Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ransomware infection


  • This topic is locked This topic is locked
7 replies to this topic

#1 okidoki

okidoki

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:30 PM

Posted 06 December 2014 - 03:56 PM

Removed/quarantined ransomware infection yesterday using Malwarebytes.  How do I make sure that it is completely removed?  I suspect it is not completely removed, as I am still seeing several dllhost.exe*32 and almost 20 svchost.exe processes running via Task Manager.

Also, Malwarebytes window pops up occasionally indicating it has blocked a certain IP address (95.215.1.57). I am only using that computer offline. Somehow only about 5% of my files were encrypted. Thanks for your help.

Attached File  attach.txt   12.41KB   0 downloads

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420  BrowserJavaVersion: 11.25.2
Run by Oliver Koch at 15:28:47 on 2014-12-06
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.32647.28118 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\ibmpmsvc.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\Program Files\Lenovo\Fingerprint Manager Pro\OmniServ.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\System32\WUDFHost.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\system32\WLANExt.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Lenovo\Fingerprint Manager Pro\opvapp.exe
C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe
C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\Mgl3DCtlrRPCService.exe
C:\Windows\System32\hkcmd.exe
C:\windows\system32\igfxsrvc.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Windows\System32\igfxpers.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
C:\windows\SysWOW64\NLSSRV32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\TpShocks.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Lenovo\QuickControl\QuickControlMasterSvc.exe
C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\3DxService.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
C:\windows\system32\valWBFPolicyService.exe
C:\PROGRA~1\LENOVO\HOTKEY\tpnumlkd.exe
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\PROGRA~1\LENOVO\HOTKEY\tpnumlk.exe
C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\3DxPieMenus.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Windows\SysWOW64\rundll32.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\rundll32.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\SearchIndexer.exe
C:\PROGRA~1\Lenovo\HOTKEY\TPONSCR.EXE
C:\windows\system32\svchost.exe -k HPService
C:\windows\system32\svchost.exe -k bthsvcs
C:\PROGRA~1\Lenovo\HOTKEY\SHTCTKY.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\windows\system32\wbem\unsecapp.exe
C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Users\Oliver Koch\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe
C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe
C:\Program Files (x86)\Lenovo\QuickControl\QuickControlInput.exe
C:\Program Files (x86)\Lenovo\QuickControl\QuickControlInput.exe
C:\PROGRAM FILES (x86)\Cyberlink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Lenovo\message center plus\mcplaunch.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\DRIVERS\o2flash.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskmgr.exe
C:\windows\syswow64\dllhost.exe
C:\windows\system32\rundll32.exe
C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll
uRun: [Autodesk Sync] C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [Dolby Home Theater v4] "C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe" -autostart
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Lenovo Registration] C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [ADSKAppManager] "C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgr.exe" -showminimized -checkautorun
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRunOnce: [UNINST1] rundll32 c:\users\oliver~1\appdata\local\temp\uninstmanager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000}
dRun: [Autodesk Sync] C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP12EP25-10026/webex/ieatgpc1.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B1EE75E7-3641-478C-8E53-A0508735C87D} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{EE8723D0-E1E3-4506-B65F-EFF329AAFB08} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{EE8723D0-E1E3-4506-B65F-EFF329AAFB08}\36D647963707D27657563747 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{EE8723D0-E1E3-4506-B65F-EFF329AAFB08}\54D607279637567454D27657563747 : DHCPNameServer = 192.168.3.1
TCP: Interfaces\{EE8723D0-E1E3-4506-B65F-EFF329AAFB08}\B4F636860275966496 : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
AppInit_DLLs= C:\windows\SysWOW64\nvinit.dll
SSODL: WebCheck - <orphaned>
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [BLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
x64-Run: [IgfxTray] "C:\windows\System32\igfxtray.exe"
x64-Run: [HotKeysCmds] "C:\windows\System32\hkcmd.exe"
x64-Run: [Persistence] "C:\windows\System32\igfxpers.exe"
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TpShocks] TpShocks.exe
x64-Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
x64-Run: [3DxWare Service] "C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\3DxService.exe" -quiet
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2014-6-25 65776]
R0 aswVmm;avast! VM Monitor;C:\windows\System32\drivers\aswVmm.sys [2014-6-25 267632]
R0 DzHDD64;DzHDD64;C:\windows\System32\drivers\DZHDD64.SYS [2014-6-20 29512]
R0 iaStorA;iaStorA;C:\windows\System32\drivers\iaStorA.sys [2014-6-20 644968]
R0 iaStorF;iaStorF;C:\windows\System32\drivers\iaStorF.sys [2014-6-20 28008]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\windows\System32\drivers\iusb3hcs.sys [2014-6-20 20464]
R0 nvpciflt;nvpciflt;C:\windows\System32\drivers\nvpciflt.sys [2013-11-15 30496]
R0 TPDIGIMN;TPDIGIMN;C:\windows\System32\drivers\ApsHM64.sys [2013-6-20 25856]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswsnx.sys [2014-6-25 1050432]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswsp.sys [2014-6-25 436624]
R1 OMNISMI;OMNISMI;C:\Windows\SysWOW64\drivers\omnismi.sys [2014-6-20 14776]
R2 AdAppMgrSvc;Autodesk Application Manager Service;C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [2014-7-7 597896]
R2 aswHwid;avast! HardwareID;C:\windows\System32\drivers\aswHwid.sys [2014-6-25 29208]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2014-6-25 83280]
R2 aswStm;aswStm;C:\windows\System32\drivers\aswstm.sys [2014-6-25 116728]
R2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [2014-2-7 31192]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-11-25 50344]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2013-6-25 1132920]
