.1.1.0 (x64) [Dec 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Rod [Administrator]
Mode : Scan -- Date : 12/26/2014  23:28:21

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR (\??\C:\Users\Rod\AppData\Local\Temp\aswMBR.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR (\??\C:\Users\Rod\AppData\Local\Temp\aswMBR.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://duckduckgo.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://duckduckgo.com/  -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\RK_Rod_ON_L_06F6\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\RK_Rod_ON_L_06F6\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\Backup Data -- C:\Users\Rod\Desktop\backup.bat -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\rusb3xhc.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103UJ ATA Device +++++
--- User ---
[MBR] 3cb8f7535f445f940c67e2018a102069
[BSP] 473f7bb44679f4a452c22adbc6dbea80 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 14 | Size: 953868 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST2000DX001-1CM164 ATA Device +++++
--- User ---
[MBR] 30f41a05c8d304fc17153f8653bafbeb
[BSP] 97e97517eac4e9e41ee6d8466e87558a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 511899 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1048576000 | Size: 1395727 MB
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_DEL_12252014_114342.log - RKreport_SCN_10182014_083359.log - RKreport_SCN_12242014_164046.log

 

-----------------------------------------------------------------------------

TDSSKiller didn't find anything

 

Here's the log file from the Avast aswMBR scan:

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2014-12-25 16:55:24
-----------------------------
16:55:24.624    OS Version: Windows x64 6.1.7601 Service Pack 1
16:55:24.624    Number of processors: 4 586 0x170A
16:55:24.624    ComputerName: RODWIN7  UserName: Rod
16:55:26.215    Initialize success
16:55:26.262    VM: initialized successfully
16:55:26.262    VM: Intel CPU supported virtualized
16:55:43.080    VM: supported disk I/O ataport.SYS
16:55:46.856    AVAST engine defs: 13121700
16:56:17.681    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-4
16:56:17.681    Disk 0 Vendor: SAMSUNG_HD103UJ 1AA01113 Size: 953869MB BusType: 3
16:56:17.728    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-3
16:56:17.728    Disk 1 Vendor: ST2000DX001-1CM164 CC43 Size: 1907729MB BusType: 3
16:56:17.775    Disk 1 MBR read successfully
16:56:17.775    Disk 1 MBR scan
16:56:17.775    Disk 1 Windows 7 default MBR code
16:56:17.790    Disk 1 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
16:56:17.822    Disk 1 default boot code
16:56:17.837    Disk 1 Partition 2 00     07    HPFS/NTFS NTFS       511899 MB offset 206848
16:56:17.837    Disk 1 Partition 3 00     07    HPFS/NTFS NTFS      1395727 MB offset 1048576000
16:56:17.853    Disk 1 scanning C:\Windows\system32\drivers
16:56:21.753    Service scanning
16:56:29.787    Modules scanning
16:56:29.787    Disk 1 trace - called modules:
16:56:29.787    ntoskrnl.exe fltsrv.sys tdrpman.sys CLASSPNP.SYS disk.sys vidsflt.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
16:56:29.802    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa80065c2060]
16:56:29.802    3 CLASSPNP.SYS[fffff8800199a43f] -> nt!IofCallDriver -> [0xfffffa8006450e10]
16:56:29.802    5 vidsflt.sys[fffff88000e565cd] -> nt!IofCallDriver -> [0xfffffa8006323520]
16:56:29.818    7 ACPI.sys[fffff88000f997a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0xfffffa800631f680]
16:56:30.582    AVAST engine scan C:\Windows
16:56:32.236    AVAST engine scan C:\Windows\system32
16:56:33.172    File: C:\Windows\system32\aeinv.dll  **INFECTED** Win32:Evo-gen [Susp]
16:58:27.069    AVAST engine scan C:\Windows\system32\drivers
16:58:32.872    AVAST engine scan C:\Users\Rod
17:38:17.719    File: C:\Users\Rod\Documents\Work\Cary Goldstein\CWG_Data\Security\Station 1\TSREMOTE\tsdb0132.DLL  **INFECTED** Win32:Evo-gen [Susp]
17:41:26.754    File: C:\Users\Rod\Documents\Work\Cary Goldstein\CWG_Data\Station 1\Corel\Suite8\Programs\CCWin\Aim\osconfig.ocm  **INFECTED** Win32:Evo-gen [Susp]
17:41:39.202    File: C:\Users\Rod\Documents\Work\Cary Goldstein\CWG_Data\Station 1\Corel\Suite8\Programs\Viewers\trzD4AD.tmp  **INFECTED** Win32:Evo-gen [Susp]
18:01:00.337    File: C:\Users\Rod\Documents\Work\Cary Goldstein\CWG_Data\Timeslips-old\TSSystem\Tsdbap32.dll  **INFECTED** Win32:Evo-gen [Susp]
18:23:33.382    AVAST engine scan C:\ProgramData
18:35:48.467    Disk 1 statistics 6667968/0/0 @ 0.60 MB/s
18:35:48.482    Scan finished successfully
22:55:42.973    Disk 1 MBR has been saved successfully to "C:\Users\Rod\Desktop\MBR.dat"
22:55:42.988    The log file has been saved successfully to "C:\Users\Rod\Desktop\aswMBR.txt"

 

And I zipped and attached the MBR.dat file.

 



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:46 PM

Posted 27 December 2014 - 09:05 AM

Please run the RogueKiller tool and fix these items.
 

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswMBR (\??\C:\Users\Rod\AppData\Local\Temp\aswMBR.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswMBR (\??\C:\Users\Rod\AppData\Local\Temp\aswMBR.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://duckduckgo.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://duckduckgo.com/ -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_L_05D9\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\RK_Rod_ON_L_06F6\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\RK_Rod_ON_L_06F6\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-153314184-682568810-1827683989-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found


===

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the scan settings shown in the screenshot (image not included).
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created; its location is shown in the screenshot (image not included).
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!



Is the problem persisting?



