Multiple Infections: Poweliks, trojan.AdClicker, Exploit Toolkit Website 32, Tro


  • This topic is locked
20 replies to this topic

#1 mprich

mprich

  • Members
  • 12 posts
  • Gender:Male

Posted 03 December 2014 - 10:30 AM

Windows 7, Norton 360, Malwarebytes.

Norton blocks Poweliks, Exploit Toolkit Website 32, Trojan.AdClicker, Trojan.Swifi

Malwarebytes detects, blocks SysWOW64/dllhost.exe, rundll32.exe, systray.exe, wiaccmgr.exe, dvdugrd.exx, regsvr32.exe, msfeedssync.exe, logagent.exe,

also searchnet.blinkxcore.com

I get the Low on memory messages, Powershell has stopped working message, others.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420  BrowserJavaVersion: 10.71.2
Run by admin at 9:29:03 on 2014-12-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3893.1615 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton 360 *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE
C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
C:\Program Files (x86)\System Explorer\SystemExplorer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\syswow64\dllhost.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files (x86)\Avanquest\PowerDesk\ContextMenuServer.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\windows\system32\Dwm.exe
C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE
C:\windows\system32\wuauclt.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\msiexec.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\System Explorer\SystemExplorer.exe
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\RunDll32.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} -
BHO: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} -
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\IPS\ipsbho.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: ZeonIEEventHelper Class: {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - C:\Program Files (x86)\Nuance\PDFCreate\bin\ZeonIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: NCH EN Toolbar: {37483b40-c254-4a72-bda4-22ee90182c1e} -
TB: DocuCom PDF: {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files (x86)\Nuance\PDFCreate\bin\ZeonIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\coieplg.dll
uRun: [Best Buy pc app] C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
mRun: [UpdateLBPShortCut] "C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdatePDRShortCut] "C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\7.0"
mRun: [RemoteControl8] "C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [UpdatePPShortCut] "C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
mRun: [UpdatePSTShortCut] "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [UCam_Menu] "C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
mRun: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
mRun: [AddressBookReminderApp] C:\Program Files (x86)\Creative Home\Hallmark Card Studio 2011\ReminderApp.exe
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [TaskTray] <no file>
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://qtinstall.apple.com/qtactivex/qtplugin.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B35126D9-8E72-4EE0-9C15-4AD45CA1AA42} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B35126D9-8E72-4EE0-9C15-4AD45CA1AA42}\2375942554633363 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B35126D9-8E72-4EE0-9C15-4AD45CA1AA42}\2375942554638373 : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\CoIEPlg.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll
x64-BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\CoIEPlg.dll
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [IntelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash
x64-Run: [Broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe
x64-Run: [Logitech Download Assistant] C:\windows\System32\rundll32.exe C:\windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r0ifi1fb.default\
.
============= SERVICES / DRIVERS ===============
.
R?3 SystemExplorerHelpService;System Explorer Service;C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [2012-8-11 821096]
R0 SymDS;Symantec Data Store;C:\windows\System32\drivers\N360x64\1506000.020\SymDS64.sys [2014-11-8 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\windows\System32\drivers\N360x64\1506000.020\SymEFA64.sys [2014-11-8 1148120]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141118.001\BHDrvx64.sys [2014-11-19 1587416]
R1 ccSet_N360;N360 Settings Manager;C:\windows\System32\drivers\N360x64\1506000.020\ccSetx64.sys [2014-11-8 162392]
R1 HWiNFO32;HWiNFO32 Kernel Driver;C:\Program Files (x86)\HWiNFO32\HWiNFO64A.SYS [2010-12-5 28032]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141202.001\IDSviA64.sys [2014-12-2 637656]
R1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\windows\System32\drivers\SABI.sys [2010-7-7 13824]
R1 SymIRON;Symantec Iron Driver;C:\windows\System32\drivers\N360x64\1506000.020\Ironx64.sys [2014-11-8 266968]
R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\System32\drivers\N360x64\1506000.020\symnets.sys [2014-11-8 593112]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};Power Control [2010/07/08 12:00:36];C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [2010-1-12 146928]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [2010-6-7 408576]
R2 Fitbit Connect;Fitbit Connect Service;C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [2014-1-10 1435680]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-6-28 14624]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-11-8 1871160]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe [2014-11-8 265040]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [2011-7-22 138600]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-7 2320920]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [2010-6-7 911872]
R3 bpenum;bpenum;C:\windows\System32\drivers\bpenum.sys [2010-5-16 71168]
R3 bpmp;Intel® Centrino® WiMAX 6050 Series;C:\windows\System32\drivers\bpmp.sys [2010-5-16 175104]
R3 bpusb;bpusb;C:\windows\System32\drivers\bpusb.sys [2010-5-16 81920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-11-8 142640]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\System32\drivers\HECIx64.sys [2010-7-8 56344]
R3 Impcd;Impcd;C:\windows\System32\drivers\Impcd.sys [2010-7-8 158976]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2010-7-8 271872]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\windows\System32\drivers\LEqdUsb.sys [2011-9-2 76056]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\windows\System32\drivers\LHidEqd.sys [2011-9-2 15128]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-11-8 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\windows\System32\drivers\MBAMSwissArmy.sys [2014-11-8 129752]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\windows\System32\drivers\mwac.sys [2014-11-8 63704]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\windows\System32\drivers\NETw5s64.sys [2010-5-30 7689216]
R3 stdriver;Sound tap driver Upper Class Filter Driver v2.0.0.0;C:\windows\System32\drivers\stdriver64.sys [2010-12-7 59480]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
R3 wdkmd;Intel WiDi KMD;C:\windows\System32\drivers\WDKMD.sys [2010-6-17 39832]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\System32\drivers\yk62x64.sys [2009-9-28 395264]
S2 AQFileRestoreSrv;AQFileRestoreSrv;"C:\Program Files (x86)\Avanquest\SystemSuite\AQFileRestoreSrv.exe" --> C:\Program Files (x86)\Avanquest\SystemSuite\AQFileRestoreSrv.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-11-8 969016]
S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2010-12-5 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-11-12 114688]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-4 340240]
S3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2014-9-16 56832]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2010-12-5 1255736]
.
=============== Created Last 30 ================
.
2014-12-03 14:26:35 -------- d-----w- C:\Users\admin\AppData\Local\Logishrd
2014-12-03 14:19:35 -------- d-----w- C:\Users\admin\AppData\Local\Best Buy pc app
2014-12-03 14:19:10 -------- d-----w- C:\Users\admin\AppData\Roaming\Logishrd
2014-12-01 22:38:03 -------- d-----w- C:\NPE
2014-11-20 10:15:37 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2014-11-20 10:15:37 728064 ----a-w- C:\windows\System32\kerberos.dll
2014-11-20 10:15:37 550912 ----a-w- C:\windows\SysWow64\kerberos.dll
2014-11-20 10:15:37 241152 ----a-w- C:\windows\System32\pku2u.dll
2014-11-20 10:15:37 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2014-11-20 10:15:37 186880 ----a-w- C:\windows\SysWow64\pku2u.dll
2014-11-20 10:15:37 155064 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2014-11-20 10:15:37 1460736 ----a-w- C:\windows\System32\lsasrv.dll
2014-11-12 21:59:26 878080 ----a-w- C:\windows\System32\IMJP10K.DLL
2014-11-09 02:39:14 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2014-11-09 02:27:46 129752 ----a-w- C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-11-09 02:27:13 93400 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2014-11-09 02:27:13 63704 ----a-w- C:\windows\System32\drivers\mwac.sys
2014-11-09 02:27:13 25816 ----a-w- C:\windows\System32\drivers\mbam.sys
2014-11-09 02:27:13 -------- d-----w- C:\ProgramData\Malwarebytes
2014-11-09 02:27:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-09 02:07:07 177752 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS
2014-11-09 02:07:07 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2014-11-09 02:06:46 876248 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\srtsp64.sys
2014-11-09 02:06:46 593112 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\symnets.sys
2014-11-09 02:06:46 493656 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\SymDS64.sys
2014-11-09 02:06:46 37592 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\srtspx64.sys
2014-11-09 02:06:46 266968 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\Ironx64.sys
2014-11-09 02:06:46 23568 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\SymELAM.sys
2014-11-09 02:06:46 1148120 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\SymEFA64.sys
2014-11-09 02:06:45 162392 ----a-r- C:\windows\System32\drivers\N360x64\1506000.020\ccSetx64.sys
2014-11-09 02:06:30 -------- d-----w- C:\Program Files (x86)\Norton 360
2014-11-09 02:06:23 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2014-11-09 01:03:10 -------- d-----w- C:\ProgramData\ZapmObetl
2014-11-09 01:03:10 -------- d-----w- C:\ProgramData\XojfoPinej
2014-11-09 00:44:07 98216 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-08 23:11:27 -------- d-----w- C:\ProgramData\NortonRnR
.
==================== Find3M  ====================
.
2014-11-26 05:02:10 71344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-26 05:02:10 701104 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2014-11-06 04:04:03 2724864 ----a-w- C:\windows\System32\mshtml.tlb
2014-11-06 04:03:50 4096 ----a-w- C:\windows\System32\ieetwcollectorres.dll
2014-11-06 03:47:03 66560 ----a-w- C:\windows\System32\iesetup.dll
2014-11-06 03:46:12 580096 ----a-w- C:\windows\System32\vbscript.dll
2014-11-06 03:46:12 48640 ----a-w- C:\windows\System32\ieetwproxystub.dll
2014-11-06 03:44:28 88064 ----a-w- C:\windows\System32\MshtmlDac.dll
2014-11-06 03:30:22 144384 ----a-w- C:\windows\System32\ieUnatt.exe
2014-11-06 03:30:08 114688 ----a-w- C:\windows\System32\ieetwcollector.exe
2014-11-06 03:29:18 814080 ----a-w- C:\windows\System32\jscript9diag.dll
2014-11-06 03:28:20 2724864 ----a-w- C:\windows\SysWow64\mshtml.tlb
2014-11-06 03:23:57 6040064 ----a-w- C:\windows\System32\jscript9.dll
2014-11-06 03:20:18 968704 ----a-w- C:\windows\System32\MsSpellCheckingFacility.exe
2014-11-06 03:13:43 501248 ----a-w- C:\windows\SysWow64\vbscript.dll
2014-11-06 03:13:36 62464 ----a-w- C:\windows\SysWow64\iesetup.dll
2014-11-06 03:12:44 47616 ----a-w- C:\windows\SysWow64\ieetwproxystub.dll
2014-11-06 03:10:58 64000 ----a-w- C:\windows\SysWow64\MshtmlDac.dll
2014-11-06 03:07:29 77824 ----a-w- C:\windows\System32\JavaScriptCollectionAgent.dll
2014-11-06 02:59:36 115712 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2014-11-06 02:58:38 620032 ----a-w- C:\windows\SysWow64\jscript9diag.dll
2014-11-06 02:42:36 60416 ----a-w- C:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-06 02:39:39 1359360 ----a-w- C:\windows\System32\mshtmlmedia.dll
2014-11-06 02:38:25 2124288 ----a-w- C:\windows\System32\inetcpl.cpl
2014-11-06 02:21:49 4298240 ----a-w- C:\windows\SysWow64\jscript9.dll
2014-11-06 02:21:25 2051072 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2014-11-06 02:20:37 1155072 ----a-w- C:\windows\SysWow64\mshtmlmedia.dll
2014-11-06 02:17:24 2365440 ----a-w- C:\windows\System32\wininet.dll
2014-11-06 01:52:35 1892864 ----a-w- C:\windows\SysWow64\wininet.dll
2014-11-05 17:56:54 304640 ----a-w- C:\windows\System32\generaltel.dll
2014-11-05 17:56:36 228864 ----a-w- C:\windows\System32\aepdu.dll
2014-11-05 17:52:22 424448 ----a-w- C:\windows\System32\aeinv.dll
2014-10-25 01:57:59 77824 ----a-w- C:\windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\windows\SysWow64\packager.dll
2014-10-18 02:05:23 861696 ----a-w- C:\windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll
2014-10-14 02:13:06 683520 ----a-w- C:\windows\System32\termsrv.dll
2014-10-14 02:13:00 3241984 ----a-w- C:\windows\System32\msi.dll
2014-10-14 02:09:31 146432 ----a-w- C:\windows\System32\msaudite.dll
2014-10-14 02:07:31 681984 ----a-w- C:\windows\System32\adtschema.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\windows\SysWow64\msi.dll
2014-10-14 01:47:30 146432 ----a-w- C:\windows\SysWow64\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- C:\windows\SysWow64\adtschema.dll
2014-10-10 00:57:42 3198976 ----a-w- C:\windows\System32\win32k.sys
2014-10-03 02:12:00 500224 ----a-w- C:\windows\System32\AUDIOKSE.dll
2014-10-03 02:11:54 284672 ----a-w- C:\windows\System32\EncDump.dll
2014-10-03 02:11:51 680960 ----a-w- C:\windows\System32\audiosrv.dll
2014-10-03 02:11:51 440832 ----a-w- C:\windows\System32\AudioEng.dll
2014-10-03 02:11:51 296448 ----a-w- C:\windows\System32\AudioSes.dll
2014-10-03 01:44:42 442880 ----a-w- C:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26 374784 ----a-w- C:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- C:\windows\SysWow64\AudioSes.dll
2014-09-25 02:08:38 371712 ----a-w- C:\windows\System32\qdvd.dll
2014-09-25 01:40:50 519680 ----a-w- C:\windows\SysWow64\qdvd.dll
2014-09-19 09:42:52 210944 ----a-w- C:\windows\System32\wdigest.dll
2014-09-19 09:42:51 86528 ----a-w- C:\windows\System32\TSpkg.dll
2014-09-19 09:42:49 342016 ----a-w- C:\windows\System32\schannel.dll
2014-09-19 09:42:47 314880 ----a-w- C:\windows\System32\msv1_0.dll
2014-09-19 09:42:47 309760 ----a-w- C:\windows\System32\ncrypt.dll
2014-09-19 09:42:41 22016 ----a-w- C:\windows\System32\credssp.dll
2014-09-19 09:23:55 172032 ----a-w- C:\windows\SysWow64\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- C:\windows\SysWow64\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- C:\windows\SysWow64\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- C:\windows\SysWow64\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- C:\windows\SysWow64\msv1_0.dll
2014-09-19 09:23:36 17408 ----a-w- C:\windows\SysWow64\credssp.dll
2014-09-16 23:45:03 18960 ----a-w- C:\windows\System32\drivers\LNonPnP.sys
2014-09-09 22:11:04 2048 ----a-w- C:\windows\System32\tzres.dll
2014-09-09 21:47:10 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2014-09-05 02:11:09 6584320 ----a-w- C:\windows\System32\mstscax.dll
2014-09-05 01:52:41 5703168 ----a-w- C:\windows\SysWow64\mstscax.dll
.
============= FINISH:  9:33:23.33 ===============
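A small triage script for the kind of DDS log pasted above, added here as a worked example; it is not part of DDS, FRST, or anything the posters ran. It pulls the "Running Processes" and "Created Last 30" sections out of the log, reports running copies of the native Windows host binaries the first post names among the Malwarebytes detections (dllhost.exe, rundll32.exe, regsvr32.exe) plus a few related ones, and lists newly created ProgramData/AppData directories whose all-letter names match no vendor name seen in the process list. The watch list, the name heuristic and the 8-character threshold are assumptions of the example, not DDS or vendor indicators; the sample input is a trimmed excerpt of the log above, and everything the script flags is a prompt to look closer, not a verdict.

```python
"""Triage helper for DDS-style scan logs. Added example for this thread; it is
not part of DDS, FRST or any post above. It reads the 'Running Processes' and
'Created Last 30' sections and reports (1) running native host binaries that
are commonly abused to run code without a dropped executable and (2) new
ProgramData/AppData directories whose all-letter names match no vendor name
seen in the process list, the shape auto-generated names tend to have. Both
are review prompts; the watch list and heuristic are this example's assumptions."""
import re

# Assumption of this example: images to report whenever they are running.
HOST_BINARIES = {"dllhost.exe", "rundll32.exe", "regsvr32.exe", "cscript.exe",
                 "wscript.exe", "mshta.exe", "powershell.exe"}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+\s*$")       # '=== Title ==='
EXE_RE = re.compile(r"\\([^\\]+\.exe)", re.IGNORECASE)  # last \name.exe in a line
CREATED_RE = re.compile(                                 # date time size attrs path
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")
USER_DATA_RE = re.compile(r"\\(ProgramData|AppData)\\", re.IGNORECASE)


def parse_sections(log_text):
    """Split a DDS log into {section title: [lines]}, dropping '.' spacers."""
    sections, current = {}, None
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def flag_host_binaries(process_lines):
    """Return [(image, line)] for watch-listed images found running."""
    hits = []
    for line in process_lines:
        m = EXE_RE.search(line)
        if m and m.group(1).lower() in HOST_BINARIES:
            hits.append((m.group(1).lower(), line))
    return hits


def vendor_tokens(process_lines):
    """Lower-cased path components (4+ chars) seen in the process list."""
    tokens = set()
    for line in process_lines:
        tokens.update(p.lower() for p in re.split(r"[\\\s().:-]+", line) if len(p) >= 4)
    return tokens


def flag_generated_dirs(created_lines, known_tokens):
    """New ProgramData/AppData dirs whose all-letter name shares no token with known_tokens."""
    flagged = []
    for line in created_lines:
        m = CREATED_RE.match(line)
        if not m or not m.group(4).startswith("d"):
            continue  # not a directory entry
        path = m.group(5)
        name = path.rsplit("\\", 1)[-1]
        if not USER_DATA_RE.search(path) or not name.isalpha() or len(name) < 8:
            continue
        # split on case changes: 'ZapmObetl' -> ['Zapm', 'Obetl']
        parts = re.findall(r"[A-Z]?[a-z]+|[A-Z]+", name)
        if not any(len(p) >= 4 and p.lower() in known_tokens for p in parts):
            flagged.append(path)
    return flagged


def triage(log_text):
    """Run both checks over one log; results keyed by check name."""
    sections = parse_sections(log_text)
    procs = sections.get("Running Processes", [])
    return {
        "host_binaries": flag_host_binaries(procs),
        "generated_dirs": flag_generated_dirs(
            sections.get("Created Last 30", []), vendor_tokens(procs)),
    }


# Constructed sample input: a trimmed excerpt of the DDS log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\windows\syswow64\dllhost.exe
C:\windows\system32\RunDll32.exe
C:\windows\System32\cscript.exe
.
=============== Created Last 30 ================
.
2014-12-03 14:26:35 -------- d-----w- C:\Users\admin\AppData\Local\Logishrd
2014-12-03 14:19:35 -------- d-----w- C:\Users\admin\AppData\Local\Best Buy pc app
2014-11-20 10:15:37 728064 ----a-w- C:\windows\System32\kerberos.dll
2014-11-09 02:27:13 -------- d-----w- C:\ProgramData\Malwarebytes
2014-11-09 01:03:10 -------- d-----w- C:\ProgramData\ZapmObetl
2014-11-09 01:03:10 -------- d-----w- C:\ProgramData\XojfoPinej
2014-11-08 23:11:27 -------- d-----w- C:\ProgramData\NortonRnR
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(*(f"review running: {l}" for _, l in report["host_binaries"]), sep="\n")
    print(*(f"review new dir: {p}" for p in report["generated_dirs"]), sep="\n")
```

Run it as a script to print the two review lists, or import it and call triage() on the full log text. On the excerpt it reports the SysWOW64 dllhost.exe, RunDll32.exe and cscript.exe entries and the two ProgramData directories created at 01:03:10 on 2014-11-09, while Logishrd, Malwarebytes and NortonRnR are left alone because a matching vendor path is already running. Whether any flagged item is actually malicious is not something this heuristic can settle.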

 



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 05 December 2014 - 08:14 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi




#3 mprich
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male

Posted 06 December 2014 - 02:00 PM

Georgi,

Thanks for your help.

I downloaded FRST.exe, 64-bit, since I have a 64-bit version of Windows 7, but Norton intercepts the download, tells me it is a malicious file and deletes it.

I tried this both as a user and administrator. Do I turn off Norton360, or is there an issue with FRST?
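
Editor's note, with an added example that is not part of any post in this thread. The FRST log posted in the next reply flags two kinds of registry entry: a Run value that launches a DLL out of the user profile (`rundll32 "C:\Users\Mary\AppData\Local\acillao.dll",acillao`), and a CLSID LocalServer32 value that FRST marks "Poweliks!". The second one is the interesting one: the "server" is a rundll32.exe command line whose module argument is a javascript: URL, so rundll32 loads mshtml.dll, calls RunHTMLApplication, and the JScript embedded in the registry value runs without any file on disk. The script below (editor's code, not FRST's) runs a few triage heuristics over constructed lines shaped like those log entries and decodes the visible part of the eval() argument. The sample lines are constructed (SID shortened); the heuristics are the editor's assumptions, not FRST's whitelist logic; and the shift-by-one decoding is inferred from the visible fragment, since the thread does not show the 239 characters of the value that FRST truncated.

```python
"""Triage of FRST 'Registry (Whitelisted)' lines for Poweliks-style persistence.

Added example (editor's code, not FRST's). The heuristics are assumptions chosen
to match the entries in this thread, not FRST's own whitelist logic.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample lines, modelled on the FRST log posted in this thread.
# The SID is shortened; the Poweliks value is truncated exactly as FRST printed it.
SAMPLE_FRST_LINES = [
    r"HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9644576 2009-12-14] (Realtek Semiconductor)",
    r"HKU\S-1-5-21-1000\...\Run: [{F929B2B9-5BFC-849A-A5E0-2E860AE5CD29}] => C:\Users\Mary\AppData\Roaming\Microsoft\syncMicrosoft.exe",
    r'HKU\S-1-5-21-1000\...\Run: [acillao] => rundll32 "C:\Users\Mary\AppData\Local\acillao.dll",acillao',
    r'HKU\S-1-5-21-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
]

GUID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")


def flag_registry_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why an FRST registry line deserves a look."""
    low = line.lower()
    reasons = []
    # rundll32 handed a javascript: URL instead of a DLL path: rundll32 loads mshtml.dll,
    # calls RunHTMLApplication, and the JScript in the URL runs with no file on disk.
    if "rundll32" in low and "javascript:" in low and "runhtmlapplication" in low:
        reasons.append("rundll32 javascript:/mshtml RunHTMLApplication loader (Poweliks-style)")
    # A COM LocalServer32 should be a plain executable path; anything else is a hijack.
    if "localserver32:" in low and not re.search(r'localserver32:\s*"?[a-z]:\\', low):
        reasons.append("COM LocalServer32 does not point at a plain executable path")
    # Autostart of a DLL/EXE living in the user profile rather than Program Files.
    if "\\...\\run:" in low and "\\appdata\\" in low:
        reasons.append("Run value launches a file under AppData")
    # A Run value named with a bare GUID, a pattern used to look like a system component.
    m = re.search(r"\\run: \[([^\]]+)\]", low)
    if m and GUID_RE.fullmatch(m.group(1)):
        reasons.append("Run value name is a bare GUID")
    return reasons


def extract_eval_fragment(line: str) -> Optional[str]:
    """Pull the (possibly truncated) string literal handed to eval() out of the value."""
    m = re.search(r'eval\("([^"]*)', line)
    return m.group(1) if m else None


def decode_shifted(text: str, shift: int = 1) -> str:
    """Undo a per-character code shift (a Caesar shift over the whole character set).

    Assumption: the visible fragment is the script text with every character code
    incremented by one; decoding it yields readable JScript, which supports that.
    """
    return "".join(chr(ord(c) - shift) for c in text)


def triage(lines: List[str]) -> List[Tuple[str, List[str], Optional[str]]]:
    """Flagged lines with their reasons and, where present, the decoded eval() payload."""
    out = []
    for line in lines:
        reasons = flag_registry_line(line)
        if not reasons:
            continue
        frag = extract_eval_fragment(line)
        out.append((line, reasons, decode_shifted(frag) if frag else None))
    return out


if __name__ == "__main__":
    for line, reasons, decoded in triage(SAMPLE_FRST_LINES):
        print(line[:90] + ("..." if len(line) > 90 else ""))
        for r in reasons:
            print("   -", r)
        if decoded:
            print("   decoded eval() fragment:", decoded)
```

The decoded fragment reads `document.write('<script language=jscr`, the beginning of an inline JScript stage; the remainder of the value is not shown in the thread, so nothing further can be recovered from it here. The point for a responder is that deleting files under AppData is not enough: the LocalServer32 value itself is the persistence, and the CLSID it hangs off is instantiated by normal system processes, which is why the user sees dllhost.exe, rundll32.exe and PowerShell being flagged rather than a single named executable.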



#4 mprich
  • Topic Starter
  • Members
  • 12 posts
  • Gender:Male

Posted 07 December 2014 - 05:14 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-12-2014 01
Ran by Mary (administrator) on BIGRED on 07-12-2014 16:24:59
Running from C:\Users\Mary\Desktop\Downloads
Loaded Profile: Mary (Available profiles: Mary & admin)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRYSVC.EXE
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\BCMWLTRY.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Intel® Corporation) C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Red Bend Ltd.) C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
(SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel® Corporation) C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.EXE
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
(cyberlink) C:\Program Files (x86)\CyberLink\Shared files\brs.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\ControlCenter3\BrccMCtl.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
(Mister Group) C:\Program Files (x86)\System Explorer\SystemExplorer.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brmfcmon\BrMfimon.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Mister Group) C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9644576 2009-12-14] (Realtek Semiconductor)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1928976 2010-03-04] (Intel® Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2074408 2010-02-26] (Synaptics Incorporated)
HKLM\...\Run: [IntelWirelessWiMAX] => C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe [1441792 2010-06-08] (Intel® Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\WLTRAY.exe [5392896 2010-07-07] (Broadcom Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-10-07] (Logitech, Inc.)
HKLM-x32\...\Run: [UpdateLBPShortCut] => C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe [103720 2009-12-04] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePDRShortCut] => C:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl8] => C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe [91432 2009-07-16] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD8LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe [50472 2009-04-15] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] => C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2010-01-13] (cyberlink)
HKLM-x32\...\Run: [UpdatePPShortCut] => C:\Program Files (x86)\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePSTShortCut] => C:\Program Files (x86)\CyberLink\Blu-ray Disc Suite\MUITransfer\MUIStartMenu.exe [210216 2010-01-11] (CyberLink Corp.)
HKLM-x32\...\Run: [UCam_Menu] => C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [BrMfcWnd] => C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [ControlCenter3] => C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [AddressBookReminderApp] => C:\Program Files (x86)\Creative Home\Hallmark Card Studio 2011\ReminderApp.exe
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [TaskTray] => [X]
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-07-22] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-07-22] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PPort14reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [333088 2011-05-16] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PDF7 Registry Controller] => C:\Program Files (x86)\Nuance\PDFCreate\RegistryController.exe [140136 2011-06-28] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [3362336 2014-01-10] (Fitbit, Inc.)
HKLM-x32\...\Run: [SystemExplorerAutoStart] => C:\Program Files (x86)\System Explorer\SystemExplorer.exe [3385192 2014-09-15] (Mister Group)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2010-07-07] (Google Inc.)
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [PDHookServer] => C:\Program Files (x86)\Avanquest\PowerDesk\PDHookServer.exe [67640 2011-12-09] ()
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [SystemExplorerAutoStart] => C:\Program Files (x86)\System Explorer\SystemExplorer.exe [3385192 2014-09-15] (Mister Group)
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [{F929B2B9-5BFC-849A-A5E0-2E860AE5CD29}] => C:\Users\Mary\AppData\Roaming\Microsoft\syncMicrosoft.exe
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [3362336 2014-01-10] (Fitbit, Inc.)
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [WeatherBug] => C:\Program Files\Earth Networks\WeatherBug\WeatherBug.exe [146736 2014-04-01] ()
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [acillao] => rundll32 "C:\Users\Mary\AppData\Local\acillao.dll",acillao <===== ATTENTION
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\MountPoints2: {632135a2-5857-11df-9778-806e6f6e6963} - E:\start.exe
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=u218dhp&pc=u218
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
URLSearchHook: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
URLSearchHook: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SMSN
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2801948
SearchScopes: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SMSN_enUS408US408
SearchScopes: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> 90EAE07089844C64A2E987121DADE7A4 URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SMSN_enUS408US408
SearchScopes: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7SMSN_enUS408US408
SearchScopes: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=retail&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2801948
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll (Logitech, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: NCH EN Toolbar -> {37483b40-c254-4a72-bda4-22ee90182c1e} -> C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll (Logitech, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: ZeonIEEventHelper Class -> {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} -> C:\Program Files (x86)\Nuance\PDFCreate\Bin\ZeonIEFavClient.dll (Zeon Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
Toolbar: HKLM-x32 - DocuCom PDF - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - C:\Program Files (x86)\Nuance\PDFCreate\Bin\ZeonIEFavClient.dll (Zeon Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> No Name - {37483B40-C254-4A72-BDA4-22EE90182C1E} - No File
Toolbar: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://qtinstall.apple.com/qtactivex/qtplugin.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default
FF NewTab: about:blank
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> C:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 -> C:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=1.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: ZEON/PDF,version=2.0 -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\nppdf.dll (Zeon Corporation)
FF user.js: detected! => C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\user.js
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\searchplugins\safesearch.xml
FF SearchPlugin: C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\searchplugins\web-search.xml
FF Extension: Logitech Device Detection - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\DeviceDetection@logitech.com [2011-10-17]
FF Extension: ShopAtHome.com Toolbar - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\toolbar@shopathome.com [2012-11-03]
FF Extension: NCH EN - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{37483b40-c254-4a72-bda4-22ee90182c1e} [2014-11-08]
FF Extension: Ad blocker - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C} [2011-06-14]
FF Extension: Yahoo! Toolbar - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2014-11-08]
FF Extension: Video Downloader - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\lwypryhtrw@lwypryhtrw.org.xpi [2013-02-25]
FF Extension: Office Black - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\Office2007Black@JBBS.xpi [2011-10-17]
FF Extension: BetterPrivacy - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2011-10-17]
FF Extension: Multirow Bookmarks Toolbar - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}.xpi [2012-03-01]
FF Extension: 2 Pane Bookmarks - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{FD61379B-066A-4afc-89DE-89FB24D907C2}.xpi [2011-10-17]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\coFFPlgn [2014-12-07]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-12-03]

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Users\Mary\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\17.0.963.56\pdf.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (RIM Handheld Application Loader) - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll No File
CHR Plugin: (DocuCom PDF Plus) - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\nppdf.dll (Zeon Corporation)
CHR Plugin: (VLC Multimedia Plug-in) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Profile: C:\Users\Mary\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Mary\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-02-17]
CHR Extension: (Google Search) - C:\Users\Mary\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-02-17]
CHR Extension: (Gmail) - C:\Users\Mary\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-02-17]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\Exts\Chrome.crx [2014-11-08]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\Exts\Chrome.crx [2014-11-08]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 DMAgent; C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe [408576 2010-06-07] (Red Bend Ltd.) [File not signed]
S2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [1435680 2014-01-10] (Fitbit, Inc.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-04] ()
R2 N360; C:\Program Files (x86)\Norton 360\Engine\21.6.0.32\N360.exe [265040 2014-09-21] (Symantec Corporation)
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [138600 2011-07-22] (Nuance Communications, Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-07] ()
R3 SystemExplorerHelpService; C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe [821096 2014-08-13] (Mister Group)
R2 WiMAXAppSrv; C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe [911872 2010-06-07] (Intel® Corporation) [File not signed]
R2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11 Network Adapter\bcmwltry.exe [4814336 2010-07-07] (Broadcom Corporation) [File not signed]
S2 AQFileRestoreSrv; "C:\Program Files (x86)\Avanquest\SystemSuite\AQFileRestoreSrv.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141203.001\BHDrvx64.sys [1587416 2014-10-30] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys [162392 2014-02-20] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-08-26] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-08-26] (Symantec Corporation)
R1 HWiNFO32; C:\Program Files (x86)\HWiNFO32\HWiNFO64A.SYS [28032 2010-09-29] (REALiX™)
R1 IDSVia64; C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141205.001\IDSvia64.sys [637656 2014-11-17] (Symantec Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-07] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141206.002\ENG64.SYS [129752 2014-11-20] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141206.002\EX64.SYS [2137304 2014-11-20] (Symantec Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [92160 2010-06-16] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [31744 2009-01-09] (Research in Motion Ltd)
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2010-10-21] (Windows ® 2003 DDK 3790 provider)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R1 SRTSP; C:\Windows\system32\drivers\N360x64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
S3 stdriver; C:\Windows\SysWOW64\DRIVERS\stdriver64.sys [59480 2010-12-07] (NCH Software)
R0 SymDS; C:\Windows\System32\drivers\N360x64\1506000.020\SYMDS64.SYS [493656 2014-08-25] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\1506000.020\SYMEFA64.SYS [1148120 2014-08-25] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-11-08] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\system32\drivers\N360x64\1506000.020\SYMNETS.SYS [593112 2014-08-25] (Symantec Corporation)
R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl [146928 2010-01-12] (CyberLink Corp.)
S3 AQFileRestore; SYSWOW64\drivers\AQFileRestore.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-07 16:24 - 2014-12-07 16:25 - 00000000 ____D () C:\FRST
2014-12-06 13:44 - 2014-12-06 13:44 - 00000000 __SHD () C:\Users\admin\AppData\Local\EmieUserList
2014-12-06 13:44 - 2014-12-06 13:44 - 00000000 __SHD () C:\Users\admin\AppData\Local\EmieSiteList
2014-12-06 13:44 - 2014-12-06 13:44 - 00000000 __SHD () C:\Users\admin\AppData\Local\EmieBrowserModeList
2014-12-03 14:23 - 2014-12-03 14:23 - 01023955 ____N () C:\windows\Minidump\120314-39983-01.dmp
2014-12-03 09:36 - 2014-12-03 09:36 - 00029516 _____ () C:\Users\Mary\Downloads\DDS.txt
2014-12-03 09:35 - 2014-12-03 09:35 - 00016917 _____ () C:\Users\Mary\Downloads\Attach.txt
2014-12-03 09:33 - 2014-12-03 09:33 - 00029516 _____ () C:\Users\admin\Desktop\dds.txt
2014-12-03 09:33 - 2014-12-03 09:33 - 00016917 _____ () C:\Users\admin\Desktop\attach.txt
2014-12-03 09:26 - 2014-12-03 09:26 - 00000000 ____D () C:\Users\admin\AppData\Local\Logishrd
2014-12-03 09:19 - 2014-12-03 09:19 - 00000000 ____D () C:\Users\admin\AppData\Roaming\Logishrd
2014-12-03 09:19 - 2014-12-03 09:19 - 00000000 ____D () C:\Users\admin\AppData\Local\Best Buy pc app
2014-12-03 09:12 - 2014-12-03 09:12 - 00688992 _____ (Swearware) C:\Users\Mary\Downloads\dds (2).com
2014-12-02 19:16 - 2014-12-02 19:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-01 22:16 - 2014-12-01 22:16 - 00688992 _____ (Swearware) C:\Users\Mary\Desktop\dds.com
2014-12-01 22:08 - 2014-12-01 22:14 - 00688992 _____ (Swearware) C:\Users\Mary\Desktop\dds (1).com
2014-12-01 22:02 - 2014-12-01 22:03 - 00688992 _____ (Swearware) C:\Users\Mary\Downloads\dds (1).com
2014-12-01 21:59 - 2014-12-01 22:29 - 00688992 ____R (Swearware) C:\Users\Mary\Downloads\dds.com
2014-12-01 17:38 - 2014-12-01 18:37 - 00000000 ____D () C:\NPE
2014-12-01 17:29 - 2014-12-01 19:06 - 00000000 ____D () C:\Users\Mary\AppData\Local\NPE
2014-12-01 12:19 - 2014-12-01 12:19 - 00000000 __SHD () C:\Users\Mary\AppData\Local\EmieBrowserModeList
2014-11-20 17:07 - 2014-11-20 17:07 - 00015035 ____H () C:\Users\Mary\Documents\~WRL3461.tmp
2014-11-20 05:15 - 2014-11-10 22:08 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2014-11-20 05:15 - 2014-11-10 22:08 - 00241152 _____ (Microsoft Corporation) C:\windows\system32\pku2u.dll
2014-11-20 05:15 - 2014-11-10 21:44 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2014-11-20 05:15 - 2014-11-10 21:44 - 00186880 _____ (Microsoft Corporation) C:\windows\SysWOW64\pku2u.dll
2014-11-20 05:15 - 2014-10-13 21:16 - 00155064 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2014-11-20 05:15 - 2014-10-13 21:12 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-11-20 05:15 - 2014-10-13 20:50 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2014-11-20 05:15 - 2014-10-13 20:49 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2014-11-12 17:00 - 2014-11-07 14:49 - 00388272 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-11-12 17:00 - 2014-11-07 14:23 - 00341168 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-11-12 17:00 - 2014-11-05 23:04 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-11-12 17:00 - 2014-11-05 23:03 - 25110016 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-11-12 17:00 - 2014-11-05 23:03 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-11-12 17:00 - 2014-11-05 22:47 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-11-12 17:00 - 2014-11-05 22:46 - 00580096 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-11-12 17:00 - 2014-11-05 22:46 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-11-12 17:00 - 2014-11-05 22:44 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-11-12 17:00 - 2014-11-05 22:43 - 02884096 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-11-12 17:00 - 2014-11-05 22:36 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-11-12 17:00 - 2014-11-05 22:35 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-11-12 17:00 - 2014-11-05 22:31 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-11-12 17:00 - 2014-11-05 22:30 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-11-12 17:00 - 2014-11-05 22:30 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-11-12 17:00 - 2014-11-05 22:29 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-11-12 17:00 - 2014-11-05 22:28 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-11-12 17:00 - 2014-11-05 22:23 - 06040064 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-11-12 17:00 - 2014-11-05 22:20 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-11-12 17:00 - 2014-11-05 22:16 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-11-12 17:00 - 2014-11-05 22:13 - 00501248 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-11-12 17:00 - 2014-11-05 22:13 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-11-12 17:00 - 2014-11-05 22:12 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-11-12 17:00 - 2014-11-05 22:10 - 19781632 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-11-12 17:00 - 2014-11-05 22:10 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-11-12 17:00 - 2014-11-05 22:07 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-12 17:00 - 2014-11-05 22:05 - 02277376 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-11-12 17:00 - 2014-11-05 22:04 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-11-12 17:00 - 2014-11-05 22:03 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-11-12 17:00 - 2014-11-05 22:02 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-11-12 17:00 - 2014-11-05 22:00 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-11-12 17:00 - 2014-11-05 22:00 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-11-12 17:00 - 2014-11-05 21:59 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-11-12 17:00 - 2014-11-05 21:58 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-11-12 17:00 - 2014-11-05 21:57 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-11-12 17:00 - 2014-11-05 21:48 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-11-12 17:00 - 2014-11-05 21:42 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-12 17:00 - 2014-11-05 21:41 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-11-12 17:00 - 2014-11-05 21:41 - 00716800 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-11-12 17:00 - 2014-11-05 21:39 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-11-12 17:00 - 2014-11-05 21:38 - 02124288 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-11-12 17:00 - 2014-11-05 21:37 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-11-12 17:00 - 2014-11-05 21:36 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-11-12 17:00 - 2014-11-05 21:34 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-11-12 17:00 - 2014-11-05 21:30 - 14390272 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-11-12 17:00 - 2014-11-05 21:22 - 00688640 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-11-12 17:00 - 2014-11-05 21:21 - 04298240 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-11-12 17:00 - 2014-11-05 21:21 - 02051072 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-11-12 17:00 - 2014-11-05 21:20 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-11-12 17:00 - 2014-11-05 21:17 - 02365440 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-11-12 17:00 - 2014-11-05 21:04 - 01550336 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-11-12 17:00 - 2014-11-05 21:03 - 12819456 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-11-12 17:00 - 2014-11-05 20:53 - 00799232 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-11-12 17:00 - 2014-11-05 20:52 - 01892864 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-11-12 17:00 - 2014-11-05 20:48 - 01310208 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-11-12 17:00 - 2014-11-05 20:47 - 00708096 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-11-12 17:00 - 2014-11-05 12:56 - 00304640 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2014-11-12 17:00 - 2014-11-05 12:56 - 00228864 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-11-12 17:00 - 2014-11-05 12:52 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-11-12 17:00 - 2014-10-13 21:13 - 00683520 _____ (Microsoft Corporation) C:\windows\system32\termsrv.dll
2014-11-12 17:00 - 2014-10-13 21:09 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2014-11-12 17:00 - 2014-10-13 21:07 - 00681984 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2014-11-12 17:00 - 2014-10-13 20:47 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2014-11-12 17:00 - 2014-10-13 20:46 - 00681984 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2014-11-12 16:59 - 2014-10-24 20:57 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\packager.dll
2014-11-12 16:59 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\windows\SysWOW64\packager.dll
2014-11-12 16:59 - 2014-10-17 21:05 - 00861696 _____ (Microsoft Corporation) C:\windows\system32\oleaut32.dll
2014-11-12 16:59 - 2014-10-17 20:33 - 00571904 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleaut32.dll
2014-11-12 16:59 - 2014-10-13 21:13 - 03241984 _____ (Microsoft Corporation) C:\windows\system32\msi.dll
2014-11-12 16:59 - 2014-10-13 20:50 - 02363904 _____ (Microsoft Corporation) C:\windows\SysWOW64\msi.dll
2014-11-12 16:59 - 2014-10-09 19:57 - 03198976 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2014-11-12 16:59 - 2014-10-02 21:12 - 00500224 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2014-11-12 16:59 - 2014-10-02 21:11 - 00680960 _____ (Microsoft Corporation) C:\windows\system32\audiosrv.dll
2014-11-12 16:59 - 2014-10-02 21:11 - 00440832 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2014-11-12 16:59 - 2014-10-02 21:11 - 00296448 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2014-11-12 16:59 - 2014-10-02 21:11 - 00284672 _____ (Microsoft Corporation) C:\windows\system32\EncDump.dll
2014-11-12 16:59 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\windows\SysWOW64\AUDIOKSE.dll
2014-11-12 16:59 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2014-11-12 16:59 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2014-11-12 16:59 - 2014-09-19 04:42 - 00342016 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2014-11-12 16:59 - 2014-09-19 04:42 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2014-11-12 16:59 - 2014-09-19 04:42 - 00309760 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2014-11-12 16:59 - 2014-09-19 04:42 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2014-11-12 16:59 - 2014-09-19 04:42 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2014-11-12 16:59 - 2014-09-19 04:42 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2014-11-12 16:59 - 2014-09-19 04:23 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2014-11-12 16:59 - 2014-09-19 04:23 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2014-11-12 16:59 - 2014-09-19 04:23 - 00221184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2014-11-12 16:59 - 2014-09-19 04:23 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2014-11-12 16:59 - 2014-09-19 04:23 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2014-11-12 16:59 - 2014-09-19 04:23 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2014-11-12 16:59 - 2014-08-21 01:43 - 01882624 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2014-11-12 16:59 - 2014-08-21 01:40 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\msxml3r.dll
2014-11-12 16:59 - 2014-08-21 01:26 - 01237504 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2014-11-12 16:59 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3r.dll
2014-11-12 16:59 - 2014-08-11 21:02 - 00878080 _____ (Microsoft Corporation) C:\windows\system32\IMJP10K.DLL
2014-11-12 16:59 - 2014-08-11 20:36 - 00701440 _____ (Microsoft Corporation) C:\windows\SysWOW64\IMJP10K.DLL
2014-11-08 21:27 - 2014-12-07 16:08 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-08 21:27 - 2014-12-02 19:09 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-08 21:27 - 2014-12-02 19:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-08 21:27 - 2014-12-02 19:09 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-08 21:27 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-11-08 21:27 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2014-11-08 21:27 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2014-11-08 21:27 - 2014-11-08 21:27 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-08 21:10 - 2014-11-08 21:10 - 00000000 ____D () C:\windows\System32\Tasks\Norton 360
2014-11-08 21:07 - 2014-11-08 21:07 - 00177752 _____ (Symantec Corporation) C:\windows\system32\Drivers\SYMEVENT64x86.SYS
2014-11-08 21:07 - 2014-11-08 21:07 - 00008222 _____ () C:\windows\system32\Drivers\SYMEVENT64x86.CAT
2014-11-08 21:07 - 2014-11-08 21:07 - 00002391 _____ () C:\Users\Public\Desktop\Norton 360.lnk
2014-11-08 21:07 - 2014-11-08 21:07 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-11-08 21:06 - 2014-11-08 21:07 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton 360
2014-11-08 21:06 - 2014-11-08 21:06 - 00000000 ____D () C:\Program Files (x86)\Norton 360
2014-11-08 20:05 - 2014-11-08 20:05 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 20:04 - 2014-11-08 20:04 - 00000448 ____H () C:\Users\Mary\AppData\Roaming\麽鎒駓覜
2014-11-08 20:04 - 2014-11-08 20:04 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 20:03 - 2014-11-09 14:24 - 00000000 ____D () C:\Users\Mary\AppData\Roaming\FrameworkUpdate7
2014-11-08 20:03 - 2014-11-08 22:18 - 00000000 ____D () C:\ProgramData\ZapmObetl
2014-11-08 20:03 - 2014-11-08 22:18 - 00000000 ____D () C:\ProgramData\XojfoPinej
2014-11-08 20:02 - 2014-11-08 20:02 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-08 19:45 - 2014-11-08 19:43 - 00272808 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2014-11-08 19:44 - 2014-11-08 19:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-11-08 19:44 - 2014-11-08 19:43 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2014-11-08 19:44 - 2014-11-08 19:43 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2014-11-08 19:44 - 2014-11-08 19:43 - 00098216 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2014-11-08 19:43 - 2014-11-08 19:43 - 00000000 ____D () C:\Program Files (x86)\Java
2014-11-08 19:00 - 2014-11-08 19:00 - 00007605 _____ () C:\Users\Mary\AppData\Local\Resmon.ResmonCfg
2014-11-08 18:11 - 2014-11-08 18:44 - 00000000 ____D () C:\ProgramData\NortonRnR

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-07 16:22 - 2011-03-28 20:50 - 00000000 ____D () C:\Users\Mary\AppData\Local\CrashDumps
2014-12-07 16:17 - 2010-12-04 17:36 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-07 16:15 - 2009-07-13 23:45 - 00022976 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-07 16:15 - 2009-07-13 23:45 - 00022976 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-07 16:11 - 2010-07-07 21:50 - 01067432 _____ () C:\windows\WindowsUpdate.log
2014-12-07 16:08 - 2010-12-04 16:15 - 00000000 ____D () C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink Blu-ray Disc Suite
2014-12-07 16:07 - 2012-07-05 15:51 - 00000470 _____ () C:\windows\Tasks\SDMsgUpdate (TE).job
2014-12-07 16:07 - 2010-12-04 17:36 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-07 16:06 - 2010-07-07 21:51 - 00000050 _____ () C:\windows\system32\SupplicantTest.log
2014-12-07 16:06 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-12-07 16:06 - 2009-07-13 23:51 - 00060422 _____ () C:\windows\setupact.log
2014-12-07 16:02 - 2013-02-20 10:44 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-12-07 15:23 - 2010-12-07 22:53 - 00000000 ____D () C:\Users\Mary\Documents\Outlook Files
2014-12-07 14:10 - 2011-07-07 11:03 - 00000000 ____D () C:\windows\Minidump
2014-12-07 14:10 - 2010-08-18 20:49 - 00323181 ____N () C:\windows\Minidump\120714-46113-01.dmp
2014-12-07 14:10 - 2010-07-07 22:22 - 03435868 _____ () C:\windows\PFRO.log
2014-12-06 21:10 - 2010-12-05 11:50 - 00000000 ____D () C:\Program Files (x86)\System Explorer
2014-12-06 13:45 - 2014-09-12 19:55 - 00000000 ____D () C:\Users\admin\AppData\Local\Deployment
2014-12-06 13:43 - 2014-09-12 19:54 - 00000000 ____D () C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink Blu-ray Disc Suite
2014-12-06 02:38 - 2014-09-12 19:54 - 00000000 ____D () C:\Users\admin
2014-12-04 11:24 - 2010-12-06 21:12 - 00000000 ____D () C:\Users\Mary\Documents\Mary's Files
2014-12-03 22:40 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2014-12-03 12:16 - 2013-10-26 16:33 - 00000000 ____D () C:\windows\system32\MRT
2014-12-03 12:09 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\NDF
2014-12-03 09:26 - 2010-12-04 17:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
2014-12-03 09:21 - 2012-01-01 16:38 - 00000000 ____D () C:\Program Files\Logitech
2014-12-03 09:21 - 2010-12-04 17:14 - 00000000 ____D () C:\ProgramData\Logishrd
2014-12-03 09:21 - 2010-12-04 17:14 - 00000000 ____D () C:\Program Files\Common Files\LogiShrd
2014-12-03 09:19 - 2014-09-12 19:55 - 00000000 ____D () C:\Users\admin\AppData\Roaming\Logitech
2014-12-03 09:15 - 2014-09-12 19:55 - 00156776 _____ () C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-02 23:37 - 2010-12-05 11:50 - 00000000 ____D () C:\ProgramData\SystemExplorer
2014-12-02 19:38 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\LiveKernelReports
2014-12-02 19:28 - 2012-06-03 10:27 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-01 17:29 - 2010-12-04 18:39 - 00000000 ____D () C:\ProgramData\Norton
2014-12-01 12:18 - 2010-12-04 16:18 - 00156776 _____ () C:\Users\Mary\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-01 12:11 - 2009-07-13 23:45 - 00501464 _____ () C:\windows\system32\FNTCACHE.DAT
2014-12-01 12:04 - 2014-06-24 11:42 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-12-01 12:03 - 2010-12-05 22:31 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-01 10:42 - 2014-09-12 12:14 - 00031581 _____ () C:\Users\Mary\Desktop\land contract.xlsx
2014-11-29 14:16 - 2010-07-07 21:54 - 00000000 ____D () C:\ProgramData\Temp
2014-11-26 00:02 - 2013-02-20 10:44 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2014-11-26 00:02 - 2012-04-21 13:15 - 00701104 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-11-26 00:02 - 2011-06-14 21:34 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-24 12:09 - 2012-01-01 16:04 - 00000000 ____D () C:\Users\Mary\AppData\Roaming\.oit
2014-11-23 18:12 - 2010-12-04 16:15 - 00000000 ____D () C:\Users\Mary
2014-11-18 14:01 - 2009-07-14 00:13 - 00782470 _____ () C:\windows\system32\PerfStringBackup.INI
2014-11-15 02:12 - 2010-12-04 17:36 - 00003894 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-15 02:12 - 2010-12-04 17:36 - 00003642 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-11-10 05:18 - 2012-07-10 15:15 - 00000000 ____D () C:\Users\Mary\AppData\Local\Macromedia
2014-11-09 14:27 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\tracing
2014-11-08 21:36 - 2010-12-07 22:23 - 00000000 ____D () C:\Program Files (x86)\ConduitEngine
2014-11-08 21:10 - 2010-12-04 18:39 - 00000000 ____D () C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2014-11-08 21:07 - 2013-11-13 20:25 - 00003206 _____ () C:\windows\System32\Tasks\Norton WSC Integration
2014-11-08 20:56 - 2011-02-27 13:47 - 00001292 _____ () C:\Users\Mary\Desktop\Norton Installation Files.lnk
2014-11-08 20:56 - 2010-12-04 18:39 - 00000000 ____D () C:\Users\Public\Downloads\Norton
2014-11-08 19:45 - 2013-12-15 13:52 - 00000000 ____D () C:\ProgramData\Oracle

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-05 16:56

==================== End Of Log ============================

Edited by mprich, 07 December 2014 - 05:24 PM.


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 08 December 2014 - 05:15 AM

Hello,

I am sorry about the delay. I was out of town and just returned from a trip and I couldn't reply sooner.

Please go ahead and uninstall Conduit Engine from the Control Panel.

Next, please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi


#6 mprich

mprich
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Local time:12:34 AM

Posted 08 December 2014 - 03:11 PM

I could not uninstall Conduit Engine. Searched the web, saw that this is a common problem, saw several fix-its offered. Any advice?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2014 01
Ran by Mary at 2014-12-08 13:58:44 Run:1
Running from C:\Users\Mary\Desktop\Downloads
Loaded Profile: Mary (Available profiles: Mary & admin)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...\Run: [acillao] => rundll32 "C:\Users\Mary\AppData\Local\acillao.dll",acillao <===== ATTENTION
C:\Users\Mary\AppData\Local\acillao.dll
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
C:\ProgramData\Best Buy pc app
C:\Users\admin\AppData\Local\Best Buy pc app
URLSearchHook: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
URLSearchHook: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2801948
SearchScopes: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2801948
BHO-x32: NCH EN Toolbar -> {37483b40-c254-4a72-bda4-22ee90182c1e} -> C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
Toolbar: HKLM-x32 - NCH EN Toolbar - {37483b40-c254-4a72-bda4-22ee90182c1e} - C:\Program Files (x86)\NCH_EN\tbNCH1.dll No File
Toolbar: HKU\S-1-5-21-459188570-3383872282-3772164316-1000 -> No Name - {37483B40-C254-4A72-BDA4-22EE90182C1E} - No File
FF Extension: ShopAtHome.com Toolbar - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\toolbar@shopathome.com [2012-11-03]
FF Extension: NCH EN - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{37483b40-c254-4a72-bda4-22ee90182c1e} [2014-11-08]
FF Extension: Video Downloader - C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\lwypryhtrw@lwypryhtrw.org.xpi [2013-02-25]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
2014-11-20 17:07 - 2014-11-20 17:07 - 00015035 ____H () C:\Users\Mary\Documents\~WRL3461.tmp
2014-11-08 20:05 - 2014-11-08 20:05 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 20:04 - 2014-11-08 20:04 - 00000448 ____H () C:\Users\Mary\AppData\Roaming\麽鎒駓覜
2014-11-08 20:04 - 2014-11-08 20:04 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 20:03 - 2014-11-09 14:24 - 00000000 ____D () C:\Users\Mary\AppData\Roaming\FrameworkUpdate7
2014-11-08 20:03 - 2014-11-08 22:18 - 00000000 ____D () C:\ProgramData\ZapmObetl
2014-11-08 20:03 - 2014-11-08 22:18 - 00000000 ____D () C:\ProgramData\XojfoPinej
2014-11-08 20:02 - 2014-11-08 20:02 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-08 21:36 - 2010-12-07 22:23 - 00000000 ____D () C:\Program Files (x86)\ConduitEngine
AlternateDataStreams: C:\ProgramData\Temp:FD9CE1F3
Emptytemp:
end
*****************

Processes closed successfully.
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Microsoft\Windows\CurrentVersion\Run\\acillao => value deleted successfully.
"C:\Users\Mary\AppData\Local\acillao.dll" => File/Directory not found.
"HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk => Moved successfully.
"C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk" => File/Directory not found.
C:\ProgramData\Best Buy pc app => Moved successfully.
C:\Users\admin\AppData\Local\Best Buy pc app => Moved successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{37483b40-c254-4a72-bda4-22ee90182c1e} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{37483b40-c254-4a72-bda4-22ee90182c1e}" => Key deleted successfully.
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{37483b40-c254-4a72-bda4-22ee90182c1e} => value deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => Key not found.
"HKU\S-1-5-21-459188570-3383872282-3772164316-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => Key deleted successfully.
"HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37483b40-c254-4a72-bda4-22ee90182c1e}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{37483b40-c254-4a72-bda4-22ee90182c1e}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{37483b40-c254-4a72-bda4-22ee90182c1e} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{37483b40-c254-4a72-bda4-22ee90182c1e}" => Key not found.
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{37483B40-C254-4A72-BDA4-22EE90182C1E} => value deleted successfully.
"HKCR\CLSID\{37483B40-C254-4A72-BDA4-22EE90182C1E}" => Key not found.
C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\toolbar@shopathome.com => Moved successfully.
C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{37483b40-c254-4a72-bda4-22ee90182c1e} => Moved successfully.
C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\lwypryhtrw@lwypryhtrw.org.xpi => Moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
C:\Users\Mary\Documents\~WRL3461.tmp => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.
C:\Users\Mary\AppData\Roaming\麽鎒駓覜 => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\Users\Mary\AppData\Roaming\FrameworkUpdate7 => Moved successfully.
C:\ProgramData\ZapmObetl => Moved successfully.
C:\ProgramData\XojfoPinej => Moved successfully.
C:\ProgramData\Windows Genuine Advantage => Moved successfully.
C:\Program Files (x86)\ConduitEngine => Moved successfully.
C:\ProgramData\Temp => ":FD9CE1F3" ADS removed successfully.
EmptyTemp: => Removed 4.5 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====



#7 B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 08 December 2014 - 03:28 PM

No worries, we removed the main folder manually:

C:\Program Files (x86)\ConduitEngine => Moved successfully.

The Poweliks trojan was taken care of. :)

However, if you don't mind, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

STEP 1

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

STEP 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

STEP 3

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version, so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

That's it for now.

Regards,

Georgi


#8 mprich

  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Local time:12:34 AM

Posted 08 December 2014 - 06:17 PM

Instructions followed, files follow.

I noticed a registry key for WeatherBug was deleted. Is this program a known bad actor?

# AdwCleaner v4.104 - Report created 08/12/2014 at 16:51:48
# Updated 05/12/2014 by Xplode
# Database : 2014-12-08.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Mary - BIGRED
# Running from : C:\Users\Mary\Desktop\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\driver-soft
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Users\Mary\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Mary\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
File Deleted : C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\invalidprefs.js
File Deleted : C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\searchplugins\safesearch.xml
File Deleted : C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\searchplugins\web-search.xml
File Deleted : C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\user.js

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.superfish.com
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2801948
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{059EACC2-1ABE-49E8-928D-DC8BD355B7A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\conduitEngine
Key Deleted : HKLM\SOFTWARE\Driver-Soft
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Driver Genius Professional Edition_is1
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\464AA55239C100F32AF2D438EDDC0F47
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5652BA3D5FB98AE31B337BF0AF939856
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\86EB95E1AFCBABE3DB9ECCC669B99494
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nortonsafe.search.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\tuvaro.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420

-\\ Mozilla Firefox v34.0 (x86 en-US)

[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948..clientLogIsEnabled", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.BrowserCompStateIsOpen_129797777221477754", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.BrowserCompStateIsOpen_129799503686523541", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.BrowserCompStateIsOpen_129815072111847605", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.BrowserCompStateIsOpen_1359634298000", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.CTID", "CT2801948");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ConfigurationLastCheckTime", "Wed Nov 13 2013 18:58:24 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.CurrentServerDate", "14-11-2013");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.DialogsAlignMode", "LTR");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.DialogsGetterLastCheckTime", "Wed Nov 13 2013 18:58:26 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.DownloadReferralCookieData", "");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.EMailNotifierPollDate", "Wed Dec 08 2010 20:46:01 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.FirstServerDate", "8-12-2010");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.FirstTime", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.FirstTimeFF3", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.FixPageNotFoundErrors", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.GroupingServerCheckInterval", 1440);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.HasUserGlobalKeys", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.Initialize", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.InitializeCommonPrefs", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.InstallationAndCookieDataSentCount", 3);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.InstallationType", "UnknownIntegration");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.InstalledDate", "Tue Dec 07 2010 22:28:37 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.InvalidateCache", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.IsGrouping", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.IsMulticommunity", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.IsOpenThankYouPage", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.IsOpenUninstallPage", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LanguagePackLastCheckTime", "Wed Nov 13 2013 18:58:26 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LanguagePackReloadIntervalMM", 1440);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.13.0.6", "Tue Jul 10 2012 13:00:59 GMT-0400 (Eastern Daylight Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.14.1.0", "Tue Aug 21 2012 10:59:07 GMT-0400 (Eastern Daylight Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.15.1.0", "Sat Nov 03 2012 12:30:26 GMT-0400 (Eastern Daylight Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.16.0.100", "Mon Feb 11 2013 12:08:08 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.16.0.3", "Sun Dec 30 2012 17:27:06 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.18.0.7", "Fri Jul 19 2013 22:21:21 GMT-0400 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.19.0.3", "Thu Sep 19 2013 00:41:28 GMT-0400 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.2.5.2", "Wed Dec 08 2010 19:42:09 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LastLogin_3.20.0.4", "Wed Nov 13 2013 18:58:26 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.LatestVersion", "3.20.0.4");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.Locale", "en-us");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.MCDetectTooltipHeight", "83");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.MCDetectTooltipShow", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.MCDetectTooltipWidth", "295");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.MyStuffEnabledAtInstallation", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioIsPodcast", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioLastCheckTime", "Fri Dec 10 2010 04:22:11 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioLastUpdateIPServer", "3");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioLastUpdateServer", "129307496595170000");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioMediaID", "21435220");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioMediaType", "Media Player");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioMenuSelectedID", "EBRadioMenu_CT280194821435220");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioStationName", "Virgin%20Radio%20Classic%20Rock");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RadioStationURL", "hxxp://www.smgradio.com/core/audio/wmp/live.asx?service=vcbb");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RestartDialogFirstTime", "false");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.RestartDialogShouldDisplay", "false");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SavedHomepage", "hxxp://www.msn.com/");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchAPILastCheckTime", "Wed Nov 13 2013 18:58:24 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchBoxWidth", 100);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchFromAddressBarIsInit", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchInNewTabEnabled", true);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchInNewTabIntervalMM", 1440);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchInNewTabLastCheckTime", "Thu Sep 19 2013 00:41:24 GMT-0400 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID&UM=UM_ID");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchInNewTabURLFromSearchAPI", "hxxp://search.conduit.com/?ctid=CT2801948&octid=CT2801948&SearchSource=15&CUI=SB_CUI&SSPV=EB_SSPV&Lay=1&UM=UM_ID");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageService.asmx/UsersRequests?ctid=EB_TOOLBAR_ID");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ServiceMapLastCheckTime", "Wed Nov 13 2013 18:58:24 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SettingsLastCheckTime", "Wed Nov 13 2013 18:58:21 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.SettingsLastUpdate", "1384332969");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ThirdPartyComponentsInterval", 504);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ThirdPartyComponentsLastCheck", "Tue Dec 07 2010 22:28:36 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ThirdPartyComponentsLastUpdate", "1246790578");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ToolbarShrinkedFromSetup", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.UserID", "UN62141465085065662");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.ValidationData_Toolbar", 1);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.WeatherNetwork", "");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.WeatherPollDate", "Wed Dec 08 2010 20:33:01 GMT-0500 (Eastern Standard Time)");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.WeatherUnit", "C");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.addressBarTakeOverEnabledInHidden", "true");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.alertChannelId", "1194029");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.1000034", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.1000080", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.1000082", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.1000234", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.129306881624250628", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.129306881624563129", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.129306881632844577", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.129311958650656383", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.129311959839444431", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.components.129343840936544328", false);
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("CT2801948.countryCode", "US");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Bing,Amazon.com,eBay,Norton Safe Search,Twitter,Wikipedia (en),DuckDuckGo,Web Search");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("extensions.sahtb.searchEngineNameSAH", "Web Search");
[llnaq74l.default\prefs.js] - Line Deleted : user_pref("extensions.sahtb.url.prefs.data", "<ToolbarPrefs>\r\n  <XMLVersion Number=\"{bdd09e8b-8dee-478c-9f4e-0db5e30597cc}\" />\r\n  <AnalyticsURL URL=\"hxxp://www.google-analytics.com/__utm.gif?ut[...]

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [16076 octets] - [08/12/2014 16:49:51]
AdwCleaner[S0].txt - [16825 octets] - [08/12/2014 16:51:48]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [16886 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Home Premium x64
Ran by Mary on Mon 12/08/2014 at 17:00:17.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\weatherbug

 

~~~ Registry Keys

 

~~~ Files

Successfully deleted: [File] C:\windows\prefetch\GOOGLETOOLBARMANAGER_8CA8B414-316F10F7.pf
Successfully deleted: [File] C:\windows\prefetch\GOOGLETOOLBARNOTIFIER.EXE-969E73DB.pf
Successfully deleted: [File] C:\windows\prefetch\GOOGLETOOLBARUSER_32.EXE-66EEE4D2.pf
Successfully deleted: [File] C:\windows\prefetch\GOOGLETOOLBARUSER_64.EXE-BDF1AD93.pf

 

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Mary\appdata\local\best buy pc app"
Successfully deleted: [Empty Folder] C:\Users\Mary\appdata\local\{6D6F9830-269A-4522-9ACD-FA93A75F656F}
Successfully deleted: [Empty Folder] C:\Users\Mary\appdata\local\{83ACA4A4-AC24-42C9-BFAE-3A6B6E3FDA2C}
Successfully deleted: [Empty Folder] C:\Users\Mary\appdata\local\{AB8617E4-6549-46B5-91C2-9E72ED23AB2C}

 

~~~ FireFox

Successfully deleted: [Folder] C:\Users\Mary\AppData\Roaming\mozilla\firefox\profiles\llnaq74l.default\conduitcommon
Successfully deleted: [Folder] C:\Users\Mary\AppData\Roaming\mozilla\firefox\profiles\llnaq74l.default\smartbar
Successfully deleted the following from C:\Users\Mary\AppData\Roaming\mozilla\firefox\profiles\llnaq74l.default\prefs.js

user_pref("extensions.sahtb.url.merchants.data", "<?xml version=\"1.0\"?><MerchantSettings><v n=\"470\" /><GlobalSuppresses><s u=\"2mobilez.com\" g=\"1\" i=\"2000398\" /><s u=
Emptied folder: C:\Users\Mary\AppData\Roaming\mozilla\firefox\profiles\llnaq74l.default\minidumps [148 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 12/08/2014 at 17:05:25.52
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org

Database version: v2014.12.08.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17420
Mary :: BIGRED [administrator]

12/8/2014 5:26:29 PM
mbar-log-2014-12-08 (17-26-29).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 421050
Time elapsed: 16 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKU\S-1-5-21-459188570-3383872282-3772164316-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{F929B2B9-5BFC-849A-A5E0-2E860AE5CD29} (Trojan.Agent.Gen) -> Data: C:\Users\Mary\AppData\Roaming\Microsoft\syncMicrosoft.exe -> Delete on reboot. [1158a3bd99e3f93df3b44807996bde22]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org

Database version: v2014.12.08.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17420
Mary :: BIGRED [administrator]

12/8/2014 5:51:35 PM
mbar-log-2014-12-08 (17-51-35).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 420866
Time elapsed: 15 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17420

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 4081635328, free: 1805856768

Downloaded database version: v2014.12.08.09
Downloaded database version: v2014.12.08.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
This version of Malwarebytes Anti-Rootkit requires you to completely exit the Malwarebytes Anti-Malware application to continue.
=======================================
Initializing...
------------ Kernel report ------------
     12/08/2014 17:26:19
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SYMDS64.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SYMEFA64.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\ccSetx64.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SRTSP64.SYS
\SystemRoot\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS
\SystemRoot\system32\drivers\N360x64\1506000.020\Ironx64.SYS
\??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141207.020\EX64.SYS
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141207.020\ENG64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SYMNETS.SYS
\??\C:\windows\system32\Drivers\SABI.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141205.001\IDSvia64.sys
\??\C:\Program Files (x86)\HWiNFO32\HWiNFO64A.SYS
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141203.001\BHDrvx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5s64.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\yk62x64.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\RootMdm.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\RimSerial_AMD64.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\WDKMD.sys
\SystemRoot\system32\DRIVERS\bpenum.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\bpusb.sys
\SystemRoot\system32\DRIVERS\bpmp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\LEqdUsb.Sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\LHidEqd.Sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\LHidFilt.Sys
\SystemRoot\system32\DRIVERS\LMouFilt.Sys
\SystemRoot\system32\DRIVERS\wdcsam64.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\??\C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\BCM42RLY.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\difxapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\iertutil.dll
\Windows\System32\msvcrt.dll
\Windows\System32\usp10.dll
\Windows\System32\sechost.dll
\Windows\System32\msctf.dll
\Windows\System32\clbcatq.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\ws2_32.dll
\Windows\System32\lpk.dll
\Windows\System32\urlmon.dll
\Windows\System32\Wldap32.dll
\Windows\System32\setupapi.dll
\Windows\System32\ole32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\gdi32.dll
\Windows\System32\shell32.dll
\Windows\System32\psapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\imm32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\wininet.dll
\Windows\System32\user32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\nsi.dll
\Windows\System32\kernel32.dll
\Windows\System32\devobj.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\userenv.dll
\Windows\System32\wintrust.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\profapi.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8008735790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a4\
Lower Device Object: 0xfffffa8008655810
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004603060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004318050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004603060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004603b20, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004603060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004318050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1E7F3CF6

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 31457280

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 31459328  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 31664128  Numsec = 209715200

    Partition 3 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 241379328  Numsec = 735389696

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8008735790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8008665a50, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8008735790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8008655810, DeviceName: \Device\000000a4\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 3DF226A4

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 976705536

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500074283008 bytes
Sector size: 512 bytes

Done!
Infected: HKU\S-1-5-21-459188570-3383872282-3772164316-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{F929B2B9-5BFC-849A-A5E0-2E860AE5CD29} --> [Trojan.Agent.Gen]
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17420

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 2.394000 GHz
Memory total: 4081635328, free: 2423152640

Downloaded database version: v2014.12.08.10
=======================================
Initializing...
------------ Kernel report ------------
     12/08/2014 17:51:24
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SYMDS64.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SYMEFA64.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\ccSetx64.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SRTSP64.SYS
\SystemRoot\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS
\SystemRoot\system32\drivers\N360x64\1506000.020\Ironx64.SYS
\??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141207.020\EX64.SYS
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\VirusDefs\20141207.020\ENG64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\drivers\N360x64\1506000.020\SYMNETS.SYS
\??\C:\windows\system32\Drivers\SABI.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\IPSDefs\20141205.001\IDSvia64.sys
\??\C:\Program Files (x86)\HWiNFO32\HWiNFO64A.SYS
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\Program Files (x86)\Norton 360\NortonData\21.6.0.32\Definitions\BASHDefs\20141203.001\BHDrvx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\NETw5s64.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\yk62x64.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\Impcd.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\System32\Drivers\RootMdm.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\RimSerial_AMD64.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\WDKMD.sys
\SystemRoot\system32\DRIVERS\bpenum.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\IntcDAud.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\bpusb.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\bpmp.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\LEqdUsb.Sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\LHidEqd.Sys
\SystemRoot\system32\DRIVERS\LHidFilt.Sys
\SystemRoot\system32\DRIVERS\LMouFilt.Sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\wdcsam64.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\??\C:\Program Files (x86)\CyberLink\PowerDVD8\000.fcl
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\BCM42RLY.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\shell32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\msctf.dll
\Windows\System32\nsi.dll
\Windows\System32\imagehlp.dll
\Windows\System32\lpk.dll
\Windows\System32\iertutil.dll
\Windows\System32\urlmon.dll
\Windows\System32\Wldap32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\psapi.dll
\Windows\System32\ole32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\normaliz.dll
\Windows\System32\difxapi.dll
\Windows\System32\sechost.dll
\Windows\System32\gdi32.dll
\Windows\System32\imm32.dll
\Windows\System32\wininet.dll
\Windows\System32\user32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\advapi32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\setupapi.dll
\Windows\System32\kernel32.dll
\Windows\System32\usp10.dll
\Windows\System32\ws2_32.dll
\Windows\System32\userenv.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\crypt32.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\msasn1.dll
\Windows\System32\profapi.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa80089b1790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a7\
Lower Device Object: 0xfffffa80089a8b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8004621060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8004337050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8004621060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8004621b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8004621060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004337050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1E7F3CF6

Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 31457280

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 31459328  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 31664128  Numsec = 209715200

    Partition 3 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 241379328  Numsec = 735389696

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa80089b1790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80089aeb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80089b1790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80089a8b60, DeviceName: \Device\000000a7\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 3DF226A4

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 976705536

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500074283008 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-31459328-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
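
The MBAR logs above dump each disk's MBR (boot signature 55AA, disk signature, four partition entries with type, active flag, LBA start and sector count), and RogueKiller's MBR check further down reports the same entries in MB. As an added example, not from this thread and not MBAR's or RogueKiller's code, here is a parser that decodes a raw 512-byte MBR into those fields and runs the consistency checks a rootkit scanner applies (stray status bytes, several active entries, entries past the end of the disk, overlaps, and the size of the unpartitioned gap after the MBR). The sector is constructed from the values the log printed for drive 0; the boot code area is left zeroed, so the MBR/BSP hashes RogueKiller prints cannot be reproduced from it.

```python
"""MBR partition-table parser plus the sanity checks an anti-rootkit scan performs.

Added example for this thread; it is not MBAR's or RogueKiller's code. The
512-byte sector built below is constructed from the values MBAR printed for
drive 0 (disk signature 1E7F3CF6, four entries, 500107862016-byte disk); the
boot code area is zeroed, so the MBR/BSP hashes in the RogueKiller log cannot
be reproduced from it.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TYPES = {0x00: "Empty", 0x07: "NTFS/exFAT", 0x27: "Hidden NTFS (OEM/WinRE)"}

# Drive 0 as the MBAR log lists it: (active, type, start LBA, sector count)
DRIVE0_SIZE_BYTES = 500107862016
DRIVE0_ENTRIES = [
    (False, 0x27, 2048, 31457280),
    (True, 0x07, 31459328, 204800),
    (False, 0x07, 31664128, 209715200),
    (False, 0x07, 241379328, 735389696),
]


def build_mbr(disk_signature, entries):
    """Assemble a raw MBR from (active, type, start_lba, num_sectors) tuples (test fixture)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, 0x1B8, disk_signature)  # NT disk signature, little-endian DWORD
    for i, (active, ptype, start, count) in enumerate(entries):
        # 16-byte entry: status, CHS start (3 bytes, unused here), type, CHS end (3), LBA start, count
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i,
                         0x80 if active else 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    mbr[0x1FE:0x200] = b"\x55\xaa"  # boot signature; the logs print it as 55AA
    return bytes(mbr)


def is_valid_mbr(mbr):
    return len(mbr) == SECTOR_SIZE and mbr[0x1FE:0x200] == b"\x55\xaa"


def parse_mbr(mbr):
    """Decode the disk signature and the four partition entries; ValueError on a malformed sector."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a 512-byte sector ending in 55AA")
    disk_signature = struct.unpack_from("<I", mbr, 0x1B8)[0]
    partitions = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, 0x1BE + 16 * i)
        partitions.append({
            "index": i,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "Other"),
            "start_lba": start,
            "num_sectors": count,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),  # RogueKiller's "Size: ... MB"
        })
    return disk_signature, partitions


def gap_sectors(partitions):
    """Unpartitioned sectors between the MBR and the first partition (where bootkits hide payloads)."""
    used = [p["start_lba"] for p in partitions if p["type"] != 0x00]
    return min(used) - 1 if used else 0


def check_partition_table(partitions, disk_size_bytes):
    """Findings a rootkit scanner would raise; an empty list means the table is internally consistent."""
    findings = []
    total_sectors = disk_size_bytes // SECTOR_SIZE
    used = [p for p in partitions if p["type"] != 0x00]
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02X}")
        if p["start_lba"] + p["num_sectors"] > total_sectors:
            findings.append(f"partition {p['index']} extends beyond the end of the disk")
    if sum(p["active"] for p in used) > 1:
        findings.append("more than one partition is marked active")
    ordered = sorted(used, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["num_sectors"] > b["start_lba"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    return findings


if __name__ == "__main__":
    sig, parts = parse_mbr(build_mbr(0x1E7F3CF6, DRIVE0_ENTRIES))
    print(f"Disk Signature: {sig:08X}")
    for p in parts:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        print(f"{p['index']} - [{flag}] {p['type_name']} (0x{p['type']:X}) "
              f"Offset (sectors): {p['start_lba']} | Size: {p['size_mb']} MB")
    print("Gap before first partition:", gap_sectors(parts), "sectors")
    print("Findings:", check_partition_table(parts, DRIVE0_SIZE_BYTES) or "none")
```

On a live system the first sector comes from the physical device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` elsewhere); the parser is the same. A clean table, as here, is no proof there is no bootkit: the 2047-sector gap before the first partition and the boot code itself still need to be compared against known-good copies, which is what the MBR and BSP hashes in the RogueKiller log are for.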



#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 08 December 2014 - 07:31 PM

Instructions followed, files follow.

I noticed a registry key for WeatherBug was deleted.  Is this program a known bad actor?

 

Hi,

 

This is probably a false positive. The results for the program look OK to me:

 

http://www.herdprotect.com/weatherbug.exe-b6e7a155558c79818621ab8a1f8908f2ee28843b.aspx

 

https://www.virustotal.com/en/analisis//file/498df6600e5841d8709ae29edead691226ea5e9a7da23c6bc828b315ad891c7b/analysis/

 

You can restore the entry this way:

 

Backup Your Registry

 

 

Now download the following file and save it to your desktop =>

 

Now double click on it. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

Let's check for leftovers and confirm your machine appears free of malware:

STEP 1

 

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.

 

 

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
     
  • Click the Start Scan button.
     
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
     
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

 

STEP 3

1.Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2.Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, please open it while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done, click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a drop-down menu when the scan is done, please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

Note: Programdata is hidden by default. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

 

 

 

Regards,

Georgi


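MBAR's only finding above was a value under the user's Run key whose name is a bare GUID, and the advice in this post is to restore a falsely removed WeatherBug entry by merging a .reg file. As an added example, not from this thread and not Malwarebytes' code, the block below parses a Run-key export in that .reg format and scores each value with the indicators a responder checks before restoring anything: GUID or non-printable value names, rundll32 running inline JavaScript (the Poweliks loader technique the thread title refers to), encoded PowerShell, script hosts given script URIs, executables launched from temp paths, and names that mimic system binaries. The sample export is constructed: it reuses the SID and the GUID-named value from the MBAR log, but every value's data, the WeatherBug path included, is invented for illustration because the real data was never posted.

```python
"""Triage Run-key values from a .reg export (Windows Registry Editor Version 5.00).

Added example for this thread; it is not MBAR's, RogueKiller's or Malwarebytes'
code. The sample export is constructed: the key path reuses the SID and the
GUID-named value MBAR flagged, but all value data is invented. Only REG_SZ
values are decoded; other types (hex(2):, dword:) are carried through as raw text.
"""
import re

GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata\\local\\temp|windows\\temp|programdata)\\")
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "dllhost", "rundll32"}

# Constructed sample; the SID and the GUID value name come from the MBAR log, nothing else does.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-459188570-3383872282-3772164316-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"WeatherBug"="\"C:\\Program Files (x86)\\AWS\\WeatherBug\\Weather.exe\" /autostart"
"{F929B2B9-5BFC-849A-A5E0-2E860AE5CD29}"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"<script>x=1</script>\")"
"Updater"="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
"svchost"="C:\\Users\\Mary\\AppData\\Local\\Temp\\svchost.exe"
'''


def unescape_reg(s):
    """Undo .reg escaping (doubled backslashes and backslash-escaped double quotes)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Map each [key] to {value name: data}. Default values (@=) are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m is None:
                continue
            raw = m.group(2)
            quoted = len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"'
            keys[current][unescape_reg(m.group(1))] = unescape_reg(raw[1:-1]) if quoted else raw
    return keys


def triage_run_value(name, data):
    """Return the reasons a Run value deserves a closer look; an empty list means nothing odd."""
    reasons = []
    if GUID_NAME.match(name):
        reasons.append("value name is a bare GUID")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in name):
        reasons.append("value name contains non-printable or non-ASCII characters")
    if name.lower() in SYSTEM_NAMES:
        reasons.append("value name impersonates a Windows system binary")
    low = data.lower()
    if "rundll32" in low and ("javascript:" in low or "runhtmlapplication" in low):
        reasons.append("rundll32 running inline script (Poweliks-style fileless loader)")
    if "powershell" in low and re.search(r"\s-(?:e|ec|enc|encodedcommand)\b", low):
        reasons.append("encoded PowerShell command line")
    if re.search(r"\b(?:mshta|wscript|cscript)\b", low) and re.search(r"(?:javascript|vbscript):", low):
        reasons.append("script host launched with an inline script URI")
    if USER_WRITABLE.search(low):
        reasons.append("launches from a user-writable temp or ProgramData path")
    if len(data) > 512:
        reasons.append(f"unusually long value data ({len(data)} chars)")
    return reasons


def triage_reg_export(text):
    """Triage every value under any Run/RunOnce key in a .reg export: {value name: [reasons]}."""
    report = {}
    for key, values in parse_reg(text).items():
        if RUN_KEY.search(key):
            for name, data in values.items():
                report[name] = triage_run_value(name, data)
    return report


if __name__ == "__main__":
    for name, reasons in triage_reg_export(SAMPLE_REG).items():
        print(f"{name!r}: {'; '.join(reasons) if reasons else 'nothing unusual'}")
```

To run it against a real machine, export the key first (`reg export "HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`); that export doubles as the backup this post asks for before any .reg file is merged back. Windows writes .reg files as UTF-16, so read them with `encoding="utf-16"`. The heuristics are deliberately loose: the WeatherBug-style entry scores nothing, while the GUID-named value scores on both its name and its rundll32/javascript: payload, which is the pattern that distinguishes a Poweliks persistence entry from a merely odd-looking legitimate one.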


#10 mprich

mprich
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:34 AM

Posted 08 December 2014 - 10:05 PM

Takes two posts to get all of the logs to you.

 

 

RogueKiller V10.0.9.0 (x64) [Dec  8 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Mary [Administrator]
Mode : Scan -- Date : 12/08/2014  21:02:04

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\SynTP @ \Device\00000084 (\SystemRoot\system32\drivers\mssmbios.sys)

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] llnaq74l.default : Yahoo Toolbar [{635abd67-4fe9-1b23-4f01-e679fa7484c1}] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HM500JI +++++
--- User ---
[MBR] fed7c30da79f9a935893982a85d535b3
[BSP] 35254fdc97c2eea6eb96d300d64c6f7e : Kiwi MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 31459328 | Size: 100 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 31664128 | Size: 102400 MB
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 241379328 | Size: 359077 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WD My Passport 0830 USB Device +++++
--- User ---
[MBR] 22d82eb37aa3e81a7abe9c89e3af3fdc
[BSP] 8def43093f24b82db63b3d30cfde94f4 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476907 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

 

 

HitmanPro 3.7.9.232
www.hitmanpro.com
   Computer name . . . . : BIGRED
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : BigRed\Mary
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
   Scan date . . . . . . : 2014-12-08 21:27:10
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 8m 22s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 27
   Objects scanned . . . : 2,605,951
   Files scanned . . . . : 45,555
   Remnants scanned  . . : 1,265,593 files / 1,294,803 keys
Suspicious files ____________________________________________________________
   C:\Users\Mary\Desktop\Downloads\FRST64.exe
      Size . . . . . . . : 2,119,680 bytes
      Age  . . . . . . . : 1.2 days (2014-12-07 16:20:03)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : DDB765CE96F38B5967E3B98E1EA9772AB75B91448206166B69B1857C1B53905B
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
          0.0s C:\Users\Mary\Desktop\Downloads\FRST64.exe
   C:\Users\Mary\Desktop\frst64.exe
      Size . . . . . . . : 2,119,168 bytes
      Age  . . . . . . . : 0.4 days (2014-12-08 11:05:13)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : F12F8E00354953322ECB734595B81DE815AF9BDBF10C3FE39C59FDC74E506D5F
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s C:\Users\Mary\Desktop\frst64.exe
          0.0s C:\Users\Mary\Desktop\frst64.exe
          0.0s C:\Users\Mary\Desktop\frst64.exe
          0.0s C:\Users\Mary\Desktop\frst64.exe
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}
          0.5s C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.6.0.32\CmnClnt\ccSubSDK\{EE0B5DFC-C96E-41E6-8758-01F6814B1EAB}

Cookies _____________________________________________________________________
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\0CI41MST.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\3FZ8ZBI3.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\5VZFNJOL.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\6EOWIML0.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\8BVGY8J4.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\A2MZLB5W.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\B0JQ461L.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\CP67OC7R.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\E4DYAGCN.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\EQSWCC62.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\GTEC81PL.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\JIQ9IJ18.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\JU86QOHH.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\KW6Q57XU.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\KY64MOPI.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\L44YPDAJ.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\LFW91CUO.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\LX5QS9CH.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\O5ZS5F17.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\P6ZY3IB1.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\Q1I8YZEP.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\RAAXOXFN.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\RDRF0GV5.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\VL9XBIOH.txt
   C:\Users\Mary\AppData\Roaming\Microsoft\Windows\Cookies\ZYXVR8V6.txt
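The scanner entries above flag FRST64.exe on Size, Entropy, SHA-256 and a "no publisher information" heuristic, and the log itself notes that an entropy of 7.5 indicates the file is "encrypted, compressed or obfuscated". The following Python script is an added example, not part of this thread or of the scanner, that reproduces those three fields for arbitrary bytes and shows why a packed but legitimate tool trips the entropy heuristic while plain text does not. The threshold of 7.0 bits per byte and the sample inputs are assumptions chosen for the illustration, not values taken from the scanner.

```python
"""Added example: Shannon entropy + SHA-256 triage of file contents.

Not code from the forum thread or the scanner that produced the log above.
The HIGH_ENTROPY threshold is an assumption for this example only.
"""
import hashlib
import math
import random
from collections import Counter

# Assumed threshold: uniformly random bytes approach 8.0 bits/byte,
# English text sits around 4-5, so 7.0 separates packed from plain well.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sha256_hex(data: bytes) -> str:
    """Upper-case hex digest, matching the SHA-256 field layout in the log."""
    return hashlib.sha256(data).hexdigest().upper()


def describe(data: bytes) -> dict:
    """Mimic the Size / Entropy / SHA-256 fields and add a packed verdict.

    'looks_packed' is a heuristic only: compressed installers and packed
    diagnostic tools (such as FRST64.exe) score high without being malicious,
    so the verdict is a prompt to verify the file, not a detection.
    """
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(ent, 1),
        "sha256": sha256_hex(data),
        "looks_packed": ent >= HIGH_ENTROPY,
    }


# Constructed samples (not real files from the thread): repetitive ASCII text
# and 64 KiB of seeded pseudo-random bytes standing in for a packed binary.
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 200
_rng = random.Random(1)
PACKED_LIKE = bytes(_rng.getrandbits(8) for _ in range(65536))

if __name__ == "__main__":
    for name, blob in (("plain text", PLAIN_TEXT), ("packed-like", PACKED_LIKE)):
        print(name, describe(blob))
```

Run it against a real file by passing `open(path, "rb").read()` to `describe()`; a high entropy score on its own only says the contents are compressed or encrypted, so confirm the file's publisher and hash against the vendor's download page before treating it as suspicious.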


#11 mprich

mprich
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:34 AM

Posted 08 December 2014 - 10:10 PM

TDSSKiller log is too large to paste or upload, 976K


#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 09 December 2014 - 03:53 AM

Hi,

 

Upload the TDSSKiller log at http://zippyshare.com/ and post the link to the log in your next reply.

 

 

Regards,

Georgi


#13 mprich

mprich
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:34 AM

Posted 09 December 2014 - 10:58 AM

http://www54.zippyshare.com/v/52244883/file.html



#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 09 December 2014 - 06:43 PM

Hi,

 

The logs are clean.
STEP 1
Before I let you go I'd like to scan your machine with ESET OnlineScan
 

  • Please download and run the exe from the link below:
    ESET OnlineScan
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check the option beside: Enable detection of potentially unwanted applications
  • Now click on Advanced Settings and make sure that the option Remove found threats is NOT checked, and select the following:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
    • Click on the Change button and select only Operating memory and drive C:\
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png

STEP 2

Also, let's check for outdated and vulnerable software on your PC.

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

Let me know about any remaining issues.

Regards,

Georgi


#15 mprich

mprich
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:34 AM

Posted 10 December 2014 - 08:53 AM

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\FRST\Quarantine\C\Program Files (x86)\ConduitEngine\ConduitEngine.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\FRST\Quarantine\C\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\llnaq74l.default\Extensions\{37483b40-c254-4a72-bda4-22ee90182c1e}\ctypes\FirefoxCtype.dll a variant of Win32/Conduit.SearchProtect.N potentially unwanted application
C:\Program Files (x86)\Laplink\PCmover\ThirdParty\registrybooster.exe a variant of Win32/RegistryBooster potentially unwanted application
C:\Program Files (x86)\NCH Swift Sound\ExpressBurn\burnsetup_v4.40.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\Program Files (x86)\NCH Swift Sound\ExpressBurn\expressburn.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\Program Files (x86)\NCH Swift Sound\ExpressBurn\uninst.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\Program Files (x86)\NCH Swift Sound\SoundTap\soundtap.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\Program Files (x86)\NCH Swift Sound\SoundTap\stsetup_v2.10.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\Program Files (x86)\NCH Swift Sound\SoundTap\uninst.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\ProgramData\{E0A9340B-C01B-42C1-9910-C307D7BE4756}\WeatherBugSetup.res a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\All Users\{E0A9340B-C01B-42C1-9910-C307D7BE4756}\WeatherBugSetup.res a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Mary\AppData\Local\Downloaded Installations\{D5D6261A-38A4-4559-8195-8655505D1F7C}\PCmover Professional.msi a variant of Win32/RegistryBooster potentially unwanted application
C:\Users\Mary\Downloads\burnsetup.exe a variant of Win32/Toolbar.Conduit.J potentially unwanted application
C:\Users\Mary\Downloads\WeatherBugSetup(1).msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Mary\Downloads\WeatherBugSetup(2).msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Mary\Downloads\WeatherBugSetup(3).msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Mary\Downloads\WeatherBugSetup.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Windows\Installer\28d2a12e.msi a variant of Win32/RegistryBooster potentially unwanted application
 Results of screen317's Security Check version 0.99.92 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton 360   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 71 
 Adobe Flash Player 15.0.0.246 
 Adobe Reader XI 
 Mozilla Firefox (34.0)
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````