R2 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2013-4-23 1366392]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2013-4-23 1153400]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2013-5-11 733696]
R2 ISCTAgent;Intel® Smart Connect Technology Agent;C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [2013-4-15 182760]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2014-6-20 169432]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;C:\Program Files\Lenovo\Communications Utility\CamMute.exe [2014-6-20 59896]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2014-6-25 110128]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe [2014-6-20 74232]
R2 LENOVO.TVTVCAM;ThinkVantage Virtual Camera Controller;C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [2014-6-20 199160]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2014-6-20 136288]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-12-5 1871160]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-12-5 969016]
R2 Mgl3DCtlrRPCService;3Dconnexion Broker Service;C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\Mgl3DCtlrRPCService.exe [2014-6-23 30208]
R2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [2013-6-17 230408]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2013-6-17 69640]
R2 QuickControlMasterSvc;Lenovo QuickControl Master Service;C:\Program Files (x86)\Lenovo\QuickControl\QuickControlMasterSvc.exe [2013-7-16 59384]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2014-6-25 124400]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2014-6-25 126512]
R2 valWBFPolicyService;Synaptics FP WBF Policy Service;C:\windows\System32\valWBFPolicyService.exe [2014-5-12 49040]
R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2013-8-2 3378416]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\windows\System32\drivers\btmaux.sys [2013-4-23 132920]
R3 btmhsf;btmhsf;C:\windows\System32\drivers\btmhsf.sys [2013-8-8 1385272]
R3 e1dexpress;Intel® PRO/1000 PCI Express Network Connection Driver D;C:\windows\System32\drivers\e1d62x64.sys [2014-6-25 488216]
R3 ibtusb;Intel® Wireless Bluetooth® 4.0 + HS Adapter;C:\windows\System32\drivers\ibtusb.sys [2013-6-13 114632]
R3 ikbevent;Intel Upper keyboard Class Filter Driver;C:\windows\System32\drivers\ikbevent.sys [2013-4-15 21048]
R3 imsevent;Intel Upper Mouse Class Filter Driver;C:\windows\System32\drivers\imsevent.sys [2013-4-15 21048]
R3 ISCT;Intel® Smart Connect Technology Device Driver;C:\windows\System32\drivers\ISCTD64.sys [2013-4-15 46568]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\windows\System32\drivers\iusb3hub.sys [2014-6-20 368624]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\windows\System32\drivers\iusb3xhc.sys [2014-6-20 790000]
R3 iwdbus;IWD Bus Enumerator;C:\windows\System32\drivers\iwdbus.sys [2013-7-26 25528]
R3 KMJHidMini;3Dconnexion KMJ Emulator;C:\windows\System32\drivers\3dxkmj.sys [2014-5-12 18944]
R3 KMJShim;3Dconnexion KMJ Emulator Shim;C:\windows\System32\drivers\3dxshim.sys [2014-5-12 7168]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-12-5 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\windows\System32\drivers\MBAMSwissArmy.sys [2014-12-5 129752]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\windows\System32\drivers\mwac.sys [2014-12-5 63704]
R3 O2FJ2RDR;O2FJ2RDR;C:\windows\System32\drivers\O2FJ2w7x64.sys [2013-8-16 195768]
R3 Power Manager DBC Service;Power Manager Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2014-6-20 1668904]
R3 QuickControlService;Lenovo QuickControl Service;C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe [2013-7-16 138744]
R3 SmbDrvI;SmbDrvI;C:\windows\System32\drivers\Smb_driver_Intel.sys [2014-6-20 33008]
R3 SPUVCbv;SPUVCb Driver Service;C:\windows\System32\drivers\SPUVCBv_x64.sys [2013-3-15 1450104]
R3 tvtvcamd;Camera Plus (VGA Resolution Maximum);C:\windows\System32\drivers\tvtvcamd.sys [2014-6-20 27432]
R3 usb3Hub;UoIP Hub;C:\windows\System32\drivers\usb3Hub.sys [2013-6-20 206744]
R3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);C:\windows\System32\drivers\WPRO_41_2001.sys [2014-6-20 34752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-10-28 383776]
S3 3dxhid;3Dconnexion HID filter;C:\windows\System32\drivers\3dxhid.sys [2014-6-12 38672]
S3 dmvsc;dmvsc;C:\windows\System32\drivers\dmvsc.sys [2010-11-20 71168]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2014-6-20 320576]
S3 FlexNet Licensing Service 64;FlexNet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe [2014-7-7 1357104]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-11-12 114688]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\System32\drivers\intelaud.sys [2013-7-26 35256]
S3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2014-6-20 452088]
S3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2013-5-11 822232]
S3 iumsvc;Intel® Update Manager;C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2014-2-28 174368]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2013-8-2 273136]
S3 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2014-6-20 1664808]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2014-6-25 19456]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2014-6-25 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2014-6-25 30208]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2013-3-18 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2014-6-25 1255736]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=C:\windows\System32\notepad.exe "%1"
.
=============== Created Last 30 ================
.
2014-12-06 18:26:08 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{869F4C8B-D091-4A4F-A685-DFE494B3307F}\offreg.dll
2014-12-06 15:50:34 94656 ----a-w- C:\windows\System32\WPRO_41_2001woem.tmp
2014-12-05 21:26:16 11632448 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{869F4C8B-D091-4A4F-A685-DFE494B3307F}\mpengine.dll
2014-12-05 21:22:45 290304 ----a-w- C:\windows\SysWow64\subinacl.exe
2014-12-05 21:16:38 -------- d-----w- C:\Program Files\Common Files\Microsoft
2014-12-05 21:16:38 -------- d-----w- C:\Program Files\Adware-Removal-Tool
2014-12-05 21:01:21 129752 ----a-w- C:\windows\System32\drivers\MBAMSwissArmy.sys
2014-12-05 21:01:13 93400 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
2014-12-05 21:01:13 63704 ----a-w- C:\windows\System32\drivers\mwac.sys
2014-12-05 21:01:13 25816 ----a-w- C:\windows\System32\drivers\mbam.sys
2014-12-05 21:01:13 -------- d-----w- C:\ProgramData\Malwarebytes
2014-12-05 21:01:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-05 21:01:00 -------- d-----w- C:\windows\ERUNT
