
System files Rootkit


53 replies to this topic

#1 Vomit_Soup

  • Members
  • 42 posts
  • Local time: 07:20 AM

Posted 18 December 2014 - 05:09 AM

hey guys,

I am trying to fight off a SYSTEM FILES ROOTKIT; so far only 2 of 16 rootkit detectors found it,
GMER & UnHackMe.

I had blue screens, Zemana (changed for other software now) opened 20 connections, Avast
(changed for other software now) would not make updates, in Opera (changed for other software now)
a background connection would appear. An anti-logger test shows that my webcam, keyboard, cache,
screen aren't protected even though I have active protection. Other things happened that I don't recall
at the moment, details.

Just to give you an idea, GMER gives me these results that I type under here:

Process        (***hidden***)                             [4]8504FD90

UnHackMe detects it but needs the RegRun Warrior disk to remove it,
that's 80$ and we are one week before the holidays, bad timing. GMER has no removal feature,
however there are CMD & EXE windows to execute commands from.

If one of you guys knows scripts & is willing to help, or if you have another idea.




#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender: Male
  • Local time: 08:20 AM

Posted 23 December 2014 - 05:10 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/560251 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Vomit_Soup
  • Topic Starter

  • Members
  • 42 posts
  • Local time: 07:20 AM

Posted 23 December 2014 - 06:16 AM

So far, Dr.Web CureIt caught a trojan & deleted it (can't tell the trojan's name), probably the one who opened the door for the rootkit to install itself. I caught it on a ***DOT.TO video streaming site. I cannot paste anything on my CMD.exe. I blocked a few URLs (suspicious). Any anti-logging tool enabled won't work, but looks to be working (tested with AntiTest). Resources are lower, crash, lag, frozen, and my bandwidth has sudden low peaks, more things but that's all that comes to mind now....

HERE'S THE LOG :

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18975  BrowserJavaVersion: 10.67.2
Run by Yoda at 5:52:08 on 2014-12-23
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.2.1033.18.2037.807 [GMT -5:00]
.
AV: 360 Internet Security *Disabled/Updated* {2B66EE1E-E5C8-C2F7-648F-4E55AC68D37D}
SP: 360 Internet Security *Disabled/Updated* {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\HitmanPro.Alert\hmpalert.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
c:\program files\common files\Chameleon Manager\monitor.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Toolwiz TimeFreeze\ToolwizTimeFreezeGUI.exe
C:\Program Files\KeyScrambler\KeyScrambler.exe
C:\Program Files\SpyShelter Firewall\SpyShelter.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Users\Yoda\Documents\Moo0 SystemMonitor 1.64 Portable\SystemMonitor.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\Ditto\Ditto.exe
C:\Windows\system32\conime.exe
C:\Users\Yoda\AppData\Local\ToolwizCareFree\ToolwizCares.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Yoda\AppData\Local\ToolwizCareFree\ToolwizTools.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Unchecky\bin\unchecky_svc.exe
C:\Program Files\Unchecky\bin\unchecky_bg.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\QTranslate\QTranslate.exe
C:\Program Files\Comodo\IceDragon\icedragon.exe
C:\Program Files\Chameleon Task Manager\manager_task.exe
C:\WINDOWS\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Rising PC Doctor: {98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} - c:\windows\system32\UrlFilter.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [GUDelayStartup] "c:\program files\glary utilities 5\StartupManager.exe" -delayrun
uRun: [SpyShelter] c:\program files\spyshelter firewall\SpyShelter.exe
mRun: [Toolwiz TimeFreeze] "c:\program files\toolwiz timefreeze\ToolwizTimeFreezeGUI.exe" -autorun
mRun: [KeyScrambler] c:\program files\keyscrambler\keyscrambler.exe /a
mRun: [Registry Alert] c:\program files\registry alerts\Registry Alert.exe
mRun: [360sd] "c:\program files\360\360 internet security\360sdrun.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:253
uPolicies-Explorer: NoDriveAutoRun- = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun- = dword:0
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun- = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun- = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:253
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
TCP: NameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{B855F27C-BC8E-483E-898A-31D779658507} : DHCPNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{C3973864-79CD-4A5D-B52C-F508732068B9} : DHCPNameServer = 192.168.2.1 192.168.2.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
Hosts: 0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
Hosts: 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
Hosts: 0.0.0.0 media.opencandy.com
Hosts: 0.0.0.0 cdn.opencandy.com
Hosts: 0.0.0.0 tracking.opencandy.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 BTOWSVF;BTOWSVF;c:\windows\system32\drivers\BTOWSVF.sys [2014-4-15 51200]
R0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2014-11-18 17200]
R0 HookPort;HookPort;c:\windows\system32\drivers\hookport.sys [2014-11-24 54856]
R1 360AntiHacker;360Safe Anti Hacker Service;c:\windows\system32\drivers\360AntiHacker.sys [2014-11-24 86608]
R1 360Box;360Box mini-filter driver;c:\windows\system32\drivers\360Box.sys [2014-11-24 192080]
R1 360Camera;360Safe Camera Filter Service;c:\windows\system32\drivers\360Camera.sys [2014-11-24 35920]
R1 360SelfProtection;360SelfProtection;c:\windows\system32\drivers\360SelfProtection.sys [2014-11-24 165192]
R1 BAPIDRV;BAPIDRV;c:\windows\system32\drivers\BAPIDRV.SYS [2014-11-24 165968]
R1 BTOWSFF;BTOWSFF;c:\windows\system32\drivers\BTOWSFF.sys [2014-4-15 26880]
R1 EfiMon;EfiSystemMon;c:\windows\system32\drivers\efimon.sys [2014-11-24 22992]
R1 GUBootStartup;GUBootStartup;c:\windows\system32\drivers\GUBootStartup.sys [2014-5-19 17344]
R1 qutmdserv;Quantum DeepScanner Servers;c:\windows\system32\drivers\qutmdrv.sys [2014-11-24 233808]
R1 qutmipc;qutmipc;c:\windows\system32\drivers\qutmipc.sys [2014-11-24 43984]
R1 Spyshelter;Spyshelter;c:\program files\spyshelter firewall\SpyShelter.sys [2014-12-16 483680]
R1 SpyshelterKb;SpyshelterKb;c:\program files\spyshelter firewall\SpyshelterKb.sys [2014-12-16 114528]
R2 360rp;360 Internet Security Real-time Protection Loading Service;c:\program files\360\360 internet security\360rps.exe [2014-11-24 235848]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\displaylink core software\DisplayLinkManager.exe [2014-9-26 8549680]
R2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files\foxit software\foxit reader\foxit cloud\FCUpdateService.exe [2014-8-19 242728]
R2 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys [2014-12-4 75640]
R2 hmpalertsvc;HitmanPro.Alert Service;c:\program files\hitmanpro.alert\hmpalert.exe [2014-12-4 1876816]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]
R2 SpyshelterFw;SpyshelterFw;c:\program files\spyshelter firewall\SpyshelterTDI.sys [2014-12-16 89440]
R2 Unchecky;Unchecky;c:\program files\unchecky\bin\unchecky_svc.exe [2014-5-2 111208]
R2 ZhuDongFangYu;Proactive Defence;c:\program files\360\360 internet security\deepscan\QHActiveDefense.exe [2014-11-24 236360]
R3 360AvFlt;360AvFlt mini-filter driver;c:\windows\system32\drivers\360AvFlt.sys [2014-11-24 56912]
R3 DisplayLinkUsbIo;DisplayLinkUsbIo;c:\windows\system32\drivers\DisplayLinkUsbIo_7.7.57957.0.sys [2014-11-18 38192]
R3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2014-11-18 373040]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2014-10-29 209016]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2014-8-22 20040]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\yoda\documents\moo0 systemmonitor 1.64 portable\WinRing0.sys [2014-2-2 14416]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-5-29 30976]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2014-12-18 24416]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 camfrog_update_service;Camfrog Update Service;c:\program files\camfrog\camfrog video chat\update\cf_update_service.exe [2014-10-2 1032680]
.
=============== Created Last 30 ================
.
2014-12-23 07:10:43    62576    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{fb2bdc87-4efb-4652-8a76-9429cf5edb65}\offreg.dll
2014-12-23 06:49:39    9054624    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{fb2bdc87-4efb-4652-8a76-9429cf5edb65}\mpengine.dll
2014-12-18 08:45:53    --------    d-sh--r-    C:\comment.htt
2014-12-18 08:03:57    40720    ----a-w-    c:\windows\system32\Partizan.exe
2014-12-18 07:57:56    24416    ----a-w-    c:\windows\system32\drivers\regguard.sys
2014-12-17 01:57:15    57344    ----a-w-    c:\windows\system32\inject_logon_dll.dll
2014-12-17 01:57:15    33632    ----a-w-    c:\windows\system32\SpyShelterShellExt.dll
2014-12-17 01:57:15    32096    ----a-w-    c:\windows\system32\Osklauncher.exe
2014-12-17 01:57:14    --------    d-----w-    c:\users\yoda\appdata\roaming\SpyShelter
2014-12-17 01:57:14    --------    d-----w-    c:\program files\SpyShelter Firewall
2014-12-15 13:51:07    --------    d-----w-    c:\program files\common files\Chameleon Manager
2014-12-15 13:51:07    --------    d-----w-    c:\program files\Chameleon Task Manager
2014-12-14 13:29:16    --------    d-----w-    c:\users\yoda\appdata\roaming\SpyStudio
2014-12-14 13:29:16    --------    d-----w-    c:\users\yoda\appdata\roaming\Nektra
2014-12-14 13:28:37    --------    d-----w-    c:\users\yoda\appdata\local\Nektra
2014-12-14 10:47:48    --------    d-----w-    c:\users\yoda\appdata\roaming\Ditto
2014-12-14 10:47:34    --------    d-----w-    c:\program files\Ditto
2014-12-14 08:57:24    --------    d-----w-    c:\users\yoda\appdata\local\CrashRpt
2014-12-12 15:00:38    --------    d-----w-    c:\users\yoda\appdata\roaming\Process Hacker 2
2014-12-12 14:47:10    --------    d-----w-    c:\program files\Process Hacker 2
2014-12-11 17:41:00    --------    d-----w-    c:\programdata\RegRun
2014-12-11 17:40:30    35816    ----a-w-    c:\windows\system32\drivers\Partizan.sys
2014-12-11 17:40:05    2    --shatr-    c:\windows\winstart.bat
2014-12-11 17:39:55    12800    ----a-w-    c:\windows\system32\drivers\UnHackMeDrv.sys
2014-12-11 17:39:50    --------    d-----w-    c:\program files\UnHackMe
2014-12-11 15:23:54    --------    d-----w-    C:\NPE
2014-12-11 15:18:24    --------    d-----w-    c:\users\yoda\appdata\local\NPE
2014-12-11 02:05:03    --------    d-----w-    c:\program files\ThreatExpert Memory Scanner
2014-12-10 08:24:20    --------    d-----w-    c:\users\yoda\appdata\roaming\Opera Software
2014-12-10 07:50:07    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-10 06:21:52    33440    ----a-w-    c:\windows\system32\drivers\DasPtct.SYS
2014-12-09 10:07:24    7680    ----a-w-    c:\windows\system32\drivers\RKL4BD9.tmp.sys
2014-12-08 04:09:29    --------    d-----w-    c:\program files\Sophos
2014-12-08 02:55:52    --------    d-----w-    c:\programdata\Sophos
2014-12-06 15:08:45    --------    d-----w-    c:\windows\system32\catroot2
2014-12-06 07:19:20    --------    d-----w-    C:\System Recovery
2014-12-04 22:00:39    --------    d-sh--w-    C:\360Rec
2014-12-04 13:30:14    --------    d-----w-    c:\windows\CryptoGuard
2014-12-04 13:30:01    477008    ----a-w-    c:\windows\system32\hmpalert.dll
2014-12-04 13:29:45    75640    ----a-w-    c:\windows\system32\drivers\hmpalert.sys
2014-12-04 13:29:42    --------    d-----w-    c:\program files\HitmanPro.Alert
2014-11-28 17:10:36    --------    d-----w-    c:\users\yoda\appdata\local\temp
2014-11-28 17:09:45    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-11-25 09:26:34    --------    d-----w-    c:\programdata\UVK
2014-11-25 08:58:02    --------    d-----w-    c:\program files\UVK - Ultra Virus Killer
2014-11-25 00:13:23    --------    d-----w-    C:\FRST
2014-11-24 12:53:32    --------    d-----w-    c:\users\yoda\Doctor Web
2014-11-24 09:16:06    56912    ----a-w-    c:\windows\system32\drivers\360AvFlt.sys
2014-11-24 09:12:28    --------    d-----w-    c:\program files\360
2014-11-23 12:03:49    --------    d-----w-    c:\windows\system32\wbem\repository
.
==================== Find3M  ====================
.
2014-12-17 01:08:24    30976    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2014-12-16 05:37:58    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-16 05:37:58    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-28 15:53:12    34808    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-11-24 19:04:58    229000    ------w-    c:\windows\system32\MpSigStub.exe
2014-11-18 23:27:47    860672    ----a-w-    c:\windows\system32\DisplayLinkUsbCo2_7.7.57957.0.dll
2014-11-18 23:27:45    38192    ----a-w-    c:\windows\system32\drivers\DisplayLinkUsbIo_7.7.57957.0.sys
2014-10-18 20:38:09    17344    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
2014-09-26 13:03:18    373040    ----a-w-    c:\windows\system32\drivers\dlkmd.sys
2014-09-26 13:03:18    17200    ----a-w-    c:\windows\system32\drivers\dlkmdldr.sys
2014-09-26 13:00:02    1661744    ----a-w-    c:\windows\system32\dlumd64.dll
2014-09-26 12:59:59    1296176    ----a-w-    c:\windows\system32\dlumd32.dll
2014-09-26 12:59:56    128304    ----a-w-    c:\windows\system32\DLTmmB.dll
2014-09-26 12:59:56    125232    ----a-w-    c:\windows\system32\ManageTMMLifeTime.dll
.
============= FINISH:  5:54:11.95 ===============
 

Edited by Vomit_Soup, 23 December 2014 - 06:20 AM.
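As an added defender-side example (this is not code from the thread, from DDS, or from any other tool named in it), the helper below parses lines in the layout DDS prints in its SERVICES / DRIVERS section and flags entries whose binary lives outside the usual install directories, as the WinRing0.sys entry in the log above does. The R/S state letter and the start-type digit are read the conventional way (R running / S stopped; 0 boot, 1 system, 2 auto, 3 manual, 4 disabled), which is an assumption of this example rather than something the thread states; the sample lines are constructed in that format, and the ExampleDrv entry is invented.

```python
import re
from pathlib import PureWindowsPath

# Added example, not from the thread. One DDS service/driver line looks like:
#   <R|S><start digit> <service name>;<display name>;<image path> [<date> <size>]
# The meaning of R/S and of the start digit below is an assumption of this example.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Directories a driver or service binary is normally installed under.
TRUSTED_ROOTS = (
    PureWindowsPath(r"c:\windows"),
    PureWindowsPath(r"c:\program files"),
    PureWindowsPath(r"c:\program files (x86)"),
)

# Constructed sample input in DDS format (first five modelled on the log above,
# the last one invented to show a binary running from a temp directory).
SAMPLE_LINES = [
    r"R0 HookPort;HookPort;c:\windows\system32\drivers\hookport.sys [2014-11-24 54856]",
    r"R1 Spyshelter;Spyshelter;c:\program files\spyshelter firewall\SpyShelter.sys [2014-12-16 483680]",
    r"R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\yoda\documents\moo0 systemmonitor 1.64 portable\WinRing0.sys [2014-2-2 14416]",
    r"S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2014-12-18 24416]",
    r"R2 Unchecky;Unchecky;c:\program files\unchecky\bin\unchecky_svc.exe [2014-5-2 111208]",
    r"R3 ExampleDrv;Example Driver (constructed);c:\users\yoda\appdata\local\temp\exampledrv.sys [2014-12-9 7680]",
]


def parse_dds_service_line(line):
    """Return a dict for one DDS service/driver line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "running": d["state"] == "R",
        "start_type": START_TYPES.get(d["start"], "unknown"),
        "name": d["name"],
        "display": d["display"],
        "path": d["path"],
        "date": d["date"],
        "size": int(d["size"]),
    }


def under_trusted_root(path):
    """True if the image path sits inside one of TRUSTED_ROOTS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(p == root or root in p.parents for root in TRUSTED_ROOTS)


def triage(lines):
    """Parse DDS lines and return the entries worth a manual look, each with reasons."""
    findings = []
    for line in lines:
        entry = parse_dds_service_line(line)
        if entry is None:
            continue
        reasons = []
        lower = entry["path"].lower()
        if not under_trusted_root(entry["path"]):
            reasons.append("binary outside Windows / Program Files")
        if "\\temp\\" in lower or "\\appdata\\" in lower:
            reasons.append("binary in a temp/AppData directory")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        state = "running" if f["running"] else "stopped"
        print(f"{f['name']} ({state}, {f['start_type']} start): {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Entries the helper flags are not verdicts: WinRing0.sys here belongs to the portable Moo0 system monitor the user runs, which is exactly why its path is unusual. The point is to turn a long log into a short list of items to verify by hand (publisher signature, hash, when it appeared) before anything is removed.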


#4 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender: Male
  • Local time: 08:20 PM

Posted 26 December 2014 - 10:58 PM

**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. If you fail to do so, we will have your thread closed in THREE (3) days.

:)


Hello there, Vomit_Soup

:welcome:

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to back up all your important data (if possible) before moving on.

---------------------------------------------------------------------------------------------------

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide


Download ComboFix from one of these locations:

Link 1
Link 2



* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

---------------------------------------------------------------------------------------------------
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#5 Vomit_Soup
  • Topic Starter

  • Members
  • 42 posts
  • Local time: 07:20 AM

Posted 28 December 2014 - 09:17 PM

Sorry if I'm so late, but I had to do it twice because on the first time I forgot I was in a frozen mode state, so nothing I did was kept after ComboFix rebooted the program. The first scan took 3h30min & the second took a little less than that.

I believe GMER codes would be the solution.

COMBOFIX LOGS :

 

ComboFix 14-12-25.01 - Yoda 28/12/2014  11:49:10.6.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.2.1033.18.2037.1316 [GMT -5:00]
Running from: c:\users\Yoda\Desktop\ComboFix.exe
AV: 360 Internet Security *Disabled/Updated* {2B66EE1E-E5C8-C2F7-648F-4E55AC68D37D}
SP: 360 Internet Security *Disabled/Updated* {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\360Rec
c:\360rec\20141204\1709240.vir
c:\360rec\20141208\064A8CC.vir
c:\360rec\20141208\064A9C6.vir
c:\360rec\20141208\064AA25.vir
c:\360rec\20141208\064AA83.vir
c:\360rec\20141208\064AB01.vir
c:\360rec\20141210\0142E50.vir
c:\360rec\20141224\0156EDB.vir
c:\360rec\20141227\174C9C4.vir
c:\users\Yoda\Desktop\Setup.exe
c:\windows\system32\kmon.dll
c:\windows\system32\spsys.log
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-28 to 2014-12-28  )))))))))))))))))))))))))))))))
.
.
2014-12-28 19:41 . 2014-12-28 19:41    --------    d-----w-    c:\users\Yoda\AppData\Local\temp
2014-12-28 19:41 . 2014-12-28 19:41    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-12-28 19:41 . 2014-12-28 19:41    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-12-18 08:45 . 2014-12-18 08:45    --------    d-----r-    C:\comment.htt
2014-12-18 08:03 . 2014-12-18 08:03    40720    ----a-w-    c:\windows\system32\Partizan.exe
2014-12-18 07:57 . 2014-12-18 07:57    24416    ----a-w-    c:\windows\system32\drivers\regguard.sys
2014-12-18 06:41 . 2014-12-02 11:01    9054624    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{2E18ACEF-3D7E-46A2-B700-0772B934AD07}\mpengine.dll
2014-12-17 01:57 . 2014-10-03 03:26    32096    ----a-w-    c:\windows\system32\Osklauncher.exe
2014-12-17 01:57 . 2014-09-18 23:52    57344    ----a-w-    c:\windows\system32\inject_logon_dll.dll
2014-12-17 01:57 . 2014-06-19 05:44    33632    ----a-w-    c:\windows\system32\SpyShelterShellExt.dll
2014-12-17 01:57 . 2014-12-17 02:07    --------    d-----w-    c:\users\Yoda\AppData\Roaming\SpyShelter
2014-12-17 01:57 . 2014-12-17 01:57    --------    d-----w-    c:\program files\SpyShelter Firewall
2014-12-15 13:51 . 2014-12-15 13:51    --------    d-----w-    c:\program files\Common Files\Chameleon Manager
2014-12-15 13:51 . 2014-12-15 13:51    --------    d-----w-    c:\program files\Chameleon Task Manager
2014-12-14 13:29 . 2014-12-14 13:29    --------    d-----w-    c:\users\Yoda\AppData\Roaming\SpyStudio
2014-12-14 13:29 . 2014-12-14 13:29    --------    d-----w-    c:\users\Yoda\AppData\Roaming\Nektra
2014-12-14 13:28 . 2014-12-14 13:28    --------    d-----w-    c:\users\Yoda\AppData\Local\Nektra
2014-12-14 10:47 . 2014-12-27 22:48    --------    d-----w-    c:\users\Yoda\AppData\Roaming\Ditto
2014-12-14 10:47 . 2014-12-14 10:47    --------    d-----w-    c:\program files\Ditto
2014-12-14 08:57 . 2014-12-28 09:33    --------    d-----w-    c:\users\Yoda\AppData\Local\CrashRpt
2014-12-12 15:00 . 2014-12-12 15:00    --------    d-----w-    c:\users\Yoda\AppData\Roaming\Process Hacker 2
2014-12-12 14:47 . 2014-12-12 14:47    --------    d-----w-    c:\program files\Process Hacker 2
2014-12-11 17:41 . 2014-12-18 07:54    --------    d-----w-    c:\programdata\RegRun
2014-12-11 17:40 . 2014-12-11 17:40    35816    ----a-w-    c:\windows\system32\drivers\Partizan.sys
2014-12-11 17:40 . 2014-12-11 17:40    2    --shatr-    c:\windows\winstart.bat
2014-12-11 17:39 . 2014-12-11 23:41    12800    ----a-w-    c:\windows\system32\drivers\UnHackMeDrv.sys
2014-12-11 17:39 . 2014-12-25 08:47    --------    d-----w-    c:\program files\UnHackMe
2014-12-11 15:23 . 2014-12-11 15:25    --------    d-----w-    C:\NPE
2014-12-11 15:18 . 2014-12-11 15:42    --------    d-----w-    c:\users\Yoda\AppData\Local\NPE
2014-12-11 02:05 . 2014-12-11 02:17    --------    d-----w-    c:\program files\ThreatExpert Memory Scanner
2014-12-10 08:24 . 2014-12-12 14:14    --------    d-----w-    c:\users\Yoda\AppData\Roaming\Opera Software
2014-12-10 07:50 . 2014-12-10 07:49    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-10 07:49 . 2014-12-10 07:49    --------    d-----w-    c:\program files\Java
2014-12-10 06:21 . 2014-03-17 19:09    33440    ----a-w-    c:\windows\system32\drivers\DasPtct.SYS
2014-12-09 10:07 . 2014-12-09 10:07    7680    ----a-w-    c:\windows\system32\drivers\RKL4BD9.tmp.sys
2014-12-08 04:09 . 2014-12-08 04:09    --------    d-----w-    c:\program files\Sophos
2014-12-08 02:55 . 2014-12-08 04:10    --------    d-----w-    c:\programdata\Sophos
2014-12-06 15:08 . 2014-12-24 19:49    --------    d-----w-    c:\windows\system32\catroot2
2014-12-06 07:19 . 2014-12-06 07:58    --------    d-----w-    C:\System Recovery
2014-12-04 13:30 . 2014-12-21 14:06    --------    d-----w-    c:\windows\CryptoGuard
2014-12-04 13:30 . 2014-12-04 13:30    477008    ----a-w-    c:\windows\system32\hmpalert.dll
2014-12-04 13:29 . 2014-12-04 13:29    75640    ----a-w-    c:\windows\system32\drivers\hmpalert.sys
2014-12-04 13:29 . 2014-12-04 13:29    --------    d-----w-    c:\program files\HitmanPro.Alert
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-17 01:08 . 2014-05-29 21:34    30976    ----a-w-    c:\windows\system32\drivers\hitmanpro37.sys
2014-12-16 05:37 . 2014-02-03 03:04    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-16 05:37 . 2014-02-03 03:04    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-28 15:53 . 2014-11-20 02:22    34808    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-11-24 19:04 . 2014-02-03 02:57    229000    ------w-    c:\windows\system32\MpSigStub.exe
2014-11-18 23:27 . 2014-11-18 23:27    860672    ----a-w-    c:\windows\system32\DisplayLinkUsbCo2_7.7.57957.0.dll
2014-11-18 23:27 . 2014-11-18 23:27    38192    ----a-w-    c:\windows\system32\drivers\DisplayLinkUsbIo_7.7.57957.0.sys
2014-10-18 20:38 . 2014-05-20 02:00    17344    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GUDelayStartup"="c:\program files\Glary Utilities 5\StartupManager.exe" [2014-12-08 37152]
"SpyShelter"="c:\program files\SpyShelter Firewall\SpyShelter.exe" [2014-10-23 3478368]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Toolwiz TimeFreeze"="c:\program files\Toolwiz TimeFreeze\ToolwizTimeFreezeGUI.exe" [2014-04-15 1677912]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2014-05-31 508144]
"Registry Alert"="c:\program files\Registry Alerts\Registry Alert.exe" [2012-11-30 428032]
"360sd"="c:\program files\360\360 Internet Security\360sdrun.exe" [2014-04-16 287560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0Partizan\0nco??n??
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
2011-04-22 03:41    1591808    ----a-w-    c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GUDelayStartup]
2014-12-08 05:47    37152    ----a-w-    c:\program files\Glary Utilities 5\StartupManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-02-26 16:52    138008    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-02-26 16:52    133912    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProcessTamer]
2009-03-28 01:53    163840    ----a-w-    c:\program files\ProcessTamer\ProcessTamerTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runeip]
2014-02-03 01:40    141936    ----a-w-    c:\program files\Rising\AntiSpyware\RSTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2014-07-25 17:29    256896    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe"
"HotKeysCmds"="c:\windows\system32\hkcmd.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 360rp;360 Internet Security Real-time Protection Loading Service;c:\program files\360\360 Internet Security\360rps.exe [2014-05-07 235848]
S1 360AntiHacker;360Safe Anti Hacker Service;c:\windows\system32\Drivers\360AntiHacker.sys [2014-04-21 86608]
S1 360Box;360Box mini-filter driver;c:\windows\system32\DRIVERS\360Box.sys [2014-04-28 192080]
S1 360Camera;360Safe Camera Filter Service;c:\windows\system32\Drivers\360Camera.sys [2014-04-29 35920]
S1 360SelfProtection;360SelfProtection;c:\windows\system32\drivers\360SelfProtection.sys [2014-05-07 165192]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\Yoda\Desktop\EEK\RUN\a2ddax86.sys [2013-09-04 22056]
S3 360AvFlt;360AvFlt mini-filter driver;c:\windows\system32\DRIVERS\360AvFlt.sys [2014-04-23 56912]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Partizan
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx    REG_MULTI_SZ       scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-09 c:\windows\Tasks\GlaryInitialize 5.job
- c:\program files\Glary Utilities 5\Initialize.exe [2014-12-08 05:46]
.
2014-12-28 c:\windows\Tasks\WpsNotifyTask_Yoda.job
- c:\users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsnotify.exe [2014-08-17 07:06]
.
2014-12-28 c:\windows\Tasks\WpsUpdateTask_Yoda.job
- c:\users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsupdate.exe [2014-08-17 07:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-12-28 14:41
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2014-12-28  14:46:59
ComboFix-quarantined-files.txt  2014-12-28 19:46
ComboFix2.txt  2014-11-28 17:10
ComboFix3.txt  2014-04-25 05:27
ComboFix4.txt  2014-04-17 21:36
ComboFix5.txt  2014-12-28 16:44
.
Pre-Run: 35,208,470,528 bytes free
Post-Run: 35,112,456,192 bytes free
.
- - End Of File - - 71170BA35A09ACB68C66C23E19F336AD
AB2261D98AB453077A8FC300866B802F
 



#6 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender:Male

Posted 29 December 2014 - 08:18 AM

Hi,

No worries about responding late. As long as you keep us informed, we're all good. :)

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#7 Vomit_Soup

  • Topic Starter
  • Members
  • 42 posts

Posted 29 December 2014 - 09:03 PM

# AdwCleaner v4.106 - Report created 29/12/2014 at 20:40:46
# Updated 21/12/2014 by Xplode
# Database : 2014-12-28.1 [Live]
# Operating System : Windows Vista ™ Home Premium Service Pack 1 (32 bits)
# Username : Yoda - YODA-PC
# Running from : C:\Users\Yoda\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Yoda\AppData\Local\CrashRpt

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18975


-\\ Chromium v


*************************

AdwCleaner[R0].txt - [940 octets] - [03/02/2014 08:58:45]
AdwCleaner[R10].txt - [1713 octets] - [10/04/2014 14:09:39]
AdwCleaner[R11].txt - [1783 octets] - [14/04/2014 13:37:05]
AdwCleaner[R12].txt - [1904 octets] - [24/04/2014 23:59:07]
AdwCleaner[R13].txt - [1965 octets] - [13/05/2014 15:21:45]
AdwCleaner[R14].txt - [2076 octets] - [04/06/2014 18:31:38]
AdwCleaner[R15].txt - [2152 octets] - [24/06/2014 03:48:51]
AdwCleaner[R16].txt - [2211 octets] - [05/07/2014 02:12:52]
AdwCleaner[R17].txt - [2272 octets] - [24/07/2014 00:52:58]
AdwCleaner[R18].txt - [2371 octets] - [22/09/2014 05:18:30]
AdwCleaner[R19].txt - [2702 octets] - [15/11/2014 07:30:44]
AdwCleaner[R1].txt - [763 octets] - [05/02/2014 00:19:47]
AdwCleaner[R20].txt - [2637 octets] - [15/11/2014 07:56:57]
AdwCleaner[R21].txt - [2698 octets] - [15/11/2014 08:20:17]
AdwCleaner[R22].txt - [2812 octets] - [18/11/2014 01:45:51]
AdwCleaner[R23].txt - [2881 octets] - [18/11/2014 18:21:50]
AdwCleaner[R24].txt - [2995 octets] - [20/11/2014 15:25:44]
AdwCleaner[R25].txt - [3249 octets] - [22/11/2014 16:44:03]
AdwCleaner[R26].txt - [3200 octets] - [26/11/2014 18:35:42]
AdwCleaner[R27].txt - [3212 octets] - [13/12/2014 07:13:35]
AdwCleaner[R28].txt - [3265 octets] - [29/12/2014 20:36:48]
AdwCleaner[R2].txt - [881 octets] - [09/02/2014 13:59:12]
AdwCleaner[R3].txt - [940 octets] - [13/02/2014 17:59:46]
AdwCleaner[R4].txt - [1092 octets] - [24/02/2014 12:58:07]
AdwCleaner[R5].txt - [1215 octets] - [28/02/2014 19:41:22]
AdwCleaner[R6].txt - [1302 octets] - [21/03/2014 22:33:27]
AdwCleaner[R7].txt - [1357 octets] - [26/03/2014 18:44:17]
AdwCleaner[R8].txt - [1417 octets] - [26/03/2014 19:18:54]
AdwCleaner[R9].txt - [1541 octets] - [05/04/2014 13:14:02]
AdwCleaner[S0].txt - [1006 octets] - [03/02/2014 09:01:03]
AdwCleaner[S10].txt - [2768 octets] - [15/11/2014 07:35:32]
AdwCleaner[S11].txt - [2876 octets] - [18/11/2014 01:50:54]
AdwCleaner[S12].txt - [3321 octets] - [22/11/2014 16:49:42]
AdwCleaner[S13].txt - [2648 octets] - [29/12/2014 20:40:46]
AdwCleaner[S1].txt - [823 octets] - [05/02/2014 00:21:02]
AdwCleaner[S2].txt - [1000 octets] - [13/02/2014 18:00:31]
AdwCleaner[S3].txt - [1156 octets] - [24/02/2014 12:59:21]
AdwCleaner[S4].txt - [1279 octets] - [28/02/2014 19:42:24]
AdwCleaner[S5].txt - [1479 octets] - [26/03/2014 19:19:50]
AdwCleaner[S6].txt - [1602 octets] - [05/04/2014 13:14:55]
AdwCleaner[S7].txt - [1778 octets] - [10/04/2014 14:10:49]
AdwCleaner[S8].txt - [1844 octets] - [14/04/2014 13:38:06]
AdwCleaner[S9].txt - [2139 octets] - [04/06/2014 18:32:44]

########## EOF - C:\AdwCleaner\AdwCleaner[S13].txt - [3248 octets] ##########
 



#8 Conspire

  • Malware Response Team
  • 1,155 posts
  • Gender:Male

Posted 29 December 2014 - 11:45 PM

Hello,

Seems like you've been running it many times.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

#9 Vomit_Soup

  • Topic Starter
  • Members
  • 42 posts

Posted 31 December 2014 - 02:00 AM

OK, I just downloaded FARBAR & will do it in a few hours, but I thought it might not hurt to post this:

 

Just an observation: after this infection on this laptop I started using SpyShelter as a means of defense, to try to restrict
the damage and the connections to bad servers. On my traffic monitor (Crowd inspector) I have an orange (suspicious) dot beside that process, so I verified and see the following copy of the V/T results feature.

__________________________________________________________________________________


Connection is :

  

process name > C:\Program Files\SpyShelter  Firewall\SpyShelter.exe

PID process ID > 3092

VT VirusTotal results > 5%

Inject > OK

MHR > ??

WOT Web of Trust > 88%

Type > TCP

State > Close_Wait

Local IP > 192.168.2.10

Local Port > 49170

Remote IP > 92.51.134.197

Remote Port > 80

DNS > www.spyshelter.com


NOTE: ** THE FIRST 3 RESULTS OF THE LIST ARE POSITIVE, THE REST ARE NEGATIVE **

VIRUSTOTAL REPORT  31 DEC 2014 1:19 am

Process:    C:\Program Files\SpyShelter Firewall\SpyShelter.exe
SHA256:    bb0de9f2988dc046db85361af2e7f6f29303cbd6e731bcaeee58c64d12998b32

AV Name                Detected  Version         Updated   Result

Bkav                   true      1.3.0.6267      20141226  HW32.Packed.78FA
CMC                    true      1.1.0.977       20141218  Heur.Win32.Obfuscated.1!O
TrendMicro-HouseCall   true      9.700.0.1001    20141227  Suspicious_GEN.F47V1216

CAT-QuickHeal          false     14.00           20141227  null
McAfee                 false     6.0.5.614       20141227  null
Malwarebytes           false     1.75.0.1        20141227  null
Zillya                 false     2.0.0.2017      20141226  null
SUPERAntiSpyware       false     5.6.0.1032      20141227  null
TheHacker              false     6.8.0.5.504     20141227  null
K7GW                   false     9.188.14469     20141226  null
K7AntiVirus            false     9.188.14468     20141226  null
Agnitum                false     5.5.1.3         20141227  null
F-Prot                 false     4.7.1.166       20141227  null
Symantec               false     20141.1.0.330   20141227  null
Norman                 false     7.04.04         20141227  null
TotalDefense           false     37.0.11353      20141227  null
ClamAV                 false     0.98.5.0        20141227  null
Kaspersky              false     15.0.1.10       20141227  null
BitDefender            false     7.2             20141227  null
NANO-Antivirus         false     0.30.0.64448    20141227  null
AegisLab               false     1.5             20141227  null
ByteHero               false     1.0.0.1         20141227  null
Tencent                false     1.0.0.1         20141227  null
Ad-Aware               false     12.0.163.0      20141227  null
Emsisoft               false     3.0.0.600       20141227  null
Comodo                 false     20501           20141227  null
F-Secure               false     11.0.19100.45   20141227  null
DrWeb                  false     7.0.10.8210     20141227  null
VIPRE                  false     36130           20141227  null
TrendMicro             false     9.740.0.1012    20141227  null
McAfee-GW-Edition      false     v2014.2         20141227  null
Sophos                 false     4.98.0          20141227  null
Cyren                  false     5.4.1.7         20141227  null
Jiangmin               false     16.0.100        20141227  null
Avira                  false     7.11.198.70     20141227  null
Antiy-AVL              false     1.0.0.1         20141227  null
Kingsoft               false     2013.4.9.267    20141227  null
Microsoft              false     1.11302         20141227  null
ViRobot                false     2014.3.20.0     20141227  null
GData                  false     24              20141227  null
AhnLab-V3              false     2014.12.28.00   20141227  null
ALYac                  false     1.0.1.4         20141227  null
AVware                 false     1.5.0.21        20141227  null
VBA32                  false     3.12.26.3       20141226  null
Baidu-International    false     3.5.1.41473     20141227  null
Zoner                  false     1.0             20141226  null
ESET-NOD32             false     10934           20141227  null
Rising                 false     25.0.0.17       20141227  null
Ikarus                 false     T3.1.8.5.0      20141227  null
Fortinet               false     5.0.999.0       20141227  null
AVG                    false     15.0.0.4253     20141227  null
Panda                  false     4.6.4.2         20141227  null
Qihoo-360              false     1.0.0.1015      20141227  null



#10 Vomit_Soup

  • Topic Starter
  • Members
  • 42 posts

Posted 31 December 2014 - 09:49 AM

FARBAR :

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-12-2014
Ran by Yoda at 2014-12-31 09:43:26
Running from C:\Users\Yoda\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: 360 Internet Security (Disabled - Up to date) {2B66EE1E-E5C8-C2F7-648F-4E55AC68D37D}
AS: 360 Internet Security (Disabled - Up to date) {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

360 Internet Security (HKLM\...\360 Internet Security) (Version: 4.9.0.4902 - Qihu 360 Software Co., Ltd.)
Acer LCD Monitor (HKLM\...\{61B4F5AF-BD39-4BE3-A72C-D89E0190B25C}) (Version: 4.5.14974.0 - Acer)
ActiveCheck component for HP Active Support Library (Version: 3.0.0.2 - Hewlett-Packard) Hidden
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Camfrog Video Chat 6.8 (HKLM\...\Camfrog) (Version: 6.8.398 - Camshare, Inc.)
Chameleon Task Manager version 4.0.0.755 (HKLM\...\{96C45BE0-C1AA-41B3-B161-F331DBC29B84-task}}_is1) (Version: 4.0.0.755 - NeoSoft Tools)
Comodo IceDragon (HKLM\...\Comodo IceDragon) (Version: 26.0.0.2 - COMODO)
DisplayLink Core Software (HKLM\...\{63870BF4-858B-445D-8C4B-4866B6D0397B}) (Version: 7.7.57957.0 - DisplayLink Corp.)
Ditto (HKLM\...\Ditto_is1) (Version:  - Scott Brogden)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
ESU for Microsoft Vista (HKLM\...\{88A548E6-4B09-43E7-AD55-3C7D1B37706D}) (Version: 2.0.2.1 - Hewlett-Packard)
Foxit Cloud (HKLM\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 1.7.140.701 - Foxit Corporation)
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 6.2.2.802 - Foxit Corporation)
Free Viewer (HKLM\...\{5EF92F52-FA16-4CA6-A204-811524BEE514}_is1) (Version: 1.0 - Free Viewer, LLC)
Gadwin PrintScreen (HKLM\...\Gadwin PrintScreen) (Version: 4.7 - Gadwin Systems, Inc.)
Glary Utilities PRO 5.14 (HKLM\...\Glary Utilities 5) (Version: 5.14.0.27 - Glarysoft Ltd)
herdProtect Anti-Malware Scanner (HKLM\...\herdProtectScan) (Version: 1.0 - Reason Company Software Inc.)
HitmanPro.Alert (HKLM\...\HitmanPro.Alert) (Version: 2.6.5.77 - SurfRight B.V.)
HP Easy Setup - Frontend (HKLM\...\{40F7AED3-0C7D-4582-99F6-484A515C73F2}) (Version: 5.1.0.2279 - Hewlett-Packard)
HP Help and Support (HKLM\...\{9061CEF2-51F5-42C9-8A70-9ED351C6597A}) (Version: 1.1.0 - Hewlett-Packard)
HP Wireless Assistant (HKLM\...\{D32067CD-7409-4792-BFA0-1469BCD8F0C8}) (Version: 3.00 F1 - Hewlett-Packard)
HPAsset component for HP Active Support Library (Version: 3.0.2.2 - Hewlett-Packard) Hidden
HPNetworkAssistant (HKLM\...\{228C6B46-64E2-404E-898A-EF0830603EF4}) (Version: 1.1.70 - Hewlett-Packard.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
KeyScrambler (HKLM\...\KeyScrambler) (Version: 3.4.0.2 - QFX Software Corporation)
K-Lite Codec Pack 7.0.0 (Standard) (HKLM\...\KLiteCodecPack_is1) (Version: 7.0.0 - )
L&H TTS3000 Deutsch (HKLM\...\LHTTSGED) (Version:  - )
L&H TTS3000 Français (HKLM\...\LHTTSFRF) (Version:  - )
LightScribe  1.4.136.1 (Version: 1.4.136.1 - http://www.lightscribe.com) Hidden
Maxthon Cloud Browser (HKLM\...\Maxthon3) (Version: 4.4.1.2000 - Maxthon International Limited)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version:  - )
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Model Air Design V1.5 Demo (HKLM\...\{2BF7E9E3-AA37-4F18-9A95-2019B6E78B51}_is1) (Version:  - Model Air Design)
MPC-HC 1.7.0 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.0.7858 - MPC-HC Team)
MSCU for Microsoft Vista (HKLM\...\{3FFB3B34-D639-4384-9AE9-DDE58430D86F}) (Version: 1.0.1.1 - Hewlett-Packard)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
muvee autoProducer 6.0 (HKLM\...\{0BFC200F-C45D-4271-AF34-4CA969225DEB}) (Version: 6.00.050 - muvee Technologies)
PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)
PrivaZer (HKLM\...\PrivaZer) (Version: 2.24.1.0 - Goversoft LLC)
Process Hacker 2.33 (r5590) (HKLM\...\Process_Hacker2_is1) (Version: 2.33.0.5590 - wj32)
Process Tamer 2.11.01 (HKLM\...\Process Tamer_is1) (Version:  - )
PSSWCORE (Version: 2.00.5000 - Hewlett-Packard) Hidden
QTranslate 5.1.0 (HKLM\...\QTranslate) (Version: 5.1.0 - QuestSoft)
RcCAD (HKLM\...\{D1C97486-9D41-4EC5-9992-8FC2E5DF051D}) (Version: 3.0.0 - RcCAD)
ReadPlease 2003/ReadPlease PLUS 2003 (HKLM\...\ReadPlease 2003_is1) (Version: 2003.1.10 - ReadPlease Corporation)
Registry Alerts (HKLM\...\{AD4AD437-D51D-48D0-B99F-9BE25C375B29}) (Version: 4.4.1211 - Probsol)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Rising PC Doctor (HKLM\...\RisingKaKa) (Version:  - )
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.4.0 - Roxio)
Roxio Creator Basic v9 (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.4.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.4.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.4.0 - Roxio)
Roxio Creator EasyArchive (HKLM\...\{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}) (Version: 3.4.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.4.0 - Roxio)
Roxio Express Labeler 3 (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 3.2.1 - Roxio)
Screen Calipers (HKLM\...\Screen Calipers) (Version: 4.0 - Iconico)
Secunia PSI (2.0.0.3003) (HKLM\...\Secunia PSI) (Version:  - )
Sophos Virus Removal Tool (HKLM\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.4 - Sophos Limited)
SpyShelter Firewall 9.5 (HKLM\...\SpyshelterInternetSecurity_is1) (Version: 9.5 - )
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 9.1.11.0 - Synaptics)
ThreatExpert Memory Scanner 1.0 (HKLM\...\ThreatExpert Memory Scanner_is1) (Version: 1.0.1.0 - Threat Expert Ltd.)
Timed Shutdown (HKLM\...\Timed Shutdown_is1) (Version: 6.2 - Tinnes Software)
Toolwiz TimeFreeze (HKLM\...\Toolwiz TimeFreeze) (Version: 2.1.0.0 - Toolwiz  TimeFreeze Installer)
Tweaking.com - Windows Repair (All in One) (HKLM\...\Tweaking.com - Windows Repair (All in One)) (Version: 2.10.2 - Tweaking.com)
Unchecky v0.3.5 (HKLM\...\Unchecky) (Version: 0.3.5 - RaMMicHaeL)
UnHackMe 7.55 release (HKLM\...\UnHackMe_is1) (Version:  - Greatis Software, LLC.)
VisiPics V1.31 (HKLM\...\VisiPics_is1) (Version:  - Ozone)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
VT Hash Check 1.4 (HKLM\...\{1E579B65-503B-4184-B481-5138124BEE1D}_is1) (Version: 1.31 - Boredom Software)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
WPS Office (9.1.0.4746) (HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\...\WPS Office) (Version: 9.1.0.4746 - Kingsoft Corp.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020812-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020820-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020821-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020830-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020832-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020900-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020906-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020906-0000-4b30-A977-D214852036FF}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00020907-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{000209F0-0000-4b30-A977-D214852036FF}\InprocServer32 ->  No File
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{000209FF-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{000209FF-0000-4b30-A977-D214852036FF}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{00024500-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{0002CE21-0000-0000-C000-000000000046}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\ksee\EqnEdit.exe (Design Science, Inc.)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{44720441-94BF-4940-926D-4F38FECF2A48}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{44720444-94BF-4940-926D-4F38FECF2A48}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{45540001-5750-5300-4B49-4E47534F4655}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{45540003-5750-5300-4B49-4E47534F4655}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\InprocServer32 ->  No File
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{45540086-5750-5300-4B49-4E47534F4655}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\et.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{4D4E0078-1386-4536-BD05-3E1013F17116}\InprocServer32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\oledefaulthandler.dll (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{8A624388-AA27-43E0-89F8-2A12BFF7BCCD}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{91493443-94BF-4940-926D-4F38FECF2A48}\InprocServer32 ->  No File
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wpp.exe (Zhuhai Kingsoft Office Software Co.,Ltd)
CustomCLSID: HKU\S-1-5-21-1264926007-3043391039-2423817161-1000_Classes\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\localserver32 -> C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\office6\wps.exe (Zhuhai Kingsoft Office Software Co.,Ltd)

==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:23 - 2014-12-31 07:40 - 00001196 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly

There are 5 more lines.


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {076FF2B7-152B-4B1E-B12F-2BBE97B6879A} - System32\Tasks\UnHackMe Task Scheduler => C:\Program Files\UnHackMe\hackmon.exe [2014-12-11] (Greatis Software)
Task: {16A73DA0-56F5-4AB8-9CCE-D61C77F06DB6} - System32\Tasks\Chameleon Monitor-Yoda => c:\program files\common files\Chameleon Manager\monitor.exe [2014-11-18] (NeoSoft Tools)
Task: {1993FFE0-5E84-4A2E-8A8F-E4EE3E2886C1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: {1C81EA24-6FF9-4305-A0E4-F5E509809954} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-18] (Microsoft Corporation)
Task: {2CE006C0-935B-4FF0-AC76-286A505E8EE8} - System32\Tasks\WpsUpdateTask_Yoda => C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsupdate.exe [2014-08-17] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {2DBB49FC-DD7A-447C-B831-267380B37822} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: {3A19854B-BFC2-485A-8A56-36F4DCA82E7D} - System32\Tasks\{54FADEC8-A727-44D7-A6AC-96CFDC1F18F0} => pcalua.exe -a "C:\Users\Yoda\Desktop\FreeRAM XP Pro 1.52.exe" -d C:\Users\Yoda\Desktop
Task: {41741672-FC78-4207-ABB9-660ADCA52DBA} - System32\Tasks\GlaryInitialize 5 => C:\Program Files\Glary Utilities 5\Initialize.exe [2014-12-08] (Glarysoft Ltd)
Task: {5D8FE231-1D2A-4DF3-AC47-7ACD067D0D50} - System32\Tasks\Chameleon Task Manager-Yoda => C:\Program Files\Chameleon Task Manager\manager_task.exe [2014-11-18] (NeoSoft Tools)
Task: {71D168BB-2711-4C0E-AD59-8F76F4B404FC} - System32\Tasks\{F5B9B933-DC17-49E8-ADAB-B772050E1A4D} => pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java
Task: {7B4A6583-ED53-45B6-ADE1-69803A6BC4AD} - System32\Tasks\{57991F3C-CAE3-4A21-912B-C5C02E196750} => pcalua.exe -a G:\Driver\Setup.exe -d G:\Driver
Task: {8BCBBB22-6C73-4799-9CF4-616AA0BE03A4} - System32\Tasks\HP Health Check => C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2007-03-12] (Hewlett-Packard)
Task: {8F1BD8BF-B52F-4C3E-AC06-B2D19E71252C} - System32\Tasks\WpsNotifyTask_Yoda => C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsnotify.exe [2014-08-17] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {911F7F55-47F6-497E-A2C7-AD606C5EAEC6} - System32\Tasks\Microsoft\Windows\MobilePC\DisplayLink TMM Control
Task: {967B7AE7-0DFB-4059-9578-0735F0853805} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-18] (Microsoft Corporation)
Task: {A0318E1D-C9A1-434B-97E8-4392AA5F39F6} - System32\Tasks\Maxthon Update => C:\Program Files\Maxthon\Bin\mxup.exe [2014-05-13] (Maxthon International ltd.)
Task: {CB8F124B-31BE-4439-B556-848BD832CC70} - \GlaryInitialize 4 No Task File <==== ATTENTION
Task: {F2B48043-8289-41C1-8BDE-4758BF1A9043} - System32\Tasks\GU5SkipUAC => C:\Program Files\Glary Utilities 5\Integrator.exe [2014-12-08] (Glarysoft Ltd)
Task: {F96FEBAA-B302-4E88-A47A-66227A9C2C39} - System32\Tasks\Chameleon Monitor-startup-Yoda => c:\program files\common files\Chameleon Manager\monitor.exe [2014-11-18] (NeoSoft Tools)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GlaryInitialize 5.job => C:\Program Files\Glary Utilities 5\Initialize.exe
Task: C:\Windows\Tasks\WpsNotifyTask_Yoda.job => C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsnotify.exe
Task: C:\Windows\Tasks\WpsUpdateTask_Yoda.job => C:\Users\Yoda\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsupdate.exe

==================== Loaded Modules (whitelisted) =============

2007-05-08 15:56 - 2007-03-28 19:45 - 00270431 _____ () C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
2007-05-08 15:56 - 2007-03-28 19:45 - 00233573 _____ () C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll
2014-12-07 21:34 - 2002-05-14 18:22 - 00122880 _____ () C:\Program Files\WinRAR\rarext.dll
2014-12-16 20:57 - 2014-06-19 00:44 - 00033632 _____ () C:\Windows\system32\SpyShelterShellExt.dll
2014-03-19 16:57 - 2014-03-19 16:57 - 02159415 _____ () C:\Program Files\PrivaZer\PrivaMenu5.dll
2007-02-22 03:50 - 2007-02-22 03:50 - 00245760 _____ () C:\Windows\system32\igfxTMM.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Yoda\Desktop\Anti-keylogger (anti spy protection) software review - YouTube [720p].mp4:TOC.WMV
AlternateDataStreams: C:\Users\Yoda\Downloads\Eurotrip _ All Deleted Scenes (part 1) (1).flv:TOC.WMV
AlternateDataStreams: C:\Users\Yoda\Downloads\Eurotrip _ All Deleted Scenes (part 1).flv:TOC.WMV
AlternateDataStreams: C:\Users\Yoda\Downloads\Is War Over_ — A Paradox Explained.flv:TOC.WMV
AlternateDataStreams: C:\Users\Yoda\Downloads\Top 5 Pranks 2014.mp4:TOC.WMV

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: ehRecvr => 2
MSCONFIG\Services: ehSched => 2
MSCONFIG\Services: ehstart => 2
MSCONFIG\Services: TrustedInstaller => 3
MSCONFIG\startupreg: FreeRAM XP => "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
MSCONFIG\startupreg: GUDelayStartup => "C:\Program Files\Glary Utilities 5\StartupManager.exe" -delayrun
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: ProcessTamer => C:\Program Files\ProcessTamer\ProcessTamerTray.exe
MSCONFIG\startupreg: runeip => "C:\Program Files\Rising\AntiSpyware\rstray.exe" /startup
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

========================= Accounts: ==========================

Administrator (S-1-5-21-1264926007-3043391039-2423817161-500 - Administrator - Disabled)
Guest (S-1-5-21-1264926007-3043391039-2423817161-501 - Limited - Disabled)
Yoda (S-1-5-21-1264926007-3043391039-2423817161-1000 - Administrator - Enabled) => C:\Users\Yoda

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-12-31 09:43:16.339
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\DasPtct.SYS because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:43:16.183
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\DasPtct.SYS because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:55.154
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:55.045
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:54.936
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:54.826
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:54.639
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:54.514
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:54.390
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-31 09:42:54.265
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™2 CPU T5300 @ 1.73GHz
Percentage of memory in use: 48%
Total physical RAM: 2037.31 MB
Available physical RAM: 1059 MB
Total Pagefile: 4311.88 MB
Available Pagefile: 3324.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1899.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:81.36 GB) (Free:32.54 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (IMG) (Fixed) (Total:40.02 GB) (Free:0.09 GB) FAT32
Drive e: (FILMZZZ) (Fixed) (Total:20.49 GB) (Free:1.23 GB) FAT32
Drive f: (BOX) (Fixed) (Total:7.12 GB) (Free:0.2 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149.1 GB) (Disk ID: 736214AA)
Partition 1: (Active) - (Size=81.4 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=60.6 GB) - (Type=OF Extended)
Partition 3: (Not Active) - (Size=7.1 GB) - (Type=0C)

==================== End Of Log ============================



#11 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:20 PM

Posted 31 December 2014 - 12:55 PM

The log you provided is the second log of FRST. You should have the other one. Could you post that as well?


Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#12 Vomit_Soup

Vomit_Soup
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 01 January 2015 - 11:00 PM

Oops, sorry ... here ...


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-12-2014
Ran by Yoda (administrator) on YODA-PC on 31-12-2014 09:42:28
Running from C:\Users\Yoda\Desktop
Loaded Profile: Yoda (Available profiles: Yoda)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SurfRight B.V.) C:\Program Files\HitmanPro.Alert\hmpalert.exe
(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
(Qihu 360 Software Co., Ltd.) C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe
() C:\Program Files\Hp\QuickPlay\Kernel\TV\CLCapSvc.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehsched.exe
(Foxit Corporation) C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Secunia) C:\Program Files\Secunia\PSI\psia.exe
(RaMMicHaeL) C:\Program Files\Unchecky\bin\unchecky_svc.exe
(Conexant Systems, Inc.) C:\WINDOWS\System32\drivers\XAudio.exe
(RaMMicHaeL) C:\Program Files\Unchecky\bin\unchecky_bg.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(NeoSoft Tools) C:\Program Files\Common Files\Chameleon Manager\monitor.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Toolwiz) C:\Program Files\Toolwiz TimeFreeze\ToolwizTimeFreezeGUI.exe
(QFX Software Corporation) C:\Program Files\KeyScrambler\KeyScrambler.exe
(Secunia) C:\Program Files\Secunia\PSI\psi_tray.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Moo0) C:\Users\Yoda\Documents\Moo0 SystemMonitor 1.64 Portable\SystemMonitor.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(Qihu 360 Software Co., Ltd.) C:\Program Files\360\360 Internet Security\360rps.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Toolwiz TimeFreeze] => C:\Program Files\Toolwiz TimeFreeze\ToolwizTimeFreezeGUI.exe [1677912 2014-04-15] (Toolwiz)
HKLM\...\Run: [KeyScrambler] => C:\Program Files\KeyScrambler\keyscrambler.exe [508144 2014-05-30] (QFX Software Corporation)
HKLM\...\Run: [Registry Alert] => C:\Program Files\Registry Alerts\Registry Alert.exe [428032 2012-11-29] (Probsol)
HKLM\...\Run: [360sd] => C:\Program Files\360\360 Internet Security\360sdrun.exe [287560 2014-04-16] (Qihu 360 Software Co., Ltd.)
HKLM\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\...\Run: [GUDelayStartup] => C:\Program Files\Glary Utilities 5\StartupManager.exe [37152 2014-12-08] (Glarysoft Ltd)
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\...\Run: [SpyShelter] => C:\Program Files\SpyShelter Firewall\SpyShelter.exe [3478368 2014-10-23] ()
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\...\Policies\Explorer: [NoDriveAutoRun-] 0
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\...\Policies\Explorer: [NoDriveTypeAutoRun-] 0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
BootExecute: autocheck autochk * Partizannco??n??

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
HKU\S-1-5-21-1264926007-3043391039-2423817161-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Rising PC Doctor -> {98B7C13A-E9CD-4959-8B46-FBEAB41E42A8} -> C:\Windows\system32\UrlFilter.dll (Beijing Rising Information Technology Co., Ltd.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 192.168.2.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-02-03]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 360rp; C:\Program Files\360\360 Internet Security\360rps.exe [235848 2014-05-07] (Qihu 360 Software Co., Ltd.)
S4 camfrog_update_service; C:\Program Files\Camfrog\Camfrog Video Chat\update\cf_update_service.exe [1032680 2014-10-02] (Camshare Inc.)
R2 CLCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [270431 2007-03-28] () [File not signed]
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [8549680 2014-09-26] (DisplayLink Corp.)
R2 FoxitCloudUpdateService; C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [242728 2014-07-01] (Foxit Corporation)
R2 hmpalertsvc; C:\Program Files\HitmanPro.Alert\hmpalert.exe [1876816 2014-11-26] (SurfRight B.V.)
S4 HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [62984 2007-03-14] (Hewlett-Packard)
S4 hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [135168 2006-05-02] (Hewlett-Packard Development Company, L.P.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
S3 scan; C:\Program Files\360\360 Internet Security\scan.dll [335176 2014-04-24] (S.C. BitDefender S.R.L)
R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-04-19] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-04-19] (Secunia)
R2 Unchecky; C:\Program Files\Unchecky\bin\unchecky_svc.exe [111208 2014-12-24] (RaMMicHaeL)
R2 ZhuDongFangYu; C:\Program Files\360\360 Internet Security\deepscan\QHActiveDefense.exe [236360 2014-04-23] (Qihu 360 Software Co., Ltd.)
S2 CLSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe" [X]
S3 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 360AntiHacker; C:\Windows\System32\Drivers\360AntiHacker.sys [86608 2014-04-21] (Qihu 360 Software Co., Ltd.)
R3 360AvFlt; C:\Windows\System32\DRIVERS\360AvFlt.sys [56912 2014-04-23] (Qihu 360 Software Co., Ltd.)
R1 360Box; C:\Windows\System32\DRIVERS\360Box.sys [192080 2014-04-28] (Qihu 360 Software Co., Ltd.)
R1 360Camera; C:\Windows\System32\Drivers\360Camera.sys [35920 2014-04-28] (Qihu 360 Software Co., Ltd.)
R1 360SelfProtection; C:\Windows\System32\drivers\360SelfProtection.sys [165192 2014-05-07] (Qihu 360 Software Co., Ltd.)
R1 A2DDA; C:\Users\Yoda\Desktop\EEK\RUN\a2ddax86.sys [22056 2013-09-04] (Emsisoft GmbH)
R1 BAPIDRV; C:\Windows\System32\DRIVERS\BAPIDRV.sys [165968 2014-04-14] (Qihu 360 Software Co., Ltd.)
R1 BTOWSFF; C:\Windows\system32\Drivers\BTOWSFF.sys [26880 2014-04-15] (Toolwiz.com)
R0 BTOWSVF; C:\Windows\System32\Drivers\BTOWSVF.sys [51200 2014-04-15] (Toolwiz.com)
S3 cleanhlp; C:\Users\Yoda\Desktop\EEK\Run\cleanhlp32.sys [50200 2014-11-19] (Emsisoft GmbH)
S3 DisplayLinkUsbIo; C:\Windows\System32\DRIVERS\DisplayLinkUsbIo_7.7.57957.0.sys [38192 2014-11-18] ()
R3 dlkmd; C:\Windows\system32\drivers\dlkmd.sys [373040 2014-09-26] (DisplayLink Corp.)
R0 dlkmdldr; C:\Windows\System32\drivers\dlkmdldr.sys [17200 2014-09-26] (DisplayLink Corp.)
S3 eabfiltr; C:\Windows\System32\DRIVERS\eabfiltr.sys [8192 2006-11-30] (Hewlett-Packard Development Company, L.P.)
R1 EfiMon; C:\Windows\System32\Drivers\Efimon.sys [22992 2014-05-14] (Qihu 360 Software Co., Ltd.)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [17344 2014-10-18] (Glarysoft Ltd)
R3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [159232 2007-02-22] (Conexant Systems Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30976 2014-12-16] ()
R2 hmpalert; C:\Windows\System32\drivers\hmpalert.sys [75640 2014-12-04] ()
R0 HookPort; C:\Windows\System32\Drivers\Hookport.sys [54856 2014-04-21] (360安全中心)
R3 KeyScrambler; C:\Windows\System32\drivers\keyscrambler.sys [209016 2013-05-31] (QFX Software Corporation)
U0 Partizan; C:\Windows\System32\drivers\Partizan.sys [35816 2014-12-11] (Greatis Software)
S3 pbfilter; C:\Program Files\PeerBlock\pbfilter.sys [20040 2014-01-14] ()
R3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R1 qutmdserv; C:\Windows\system32\drivers\qutmdrv.sys [233808 2014-05-14] (Qihu 360 Software Co., Ltd.)
R1 qutmipc; C:\Windows\system32\drivers\qutmipc.sys [43984 2014-05-14] (Qihu 360 Software Co., Ltd.)
S3 RegGuard; C:\Windows\system32\Drivers\regguard.sys [24416 2014-12-18] (Greatis Software)
R1 Spyshelter; C:\Program Files\SpyShelter Firewall\SpyShelter.sys [483680 2014-10-23] (SpyShelter) [File not signed]
R2 SpyshelterFw; C:\Program Files\SpyShelter Firewall\SpyshelterTDI.sys [89440 2014-10-23] () [File not signed]
R1 SpyshelterKb; C:\Program Files\SpyShelter Firewall\SpyshelterKb.sys [114528 2014-10-02] (SpyShelter) [File not signed]
R3 WinRing0_1_2_0; C:\Users\Yoda\Documents\Moo0 SystemMonitor 1.64 Portable\WinRing0.sys [14416 2008-07-26] (OpenLibSys.org)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-18] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\Yoda\AppData\Local\Temp\catchme.sys [X]
S3 DisplayLinkUsbPort; system32\DRIVERS\DisplayLinkUsbPort.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt32.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

========================== Drivers MD5 =======================

C:\Windows\System32\Drivers\ksecdd.sys 7A0CF7908B6824D6A2A1D313E5AE3DCA
C:\Windows\System32\DRIVERS\lltdio.sys D1C5883087A0C3F1344D9D55A44901F6
C:\Windows\system32\drivers\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys 8F5C7426567798E62A3B3614965D62CC
C:\Windows\System32\DRIVERS\mdmxsdk.sys 0CEA2D0D3FA284B85ED5B68365114F76
C:\Windows\system32\drivers\megasas.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys E13B5EA0F51BA5B1512EC671393D09BA
C:\Windows\System32\DRIVERS\monitor.sys 0A9BB33B56E294F686ABB7C1E4E2D8A8
C:\Windows\System32\DRIVERS\motmodem.sys FE80C18BA448DDD76B7BEAD9EB203D37
C:\Windows\System32\DRIVERS\mouclass.sys 5BF6A1326A335C5298477754A506D263
C:\Windows\System32\DRIVERS\mouhid.sys 93B8D4869E12CFBE663915502900876F
C:\Windows\System32\drivers\mountmgr.sys BDAFC88AA6B92F7842416EA6A48E1600
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys 22241FEBA9B2DEFA669C8CB0A8DD7D2E
C:\Windows\system32\drivers\mraid35x.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys AE3DE84536B6799D2267443CEC8EDBB9
C:\Windows\System32\DRIVERS\mrxsmb.sys 5734A0F2BE7E495F7D3ED6EFD4B9F5A1
C:\Windows\System32\DRIVERS\mrxsmb10.sys 6B5FA5ADFACAC9DBBE0991F4566D7D55
C:\Windows\System32\DRIVERS\mrxsmb20.sys 5C80D8159181C7ABF1B14BA703B01E0B
C:\Windows\System32\drivers\msahci.sys 28023E86F17001F7CD9B15A5BC9AE07D
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\system32\Drivers\Msfs.sys A9927F4A46B816C92F461ACB90CF8515
C:\Windows\System32\drivers\msisadrv.sys 0F400E306F385C56317357D6DEA56F62
C:\Windows\System32\drivers\MSKSSRV.sys D8C63D34D9C9E56C059E24EC7185CC07
C:\Windows\System32\drivers\MSPCLOCK.sys 1D373C90D62DDB641D50E55B9E78D65E
C:\Windows\System32\drivers\MSPQM.sys B572DA05BF4E098D4BBA3A4734FB505B
C:\Windows\system32\Drivers\MsRPC.sys B5614AECB05A9340AA0FB55BF561CC63
C:\Windows\System32\DRIVERS\mssmbios.sys E384487CB84BE41D09711C30CA79646C
C:\Windows\System32\drivers\MSTEE.sys 7199C1EEC1E4993CAF96B8C0A26BD58A
C:\Windows\System32\Drivers\mup.sys 6DFD1D322DE55B0B7DB7D21B90BEC49C
C:\Windows\System32\DRIVERS\nwifi.sys 3C21CE48FF529BB73DADB98770B54025
C:\Windows\System32\drivers\ndis.sys 9BDC71790FA08F0A0B5F10462B1BD0B1
C:\Windows\System32\DRIVERS\ndistapi.sys 0E186E90404980569FB449BA7519AE61
C:\Windows\System32\DRIVERS\ndisuio.sys D6973AA34C4D5D76C0430B181C3CD389
C:\Windows\System32\DRIVERS\ndiswan.sys 3D14C3B3496F88890D431E8AA022A411
C:\Windows\system32\Drivers\NDProxy.sys 71DAB552B41936358F3B541AE5997FB3
C:\Windows\System32\DRIVERS\netbios.sys BCD093A5A6777CF626434568DC7DBA78
C:\Windows\System32\DRIVERS\netbt.sys 7C5FEE5B1C5728507CD96FB4A13E7A02
C:\Windows\System32\DRIVERS\NETw3v32.sys EA30BD026A7D1B745A37516880C4AC1B
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\system32\Drivers\Npfs.sys ECB5003F484F9ED6C608D6D6C7886CBB
C:\Windows\System32\drivers\nsiproxy.sys 609773E344A97410CE4EBF74A8914FCF
C:\Windows\system32\Drivers\Ntfs.sys B4EFFE29EB4F15538FD8A9681108492D
C:\Windows\system32\drivers\ntrigdigi.sys ==> MD5 is legit
C:\Windows\system32\Drivers\Null.sys C5DBBCDA07D780BDA9B685DF333BB41E
C:\Windows\system32\drivers\nvraid.sys E69E946F80C1C31C53003BFBF50CBB7C
C:\Windows\system32\drivers\nvstor.sys 9E0BA19A28C498A6D323D065DB76DFFC
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ohci1394.sys 790E27C3DB53410B40FF9EF2FD10A1D9
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\Partizan.sys 6DDCF3F801EC15FE698F6A215CF30A1F
C:\Windows\System32\drivers\partmgr.sys 3B38467E7C3DAED009DFE359E17F139F
C:\Windows\system32\drivers\parvdm.sys ==> MD5 is legit
C:\Program Files\PeerBlock\pbfilter.sys DD20CD5991712BE6004F45BE5C44CAD0
C:\Windows\System32\drivers\pci.sys 01B94418DEB235DFF777CC80076354B4
C:\Windows\system32\drivers\pciide.sys 3B1901E401473E03EB8C874271E50C26
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ECFFFAEC0C1ECD8DBC77F39070EA1DB1
C:\Windows\system32\drivers\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys BFEF604508A0ED1EAE2A73E872555FFB
C:\Windows\System32\DRIVERS\psi_mf.sys D24DFD16A1E2A76034DF5AA18125C35D
C:\Windows\System32\Drivers\PxHelp20.sys D86B4A68565E444D76457F14172C875A
C:\Windows\system32\drivers\ql2300.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qutmdrv.sys F6E2716D8F5CAAB0CEB2A0AA13F11CE9
C:\Windows\system32\drivers\qutmipc.sys FD039D3E67537B7FD1F1BD1B917293AB
C:\Windows\system32\drivers\qwavedrv.sys 9F5E0E1926014D17486901C88ECA2DB7
C:\Windows\System32\DRIVERS\rasacd.sys 147D7F9C556D259924351FEB0DE606C3
C:\Windows\System32\DRIVERS\rasl2tp.sys A214ADBAF4CB47DD2728859EF31F26B0
C:\Windows\System32\DRIVERS\raspppoe.sys 3E9D9B048107B40D87B97DF2E48E0744
C:\Windows\System32\DRIVERS\rassstp.sys A7D141684E9500AC928A772ED8E6B671
C:\Windows\System32\DRIVERS\rdbss.sys 6E1C5D0457622F9EE35F683110E93D14
C:\Windows\System32\DRIVERS\RDPCDD.sys 89E59BE9A564262A3FB6C4F4F1CD9899
C:\Windows\system32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys 9D91FE5286F748862ECFFA05F8A0710C
C:\Windows\system32\Drivers\RDPWD.sys E1C18F4097A5ABCEC941DC4B2F99DB7E
C:\Windows\system32\Drivers\regguard.sys 37ECEBDD930395A9C399FB18A3C236D3
C:\Windows\System32\DRIVERS\rimmptsk.sys D85E3FA9F5B1F29BB4ED185C450D1470
C:\Windows\System32\DRIVERS\rimsptsk.sys DB8EB01C58C9FADA00C70B1775278AE0
C:\Windows\System32\DRIVERS\rixdptsk.sys 6C1F93C0760C9F79A1869D07233DF39D
C:\Windows\System32\DRIVERS\rspndr.sys 9C508F4074A39E8B4B31D27198146FAD
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\sdbus.sys 126EA89BCC413EE45E3004FB0764888F
C:\Windows\system32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\serenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys 8AF3D28A879BF75DB53A0EE7A4289624
C:\Windows\System32\DRIVERS\sffdisk.sys 3EFA810BDCA87F6ECC24F9832243FE86
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\sffp_sd.sys 3D0EA348784B7AC9EA9BD9F317980979
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid2.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys 031E6BCD53C9B2B9ACE111EAFEC347B6
C:\Windows\system32\Drivers\spldr.sys 7AEBDEEF071FE28B0EEF2CDD69102BFF
C:\Program Files\SpyShelter Firewall\SpyShelter.sys 659D13C264F13620ED725940D501419B
C:\Program Files\SpyShelter Firewall\SpyshelterTDI.sys ED27174F7D58819CB1669E70C941AD90
C:\Program Files\SpyShelter Firewall\SpyshelterKb.sys 318FA3920F8048FA9B84BA36CCA020BA
C:\Windows\System32\DRIVERS\srv.sys 2252AEF839B1093D16761189F45AF885
C:\Windows\System32\DRIVERS\srv2.sys B7FF59408034119476B00A81BB53D5D1
C:\Windows\System32\DRIVERS\srvnet.sys 2ACCC9B12AF02030F531E6CCA6F8B76E
C:\Windows\System32\DRIVERS\swenum.sys 7BA58ECF0C0A9A69D44B3DCA62BECF56
C:\Windows\system32\drivers\symc8xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\sym_hi.sys ==> MD5 is legit
C:\Windows\system32\drivers\sym_u3.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\SynTP.sys 8327106D1C93E9A7B98E63B9FCC24BB7
C:\Windows\System32\drivers\tcpip.sys 782568AB6A43160A159B6215B70BCCE9
C:\Windows\System32\DRIVERS\tcpip.sys 782568AB6A43160A159B6215B70BCCE9
C:\Windows\System32\drivers\tcpipreg.sys D4A2E4A4B011F3A883AF77315A5AE76B
C:\Windows\System32\drivers\tdpipe.sys 5DCF5E267BE67A1AE926F2DF77FBCC56
C:\Windows\System32\drivers\tdtcp.sys 389C63E32B3CEFED425B61ED92D3F021
C:\Windows\System32\DRIVERS\tdx.sys D09276B1FAB033CE1D40DCBDF303D10F
C:\Windows\System32\DRIVERS\termdd.sys A048056F5E1A96A9BF3071B91741A5AA
C:\Windows\System32\DRIVERS\tssecsrv.sys DCF0F056A2E4F52287264F5AB29CF206
C:\Windows\System32\DRIVERS\tunmp.sys CAECC0120AC49E3D2F758B9169872D38
C:\Windows\System32\DRIVERS\tunnel.sys 6042505FF6FA9AC1EF7684D0E03B6940
C:\Windows\system32\drivers\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys 8B5088058FA1D1CD897A2113CCFF6C58
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\ulsata.sys ==> MD5 is legit
C:\Windows\system32\drivers\ulsata2.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys 32CFF9F809AE9AED85464492BF3E32D2
C:\Windows\System32\drivers\usbaudio.sys 292A25BB75A568AE2C67169BA2C6365A
C:\Windows\System32\DRIVERS\usbccgp.sys CAF811AE4C147FFCD5B51750C7F09142
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbehci.sys CEBE90821810E76320155BEBA722FCF9
C:\Windows\System32\DRIVERS\usbhub.sys CC6B28E4CE39951357963119CE47B143
C:\Windows\system32\drivers\usbohci.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS 87BA6B83C5D19B69160968D07D6E2982
C:\Windows\System32\DRIVERS\usbuhci.sys 814D653EFC4D48BE3B04A307ECEFF56F
C:\Windows\System32\Drivers\usbvideo.sys E67998E8F14CB0627A769F6530BCB352
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys 2E93AC0A1D8C79D019DB6C51F036636C
C:\Windows\system32\drivers\viaagp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viac7.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys FD2E3175FCADA350C7AB4521DCA187EC
C:\Windows\System32\drivers\volmgr.sys 69503668AC66C77C6CD7AF86FBDF8C43
C:\Windows\System32\drivers\volmgrx.sys 98F5FFE6316BD74E9E2C97206C190196
C:\Windows\System32\drivers\volsnap.sys D8B4A53DD2769F226B3EB374374987C9
C:\Windows\system32\drivers\vsmraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys 55201897378CCA7AF8B5EFD874374A26
C:\Windows\System32\DRIVERS\wanarp.sys 55201897378CCA7AF8B5EFD874374A26
C:\Windows\system32\drivers\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys B6F0A7AD6D4BD325FBCD8BAC96CD8D96
C:\Windows\System32\DRIVERS\HSX_CNXT.sys 3B4522D0E750BAC8FE7AE61622A57014
C:\Users\Yoda\Documents\Moo0 SystemMonitor 1.64 Portable\WinRing0.sys 845AF1BA23C8D5E64DEF61BCC441604C
C:\Windows\System32\DRIVERS\wmiacpi.sys 2E7255D172DF0B8283CDFB7B433B864E
C:\Windows\system32\drivers\ws2ifsl.sys E3A3CB253C0EC2494D4A61F5E43A389C
C:\Windows\System32\DRIVERS\WUDFRd.sys AC13CB789D93412106B0FB6C7EB2BCB6
C:\Windows\System32\DRIVERS\xaudio.sys 88AF537264F2B818DA15479CEEAF5D7C

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-31 09:42 - 2014-12-31 09:43 - 00031944 _____ () C:\Users\Yoda\Desktop\FRST.txt
2014-12-31 09:41 - 2014-12-31 06:36 - 01114624 _____ (Farbar) C:\Users\Yoda\Desktop\FRST.exe
2014-12-30 01:26 - 2014-12-30 01:36 - 279130267 _____ () C:\Users\Yoda\Desktop\▶ ANCIENT BLOOD CONSPIRACY - YouTube [360p].mp4
2014-12-29 07:36 - 2014-12-29 07:36 - 00026624 _____ (Gibson Research Corp.) C:\Users\Yoda\Downloads\idserve.exe
2014-12-29 07:34 - 2014-12-31 08:01 - 00000000 __SHD () C:\360Rec
2014-12-28 14:47 - 2014-12-28 14:47 - 00012398 _____ () C:\ComboFix.txt
2014-12-28 11:43 - 2014-12-28 14:47 - 00000000 ____D () C:\ComboFix
2014-12-23 15:57 - 2014-12-23 15:58 - 00311896 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-22 14:32 - 2014-12-22 14:32 - 00077152 _____ () C:\Users\Yoda\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-21 08:54 - 2014-12-21 08:58 - 00000000 ___RD () C:\Users\Yoda\Desktop\RETRO FLYERS
2014-12-18 15:24 - 2014-12-18 15:24 - 00001670 _____ () C:\Users\Public\Desktop\PrivaZer.lnk
2014-12-18 15:23 - 2014-12-18 15:23 - 07241864 _____ (Goversoft LLC) C:\Users\Yoda\Downloads\privazer_free(10).exe
2014-12-18 03:45 - 2014-12-18 03:45 - 00000000 ___RD () C:\comment.htt
2014-12-18 03:06 - 2014-12-31 07:40 - 00000264 _____ () C:\Windows\system32\PARTIZAN.TXT
2014-12-18 03:03 - 2014-12-18 03:03 - 00040720 _____ (Greatis Software) C:\Windows\system32\Partizan.exe
2014-12-18 02:57 - 2014-12-18 02:57 - 00024416 _____ (Greatis Software) C:\Windows\system32\Drivers\regguard.sys
2014-12-16 20:57 - 2014-12-16 21:07 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\SpyShelter
2014-12-16 20:57 - 2014-12-16 20:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpyShelter
2014-12-16 20:57 - 2014-12-16 20:57 - 00000000 ____D () C:\Program Files\SpyShelter Firewall
2014-12-16 20:57 - 2014-10-02 22:26 - 00032096 _____ () C:\Windows\system32\Osklauncher.exe
2014-12-16 20:57 - 2014-09-18 18:52 - 00057344 _____ () C:\Windows\system32\inject_logon_dll.dll
2014-12-16 20:57 - 2014-06-19 00:44 - 00033632 _____ () C:\Windows\system32\SpyShelterShellExt.dll
2014-12-16 20:49 - 2014-12-16 20:49 - 06865480 _____ ( ) C:\Users\Yoda\Downloads\fwsetup.exe
2014-12-16 20:40 - 2014-12-21 01:40 - 26110315 _____ () C:\Users\Yoda\Desktop\Anti-keylogger (anti spy protection) software review - YouTube [720p].mp4
2014-12-16 19:08 - 2014-12-16 19:09 - 04066136 _____ (Zemana Ltd. ) C:\Users\Yoda\Downloads\AntiLoggerFree_Setup_1.7.2.390.exe
2014-12-16 19:02 - 2014-12-16 19:03 - 18842568 _____ (Zemana Ltd. ) C:\Users\Yoda\Downloads\Zemana_AntiLogger_1.9.3.527.exe
2014-12-16 00:31 - 2014-12-16 00:32 - 17925296 _____ (Adobe Systems Incorporated) C:\Users\Yoda\Downloads\flashplayer_16_ax_debug(1).exe
2014-12-16 00:30 - 2014-12-16 00:32 - 17866928 _____ (Adobe Systems Incorporated) C:\Users\Yoda\Downloads\flashplayer_16_plugin_debug(1).exe
2014-12-16 00:30 - 2014-12-16 00:31 - 17925296 _____ (Adobe Systems Incorporated) C:\Users\Yoda\Downloads\flashplayer_16_ax_debug.exe
2014-12-16 00:30 - 2014-12-16 00:31 - 17866928 _____ (Adobe Systems Incorporated) C:\Users\Yoda\Downloads\flashplayer_16_plugin_debug.exe
2014-12-15 08:51 - 2014-12-15 08:51 - 00000922 _____ () C:\Users\Public\Desktop\Chameleon Task Manager.lnk
2014-12-15 08:51 - 2014-12-15 08:51 - 00000000 ____D () C:\Users\Yoda\Documents\Chameleon files
2014-12-15 08:51 - 2014-12-15 08:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chameleon Task Manager
2014-12-15 08:51 - 2014-12-15 08:51 - 00000000 ____D () C:\Program Files\Common Files\Chameleon Manager
2014-12-15 08:51 - 2014-12-15 08:51 - 00000000 ____D () C:\Program Files\Chameleon Task Manager
2014-12-14 08:32 - 2014-12-14 08:32 - 00000000 ___RD () C:\Users\Yoda\Desktop\ICO
2014-12-14 08:29 - 2014-12-14 08:29 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\SpyStudio
2014-12-14 08:29 - 2014-12-14 08:29 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Nektra
2014-12-14 08:28 - 2014-12-14 08:28 - 00000000 ____D () C:\Users\Yoda\AppData\Local\Nektra
2014-12-14 08:27 - 2014-12-14 08:34 - 00000000 ___RD () C:\Users\Yoda\Desktop\SS
2014-12-14 08:17 - 2014-12-14 08:17 - 01903184 _____ (Mister Group ) C:\Users\Yoda\Downloads\SystemExplorerSetup_610.exe
2014-12-14 08:12 - 2014-12-14 08:13 - 13587055 _____ () C:\Users\Yoda\Downloads\SpyStudio-v2.zip
2014-12-14 06:06 - 2014-12-14 06:06 - 00230768 _____ () C:\Users\Yoda\Downloads\unlockedwebcamprotectorsetup.exe
2014-12-14 05:53 - 2014-12-14 05:53 - 00000000 ____D () C:\Users\Yoda\Desktop\RR
2014-12-14 05:47 - 2014-12-29 20:36 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Ditto
2014-12-14 05:47 - 2014-12-14 05:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ditto
2014-12-14 05:47 - 2014-12-14 05:47 - 00000000 ____D () C:\Program Files\Ditto
2014-12-14 05:13 - 2014-12-14 05:14 - 05016584 _____ ( ) C:\Users\Yoda\Downloads\setupfree.exe
2014-12-14 05:10 - 2014-12-14 05:10 - 05924193 _____ () C:\Users\Yoda\Downloads\DataGuardAklFreeSetup.zip
2014-12-13 09:21 - 2013-03-24 13:20 - 01375744 _____ () C:\Users\Yoda\Desktop\AntiTest.exe
2014-12-13 09:19 - 2014-12-13 09:19 - 01346242 _____ () C:\Users\Yoda\Downloads\AntiTest.zip
2014-12-13 09:02 - 2014-12-13 09:03 - 19362952 _____ (IObit ) C:\Users\Yoda\Downloads\imfv2-setup-for-review.exe
2014-12-13 07:20 - 2014-12-13 07:08 - 02166272 _____ () C:\Users\Yoda\Downloads\adwcleaner_4.105 (2).exe
2014-12-13 07:10 - 2014-12-13 07:10 - 02166272 _____ () C:\Users\Yoda\Downloads\adwcleaner_4.105(1).exe
2014-12-13 07:08 - 2014-12-13 07:08 - 02166272 _____ () C:\Users\Yoda\Downloads\adwcleaner_4.105.exe
2014-12-12 10:00 - 2014-12-12 10:00 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Process Hacker 2
2014-12-12 09:47 - 2014-12-12 09:47 - 00001833 _____ () C:\Users\Yoda\Desktop\Process Hacker 2.lnk
2014-12-12 09:47 - 2014-12-12 09:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
2014-12-12 09:47 - 2014-12-12 09:47 - 00000000 ____D () C:\Program Files\Process Hacker 2
2014-12-12 09:45 - 2014-12-12 09:45 - 01932448 _____ (wj32 ) C:\Users\Yoda\Downloads\processhacker-2.33-setup.exe
2014-12-12 09:07 - 2014-12-12 09:07 - 07268536 _____ (Bitdefender LLC) C:\Users\Yoda\Downloads\BootkitRemoval_x86.exe
2014-12-11 12:41 - 2014-12-18 02:54 - 00000000 ____D () C:\ProgramData\RegRun
2014-12-11 12:40 - 2014-12-18 02:54 - 00000000 ____D () C:\Users\Yoda\Documents\RegRun2
2014-12-11 12:40 - 2014-12-11 12:40 - 00035816 _____ (Greatis Software) C:\Windows\system32\Drivers\Partizan.sys
2014-12-11 12:40 - 2014-12-11 12:40 - 00000002 RSHOT () C:\Windows\winstart.bat
2014-12-11 12:39 - 2014-12-29 07:27 - 00000000 ____D () C:\Program Files\UnHackMe
2014-12-11 12:39 - 2014-12-18 02:54 - 00000000 ____D () C:\Users\Public\Documents\regruninfo
2014-12-11 12:39 - 2014-12-11 18:41 - 00012800 _____ (Greatis Software, LLC.) C:\Windows\system32\Drivers\UnHackMeDrv.sys
2014-12-11 12:39 - 2014-12-11 12:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2014-12-11 12:33 - 2014-12-11 18:42 - 16602720 _____ (Greatis Software, LLC. ) C:\Users\Yoda\Desktop\unhackme_setup.exe
2014-12-11 12:19 - 2014-12-11 12:19 - 00117312 _____ (Gibson Research Corp.) C:\Users\Yoda\Downloads\securable.exe
2014-12-11 11:34 - 2014-12-11 11:34 - 00737280 _____ () C:\Users\Yoda\Downloads\Gromozon Rootkit Removal Tool.exe
2014-12-11 10:45 - 2014-12-11 10:45 - 00000338 _____ () C:\ProgramData\SMRResults430.dat
2014-12-11 10:23 - 2014-12-11 10:25 - 00000000 ____D () C:\NPE
2014-12-11 10:18 - 2014-12-11 10:42 - 00000000 ____D () C:\Users\Yoda\AppData\Local\NPE
2014-12-11 09:48 - 2014-12-11 10:02 - 37094982 _____ () C:\Users\Yoda\Downloads\aswar.log
2014-12-11 01:22 - 2014-12-11 01:24 - 10913141 _____ () C:\Users\Yoda\Downloads\Killer Clown Torture Prank! (Prank Kings) Inspired By DM PRANKS.flv
2014-12-10 21:05 - 2014-12-10 21:17 - 00000000 ____D () C:\Program Files\ThreatExpert Memory Scanner
2014-12-10 21:05 - 2014-12-10 21:05 - 00000882 _____ () C:\Users\Public\Desktop\ThreatExpert Memory Scanner.lnk
2014-12-10 21:05 - 2014-12-10 21:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThreatExpert Memory Scanner
2014-12-10 20:56 - 2014-12-10 20:56 - 00879024 _____ (Proland Software) C:\Users\Yoda\Downloads\Windows Vulnerability Scanner.exe
2014-12-10 20:26 - 2014-12-10 20:26 - 00000000 _____ () C:\Windows\system32\cmd
2014-12-10 19:04 - 2014-12-10 19:08 - 110021312 _____ () C:\Users\Yoda\Downloads\WWII Aircraft of Japan - Documentary.flv
2014-12-10 03:24 - 2014-12-12 09:14 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Opera Software
2014-12-10 03:18 - 2014-12-10 03:20 - 32532216 _____ (Opera Software) C:\Users\Yoda\Downloads\Opera_26.0.1656.32_Setup.exe
2014-12-10 03:14 - 2014-12-10 03:19 - 123197184 _____ (Microsoft Corporation) C:\Users\Yoda\Downloads\msert.exe
2014-12-10 03:14 - 2014-12-10 03:15 - 11447608 _____ (Microsoft Corporation) C:\Users\Yoda\Downloads\mseinstall.exe
2014-12-10 02:50 - 2014-12-10 02:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-12-10 02:50 - 2014-12-10 02:49 - 00272808 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-12-10 02:50 - 2014-12-10 02:49 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-12-10 02:50 - 2014-12-10 02:49 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-12-10 02:50 - 2014-12-10 02:49 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-12-10 02:49 - 2014-12-10 02:49 - 00000000 ____D () C:\Program Files\Java
2014-12-10 01:21 - 2014-03-17 14:09 - 00033440 _____ () C:\Windows\system32\Drivers\DasPtct.SYS
2014-12-09 06:42 - 2014-12-09 06:43 - 29458856 _____ (Oracle Corporation) C:\Users\Yoda\Downloads\jre-7u71-windows-i586.exe
2014-12-09 05:16 - 2014-12-09 05:16 - 00000000 ____D () C:\Users\Yoda\Desktop\mbar
2014-12-09 05:07 - 2014-12-09 05:07 - 00007680 _____ (Lavasoft AB) C:\Windows\system32\Drivers\RKL4BD9.tmp.sys
2014-12-09 01:14 - 2014-12-09 01:15 - 14754312 _____ () C:\Users\Yoda\Downloads\gup5setup(11).exe
2014-12-08 04:06 - 2014-12-21 01:45 - 00000000 ___RD () C:\Users\Yoda\Desktop\2DAY
2014-12-07 23:48 - 2014-12-07 23:49 - 00000000 ____D () C:\Users\Yoda\Downloads\ARKs
2014-12-07 23:48 - 2014-12-07 23:48 - 00000000 ____D () C:\Users\Yoda\Downloads\Vba32 AntiRootkit
2014-12-07 23:09 - 2014-12-07 23:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2014-12-07 23:09 - 2014-12-07 23:09 - 00000000 ____D () C:\Program Files\Sophos
2014-12-07 22:34 - 2014-12-07 22:45 - 00001254 _____ () C:\Users\Yoda\Desktop\fsbl-20141208033408.log
2014-12-07 21:55 - 2014-12-07 23:10 - 00000000 ____D () C:\ProgramData\Sophos
2014-12-07 21:35 - 2014-12-07 21:35 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2014-12-07 21:35 - 2014-12-07 21:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2014-12-07 21:34 - 2014-12-07 21:39 - 00000000 ____D () C:\Program Files\WinRAR
2014-12-07 21:13 - 2014-12-07 21:13 - 00465298 _____ () C:\Users\Yoda\Downloads\RootRepeal.rar
2014-12-06 17:56 - 2014-12-31 09:05 - 00000394 _____ () C:\Windows\Tasks\WpsUpdateTask_Yoda.job
2014-12-06 02:19 - 2014-12-06 02:58 - 00000000 ____D () C:\System Recovery
2014-12-04 16:59 - 2014-12-04 17:26 - 00010508 _____ () C:\Users\Yoda\Desktop\FIREFOX.txt
2014-12-04 08:30 - 2014-12-29 20:36 - 00000000 ____D () C:\Windows\CryptoGuard
2014-12-04 08:30 - 2014-12-04 08:30 - 00477008 _____ (SurfRight) C:\Windows\system32\hmpalert.dll
2014-12-04 08:30 - 2014-12-04 08:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
2014-12-04 08:29 - 2014-12-04 08:29 - 00075640 _____ () C:\Windows\system32\Drivers\hmpalert.sys
2014-12-04 08:29 - 2014-12-04 08:29 - 00000000 ____D () C:\Program Files\HitmanPro.Alert
2014-12-04 07:55 - 2014-12-04 08:04 - 00000000 ___RD () C:\Users\Yoda\Desktop\MOReXe
2014-12-03 05:48 - 2014-12-03 05:51 - 74988114 _____ () C:\Users\Yoda\Downloads\Flite Test _ FT Mini Scout _ BUILD (Mighty Minis).3gp
2014-12-03 03:46 - 2014-12-03 03:52 - 166503020 _____ () C:\Users\Yoda\Downloads\Flite Test _ DIY Micro 5.8Ghz FPV.mp4

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-31 09:42 - 2014-11-24 19:13 - 00000000 ____D () C:\FRST
2014-12-31 09:40 - 2006-11-02 07:47 - 00003168 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-31 09:40 - 2006-11-02 07:47 - 00003168 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-31 09:07 - 2014-11-28 11:32 - 00000394 _____ () C:\Windows\Tasks\WpsNotifyTask_Yoda.job
2014-12-31 07:44 - 2014-02-22 14:57 - 01462916 _____ () C:\Windows\WindowsUpdate.log
2014-12-31 07:41 - 2014-02-03 19:40 - 00000000 ____D () C:\Toolwiz
2014-12-31 07:40 - 2006-11-02 08:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-31 07:40 - 2006-11-02 07:37 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-12-30 15:42 - 2014-08-22 00:09 - 00000000 ____D () C:\Program Files\PeerBlock
2014-12-30 01:07 - 2014-11-21 23:13 - 00000000 ____D () C:\Users\Yoda\AppData\Local\CrashDumps
2014-12-29 21:07 - 2014-03-19 16:56 - 00000000 ____D () C:\Users\Yoda\AppData\Local\PrivaZer
2014-12-29 20:41 - 2006-11-02 08:01 - 00032614 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-29 20:40 - 2014-02-03 08:58 - 00000000 ____D () C:\AdwCleaner
2014-12-29 07:35 - 2014-11-24 04:15 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\360safe
2014-12-29 07:13 - 2014-04-05 03:24 - 00000000 ___RD () C:\Users\Yoda\Desktop\FiLMZ
2014-12-28 14:47 - 2014-02-24 12:28 - 00000000 ____D () C:\Qoobox
2014-12-28 14:41 - 2006-11-02 05:23 - 00000215 _____ () C:\Windows\system.ini
2014-12-28 11:42 - 2014-02-24 12:26 - 05603624 ____R (Swearware) C:\Users\Yoda\Desktop\ComboFix.exe
2014-12-28 07:07 - 2014-02-03 03:00 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\vlc
2014-12-28 04:34 - 2014-04-08 13:41 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Camfrog
2014-12-27 23:28 - 2014-11-20 00:45 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Registry_Alert
2014-12-24 02:27 - 2014-11-19 09:54 - 00000000 ___RD () C:\Users\Yoda\Desktop\EEK
2014-12-21 01:44 - 2014-04-16 15:34 - 00000000 ____D () C:\Users\Yoda\AppData\Local\ToolwizCareFree
2014-12-18 16:59 - 2014-05-19 21:00 - 00000000 ____D () C:\Program Files\Glary Utilities 5
2014-12-18 15:24 - 2014-03-19 16:56 - 00001682 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PrivaZer.lnk
2014-12-18 15:24 - 2014-03-19 16:56 - 00000000 ____D () C:\Program Files\PrivaZer
2014-12-18 03:22 - 2014-02-02 23:15 - 00000000 ___RD () C:\Users\Yoda\Desktop\Of Rare Use
2014-12-16 20:30 - 2014-02-04 09:42 - 00000000 ____D () C:\Windows\Minidump
2014-12-16 20:27 - 2014-02-02 20:39 - 00000651 _____ () C:\Users\Yoda\Desktop\MS Crash.txt
2014-12-16 20:08 - 2014-05-29 16:34 - 00030976 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-12-16 19:55 - 2014-08-22 00:06 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-16 00:38 - 2014-02-02 21:39 - 00000000 ____D () C:\Users\Yoda\AppData\Local\Adobe
2014-12-16 00:37 - 2014-02-02 22:04 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-12-16 00:37 - 2014-02-02 22:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-12-14 06:12 - 2014-02-02 20:25 - 00000000 ____D () C:\Users\Yoda
2014-12-13 08:31 - 2014-11-24 04:15 - 00000000 ____D () C:\ProgramData\360SD
2014-12-13 07:03 - 2014-02-04 21:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
2014-12-13 07:03 - 2014-02-04 21:13 - 00000000 ____D () C:\Program Files\Comodo
2014-12-12 09:14 - 2014-02-22 13:22 - 00000000 ____D () C:\Users\Yoda\AppData\Local\Opera Software
2014-12-11 12:40 - 2006-11-02 05:23 - 00002577 _____ () C:\Windows\system32\config.nt
2014-12-11 12:40 - 2006-11-02 05:23 - 00001688 _____ () C:\Windows\system32\autoexec.nt
2014-12-11 10:18 - 2014-02-02 23:17 - 00000000 ____D () C:\ProgramData\Norton
2014-12-11 07:09 - 2014-02-22 12:54 - 00000000 ____D () C:\Users\Yoda\Documents\PrintScreen Files
2014-12-10 02:50 - 2007-05-08 16:38 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-12-09 01:18 - 2014-05-19 21:00 - 00000889 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 5.lnk
2014-12-09 01:18 - 2014-05-19 21:00 - 00000318 _____ () C:\Windows\Tasks\GlaryInitialize 5.job
2014-12-07 21:16 - 2014-11-24 04:15 - 00000000 _RSHD () C:\360SANDBOX
2014-12-06 03:28 - 2007-05-08 16:23 - 00000000 ____D () C:\Windows\SMINST
2014-12-06 00:52 - 2006-11-02 05:23 - 00002022 _____ () C:\Windows\system32\Drivers\etc\hosts_bak_369
2014-12-03 02:38 - 2014-11-20 00:44 - 00000000 ____D () C:\Program Files\Registry Alerts
2014-12-03 02:37 - 2014-11-20 00:44 - 00000000 ____D () C:\Users\Yoda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Registry Alert
2014-12-03 02:35 - 2006-11-02 05:33 - 00703388 _____ () C:\Windows\system32\PerfStringBackup.INI

Files to move or delete:
====================
C:\ProgramData\SMRResults430.dat


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Microsoft Windows Vista
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \Windows
resumeobject            {8c384824-6ff0-11db-8455-0016d303c84f}
nx                      OptIn
bootlog                 No

Resume from Hibernate
---------------------
identifier              {8c384824-6ff0-11db-8455-0016d303c84f}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
pae                     Yes
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=C:
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}



LastRegBack: 2014-12-31 07:47

==================== End Of Log ============================
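As an added example that is not part of this thread or of FRST itself: a small Python parser that reads the "Bamital & volsnap Check" section of an FRST log in the format shown above and lists every critical system file whose verdict is anything other than "File is digitally signed", so an analyst can focus on the entries FRST could not verify (the sample log and its one altered verdict are constructed for the example).

```python
import re

# Constructed sample in the same layout as the FRST log above. The volsnap.sys
# line carries a made-up non-passing verdict so the filter has something to flag.
SAMPLE_LOG = """\
==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\\Windows\\explorer.exe => File is digitally signed
C:\\Windows\\system32\\winlogon.exe => File is digitally signed
C:\\Windows\\system32\\services.exe => File is digitally signed
C:\\Windows\\system32\\Drivers\\volsnap.sys => ATTENTION: file could not be verified

==================== BCD ================================
"""

# FRST section headers look like "==================== Name ================".
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# Entries look like "C:\path\file.exe => verdict text".
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

PASS_VERDICT = "File is digitally signed"   # the only passing verdict seen on this page


def parse_bamital_section(log_text):
    """Return {path: verdict} for the entries of the 'Bamital & volsnap Check' section."""
    entries = {}
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            # Stay inside the section only until the next header starts.
            in_section = header.group("name") == "Bamital & volsnap Check"
            continue
        if not in_section:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries[entry.group("path")] = entry.group("verdict")
    return entries


def files_needing_attention(log_text):
    """List (path, verdict) for every file FRST did not report as digitally signed."""
    return [(path, verdict) for path, verdict in parse_bamital_section(log_text).items()
            if verdict != PASS_VERDICT]


if __name__ == "__main__":
    for path, verdict in files_needing_attention(SAMPLE_LOG):
        print(f"check manually: {path}  ({verdict})")
```

Any verdict other than the passing one is reported rather than interpreted, since FRST itself states there is no automatic fix for files that fail verification.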



#13 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:20 PM

Posted 02 January 2015 - 08:36 AM

Not seeing anything alarming from your log. Please run GMER by following the instructions. I want to see exactly what GMER showed you.

Delete the existing copy of GMER (if any), and download a new copy here.

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Extract the contents of the zipped file to desktop (applicable only to the Zip mirror).
  • Double click the GMER icon (the randomly named file or gmer.exe) on your desktop.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may donate.

#14 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:20 PM

Posted 02 January 2015 - 08:36 AM

Happy New Year by the way. :thumbsup:


Edited by Conspire, 02 January 2015 - 08:37 AM.


#15 Vomit_Soup

Vomit_Soup
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 02 January 2015 - 09:31 PM

Happy New Year by the way. :thumbsup:

  :)  HAPPY NEW YEAR 2015 (y)