2014-12-03 20:01:33 -------- d-sh--w- C:\found.000
2014-12-01 14:46:05 -------- d-----w- C:\Users\Oliver Koch\AppData\Roaming\LSC
2014-11-25 20:03:18 43152 ----a-w- C:\windows\avastSS.scr
2014-11-25 19:22:34 -------- d-----w- C:\ProgramData\KewgOvej
2014-11-25 19:22:10 -------- d-----w- C:\ProgramData\NothUpqem
2014-11-18 19:01:59 728064 ----a-w- C:\windows\System32\kerberos.dll
2014-11-18 19:01:59 241152 ----a-w- C:\windows\System32\pku2u.dll
2014-11-18 19:01:58 550912 ----a-w- C:\windows\SysWow64\kerberos.dll
2014-11-18 19:01:58 186880 ----a-w- C:\windows\SysWow64\pku2u.dll
2014-11-14 10:36:32 84208 ----a-w- C:\windows\System32\ibmpmsvc.exe
2014-11-14 10:36:32 72432 ----a-w- C:\windows\System32\ibmpmctl.exe
2014-11-14 10:36:32 60112 ----a-w- C:\windows\System32\drivers\ibmpmdrv.sys
2014-11-14 10:36:32 40176 ----a-w- C:\windows\System32\tpinspm.dll
2014-11-13 13:56:26 -------- d-sh--w- C:\Users\Oliver Koch\AppData\Local\EmieBrowserModeList
2014-11-12 16:06:59 968704 ----a-w- C:\windows\System32\MsSpellCheckingFacility.exe
2014-11-12 16:05:27 2048 ----a-w- C:\windows\SysWow64\msxml3r.dll
.
==================== Find3M  ====================
.
2014-12-06 15:50:34 34752 ----a-w- C:\windows\System32\drivers\WPRO_41_2001.sys
2014-11-25 20:03:35 1050432 ----a-w- C:\windows\System32\drivers\aswsnx.sys
2014-11-25 20:03:19 93568 ----a-w- C:\windows\System32\drivers\aswRdr2.sys
2014-11-25 20:03:19 83280 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2014-11-25 20:03:19 65776 ----a-w- C:\windows\System32\drivers\aswRvrt.sys
2014-11-25 20:03:19 29208 ----a-w- C:\windows\System32\drivers\aswHwid.sys
2014-11-25 20:03:19 267632 ----a-w- C:\windows\System32\drivers\aswVmm.sys
2014-11-25 20:03:19 116728 ----a-w- C:\windows\System32\drivers\aswstm.sys
2014-11-06 04:04:03 2724864 ----a-w- C:\windows\System32\mshtml.tlb
2014-11-06 04:03:50 4096 ----a-w- C:\windows\System32\ieetwcollectorres.dll
2014-11-06 03:47:03 66560 ----a-w- C:\windows\System32\iesetup.dll
2014-11-06 03:46:12 580096 ----a-w- C:\windows\System32\vbscript.dll
2014-11-06 03:46:12 48640 ----a-w- C:\windows\System32\ieetwproxystub.dll
2014-11-06 03:44:28 88064 ----a-w- C:\windows\System32\MshtmlDac.dll
2014-11-06 03:30:22 144384 ----a-w- C:\windows\System32\ieUnatt.exe
2014-11-06 03:30:08 114688 ----a-w- C:\windows\System32\ieetwcollector.exe
2014-11-06 03:29:18 814080 ----a-w- C:\windows\System32\jscript9diag.dll
2014-11-06 03:28:20 2724864 ----a-w- C:\windows\SysWow64\mshtml.tlb
2014-11-06 03:23:57 6040064 ----a-w- C:\windows\System32\jscript9.dll
2014-11-06 03:13:43 501248 ----a-w- C:\windows\SysWow64\vbscript.dll
2014-11-06 03:13:36 62464 ----a-w- C:\windows\SysWow64\iesetup.dll
2014-11-06 03:12:44 47616 ----a-w- C:\windows\SysWow64\ieetwproxystub.dll
2014-11-06 03:10:58 64000 ----a-w- C:\windows\SysWow64\MshtmlDac.dll
2014-11-06 03:07:29 77824 ----a-w- C:\windows\System32\JavaScriptCollectionAgent.dll
2014-11-06 02:59:36 115712 ----a-w- C:\windows\SysWow64\ieUnatt.exe
2014-11-06 02:58:38 620032 ----a-w- C:\windows\SysWow64\jscript9diag.dll
2014-11-06 02:42:36 60416 ----a-w- C:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-06 02:39:39 1359360 ----a-w- C:\windows\System32\mshtmlmedia.dll
2014-11-06 02:38:25 2124288 ----a-w- C:\windows\System32\inetcpl.cpl
2014-11-06 02:21:49 4298240 ----a-w- C:\windows\SysWow64\jscript9.dll
2014-11-06 02:21:25 2051072 ----a-w- C:\windows\SysWow64\inetcpl.cpl
2014-11-06 02:20:37 1155072 ----a-w- C:\windows\SysWow64\mshtmlmedia.dll
2014-11-06 02:17:24 2365440 ----a-w- C:\windows\System32\wininet.dll
2014-11-06 01:52:35 1892864 ----a-w- C:\windows\SysWow64\wininet.dll
2014-11-05 17:56:54 304640 ----a-w- C:\windows\System32\generaltel.dll
2014-11-05 17:56:36 228864 ----a-w- C:\windows\System32\aepdu.dll
2014-11-05 17:52:22 424448 ----a-w- C:\windows\System32\aeinv.dll
2014-11-04 19:30:58 275080 ------w- C:\windows\System32\MpSigStub.exe
2014-10-25 01:57:59 77824 ----a-w- C:\windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\windows\SysWow64\packager.dll
2014-10-20 20:17:49 98216 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-18 02:05:23 861696 ----a-w- C:\windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37 155064 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06 683520 ----a-w- C:\windows\System32\termsrv.dll
2014-10-14 02:13:00 3241984 ----a-w- C:\windows\System32\msi.dll
2014-10-14 02:12:57 1460736 ----a-w- C:\windows\System32\lsasrv.dll
2014-10-14 02:09:31 146432 ----a-w- C:\windows\System32\msaudite.dll
2014-10-14 02:07:31 681984 ----a-w- C:\windows\System32\adtschema.dll
2014-10-14 01:50:47 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\windows\SysWow64\msi.dll
2014-10-14 01:49:38 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2014-10-14 01:47:30 146432 ----a-w- C:\windows\SysWow64\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- C:\windows\SysWow64\adtschema.dll
2014-10-10 00:57:42 3198976 ----a-w- C:\windows\System32\win32k.sys
2014-10-03 02:12:00 500224 ----a-w- C:\windows\System32\AUDIOKSE.dll
2014-10-03 02:11:54 284672 ----a-w- C:\windows\System32\EncDump.dll
2014-10-03 02:11:51 680960 ----a-w- C:\windows\System32\audiosrv.dll
2014-10-03 02:11:51 440832 ----a-w- C:\windows\System32\AudioEng.dll
2014-10-03 02:11:51 296448 ----a-w- C:\windows\System32\AudioSes.dll
2014-10-03 01:44:42 442880 ----a-w- C:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26 374784 ----a-w- C:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- C:\windows\SysWow64\AudioSes.dll
2014-09-25 02:08:38 371712 ----a-w- C:\windows\System32\qdvd.dll
2014-09-25 01:40:50 519680 ----a-w- C:\windows\SysWow64\qdvd.dll
2014-09-19 09:42:52 210944 ----a-w- C:\windows\System32\wdigest.dll
2014-09-19 09:42:51 86528 ----a-w- C:\windows\System32\TSpkg.dll
2014-09-19 09:42:49 342016 ----a-w- C:\windows\System32\schannel.dll
2014-09-19 09:42:47 314880 ----a-w- C:\windows\System32\msv1_0.dll
2014-09-19 09:42:47 309760 ----a-w- C:\windows\System32\ncrypt.dll
2014-09-19 09:42:41 22016 ----a-w- C:\windows\System32\credssp.dll
2014-09-19 09:23:55 172032 ----a-w- C:\windows\SysWow64\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- C:\windows\SysWow64\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- C:\windows\SysWow64\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- C:\windows\SysWow64\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- C:\windows\SysWow64\msv1_0.dll
2014-09-19 09:23:36 17408 ----a-w- C:\windows\SysWow64\credssp.dll
2014-09-09 22:11:04 2048 ----a-w- C:\windows\System32\tzres.dll
2014-09-09 21:47:10 2048 ----a-w- C:\windows\SysWow64\tzres.dll
.
============= FINISH: 15:30:03.59 ===============
 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:30 PM

Posted 11 December 2014 - 09:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 okidoki

okidoki
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:30 PM

Posted 11 December 2014 - 03:16 PM

thank you nasdaq

After running the AdwCleaner, I checked off the folder C:\windows\util in order to keep it.  It only contains numlock.exe and turbo.exe and I the AdwCleaner didn't flag those.

FYI, the affected computer was not connected to the internet when the scans were run. 

After running the AdwCleaner and FRST, the COM Surrogate dllhost.exe*32 still shows up on the task manager processes, and still results in a Mawarebytes warning popup: "malicious website blocked; IP: 95.215.1.57; process: C:\windows\svswow64\dllhost.exe".

When I click "end process" in task manager, it still comes back, and it seems to start as soon as I navigate in windows explorer.

When I connect to the internet, all sorts of processes start running and using a lot of memory:

dpnsvr.exe*32

wextract.exe*32

NAPSTAT.EXE*32

and go away soon after I disconnect from the network.

Another weird thing is the power manager settings keep switching to airplane mode. 

 

AdwCleaner log file:

# AdwCleaner v4.105 - Report created 11/12/2014 at 13:47:11
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Local]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Oliver Koch - OLIVERKOCH
# Running from : C:\Users\Oliver Koch\Desktop\adwcleaner_4.105.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

[x] Not Deleted : C:\windows\Util

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420

*************************

AdwCleaner[R0].txt - [955 octets] - [11/12/2014 13:19:08]
AdwCleaner[R1].txt - [1040 octets] - [11/12/2014 13:42:16]
AdwCleaner[R2].txt - [1101 octets] - [11/12/2014 13:45:26]
AdwCleaner[S0].txt - [1030 octets] - [11/12/2014 13:47:11]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1090 octets] ##########

 

 

 

FRST log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-12-2014 01
Ran by Oliver Koch (administrator) on OLIVERKOCH on 11-12-2014 13:53:25
Running from C:\Users\Oliver Koch\Desktop
Loaded Profiles: UpdatusUser & Oliver Koch (Available profiles: UpdatusUser & Oliver Koch)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Softex Inc.) C:\Program Files\Lenovo\Fingerprint Manager Pro\OmniServ.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Autodesk Inc.) C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Autodesk, Inc.) C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
() C:\Program Files\Lenovo\Fingerprint Manager Pro\opvapp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CamMute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(3Dconnexion) C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\Mgl3DCtlrRPCService.exe
(Nitro PDF Software) C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlMasterSvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Lenovo.) C:\Windows\System32\TpShocks.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(3Dconnexion, INC) C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\3DxService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Autodesk, Inc.) C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(3Dconnexion) C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\3dxpiemenus.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControl.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
(Autodesk Inc.) C:\Users\Oliver Koch\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlInput.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\QuickControl\QuickControlInput.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [184112 2012-09-17] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2987760 2013-08-08] (Synaptics Incorporated)
HKLM\...\Run: [TpShocks] => C:\windows\system32\TpShocks.exe [382248 2013-06-20] (Lenovo.)
HKLM\...\Run: [LENOVO.TPKNRRES] => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [296952 2013-07-17] (Lenovo Group Limited)
HKLM\...\Run: [3DxWare Service] => C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\3DxService.exe [2157440 2014-06-23] (3Dconnexion, INC)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [134616 2013-06-18] (Intel Corporation)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [508656 2012-08-31] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [PWMTRV] => rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2013-08-15] (Intel Corporation)
HKLM-x32\...\Run: [Lenovo Registration] => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe [4315872 2011-06-01] (Lenovo, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [hpqSRMon] => C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5226600 2014-11-25] (AVAST Software)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [ADSKAppManager] => C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgr.exe [488328 2014-09-03] (Autodesk Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1235336 2014-08-28] (Autodesk, Inc.)
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...\Policies\Explorer: []
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...\MountPoints2: {ab1c4031-7c7b-45d5-98bf-1d10319663a3} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1235336 2014-08-28] (Autodesk, Inc.)
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [245872 2013-11-15] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [201576 2013-11-15] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\windows\system32\AcSignIcon.dll (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} => C:\Program Files (x86)\SugarSync\SugarSyncShellExt_x64.dll (SugarSync, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo13-comm.msn.com/?pc=LNJB
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo13-comm.msn.com/?pc=LNJB
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
StartMenuInternet: IEXPLORE.EXE - C:\program files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1469872871-1961492873-3088120506-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T28L10NSP12EP25-10026/webex/ieatgpc1.cab
Hosts: Hosts file not detected in the default directory

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.29 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @nitropdf.com/NitroPDF -> C:\Program Files (x86)\Nitro\Pro 8\npnitromozilla.dll (Nitro PDF)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1469872871-1961492873-3088120506-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Oliver Koch\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-06-25]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-25]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdAppMgrSvc; C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [597896 2014-09-03] (Autodesk Inc.)
R2 Autodesk Content Service; C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [31192 2014-02-07] (Autodesk, Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-25] (AVAST Software)
S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [320576 2013-08-01] (Lenovo.)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [182760 2013-04-15] ()
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [174368 2014-02-28] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-06-18] (Intel Corporation)
R2 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [199160 2013-07-17] (Lenovo Group Limited)
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [136288 2012-08-10] (Lenovo Group Limited)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 Mgl3DCtlrRPCService; C:\Program Files\3Dconnexion\3DxWare\3DxWinCore64\Mgl3DCtlrRPCService.exe [30208 2014-06-23] (3Dconnexion) [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [273136 2013-08-02] ()
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NitroDriverReadSpool8; C:\Program Files\Common Files\Nitro\Pro\8.0\NitroPDFDriverService8x64.exe [230408 2013-06-17] (Nitro PDF Software)
R2 omniserv; C:\Program Files\Lenovo\Fingerprint Manager Pro\OmniServ.exe [94720 2014-09-25] (Softex Inc.) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 QuickControlMasterSvc; C:\Program Files (x86)\Lenovo\QuickControl\QuickControlMasterSvc.exe [59384 2013-07-16] (Lenovo Group Limited)
R3 QuickControlService; C:\Program Files (x86)\Lenovo\QuickControl\QuickControlService.exe [138744 2013-07-16] (Lenovo Group Limited)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [24560 2014-06-18] ()
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [49040 2014-09-01] (Synaptics Incorporated)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3378416 2013-08-02] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 3dxhid; C:\Windows\System32\DRIVERS\3dxhid.sys [38672 2014-06-12] (3Dconnexion SAM)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-11-25] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-11-25] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-11-25] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-11-25] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-11-25] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-11-25] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-11-25] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-11-25] ()
R3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [132920 2013-04-23] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1385272 2013-08-08] (Motorola Solutions, Inc.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [488216 2014-03-05] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-08-01] (Intel Corporation)
R3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [114632 2013-08-28] (Intel Corporation)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [21048 2013-04-15] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [21048 2013-04-15] ()
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [46568 2013-04-15] ()
R3 KMJHidMini; C:\Windows\System32\DRIVERS\3dxkmj.sys [18944 2014-05-12] (3Dconnextion Inc.)
R3 KMJShim; C:\Windows\System32\DRIVERS\3dxshim.sys [7168 2014-05-12] (3Dconnextion Inc.)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-11] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw02.sys [3584992 2013-08-01] (Intel Corporation)
R3 O2FJ2RDR; C:\Windows\System32\DRIVERS\O2FJ2w7x64.sys [195768 2013-08-16] (O2Micro )
R1 OMNISMI; C:\windows\SysWOW64\drivers\omnismi.sys [14776 2013-07-22] ()
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [33008 2013-08-08] (Synaptics Incorporated)
R3 SPUVCbv; C:\Windows\System32\Drivers\SPUVCbv_x64.sys [1450104 2013-03-15] (Sunplus)
R3 tvtvcamd; C:\Windows\System32\DRIVERS\tvtvcamd.sys [27432 2011-12-08] (ThinkVantage Communications Utility)
R3 usb3Hub; C:\Windows\System32\DRIVERS\usb3Hub.sys [206744 2013-06-20] (Windows ® Win 7 DDK provider)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2014-12-11] ()

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-11 13:53 - 2014-12-11 13:53 - 00022296 _____ () C:\Users\Oliver Koch\Desktop\FRST.txt
2014-12-11 13:53 - 2014-12-11 13:53 - 00000000 ____D () C:\FRST
2014-12-11 13:49 - 2014-12-11 13:49 - 00094656 _____ (CACE Technologies) C:\windows\system32\WPRO_41_2001woem.tmp
2014-12-11 13:41 - 2014-12-11 13:16 - 02119680 _____ (Farbar) C:\Users\Oliver Koch\Desktop\FRST64.exe
2014-12-11 13:41 - 2014-12-11 13:12 - 02166272 _____ () C:\Users\Oliver Koch\Desktop\adwcleaner_4.105.exe
2014-12-11 13:19 - 2014-12-11 13:47 - 00000000 ____D () C:\AdwCleaner
2014-12-06 15:30 - 2014-12-06 15:30 - 00028248 _____ () C:\Users\Oliver Koch\Desktop\dds.txt
2014-12-06 15:30 - 2014-12-06 15:30 - 00012703 _____ () C:\Users\Oliver Koch\Desktop\attach.txt
2014-12-06 15:27 - 2014-12-06 15:26 - 00688992 ____R (Swearware) C:\Users\Oliver Koch\Desktop\dds.com
2014-12-05 16:35 - 2014-12-11 13:48 - 00003120 _____ () C:\windows\PFRO.log
2014-12-05 16:33 - 2014-12-11 13:48 - 00000448 _____ () C:\windows\setupact.log
2014-12-05 16:33 - 2014-12-05 16:33 - 00000000 _____ () C:\windows\setuperr.log
2014-12-05 16:26 - 2014-12-05 16:26 - 05600479 _____ (Swearware) C:\Users\Oliver Koch\Downloads\ComboFix.exe
2014-12-05 16:22 - 2014-12-05 16:22 - 00290304 _____ (Microsoft Corporation) C:\windows\SysWOW64\subinacl.exe
2014-12-05 16:19 - 2014-12-06 10:56 - 00006144 ___SH () C:\Users\Oliver Koch\Documents\Thumbs.db
2014-12-05 16:16 - 2014-12-05 16:22 - 00000000 ____D () C:\Program Files\Adware-Removal-Tool
2014-12-05 16:01 - 2014-12-11 13:49 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-05 16:01 - 2014-12-05 16:01 - 00001117 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-05 16:01 - 2014-12-05 16:01 - 00000000 ____D () C:\windows\ERUNT
2014-12-05 16:01 - 2014-12-05 16:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-05 16:01 - 2014-12-05 16:01 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-05 16:01 - 2014-12-05 16:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-05 16:01 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-12-05 16:01 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2014-12-05 16:01 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2014-12-04 14:59 - 2014-12-04 14:59 - 00003060 _____ () C:\windows\System32\Tasks\jajlmhg
2014-12-04 10:32 - 2014-12-04 15:03 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Strength of Nature
2014-12-03 15:01 - 2014-12-03 15:01 - 00000000 __SHD () C:\found.000
2014-12-01 09:46 - 2014-12-01 09:46 - 00000000 ____D () C:\Users\Oliver Koch\AppData\Roaming\LSC
2014-11-25 15:03 - 2014-11-25 15:03 - 00364512 _____ (AVAST Software) C:\windows\system32\aswBoot.exe
2014-11-25 15:03 - 2014-11-25 15:03 - 00043152 _____ (AVAST Software) C:\windows\avastSS.scr
2014-11-25 15:03 - 2014-11-25 15:03 - 00001935 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2014-11-25 14:22 - 2014-11-25 14:22 - 00000000 ____D () C:\ProgramData\NothUpqem
2014-11-25 14:22 - 2014-11-25 14:22 - 00000000 ____D () C:\ProgramData\KewgOvej
2014-11-22 12:59 - 2014-11-22 12:59 - 00382721 _____ () C:\Users\Oliver Koch\Downloads\23515T420.STEP
2014-11-22 12:58 - 2014-11-22 12:58 - 00267791 _____ () C:\Users\Oliver Koch\Downloads\23515T420.SAT
2014-11-22 12:56 - 2014-11-22 12:56 - 01098472 _____ () C:\Users\Oliver Koch\Downloads\23515T420.IGS
2014-11-22 12:56 - 2014-11-22 12:56 - 01040896 _____ () C:\Users\Oliver Koch\Downloads\23515T420.SLDPRT
2014-11-18 14:01 - 2014-11-10 22:08 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2014-11-18 14:01 - 2014-11-10 22:08 - 00241152 _____ (Microsoft Corporation) C:\windows\system32\pku2u.dll
2014-11-18 14:01 - 2014-11-10 21:44 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2014-11-18 14:01 - 2014-11-10 21:44 - 00186880 _____ (Microsoft Corporation) C:\windows\SysWOW64\pku2u.dll
2014-11-14 05:36 - 2014-11-14 05:36 - 00084208 _____ (Lenovo.) C:\windows\system32\ibmpmsvc.exe
2014-11-14 05:36 - 2014-11-14 05:36 - 00072432 _____ (Lenovo.) C:\windows\system32\ibmpmctl.exe
2014-11-14 05:36 - 2014-11-14 05:36 - 00060112 _____ (Lenovo.) C:\windows\system32\Drivers\ibmpmdrv.sys
2014-11-14 05:36 - 2014-11-14 05:36 - 00040176 _____ (Lenovo.) C:\windows\system32\tpinspm.dll
2014-11-13 08:57 - 2014-11-13 08:57 - 08813746 _____ () C:\Users\Oliver Koch\Downloads\Structure Concept BIND.dwg
2014-11-13 08:56 - 2014-11-13 08:56 - 00000000 __SHD () C:\Users\Oliver Koch\AppData\Local\EmieBrowserModeList
2014-11-12 11:07 - 2014-11-07 14:49 - 00388272 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-11-12 11:07 - 2014-11-07 14:23 - 00341168 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-11-12 11:07 - 2014-11-05 23:04 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-11-12 11:07 - 2014-11-05 22:46 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-11-12 11:07 - 2014-11-05 22:35 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-11-12 11:07 - 2014-11-05 22:30 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-11-12 11:07 - 2014-11-05 22:28 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-11-12 11:07 - 2014-11-05 22:13 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-11-12 11:07 - 2014-11-05 22:12 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-11-12 11:07 - 2014-11-05 22:10 - 19781632 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-11-12 11:07 - 2014-11-05 22:07 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-12 11:07 - 2014-11-05 22:03 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-11-12 11:07 - 2014-11-05 21:42 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-12 11:07 - 2014-11-05 21:41 - 00716800 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-11-12 11:07 - 2014-11-05 21:36 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-11-12 11:07 - 2014-11-05 21:34 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-11-12 11:07 - 2014-11-05 21:22 - 00688640 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-11-12 11:07 - 2014-11-05 21:21 - 02051072 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-11-12 11:07 - 2014-11-05 20:48 - 01310208 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-11-12 11:07 - 2014-11-05 20:47 - 00708096 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-11-12 11:07 - 2014-11-05 12:56 - 00304640 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2014-11-12 11:07 - 2014-11-05 12:56 - 00228864 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-11-12 11:07 - 2014-11-05 12:52 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-11-12 11:07 - 2014-10-13 21:16 - 00155064 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2014-11-12 11:07 - 2014-10-13 21:13 - 00683520 _____ (Microsoft Corporation) C:\windows\system32\termsrv.dll
2014-11-12 11:07 - 2014-10-13 21:12 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-11-12 11:07 - 2014-10-13 21:09 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2014-11-12 11:07 - 2014-10-13 21:07 - 00681984 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2014-11-12 11:07 - 2014-10-13 20:50 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2014-11-12 11:07 - 2014-10-13 20:49 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2014-11-12 11:07 - 2014-10-13 20:47 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2014-11-12 11:07 - 2014-10-13 20:46 - 00681984 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2014-11-12 11:06 - 2014-11-05 23:03 - 25110016 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-11-12 11:06 - 2014-11-05 23:03 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-11-12 11:06 - 2014-11-05 22:47 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-11-12 11:06 - 2014-11-05 22:46 - 00580096 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-11-12 11:06 - 2014-11-05 22:44 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-11-12 11:06 - 2014-11-05 22:43 - 02884096 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-11-12 11:06 - 2014-11-05 22:36 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-11-12 11:06 - 2014-11-05 22:31 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-11-12 11:06 - 2014-11-05 22:30 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-11-12 11:06 - 2014-11-05 22:29 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-11-12 11:06 - 2014-11-05 22:23 - 06040064 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-11-12 11:06 - 2014-11-05 22:20 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-11-12 11:06 - 2014-11-05 22:16 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-11-12 11:06 - 2014-11-05 22:13 - 00501248 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-11-12 11:06 - 2014-11-05 22:10 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-11-12 11:06 - 2014-11-05 22:05 - 02277376 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-11-12 11:06 - 2014-11-05 22:04 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-11-12 11:06 - 2014-11-05 22:02 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-11-12 11:06 - 2014-11-05 22:00 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-11-12 11:06 - 2014-11-05 22:00 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-11-12 11:06 - 2014-11-05 21:59 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-11-12 11:06 - 2014-11-05 21:58 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-11-12 11:06 - 2014-11-05 21:57 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-11-12 11:06 - 2014-11-05 21:48 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-11-12 11:06 - 2014-11-05 21:41 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-11-12 11:06 - 2014-11-05 21:39 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-11-12 11:06 - 2014-11-05 21:38 - 02124288 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-11-12 11:06 - 2014-11-05 21:37 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-11-12 11:06 - 2014-11-05 21:30 - 14390272 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-11-12 11:06 - 2014-11-05 21:21 - 04298240 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-11-12 11:06 - 2014-11-05 21:20 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-11-12 11:06 - 2014-11-05 21:17 - 02365440 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-11-12 11:06 - 2014-11-05 21:04 - 01550336 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-11-12 11:06 - 2014-11-05 21:03 - 12819456 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-11-12 11:06 - 2014-11-05 20:53 - 00799232 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-11-12 11:06 - 2014-11-05 20:52 - 01892864 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-11-12 11:05 - 2014-10-24 20:57 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\packager.dll
2014-11-12 11:05 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\windows\SysWOW64\packager.dll
2014-11-12 11:05 - 2014-10-17 21:05 - 00861696 _____ (Microsoft Corporation) C:\windows\system32\oleaut32.dll
2014-11-12 11:05 - 2014-10-17 20:33 - 00571904 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleaut32.dll
2014-11-12 11:05 - 2014-10-13 21:13 - 03241984 _____ (Microsoft Corporation) C:\windows\system32\msi.dll
2014-11-12 11:05 - 2014-10-13 20:50 - 02363904 _____ (Microsoft Corporation) C:\windows\SysWOW64\msi.dll
2014-11-12 11:05 - 2014-10-09 19:57 - 03198976 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2014-11-12 11:05 - 2014-10-02 21:12 - 00500224 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2014-11-12 11:05 - 2014-10-02 21:11 - 00680960 _____ (Microsoft Corporation) C:\windows\system32\audiosrv.dll
2014-11-12 11:05 - 2014-10-02 21:11 - 00440832 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2014-11-12 11:05 - 2014-10-02 21:11 - 00296448 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2014-11-12 11:05 - 2014-10-02 21:11 - 00284672 _____ (Microsoft Corporation) C:\windows\system32\EncDump.dll
2014-11-12 11:05 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\windows\SysWOW64\AUDIOKSE.dll
2014-11-12 11:05 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2014-11-12 11:05 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2014-11-12 11:05 - 2014-09-19 04:42 - 00342016 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2014-11-12 11:05 - 2014-09-19 04:42 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2014-11-12 11:05 - 2014-09-19 04:42 - 00309760 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2014-11-12 11:05 - 2014-09-19 04:42 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2014-11-12 11:05 - 2014-09-19 04:42 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2014-11-12 11:05 - 2014-09-19 04:42 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2014-11-12 11:05 - 2014-09-19 04:23 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2014-11-12 11:05 - 2014-09-19 04:23 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2014-11-12 11:05 - 2014-09-19 04:23 - 00221184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2014-11-12 11:05 - 2014-09-19 04:23 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2014-11-12 11:05 - 2014-09-19 04:23 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2014-11-12 11:05 - 2014-09-19 04:23 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2014-11-12 11:05 - 2014-08-21 01:43 - 01882624 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2014-11-12 11:05 - 2014-08-21 01:40 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\msxml3r.dll
2014-11-12 11:05 - 2014-08-21 01:26 - 01237504 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2014-11-12 11:05 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3r.dll
2014-11-12 11:05 - 2014-08-11 21:02 - 00878080 _____ (Microsoft Corporation) C:\windows\system32\IMJP10K.DLL
2014-11-12 11:05 - 2014-08-11 20:36 - 00701440 _____ (Microsoft Corporation) C:\windows\SysWOW64\IMJP10K.DLL

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-11 13:52 - 2014-06-20 11:23 - 01474911 _____ () C:\windows\WindowsUpdate.log
2014-12-11 13:50 - 2014-07-01 08:33 - 00000550 _____ () C:\windows\Tasks\G2MUpdateTask-S-1-5-21-1469872871-1961492873-3088120506-1001.job
2014-12-11 13:49 - 2014-06-20 11:28 - 00034752 _____ () C:\windows\system32\Drivers\WPRO_41_2001.sys
2014-12-11 13:48 - 2014-06-20 11:31 - 00000000 ____D () C:\ProgramData\Validity
2014-12-11 13:48 - 2014-06-20 11:27 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-12-11 13:48 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-12-11 13:45 - 2009-07-14 00:13 - 00785858 _____ () C:\windows\system32\PerfStringBackup.INI
2014-12-11 13:42 - 2009-07-13 23:45 - 00034432 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-11 13:42 - 2009-07-13 23:45 - 00034432 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-11 13:18 - 2014-06-27 10:49 - 00000000 ____D () C:\Users\Oliver Koch\AppData\Roaming\Nitro PDF
2014-12-11 09:14 - 2014-06-25 17:02 - 00056134 _____ () C:\Users\Oliver Koch\Documents\plot.log
2014-12-10 09:21 - 2014-06-25 16:46 - 00000000 ____D () C:\Users\Oliver Koch\Documents\GE
2014-12-10 09:06 - 2014-06-25 16:43 - 00000000 ____D () C:\Users\Oliver Koch\Documents\EMD Chemicals
2014-12-09 19:10 - 2014-06-25 17:07 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Outlook New
2014-12-09 18:53 - 2014-06-25 16:40 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Acad
2014-12-08 10:32 - 2009-07-14 00:08 - 00032544 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2014-12-08 10:26 - 2009-07-13 23:45 - 00494216 _____ () C:\windows\system32\FNTCACHE.DAT
2014-12-06 16:40 - 2014-06-25 16:54 - 00000000 ____D () C:\Users\Oliver Koch\Documents\OKInc
2014-12-06 13:30 - 2014-06-25 14:57 - 00146784 _____ () C:\Users\Oliver Koch\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-06 13:10 - 2014-09-22 19:31 - 00000000 ____D () C:\Users\Public\Documents\Adobe PDF
2014-12-06 11:16 - 2014-06-25 17:05 - 00000000 ____D () C:\Users\Oliver Koch\AppData\Local\CrashDumps
2014-12-05 16:28 - 2012-10-01 14:26 - 00000000 ____D () C:\windows\Panther
2014-12-05 16:26 - 2014-06-25 17:58 - 00000000 ____D () C:\windows\system32\MRT
2014-12-05 16:18 - 2014-06-20 11:29 - 00000000 ____D () C:\windows\System32\Tasks\Lenovo
2014-12-05 16:18 - 2014-06-20 11:25 - 00000000 ____D () C:\Program Files\Lenovo
2014-12-05 16:16 - 2014-06-25 16:31 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-05 16:14 - 2014-06-25 17:15 - 00000000 ____D () C:\windows\PCHEALTH
2014-12-04 15:04 - 2014-07-07 13:37 - 00000000 ____D () C:\Users\Oliver Koch\AppData\Local\Akamai
2014-12-04 15:04 - 2014-06-25 17:00 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Tronox
2014-12-04 15:04 - 2014-06-25 16:52 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Gulfstream
2014-12-04 15:04 - 2014-06-25 16:52 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Golf
2014-12-04 15:04 - 2014-06-25 16:45 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Engineering
2014-12-04 15:04 - 2014-06-25 16:43 - 00000000 ____D () C:\Users\Oliver Koch\Documents\E-commerce
2014-12-04 15:04 - 2014-06-25 16:43 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Calculations
2014-12-04 15:04 - 2014-06-25 16:43 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Boat
2014-12-04 15:04 - 2014-06-20 11:33 - 00000000 ____D () C:\Program Files (x86)\SugarSync
2014-12-04 15:03 - 2014-08-18 20:10 - 00000000 ____D () C:\Users\Oliver Koch\AppData\Roaming\FileOpen
2014-12-04 15:03 - 2014-08-02 16:23 - 00000000 ____D () C:\Program Files\iPod
2014-12-04 15:03 - 2014-08-02 16:23 - 00000000 ____D () C:\Program Files (x86)\iTunes
2014-12-04 15:03 - 2014-06-25 17:01 - 00000000 ____D () C:\Users\Oliver Koch\Documents\VALUEADD
2014-12-04 15:03 - 2014-06-25 17:01 - 00000000 ____D () C:\Users\Oliver Koch\Documents\trucks
2014-12-04 15:03 - 2014-06-25 16:59 - 00000000 ____D () C:\Users\Oliver Koch\Documents\SWSHARE
2014-12-04 15:03 - 2014-06-25 16:55 - 00000000 ____D () C:\Users\Oliver Koch\Documents\PDH files
2014-12-04 15:03 - 2014-06-25 16:54 - 00000000 ____D () C:\Users\Oliver Koch\Documents\New Folder
2014-12-04 15:03 - 2014-06-25 16:54 - 00000000 ____D () C:\Users\Oliver Koch\Documents\My Data Sources
2014-12-04 15:03 - 2014-06-25 16:54 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Mopar
2014-12-04 15:03 - 2014-06-25 16:54 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Live Oak
2014-12-04 15:03 - 2014-06-25 16:53 - 00000000 ____D () C:\Users\Oliver Koch\Documents\INtercat
2014-12-04 15:03 - 2014-06-25 16:53 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Imperial
2014-12-04 15:03 - 2014-06-25 16:52 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Home
2014-12-04 15:03 - 2014-06-25 16:43 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Autos
2014-12-04 15:03 - 2014-06-20 11:27 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2014-12-04 15:03 - 2012-10-01 14:26 - 00000000 ____D () C:\SWTOOLS
2014-12-04 15:00 - 2014-06-20 11:33 - 00000000 ____D () C:\ProgramData\Norton
2014-12-04 08:24 - 2014-06-25 17:01 - 00004182 _____ () C:\windows\System32\Tasks\avast! Emergency Update
2014-11-30 11:13 - 2014-06-20 11:35 - 00000000 ____D () C:\windows\System32\Tasks\TVT
2014-11-30 11:12 - 2014-06-20 11:22 - 00000000 ____D () C:\Program Files\Synaptics
2014-11-30 11:12 - 2009-07-14 00:32 - 00000000 ____D () C:\windows\system32\WinBioPlugIns
2014-11-30 11:08 - 2014-06-20 11:29 - 00000000 ____D () C:\windows\Downloaded Installations
2014-11-25 15:03 - 2014-06-25 17:01 - 01050432 _____ (AVAST Software) C:\windows\system32\Drivers\aswsnx.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00436624 _____ (AVAST Software) C:\windows\system32\Drivers\aswsp.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00267632 _____ () C:\windows\system32\Drivers\aswVmm.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00116728 _____ (AVAST Software) C:\windows\system32\Drivers\aswstm.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00093568 _____ (AVAST Software) C:\windows\system32\Drivers\aswRdr2.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00083280 _____ (AVAST Software) C:\windows\system32\Drivers\aswMonFlt.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00065776 _____ () C:\windows\system32\Drivers\aswRvrt.sys
2014-11-25 15:03 - 2014-06-25 17:01 - 00029208 _____ () C:\windows\system32\Drivers\aswHwid.sys
2014-11-20 19:29 - 2014-01-28 20:05 - 00000096 _____ () C:\IFRToolLog.txt.zkujfxh
2014-11-20 14:09 - 2014-07-17 14:06 - 00000000 ____D () C:\ProgramData\WebEx
2014-11-17 12:01 - 2014-07-07 13:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Autodesk
2014-11-17 11:03 - 2014-07-07 13:45 - 00000000 ____D () C:\Users\Oliver Koch\Documents\Autodesk Application Manager
2014-11-14 11:48 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2014-11-13 08:14 - 2014-06-25 18:10 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-11-12 15:23 - 2014-06-25 17:12 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-12 14:43 - 2014-07-01 08:33 - 00003596 _____ () C:\windows\System32\Tasks\G2MUpdateTask-S-1-5-21-1469872871-1961492873-3088120506-1001

Some content of TEMP:
====================
C:\Users\Oliver Koch\AppData\Local\Temp\Quarantine.exe
C:\Users\Oliver Koch\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-12-06 16:27

==================== End Of Log ============================

 

 

 

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:30 PM

Posted 12 December 2014 - 08:04 AM


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...\Policies\Explorer: []
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1469872871-1961492873-3088120506-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
Task: {21CAC345-93BE-4C0A-B413-30564A2644E9} - System32\Tasks\jajlmhg => C:\Users\OLIVER~1\AppData\Local\Temp\oznsirghixmzgk.exe <==== ATTENTION
C:\Users\OLIVER~1\AppData\Local\Temp\oznsirghixmzgk.exe

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#5 okidoki

okidoki
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:30 PM

Posted 12 December 2014 - 09:24 AM

So far so good! 

After running the FRST, the COM surrogate has not shown up, and all seems well.  

Connected to internet, and the strange processes are not running anymore. Thanks

 

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2014 01
Ran by Oliver Koch at 2014-12-12 09:00:16 Run:1
Running from C:\Users\Oliver Koch\Desktop
Loaded Profiles: UpdatusUser & Oliver Koch (Available profiles: UpdatusUser & Oliver Koch)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...\Policies\Explorer: []
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1469872871-1961492873-3088120506-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
Task: {21CAC345-93BE-4C0A-B413-30564A2644E9} - System32\Tasks\jajlmhg => C:\Users\OLIVER~1\AppData\Local\Temp\oznsirghixmzgk.exe <==== ATTENTION
C:\Users\OLIVER~1\AppData\Local\Temp\oznsirghixmzgk.exe

End

*****************

Processes closed successfully.
HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value deleted successfully.
"HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-1469872871-1961492873-3088120506-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-1469872871-1961492873-3088120506-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{21CAC345-93BE-4C0A-B413-30564A2644E9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21CAC345-93BE-4C0A-B413-30564A2644E9}" => Key deleted successfully.
C:\Windows\System32\Tasks\jajlmhg => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\jajlmhg" => Key deleted successfully.
"C:\Users\OLIVER~1\AppData\Local\Temp\oznsirghixmzgk.exe" => File/Directory not found.

The system needed a reboot.

==== End of Fixlog ====

 

checkup:

 Results of screen317's Security Check version 0.99.93 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 25 
 Java version 32-bit out of Date!
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast AvastUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7%
````````````````````End of Log``````````````````````
 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:30 PM

Posted 12 December 2014 - 09:42 AM

Java 8 Update 25
Java version 32-bit out of Date


You have the latest version for your 64 bit system.
===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 okidoki

okidoki
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:30 PM

Posted 12 December 2014 - 10:05 AM

Thanks for the help, it was worth the wait. 



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,969 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:30 PM

Posted 12 December 2014 - 02:14 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users