files/folders acting weird (inc MBAM), system32 (&wow64) mods, Russian Keybrd


14 replies to this topic

#1 Chingtrong


Posted 04 January 2015 - 12:11 AM

Hi,

I have found some strange behavior and I have run multiple malware scanners (Malwarebytes (inc. rootkit), TDSSKiller, Emsisoft, a Linux-booting Windows scan tool, SUPERAntiSpyware, etc.) but haven't found the root of the problem.

The odd behavior includes:

Files in Task Manager are showing up as *32 where they weren't originally. I believe the files and folders are being moved or copied into my WOW64 folder, perhaps because portions of the malware are geared toward exploiting 32-bit Windows? This includes Malwarebytes and Flash Player.

Multiple instances of the same program running in Task Manager (two Adobe Flash Players, e.g.), and wscsvc.exe, which I read could be a trojan (I stopped the program before running the attached logs; I can reboot and run DDS again if needed).

Windows Remote Desktop keeps re-enabling (during the same logon session) even though I keep stopping and disabling it through Computer Management.

Malwarebytes keeps popping open after being closed, and although I have scanned with it multiple times in the last 2 weeks it says a scan has never been run on my system. As a new development, Malwarebytes crashed an hour ago (right around the time I did the DDS logs, I believe it was after), and now it is running in Task Manager but there is no window open, and when I click "open file location" nothing happens.

There are duplicate entries in my Device Manager: 2 ACPI thermal zone, 2 HD audio device, 2 HD audio controller, 6 PCI host CPU bridge, 4 PCI-PCI bridge, 4 wifi adapters. There is also an unknown PCI device with no drivers and no information in its "properties."

A Russian keyboard and other Russian software has been downloaded. Files and folders I have not accessed have been created, viewed, and modified all over my C: drive, but I am the only user of this PC. I've been poring over tons of files, but I am fairly sure folders that are full of suspicious .dll, .exe, and obscure file types one day will often be completely empty the next (not talking about temp files, of course).

I checked your rootkit list, and I at some point ran across a weirdly named print spooler in /system32 but I can't find it now; also win32k.sys is in /system32 (you list it as a rootkit if found in the /windows folder; maybe it's supposed to be here?).

On one occasion last week I found a suspicious file name referenced in a file (while viewing in Notepad++, as below). I then typed the file name into Google and got several results about a virus called Mal/ *can't remember* -C. However, within a minute of finding this, Notepad++ and Firefox had BOTH closed without an error message. Very, very suspicious.

I opened many suspicious files in essential system folders (e.g. system32, created or modified since the problems started) with Notepad++ and found they were mostly full of gibberish (binary or encryption?). But after changing the encoding on some and removing thousands of "NUL" characters I found some legible stuff. In many instances, the legible portion of code suggests these files are geared at circumventing Windows security and modifying my machine. These files make repeated reference to Remote Desktop, setting up and modifying a proxy, doing things in the registry, authentication and credentials (that fail more than they succeed). Then again, I have no idea what I'm looking at. I've attached an additional text file, Weird_Files_Sample.txt, in case this might help confirm the infection or suggest the type of malware. It may be completely normal, in which case I'm sorry, and ignore it.

Please help!!

 

DDS LOG:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by Sexy Sarah at 16:01:51 on 2015-01-03
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2811.883 [GMT -8:00]
.
AV: Panda Free Antivirus *Disabled/Updated* {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
SP: Panda Free Antivirus *Disabled/Updated* {8F3797EF-DB90-F073-3C72-40C753554CD1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Panda Firewall *Disabled* {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Chingletron\mbamscheduler.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\mmc.exe
C:\Windows\regedit.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files (x86)\Chingletron\mbam.exe
C:\Program Files (x86)\WinRAR\WinRAR.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
mStart Page = www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
TB: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [PSUAMain] "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
mRun: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
mRun: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
mRun: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60
StartupFolder: C:\Users\SEXYSA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~2.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Clip bookmark - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=0
IE: Clip image - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office15\EXCEL.EXE/3000
IE: LastPass - C:\Users\Sexy Sarah\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - C:\Users\Sexy Sarah\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: New note - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\NewNote.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{478C09F5-5C5E-4C2E-93C1-9A947AB85CAA} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{478C09F5-5C5E-4C2E-93C1-9A947AB85CAA}\371627168616E646B61647 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{478C09F5-5C5E-4C2E-93C1-9A947AB85CAA}\F4F5F6 : DHCPNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
TCP: Interfaces\{A8B49CE0-70A1-4E53-ACEE-FABCA85890AC} : DHCPNameServer = 209.222.18.222 209.222.18.218
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = www.google.com
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-TB: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll
x64-TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\AddNote.html
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=282369&p=
FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass64.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2014-12-29 26176]
R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2014-12-29 45208]
R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2014-12-29 23088]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2014-7-22 172344]
R2 a2AntiMalware;Emsisoft Protection Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2014-12-29 4907232]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Chingletron\mbamscheduler.exe [2014-12-29 1871160]
R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2014-12-29 71472]
R3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-12-29 57024]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-12-29 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-12-20 129752]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-3-14 726160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Chingletron\mbamservice.exe [2014-12-29 969016]
S3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2013-4-12 139592]
S3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2013-4-12 418632]
S3 b06diag;Broadcom NetXtreme II Diag Driver;C:\Windows\System32\drivers\bxdiaga.sys [2013-3-14 88104]
S3 BFN7x64;Bigfoot Networks Killer Gaming Service;C:\Windows\System32\drivers\Xeno7x64.sys [2013-3-14 157288]
S3 bxfcoe;bxfcoe;C:\Windows\System32\drivers\bxfcoe.sys [2013-3-14 178216]
S3 bxois;bxois;C:\Windows\System32\drivers\bxois.sys [2013-3-14 539176]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2013-2-27 65152]
S3 EtronSTOR;Etron Enhance USB BOT/UASP Mass Storage Driver;C:\Windows\System32\drivers\EtronSTOR.sys [2013-2-27 32512]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2013-2-27 88832]
S3 ioatdma1;ioatdma1;C:\Windows\System32\drivers\qd162x64.sys [2013-3-14 40144]
S3 ioatdma2;Intel® QuickData Technology device ver.2;C:\Windows\System32\drivers\qd262x64.sys [2013-3-14 42192]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-4-12 366216]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-4-12 786056]
S3 massfilter_hs;HS HandSet Mass Storage Filter Driver;C:\Windows\System32\drivers\massfilter_hs.sys [2014-11-4 18456]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-12-29 63704]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2013-2-27 96768]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2013-2-27 213504]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-14 19456]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-9-14 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-9-14 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-9-14 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-9-14 1255736]
S3 zghsdiag;ZTE General Handset Diagnostic Port;C:\Windows\System32\drivers\zghsdiag.sys [2014-11-4 129432]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;C:\Windows\System32\drivers\zghsmdm.sys [2014-11-4 129432]
S3 zghsnmea;ZTE General Handset NMEA Port;C:\Windows\System32\drivers\zghsnmea.sys [2014-11-4 129432]
S4 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-20 114688]
.
=============== Created Last 30 ================
.
2014-12-31 17:34:09    --------    d-sh--w-    C:\found.001
2014-12-30 05:37:34    --------    d-----w-    C:\ProgramData\Emsisoft
2014-12-30 04:45:21    701616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-12-30 04:45:20    71344    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-30 03:55:20    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-12-30 03:25:20    305832    ----a-w-    C:\Windows\System32\drivers\tmcomm.sys
2014-12-30 03:25:20    193544    ----a-w-    C:\Windows\System32\drivers\tmrkb.sys
2014-12-30 00:14:52    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Roaming\SUPERAntiSpyware.com
2014-12-30 00:14:33    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2014-12-30 00:14:33    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2014-12-30 00:07:33    --------    d-----w-    C:\Program Files (x86)\Emsisoft Anti-Malware
2014-12-29 20:11:42    93400    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-12-29 20:11:42    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-12-29 20:11:42    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-12-29 20:11:41    --------    d-----w-    C:\Program Files (x86)\Chingletron
2014-12-26 20:46:00    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\ElevatedDiagnostics
2014-12-23 16:46:11    11870360    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8FFE0610-9D4E-47C3-B38F-F95FE433EC03}\mpengine.dll
2014-12-23 10:03:46    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\Evernote
2014-12-23 10:02:39    --------    d-----w-    C:\Program Files (x86)\Evernote
2014-12-23 09:51:42    133152    ----a-w-    C:\Windows\System32\drivers\pwipf6.sys
2014-12-23 09:50:29    --------    d-----w-    C:\ProgramData\Privacyware
2014-12-23 09:50:28    --------    d-----w-    C:\Program Files (x86)\Privacyware
2014-12-23 09:44:13    14147584    ----a-w-    C:\Program Files (x86)\Common Files\lpuninstall.exe
2014-12-23 09:38:17    --------    d-----w-    C:\Program Files (x86)\LastPass
2014-12-23 09:38:12    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Roaming\Local
2014-12-23 09:35:21    --------    d-----w-    C:\ProgramData\panda_url_filtering
2014-12-23 09:35:19    --------    d-----w-    C:\ProgramData\Panda Security URL Filtering
2014-12-23 09:34:47    60400    ----a-w-    C:\Windows\System32\drivers\PSKMAD.sys
2014-12-23 09:34:34    --------    d-----w-    C:\Program Files (x86)\pandasecuritytb
2014-12-23 09:34:29    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Roaming\Panda Security
2014-12-23 09:33:16    --------    d-----w-    C:\Program Files (x86)\Panda Security
2014-12-23 09:30:48    --------    d-----w-    C:\ProgramData\Panda Security
2014-12-22 19:54:28    34072    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
2014-12-22 19:54:28    25759344    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\xul.dll
2014-12-22 18:45:13    115712    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-12-21 21:38:24    --------    d--h--w-    C:\ProgramData\Common Files
2014-12-21 21:38:24    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\MFAData
2014-12-21 21:38:24    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\Avg2015
2014-12-21 21:38:24    --------    d-----w-    C:\ProgramData\MFAData
2014-12-21 21:30:00    3209728    ----a-w-    C:\Windows\SysWow64\mf.dll
2014-12-21 21:29:58    4121600    ----a-w-    C:\Windows\System32\mf.dll
2014-12-21 03:54:12    1424384    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2014-12-21 03:54:11    1230336    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2014-12-21 03:46:00    165888    ----a-w-    C:\Windows\System32\charmap.exe
2014-12-21 03:46:00    155136    ----a-w-    C:\Windows\SysWow64\charmap.exe
2014-12-21 03:45:59    346624    ----a-w-    C:\Windows\System32\WSManMigrationPlugin.dll
2014-12-21 03:45:59    310272    ----a-w-    C:\Windows\System32\WsmWmiPl.dll
2014-12-21 03:45:59    266240    ----a-w-    C:\Windows\System32\WSManHTTPConfig.exe
2014-12-21 03:45:59    248832    ----a-w-    C:\Windows\SysWow64\WSManMigrationPlugin.dll
2014-12-21 03:45:59    2020352    ----a-w-    C:\Windows\System32\WsmSvc.dll
2014-12-21 03:45:59    181248    ----a-w-    C:\Windows\System32\WsmAuto.dll
2014-12-21 03:45:59    1177088    ----a-w-    C:\Windows\SysWow64\WsmSvc.dll
2014-12-21 03:45:58    214016    ----a-w-    C:\Windows\SysWow64\WsmWmiPl.dll
2014-12-21 03:45:58    198656    ----a-w-    C:\Windows\SysWow64\WSManHTTPConfig.exe
2014-12-21 03:45:58    145920    ----a-w-    C:\Windows\SysWow64\WsmAuto.dll
2014-12-21 03:45:53    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2014-12-21 03:45:53    2048    ----a-w-    C:\Windows\System32\tzres.dll
2014-12-21 01:53:12    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-21 01:23:13    --------    d-sh--w-    C:\Users\Sexy Sarah\AppData\Local\EmieBrowserModeList
2014-12-20 22:44:19    --------    d-----w-    C:\Program Files (x86)\WinDirStat
2014-12-20 21:37:03    --------    d-----w-    C:\ProgramData\Spybot - Search & Destroy
2014-12-20 21:36:58    --------    d-----w-    C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-12-20 20:44:11    129752    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-12-20 20:43:55    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-12-20 20:43:55    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-20 20:43:21    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\Programs
2014-12-17 21:46:12    144384    ----a-w-    C:\Windows\System32\ieUnatt.exe
.
==================== Find3M  ====================
.
2014-12-21 04:00:15    17930928    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2014-11-24 22:04:56    275080    ------w-    C:\Windows\System32\MpSigStub.exe
2014-11-22 03:06:23    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39    66560    ----a-w-    C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10    580096    ----a-w-    C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20    88064    ----a-w-    C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:29    114688    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51    814080    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07    6039552    ----a-w-    C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31    968704    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16    77824    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43    501248    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17    62464    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32    47616    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02    64000    ----a-w-    C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30    620032    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10    1359360    ----a-w-    C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58    2125312    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04    60416    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26    4299264    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21    2358272    ----a-w-    C:\Windows\System32\wininet.dll
2014-11-22 01:22:49    2052096    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57    1155072    ----a-w-    C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20    1888256    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-11-19 04:47:48    1247904    ----a-w-    C:\Windows\SysWow64\FM20.DLL
2014-11-11 03:08:52    241152    ----a-w-    C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48    728064    ----a-w-    C:\Windows\System32\kerberos.dll
2014-11-11 02:44:32    186880    ----a-w-    C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25    550912    ----a-w-    C:\Windows\SysWow64\kerberos.dll
2014-11-11 01:46:26    119296    ----a-w-    C:\Windows\System32\drivers\tdx.sys
2014-10-25 01:57:59    77824    ----a-w-    C:\Windows\System32\packager.dll
2014-10-25 01:32:37    67584    ----a-w-    C:\Windows\SysWow64\packager.dll
2014-10-18 02:05:23    861696    ----a-w-    C:\Windows\System32\oleaut32.dll
2014-10-18 01:33:18    571904    ----a-w-    C:\Windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37    155064    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06    683520    ----a-w-    C:\Windows\System32\termsrv.dll
2014-10-14 02:13:00    3241984    ----a-w-    C:\Windows\System32\msi.dll
2014-10-14 02:12:57    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31    146432    ----a-w-    C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31    681984    ----a-w-    C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41    2363904    ----a-w-    C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30    146432    ----a-w-    C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02    681984    ----a-w-    C:\Windows\SysWow64\adtschema.dll
2014-10-13 20:04:37    107792    ----a-w-    C:\Windows\System32\drivers\PSINReg.sys
2014-10-13 20:04:36    163088    ----a-w-    C:\Windows\System32\drivers\PSINAflt.sys
2014-10-13 20:04:36    121616    ----a-w-    C:\Windows\System32\drivers\PSINFile.sys
2014-10-10 00:57:42    3198976    ----a-w-    C:\Windows\System32\win32k.sys
.
============= FINISH: 16:02:44.63 ===============
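
The symptoms in the post above (Remote Desktop re-enabling, *32 processes, duplicate Device Manager entries, an unknown PCI device, doubts about win32k.sys) can each be checked from an elevated PowerShell prompt without changing anything. The script below is an added example written for this thread, not something from the original post or from BleepingComputer's helpers; it assumes 64-bit Windows 7 or later and uses only built-in cmdlets and sfc.exe. For context: Task Manager's *32 suffix simply marks any 32-bit process on 64-bit Windows, and win32k.sys lives in System32 on every Windows build, so its presence there is expected and only its integrity needs verifying.

```powershell
# Added example (not from the thread): read-only checks for the symptoms described above.
# Run from an elevated 64-bit PowerShell prompt. Nothing here modifies the system.

# 1. Remote Desktop state. fDenyTSConnections = 1 means RDP is disabled, 0 means enabled.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$svc = Get-Service -Name TermService
"RDP enabled in registry: {0}; TermService status: {1}; start type: {2}" -f `
    ($ts.fDenyTSConnections -eq 0), $svc.Status, (Get-WmiObject Win32_Service -Filter "Name='TermService'").StartMode

# 2. Processes that run more than once, with every distinct image path they were started from.
#    Several copies of the same image are normal for browsers and plugin containers; what matters
#    is whether each path is one you recognise (32-bit images normally sit under
#    'Program Files (x86)' or SysWOW64, which is all the '*32' suffix indicates).
Get-Process | Where-Object { $_.Path } |
    Group-Object Name | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $paths = ($_.Group | Select-Object -ExpandProperty Path | Select-Object -Unique) -join '; '
        "{0} x{1}: {2}" -f $_.Name, $_.Count, $paths
    }

# 3. Integrity of win32k.sys. Get-AuthenticodeSignature only sees embedded signatures and reports
#    catalog-signed Windows files as NotSigned on older PowerShell, so ask the System File Checker
#    (which uses the catalogs) to verify this one file instead. Requires elevation.
& "$env:windir\System32\sfc.exe" "/verifyfile=$env:windir\System32\win32k.sys"

# 4. Device Manager: duplicate entries by name, and devices with no driver installed
#    (ConfigManagerErrorCode 28 = "The drivers for this device are not installed").
#    Multiple PCI bridges and thermal zones are normal on many boards; unknown devices are not.
$devs = Get-WmiObject Win32_PnPEntity
"--- duplicate device names ---"
$devs | Group-Object Name | Where-Object { $_.Count -gt 1 } | Sort-Object Count -Descending |
    ForEach-Object { "{0} x{1}" -f $_.Name, $_.Count }
"--- devices without a driver ---"
$devs | Where-Object { $_.ConfigManagerErrorCode -eq 28 } |
    Select-Object Name, DeviceID, Status | Format-Table -AutoSize
```

If check 1 reports RDP enabled after it was disabled in Computer Management, the useful next step for a helper is to find out what re-enables it (a scheduled task, service or startup item), which is exactly the information the DDS log and the requested follow-up logs are meant to surface.
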
#2 HelpBot


Posted 09 January 2015 - 12:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/562016 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:26 PM

Posted 10 January 2015 - 12:15 PM

Hi,
 
I very much still need help! For a little background that might be relevant, I bought this computer from a friend who said his hard drive crashed and he had to buy a new one. Apparently, if he was telling the truth about that, he reinstalled a copy of windows 7 that "isn't genuine" or didn't put the right product key in when he reinstalled. Everything was fine for the past year that I've had it, until I tweaked some windows settings and now it is saying "windows 7 is not genuine" on my desktop and when I power up the computer. I plan to install linux on this fairly soon anyway, but I am concerned that his malware may be hiding in bios and/or the hardware. I know most malware doesn't cross OS platforms, but this thing looks pretty damn sophisticated to my untrained eye, and I'd rather be safe than sorry. Also, I would ideally like to save many of the files and programs I have on here to run in a virtual machine or with WINE once I get linux up and running, so I would very much appreciate some help removing this virus. I also am very interested in computer security, so if you feel like it I would love to get some explanations of what you gather from these logs (and how you interpret them), and then what to do about it (and why). The big priority is getting this damn rootkit/backdoor/trojan out of here though so no worries if you would rather keep this brief - I'll follow any instructions to a "T" and keep my questions to a minimum, if you prefer. Here are the logs:
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17496
Run by Sexy Sarah at 8:53:07 on 2015-01-10
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.2811.1725 [GMT -8:00]
.
AV: Panda Free Antivirus *Disabled/Updated* {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
SP: Panda Free Antivirus *Disabled/Updated* {8F3797EF-DB90-F073-3C72-40C753554CD1}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Panda Firewall *Disabled* {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
mStart Page = www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL
BHO: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
TB: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [PSUAMain] "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
mRun: [Panda Security URL Filtering] "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
mRun: [Privatefirewall] C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
mRun: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60
StartupFolder: C:\Users\SEXYSA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~2.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Clip bookmark - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=0
IE: Clip image - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office15\EXCEL.EXE/3000
IE: LastPass - C:\Users\Sexy Sarah\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - C:\Users\Sexy Sarah\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: New note - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\NewNote.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{478C09F5-5C5E-4C2E-93C1-9A947AB85CAA} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{478C09F5-5C5E-4C2E-93C1-9A947AB85CAA}\371627168616E646B61647 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{478C09F5-5C5E-4C2E-93C1-9A947AB85CAA}\F4F5F6 : DHCPNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
TCP: Interfaces\{A8B49CE0-70A1-4E53-ACEE-FABCA85890AC} : DHCPNameServer = 209.222.18.222 209.222.18.218
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = www.google.com
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-TB: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll
x64-TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\AddNote.html
x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=282369&p=
FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass64.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2014-12-29 26176]
R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2014-12-29 45208]
R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2014-12-29 23088]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2014-7-22 172344]
R2 a2AntiMalware;Emsisoft Protection Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2014-12-29 4907232]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2014-12-29 71472]
R3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-12-29 57024]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-12-29 25816]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-3-14 726160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 MBAMScheduler;MBAMScheduler;"C:\Program Files (x86)\Chingletron\mbamscheduler.exe" --> C:\Program Files (x86)\Chingletron\mbamscheduler.exe [?]
S2 MBAMService;MBAMService;"C:\Program Files (x86)\Chingletron\mbamservice.exe" --> C:\Program Files (x86)\Chingletron\mbamservice.exe [?]
S3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2013-4-12 139592]
S3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2013-4-12 418632]
S3 b06diag;Broadcom NetXtreme II Diag Driver;C:\Windows\System32\drivers\bxdiaga.sys [2013-3-14 88104]
S3 BFN7x64;Bigfoot Networks Killer Gaming Service;C:\Windows\System32\drivers\Xeno7x64.sys [2013-3-14 157288]
S3 bxfcoe;bxfcoe;C:\Windows\System32\drivers\bxfcoe.sys [2013-3-14 178216]
S3 bxois;bxois;C:\Windows\System32\drivers\bxois.sys [2013-3-14 539176]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2013-2-27 65152]
S3 EtronSTOR;Etron Enhance USB BOT/UASP Mass Storage Driver;C:\Windows\System32\drivers\EtronSTOR.sys [2013-2-27 32512]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2013-2-27 88832]
S3 ioatdma1;ioatdma1;C:\Windows\System32\drivers\qd162x64.sys [2013-3-14 40144]
S3 ioatdma2;Intel® QuickData Technology device ver.2;C:\Windows\System32\drivers\qd262x64.sys [2013-3-14 42192]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2013-4-12 366216]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2013-4-12 786056]
S3 massfilter_hs;HS HandSet Mass Storage Filter Driver;C:\Windows\System32\drivers\massfilter_hs.sys [2014-11-4 18456]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-12-20 129752]
S3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-12-29 63704]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2013-2-27 96768]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2013-2-27 213504]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-14 19456]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2013-9-14 29696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-9-14 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-9-14 30208]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-9-14 1255736]
S3 zghsdiag;ZTE General Handset Diagnostic Port;C:\Windows\System32\drivers\zghsdiag.sys [2014-11-4 129432]
S3 zghsmdm;ZTE General Handset USB Modem Proprietary;C:\Windows\System32\drivers\zghsmdm.sys [2014-11-4 129432]
S3 zghsnmea;ZTE General Handset NMEA Port;C:\Windows\System32\drivers\zghsnmea.sys [2014-11-4 129432]
S4 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-20 114688]
.
=============== Created Last 30 ================
.
2014-12-31 17:34:09    --------    d-sh--w-    C:\found.001
2014-12-30 05:37:34    --------    d-----w-    C:\ProgramData\Emsisoft
2014-12-30 04:45:21    701616    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-12-30 04:45:20    71344    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-30 03:55:20    --------    d-----w-    C:\TDSSKiller_Quarantine
2014-12-30 03:25:20    305832    ----a-w-    C:\Windows\System32\drivers\tmcomm.sys
2014-12-30 03:25:20    193544    ----a-w-    C:\Windows\System32\drivers\tmrkb.sys
2014-12-30 00:14:52    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Roaming\SUPERAntiSpyware.com
2014-12-30 00:14:33    --------    d-----w-    C:\ProgramData\SUPERAntiSpyware.com
2014-12-30 00:14:33    --------    d-----w-    C:\Program Files\SUPERAntiSpyware
2014-12-30 00:07:33    --------    d-----w-    C:\Program Files (x86)\Emsisoft Anti-Malware
2014-12-29 20:11:42    93400    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-12-29 20:11:42    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-12-29 20:11:42    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-12-29 20:11:41    --------    d-----w-    C:\Program Files (x86)\Malware Bytes
2014-12-26 20:46:00    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\ElevatedDiagnostics
2014-12-23 16:46:11    11870360    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{8FFE0610-9D4E-47C3-B38F-F95FE433EC03}\mpengine.dll
2014-12-23 10:03:46    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\Evernote
2014-12-23 10:02:39    --------    d-----w-    C:\Program Files (x86)\Evernote
2014-12-23 09:51:42    133152    ----a-w-    C:\Windows\System32\drivers\pwipf6.sys
2014-12-23 09:50:29    --------    d-----w-    C:\ProgramData\Privacyware
2014-12-23 09:50:28    --------    d-----w-    C:\Program Files (x86)\Privacyware
2014-12-23 09:44:13    14147584    ----a-w-    C:\Program Files (x86)\Common Files\lpuninstall.exe
2014-12-23 09:38:17    --------    d-----w-    C:\Program Files (x86)\LastPass
2014-12-23 09:38:12    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Roaming\Local
2014-12-23 09:35:21    --------    d-----w-    C:\ProgramData\panda_url_filtering
2014-12-23 09:35:19    --------    d-----w-    C:\ProgramData\Panda Security URL Filtering
2014-12-23 09:34:47    60400    ----a-w-    C:\Windows\System32\drivers\PSKMAD.sys
2014-12-23 09:34:34    --------    d-----w-    C:\Program Files (x86)\pandasecuritytb
2014-12-23 09:34:29    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Roaming\Panda Security
2014-12-23 09:33:16    --------    d-----w-    C:\Program Files (x86)\Panda Security
2014-12-23 09:30:48    --------    d-----w-    C:\ProgramData\Panda Security
2014-12-22 19:54:28    34072    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
2014-12-22 19:54:28    25759344    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\xul.dll
2014-12-22 18:45:13    115712    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-12-21 21:38:24    --------    d--h--w-    C:\ProgramData\Common Files
2014-12-21 21:38:24    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\MFAData
2014-12-21 21:38:24    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\Avg2015
2014-12-21 21:38:24    --------    d-----w-    C:\ProgramData\MFAData
2014-12-21 21:30:00    3209728    ----a-w-    C:\Windows\SysWow64\mf.dll
2014-12-21 21:29:58    4121600    ----a-w-    C:\Windows\System32\mf.dll
2014-12-21 03:54:12    1424384    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2014-12-21 03:54:11    1230336    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2014-12-21 03:46:00    165888    ----a-w-    C:\Windows\System32\charmap.exe
2014-12-21 03:46:00    155136    ----a-w-    C:\Windows\SysWow64\charmap.exe
2014-12-21 03:45:59    346624    ----a-w-    C:\Windows\System32\WSManMigrationPlugin.dll
2014-12-21 03:45:59    310272    ----a-w-    C:\Windows\System32\WsmWmiPl.dll
2014-12-21 03:45:59    266240    ----a-w-    C:\Windows\System32\WSManHTTPConfig.exe
2014-12-21 03:45:59    248832    ----a-w-    C:\Windows\SysWow64\WSManMigrationPlugin.dll
2014-12-21 03:45:59    2020352    ----a-w-    C:\Windows\System32\WsmSvc.dll
2014-12-21 03:45:59    181248    ----a-w-    C:\Windows\System32\WsmAuto.dll
2014-12-21 03:45:59    1177088    ----a-w-    C:\Windows\SysWow64\WsmSvc.dll
2014-12-21 03:45:58    214016    ----a-w-    C:\Windows\SysWow64\WsmWmiPl.dll
2014-12-21 03:45:58    198656    ----a-w-    C:\Windows\SysWow64\WSManHTTPConfig.exe
2014-12-21 03:45:58    145920    ----a-w-    C:\Windows\SysWow64\WsmAuto.dll
2014-12-21 03:45:53    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2014-12-21 03:45:53    2048    ----a-w-    C:\Windows\System32\tzres.dll
2014-12-21 01:53:12    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-21 01:23:13    --------    d-sh--w-    C:\Users\Sexy Sarah\AppData\Local\EmieBrowserModeList
2014-12-20 22:44:19    --------    d-----w-    C:\Program Files (x86)\WinDirStat
2014-12-20 21:37:03    --------    d-----w-    C:\ProgramData\Spybot - Search & Destroy
2014-12-20 21:36:58    --------    d-----w-    C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-12-20 20:44:11    129752    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-12-20 20:43:55    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-12-20 20:43:55    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-20 20:43:21    --------    d-----w-    C:\Users\Sexy Sarah\AppData\Local\Programs
2014-12-17 21:46:12    144384    ----a-w-    C:\Windows\System32\ieUnatt.exe
.
==================== Find3M  ====================
.
2014-12-21 04:00:15    17930928    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2014-11-24 22:04:56    275080    ------w-    C:\Windows\System32\MpSigStub.exe
2014-11-22 03:06:23    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39    66560    ----a-w-    C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10    580096    ----a-w-    C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20    88064    ----a-w-    C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:29    114688    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51    814080    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07    6039552    ----a-w-    C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31    968704    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16    77824    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43    501248    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17    62464    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32    47616    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02    64000    ----a-w-    C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30    620032    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10    1359360    ----a-w-    C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58    2125312    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04    60416    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26    4299264    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21    2358272    ----a-w-    C:\Windows\System32\wininet.dll
2014-11-22 01:22:49    2052096    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57    1155072    ----a-w-    C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20    1888256    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-11-19 04:47:48    1247904    ----a-w-    C:\Windows\SysWow64\FM20.DLL
2014-11-11 03:08:52    241152    ----a-w-    C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48    728064    ----a-w-    C:\Windows\System32\kerberos.dll
2014-11-11 02:44:32    186880    ----a-w-    C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25    550912    ----a-w-    C:\Windows\SysWow64\kerberos.dll
2014-11-11 01:46:26    119296    ----a-w-    C:\Windows\System32\drivers\tdx.sys
2014-10-25 01:57:59    77824    ----a-w-    C:\Windows\System32\packager.dll
2014-10-25 01:32:37    67584    ----a-w-    C:\Windows\SysWow64\packager.dll
2014-10-18 02:05:23    861696    ----a-w-    C:\Windows\System32\oleaut32.dll
2014-10-18 01:33:18    571904    ----a-w-    C:\Windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37    155064    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06    683520    ----a-w-    C:\Windows\System32\termsrv.dll
2014-10-14 02:13:00    3241984    ----a-w-    C:\Windows\System32\msi.dll
2014-10-14 02:12:57    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31    146432    ----a-w-    C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31    681984    ----a-w-    C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41    2363904    ----a-w-    C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30    146432    ----a-w-    C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02    681984    ----a-w-    C:\Windows\SysWow64\adtschema.dll
2014-10-13 20:04:37    107792    ----a-w-    C:\Windows\System32\drivers\PSINReg.sys
2014-10-13 20:04:36    163088    ----a-w-    C:\Windows\System32\drivers\PSINAflt.sys
2014-10-13 20:04:36    121616    ----a-w-    C:\Windows\System32\drivers\PSINFile.sys
.
============= FINISH:  8:54:20.16 ===============
 
 
 

Attached Files
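The DDS "SERVICES / DRIVERS" lines above carry the two details that matter most when reading such a log by hand: the image path each service points at, and a trailing "[?]" where DDS could not find that file on disk. The following is an added example, not part of the thread and not code from DDS or any of the tools named here. It parses a handful of lines copied verbatim from the log above and applies a small, constructed triage heuristic (the trusted-root list and the vendor hints are assumptions made for this example, not anything DDS defines). It reports entries whose binary is missing, whose image lives outside the usual install roots, or whose service name suggests a security product while the path does not point into that vendor's directory, which is exactly what stands out in the MBAMService and MBAMScheduler entries.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: five lines copied from the "SERVICES / DRIVERS"
# section of the DDS log posted above (nothing here is invented).
SAMPLE_DDS_SERVICES = r"""
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2014-7-22 172344]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-12-29 25816]
S2 MBAMScheduler;MBAMScheduler;"C:\Program Files (x86)\Chingletron\mbamscheduler.exe" --> C:\Program Files (x86)\Chingletron\mbamscheduler.exe [?]
S2 MBAMService;MBAMService;"C:\Program Files (x86)\Chingletron\mbamservice.exe" --> C:\Program Files (x86)\Chingletron\mbamservice.exe [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-9-14 19456]
"""

# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]"
# The bracket holds "?" when DDS could not find the file on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)\s\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str    # R = running, S = stopped; the digit is the start type
    name: str     # service key name as DDS printed it
    display: str
    path: str     # resolved image path (text after "-->", quotes removed)
    found: bool   # False when DDS printed "[?]"
    meta: str     # "<date> <size>" or "?"


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse DDS service/driver lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        image = m.group("image").strip()
        # DDS prints '"quoted ImagePath" --> resolved path' for quoted registry values
        if " --> " in image:
            image = image.split(" --> ")[-1]
        meta = m.group("meta").strip()
        entries.append(ServiceEntry(
            state=m.group("state"),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=image.strip().strip('"'),
            found=(meta != "?"),
            meta=meta,
        ))
    return entries


# Assumed heuristics for this example only: where service binaries normally live,
# and which vendor directory a service name prefix is expected to point into.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VENDOR_HINTS = {"mbam": "malwarebytes", "sas": "superantispyware", "a2": "emsisoft"}


def triage(entries: List[ServiceEntry]) -> List[Finding]:
    """Return the entries a reviewer would look at first, with the reason for each."""
    findings = []
    for e in entries:
        reasons = []
        p = e.path.lower()
        if not e.found:
            reasons.append("file not found on disk ([?]): service points at a missing binary")
        if not p.startswith(TRUSTED_ROOTS):
            reasons.append(f"image outside the usual install roots: {e.path}")
        key = e.name.lstrip("!").lower()
        for hint, vendor in VENDOR_HINTS.items():
            # Kernel drivers legitimately sit in System32\drivers, so only check .exe images
            if key.startswith(hint) and p.endswith(".exe") and vendor not in p:
                reasons.append(f"name suggests {vendor} but the path does not contain it: {e.path}")
        if reasons:
            findings.append(Finding(e.name, e.path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_dds_services(SAMPLE_DDS_SERVICES)):
        print(f.name)
        for r in f.reasons:
            print("   -", r)
```

Run as-is it reports only MBAMScheduler and MBAMService, each for two reasons: the "[?]" marker and a Malwarebytes-style service name whose image sits in a directory that is not Malwarebytes'. The heuristic deliberately stays coarse; its purpose is to surface the lines worth asking about, not to label anything malicious on its own.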



#4 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:26 PM

Posted 10 January 2015 - 12:19 PM

BTW,

 

I attached the first "attach" log file as a .txt file in my first post (I thought .rar was a "zipped" file, but wasn't allowed to upload it). Here is the ***First*** "attach" log file as a compressed .zip file:

Attached Files



#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:26 AM

Posted 12 January 2015 - 04:31 AM

Hello, Chingtrong
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.



Please take note of some guidelines for this fix:

  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the "Reply" button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.




Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
Regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#6 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • Local time:07:26 PM

Posted 12 January 2015 - 02:14 PM

Hi Tom,

 

Thanks for taking on my help request. I really appreciate what you guys are doing here on bleepingcomputer.com! I have read and understand all of the instructions, and I will follow all directions you give (including refraining from making any changes outside of the steps you tell me to follow).

 

Here is FRST.TXT:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015
Ran by Sexy Sarah (administrator) on SEXYSARAH-PC on 12-01-2015 11:03:06
Running from C:\Users\Sexy Sarah\Desktop\Learning Windows
Loaded Profile: Sexy Sarah (Available profiles: Sexy Sarah)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3053808 2013-04-24] (Synaptics Incorporated)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [37624 2014-10-16] (Panda Security, S.L.)
HKLM-x32\...\Run: [Panda Security URL Filtering] => "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
HKLM-x32\...\Run: [Privatefirewall] => C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe [3048480 2013-12-17] (Privacyware/PWI, Inc.)
HKLM-x32\...\Run: [emsisoft anti-malware] => c:\program files (x86)\emsisoft anti-malware\a2guard.exe [4954576 2014-12-01] (Emsisoft GmbH)
HKU\S-1-5-21-396944824-3797339368-1907034032-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2014-12-15] (SUPERAntiSpyware)
HKU\S-1-5-21-396944824-3797339368-1907034032-1000\...\MountPoints2: {5bb1e6f5-647e-11e4-8a99-643150938830} - E:\AutoRun.exe
HKU\S-1-5-21-396944824-3797339368-1907034032-1000\...\MountPoints2: {cf5ea0a2-56d7-11e4-85b2-643150938830} - E:\TL_Bootstrap.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe ()
Startup: C:\Users\Sexy Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-396944824-3797339368-1907034032-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=frg_14_19_ff&cd=2XzuyEtN2Y1L1QzuyCzz0AtA0CyEyD0EtA0B0A0AtDyBzyyDtN0D0Tzu0SzzyDyCtN1L2XzutBtFtBtDtFyCtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyDyByDtA0AtDtDtGyCtByC0CtGyBtAyBtBtGzzyCyEyCtGyB0FyEtC0A0FzzyDtCyD0F0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyC0E0B0E0AtByEtG0AzytDyDtGzyzz0D0EtGyByC0A0CtGtD0ByEzz0Czy0D0B0DyC0Bzy2Q&cr=2025019501&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=frg_14_19_ff&cd=2XzuyEtN2Y1L1QzuyCzz0AtA0CyEyD0EtA0B0A0AtDyBzyyDtN0D0Tzu0SzzyDyCtN1L2XzutBtFtBtDtFyCtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyDyByDtA0AtDtDtGyCtByC0CtGyBtAyBtBtGzzyCyEyCtGyB0FyEtC0A0FzzyDtCyD0F0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyC0E0B0E0AtByEtG0AzytDyDtGzyzz0D0EtGyByC0A0CtGtD0ByEzz0Czy0D0B0DyC0Bzy2Q&cr=2025019501&ir=
SearchScopes: HKU\S-1-5-21-396944824-3797339368-1907034032-1000 -> DefaultScope {12D44D10-2E02-44D7-A68C-263473876EAF} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=282369&p={searchTerms}
SearchScopes: HKU\S-1-5-21-396944824-3797339368-1907034032-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=frg_14_19_ff&cd=2XzuyEtN2Y1L1QzuyCzz0AtA0CyEyD0EtA0B0A0AtDyBzyyDtN0D0Tzu0SzzyDyCtN1L2XzutBtFtBtDtFyCtFtDtN1L1CzutCyEtDtAtDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyDyByDtA0AtDtDtGyCtByC0CtGyBtAyBtBtGzzyCyEyCtGyB0FyEtC0A0FzzyDtCyD0F0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyC0E0B0E0AtByEtG0AzytDyDtGzyzz0D0EtGyByC0A0CtGtD0ByEzz0Czy0D0B0DyC0Bzy2Q&cr=2025019501&ir=
SearchScopes: HKU\S-1-5-21-396944824-3797339368-1907034032-1000 -> {12D44D10-2E02-44D7-A68C-263473876EAF} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=282369&p={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll (LastPass)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Panda Security Toolbar -> {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} -> C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll ()
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll (LastPass)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Panda Security Toolbar -> {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} -> C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll ()
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Toolbar: HKLM - Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll ()
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll (LastPass)
Toolbar: HKLM-x32 - Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files (x86)\pandasecuritytb\pandasecurityDx.dll ()
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll (LastPass)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default
FF DefaultSearchEngine: DuckDuckGo
FF SelectedSearchEngine: DuckDuckGo
FF Keyword.URL: https://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=282369&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll (LastPass)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll (LastPass)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\user.js
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF SearchPlugin: C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\searchplugins\yahoo-msd.xml
FF Extension: HTTPS-Everywhere - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\https-everywhere@eff.org [2014-12-19]
FF Extension: LastPass - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\support@lastpass.com [2014-12-23]
FF Extension: Panda Security Toolbar - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} [2014-12-23]
FF Extension: Evernote Web Clipper - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800} [2014-12-23]
FF Extension: Ghostery - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\firefox@ghostery.com.xpi [2013-12-24]
FF Extension: Reddit Enhancement Suite - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi [2014-02-26]
FF Extension: Newtab for Mozilla Firefox ™ - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\{492cac1a-b4bb-42db-a86d-b176b1b5b5af}.xpi [2014-12-20]
FF Extension: Newtab - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\{54bdd585-b53d-481b-8bd6-996f0233152d}.xpi [2014-11-29]
FF Extension: Search Manager for Moziila Firefox ™ - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\{71e6896a-7bed-49b8-bb69-e641e983b31b}.xpi [2014-11-24]
FF Extension: Adblock Plus - C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-12-23]

Chrome:
=======
CHR Profile: C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-13]
CHR Extension: (Google Docs) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-13]
CHR Extension: (Google Drive) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-23]
CHR Extension: (YouTube) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-13]
CHR Extension: (Adblock Plus) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-10-17]
CHR Extension: (Google Search) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-13]
CHR Extension: (Google Sheets) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-13]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2014-10-16]
CHR Extension: (Google Wallet) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-13]
CHR Extension: (Gmail) - C:\Users\Sexy Sarah\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-13]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
S2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [4907232 2014-12-01] (Emsisoft GmbH)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S2 MBAMScheduler; "C:\Program Files (x86)\Chingletron\mbamscheduler.exe" [X]
S2 MBAMService; "C:\Program Files (x86)\Chingletron\mbamservice.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH)
S1 A2DDA; C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
S1 a2injectiondriver; C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [45208 2013-09-30] (Emsisoft GmbH)
S1 a2util; C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [23088 2014-05-12] (Emsisoft GmbH)
S3 b06diag; C:\Windows\system32\drivers\bxdiaga.sys [88104 2012-03-08] (Broadcom Corporation)
S3 BFN7x64; C:\Windows\system32\drivers\Xeno7x64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
S3 bxfcoe; C:\Windows\system32\drivers\bxfcoe.sys [178216 2012-02-22] (Broadcom Corporation)
S3 bxois; C:\Windows\system32\drivers\bxois.sys [539176 2012-02-22] (Broadcom Corporation)
S3 cleanhlp; C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
S3 EtronSTOR; C:\Windows\System32\Drivers\EtronSTOR.sys [32512 2012-07-24] (Etron Technology Inc)
S3 massfilter_hs; C:\Windows\system32\drivers\massfilter_hs.sys [18456 2011-08-22] (HandSet Incorporated)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-03] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 zghsdiag; C:\Windows\System32\DRIVERS\zghsdiag.sys [129432 2011-08-22] (ZTE Incorporated)
S3 zghsmdm; C:\Windows\System32\DRIVERS\zghsmdm.sys [129432 2011-08-22] (ZTE Incorporated)
S3 zghsnmea; C:\Windows\System32\DRIVERS\zghsnmea.sys [129432 2011-08-22] (ZTE Incorporated)
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-12 11:02 - 2015-01-12 11:03 - 00000000 ____D () C:\FRST
2015-01-10 09:18 - 2015-01-10 09:18 - 00002382 _____ () C:\Users\Sexy Sarah\Desktop\attach.zip
2015-01-10 09:14 - 2015-01-10 09:14 - 00002383 _____ () C:\Users\Sexy Sarah\Desktop\Attach2.zip
2015-01-10 09:10 - 2015-01-10 09:10 - 00002343 _____ () C:\Users\Sexy Sarah\Desktop\Attach2.rar
2015-01-10 08:54 - 2015-01-10 08:54 - 00023762 _____ () C:\Users\Sexy Sarah\Desktop\DDS2.txt
2015-01-10 08:54 - 2015-01-10 08:54 - 00007407 _____ () C:\Users\Sexy Sarah\Desktop\Attach2.txt
2015-01-03 21:01 - 2015-01-03 21:01 - 00002636 _____ () C:\Users\Sexy Sarah\Desktop\attach.rar
2015-01-03 20:22 - 2015-01-03 20:22 - 00061642 _____ () C:\Users\Sexy Sarah\Desktop\Weird_Files_sample.txt
2015-01-03 16:02 - 2015-01-10 09:09 - 00023777 _____ () C:\Users\Sexy Sarah\Desktop\dds.txt
2015-01-03 16:02 - 2015-01-10 09:09 - 00007407 _____ () C:\Users\Sexy Sarah\Desktop\attach.txt
2015-01-03 16:01 - 2015-01-03 16:01 - 00688992 ____R (Swearware) C:\Users\Sexy Sarah\Downloads\dds.com
2014-12-31 12:13 - 2015-01-02 15:31 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\electronics
2014-12-31 09:36 - 2014-12-31 09:36 - 00003296 ____N () C:\bootsqm.dat
2014-12-31 09:34 - 2014-12-31 09:34 - 00000000 __SHD () C:\found.001
2014-12-29 21:37 - 2014-12-29 21:37 - 00000000 ____D () C:\ProgramData\Emsisoft
2014-12-29 20:45 - 2015-01-12 10:34 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-29 20:45 - 2014-12-29 20:45 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-29 20:45 - 2014-12-29 20:45 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-29 19:55 - 2014-12-29 19:55 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-12-29 19:26 - 2014-12-29 19:26 - 14861360 _____ (Trend Micro Inc.) C:\Users\Sexy Sarah\Downloads\RootkitBusterV5.0-1180x64(1).exe
2014-12-29 19:25 - 2014-12-29 19:26 - 00193544 _____ (trend_company_name) C:\Windows\system32\Drivers\tmrkb.sys
2014-12-29 19:25 - 2014-12-29 19:25 - 00305832 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2014-12-29 19:25 - 2014-12-29 19:25 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\TMRBLog
2014-12-29 19:25 - 2014-12-29 19:25 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\log
2014-12-29 19:24 - 2014-12-29 19:24 - 14861360 _____ (Trend Micro Inc.) C:\Users\Sexy Sarah\Downloads\RootkitBusterV5.0-1180x64.exe
2014-12-29 17:48 - 2014-12-29 17:49 - 04187592 _____ (Kaspersky Lab ZAO) C:\Users\Sexy Sarah\Downloads\tdsskiller.exe
2014-12-29 17:42 - 2014-12-29 17:47 - 538673152 _____ () C:\Users\Sexy Sarah\Downloads\bitdefender-rescue-cd.iso
2014-12-29 17:36 - 2014-12-29 17:36 - 01088893 _____ (pendrivelinux.com) C:\Users\Sexy Sarah\Downloads\Universal-USB-Installer-1.9.5.8.exe
2014-12-29 17:21 - 2014-12-29 17:21 - 00380416 _____ () C:\Users\Sexy Sarah\Downloads\c1mo8kbb.exe
2014-12-29 16:14 - 2015-01-12 10:34 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-12-29 16:14 - 2014-12-29 16:14 - 20850408 _____ (SUPERAntiSpyware) C:\Users\Sexy Sarah\Downloads\SUPERAntiSpyware.exe
2014-12-29 16:14 - 2014-12-29 16:14 - 00001808 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-12-29 16:14 - 2014-12-29 16:14 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Roaming\SUPERAntiSpyware.com
2014-12-29 16:14 - 2014-12-29 16:14 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-12-29 16:14 - 2014-12-29 16:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2014-12-29 16:10 - 2014-12-29 16:10 - 11425992 _____ (Bitdefender LLC) C:\Users\Sexy Sarah\Downloads\BootkitRemoval_x64.exe
2014-12-29 16:08 - 2014-12-29 16:08 - 00001091 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-12-29 16:08 - 2014-12-29 16:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2014-12-29 16:07 - 2015-01-10 15:17 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-12-29 16:06 - 2014-12-29 16:07 - 171774184 _____ (Emsisoft Ltd ) C:\Users\Sexy Sarah\Downloads\EmsisoftAntiMalwareSetup.exe
2014-12-29 12:11 - 2014-12-29 12:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chingletron
2014-12-29 12:11 - 2014-12-29 12:11 - 00000000 ____D () C:\Program Files (x86)\Malware Bytes
2014-12-29 12:11 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-29 12:11 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-29 12:11 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-29 12:10 - 2014-12-29 12:10 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Sexy Sarah\Downloads\mbam-setup-2.0.4.1028(1).exe
2014-12-29 12:09 - 2014-12-29 12:09 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Sexy Sarah\Downloads\mbam-setup-2.0.4.1028.exe
2014-12-27 12:22 - 2014-12-27 12:22 - 00000000 _____ () C:\Users\Sexy Sarah\python
2014-12-26 19:36 - 2015-01-11 04:46 - 00001392 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-26 19:36 - 2015-01-11 04:46 - 00001392 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-26 19:36 - 2014-12-26 19:36 - 00000552 _____ () C:\Windows\system32\spsys.log
2014-12-26 14:35 - 2014-12-26 14:35 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2014-12-23 02:03 - 2014-12-23 02:03 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Local\Evernote
2014-12-23 02:03 - 2014-12-23 02:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evernote
2014-12-23 02:02 - 2014-12-23 02:02 - 00000932 _____ () C:\Users\Sexy Sarah\Desktop\Evernote.lnk
2014-12-23 02:02 - 2014-12-23 02:02 - 00000000 ____D () C:\Program Files (x86)\Evernote
2014-12-23 01:51 - 2013-09-29 21:24 - 00133152 _____ (Privacyware/PWI, Inc.) C:\Windows\system32\Drivers\pwipf6.sys
2014-12-23 01:50 - 2014-12-23 01:50 - 00000146 _____ () C:\Windows\ODBC.INI
2014-12-23 01:50 - 2014-12-23 01:50 - 00000000 ____D () C:\ProgramData\Privacyware
2014-12-23 01:50 - 2014-12-23 01:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privatefirewall 7.0
2014-12-23 01:50 - 2014-12-23 01:50 - 00000000 ____D () C:\Program Files (x86)\Privacyware
2014-12-23 01:49 - 2014-12-23 01:49 - 03749640 _____ (PWI, Inc. ) C:\Users\Sexy Sarah\Downloads\privatefirewall(1).exe
2014-12-23 01:43 - 2014-12-23 01:43 - 00001192 _____ () C:\Users\Public\Desktop\My LastPass Vault.lnk
2014-12-23 01:43 - 2014-12-23 01:43 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LastPass
2014-12-23 01:43 - 2014-12-23 01:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass
2014-12-23 01:38 - 2014-12-23 01:44 - 00000000 ____D () C:\Program Files (x86)\LastPass
2014-12-23 01:37 - 2014-12-23 01:37 - 14147584 _____ () C:\Users\Sexy Sarah\Downloads\lastpass_x64.exe
2014-12-23 01:35 - 2014-12-23 03:50 - 00000000 ____D () C:\ProgramData\panda_url_filtering
2014-12-23 01:35 - 2014-12-23 01:35 - 00000000 ____D () C:\ProgramData\Panda Security URL Filtering
2014-12-23 01:34 - 2014-12-23 01:35 - 00000000 ____D () C:\Program Files (x86)\pandasecuritytb
2014-12-23 01:34 - 2014-12-23 01:34 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Roaming\Panda Security
2014-12-23 01:34 - 2014-03-25 05:15 - 00060400 _____ (Panda Security, S.L.) C:\Windows\system32\Drivers\PSKMAD.sys
2014-12-23 01:33 - 2014-12-23 01:34 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2014-12-23 01:33 - 2014-12-23 01:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Free Antivirus
2014-12-23 01:30 - 2014-12-23 01:34 - 00000000 ____D () C:\ProgramData\Panda Security
2014-12-23 01:30 - 2014-12-23 01:30 - 01630952 _____ () C:\Users\Sexy Sarah\Downloads\PANDAFREEAV.exe
2014-12-23 01:15 - 2014-12-23 01:24 - 98672136 _____ (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Users\Sexy Sarah\Downloads\Evernote_5.8.1.6061.exe
2014-12-23 01:02 - 2014-12-23 01:02 - 04637504 _____ (AVG Technologies) C:\Users\Sexy Sarah\Downloads\avg_free_stb_all_2015_5557_cnet(1).exe
2014-12-22 11:54 - 2014-12-22 11:59 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-22 10:45 - 2014-12-12 19:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-21 15:01 - 2014-12-21 15:01 - 02434048 _____ () C:\Users\Sexy Sarah\Downloads\msxml.msi
2014-12-21 15:01 - 2014-12-21 15:01 - 00710976 _____ (Microsoft Corporation) C:\Users\Sexy Sarah\Downloads\msxmlcab.exe
2014-12-21 13:38 - 2014-12-23 01:06 - 00000000 ____D () C:\ProgramData\MFAData
2014-12-21 13:38 - 2014-12-21 13:38 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Local\MFAData
2014-12-21 13:38 - 2014-12-21 13:38 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Local\Avg2015
2014-12-21 13:36 - 2014-12-21 13:37 - 03749640 _____ (PWI, Inc. ) C:\Users\Sexy Sarah\Downloads\privatefirewall.exe
2014-12-21 13:30 - 2014-10-17 17:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-21 13:29 - 2014-10-17 18:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-21 13:28 - 2014-12-21 13:28 - 04637504 _____ (AVG Technologies) C:\Users\Sexy Sarah\Downloads\avg_free_stb_all_2015_5557_cnet.exe
2014-12-20 20:22 - 2015-01-12 11:03 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\Learning Windows
2014-12-20 19:54 - 2014-11-10 19:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-20 19:54 - 2014-11-10 18:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-20 19:49 - 2014-11-26 17:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-20 19:49 - 2014-11-26 17:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-20 19:49 - 2014-11-21 19:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-20 19:49 - 2014-11-21 19:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-20 19:49 - 2014-11-21 19:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-20 19:49 - 2014-11-21 18:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-20 19:49 - 2014-11-21 18:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-20 19:49 - 2014-11-21 18:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-20 19:49 - 2014-11-21 18:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-20 19:49 - 2014-11-21 18:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-20 19:49 - 2014-11-21 18:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-20 19:49 - 2014-11-21 18:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-20 19:49 - 2014-11-21 18:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-20 19:49 - 2014-11-21 18:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-20 19:49 - 2014-11-21 18:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-20 19:49 - 2014-11-21 18:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-20 19:49 - 2014-11-21 18:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-20 19:49 - 2014-11-21 18:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-20 19:49 - 2014-11-21 18:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-20 19:49 - 2014-11-21 18:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-20 19:49 - 2014-11-21 18:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-20 19:49 - 2014-11-21 18:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-20 19:49 - 2014-11-21 18:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-20 19:49 - 2014-11-21 18:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-20 19:49 - 2014-11-21 18:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-20 19:49 - 2014-11-21 18:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-20 19:49 - 2014-11-21 18:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-20 19:49 - 2014-11-21 18:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-20 19:49 - 2014-11-21 18:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-20 19:49 - 2014-11-21 17:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-20 19:49 - 2014-11-21 17:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-20 19:49 - 2014-11-21 17:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-20 19:49 - 2014-11-21 17:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-20 19:49 - 2014-11-21 17:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-20 19:49 - 2014-11-21 17:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-20 19:49 - 2014-11-21 17:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-20 19:49 - 2014-11-21 17:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-20 19:49 - 2014-11-21 17:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-20 19:49 - 2014-11-21 17:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-20 19:49 - 2014-11-21 17:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-20 19:49 - 2014-11-21 17:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-20 19:49 - 2014-11-21 17:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-20 19:49 - 2014-11-21 17:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-20 19:49 - 2014-11-21 17:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-20 19:49 - 2014-11-21 17:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-20 19:49 - 2014-11-21 17:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-20 19:49 - 2014-11-21 17:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-20 19:49 - 2014-11-21 17:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-20 19:49 - 2014-11-21 17:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-20 19:49 - 2014-11-21 17:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-20 19:49 - 2014-11-21 17:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-20 19:49 - 2014-11-21 17:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-20 19:49 - 2014-11-21 16:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-20 19:49 - 2014-11-21 16:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-20 19:49 - 2014-11-10 17:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-20 19:46 - 2014-10-29 18:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-20 19:46 - 2014-10-29 17:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-20 19:45 - 2014-11-07 19:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-20 19:45 - 2014-11-07 18:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-20 19:45 - 2014-10-02 18:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-20 19:45 - 2014-10-02 18:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-20 19:45 - 2014-10-02 18:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-20 19:45 - 2014-10-02 18:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-20 19:45 - 2014-10-02 18:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-20 19:45 - 2014-10-02 17:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-20 19:45 - 2014-10-02 17:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-20 19:45 - 2014-10-02 17:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-20 19:45 - 2014-10-02 17:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-20 19:45 - 2014-10-02 17:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-20 18:39 - 2014-12-30 13:25 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\Mystuff
2014-12-20 18:39 - 2014-12-20 18:41 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\Sarahs
2014-12-20 18:07 - 2014-12-20 18:07 - 00008798 _____ () C:\Users\Sexy Sarah\Downloads\hijackthis.log
2014-12-20 17:53 - 2014-12-20 18:07 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-20 17:50 - 2014-12-29 12:31 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\mbar
2014-12-20 17:23 - 2014-12-20 17:23 - 00000000 __SHD () C:\Users\Sexy Sarah\AppData\Local\EmieBrowserModeList
2014-12-20 16:17 - 2014-12-20 16:17 - 00000800 _____ () C:\Users\Sexy Sarah\.pia_manager_crash.log
2014-12-20 14:44 - 2014-12-20 19:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat
2014-12-20 14:44 - 2014-12-20 19:03 - 00000000 ____D () C:\Program Files (x86)\WinDirStat
2014-12-20 14:44 - 2014-12-20 14:44 - 00001031 _____ () C:\Users\Sexy Sarah\Desktop\WinDirStat.lnk
2014-12-20 14:44 - 2014-12-20 14:44 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinDirStat
2014-12-20 13:37 - 2014-12-20 13:53 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-12-20 13:36 - 2014-12-20 19:03 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-12-20 12:44 - 2015-01-03 16:26 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-20 12:43 - 2014-12-20 19:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-20 12:43 - 2014-12-20 19:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-20 12:43 - 2014-12-20 12:43 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-20 12:41 - 2014-12-20 12:56 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Sexy Sarah\Downloads\spybot-2.4.exe
2014-12-19 13:46 - 2014-12-19 13:51 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\Information Access
2014-12-18 16:18 - 2014-12-20 19:03 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\KompoZer 0.7.10
2014-12-17 13:46 - 2014-12-12 21:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-12 10:40 - 2009-07-13 21:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-12 10:34 - 2014-09-13 12:20 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-12 10:34 - 2014-09-13 12:20 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-12 10:34 - 2013-12-24 18:30 - 01106715 _____ () C:\Windows\WindowsUpdate.log
2015-01-10 15:14 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-10 15:13 - 2009-07-13 20:51 - 00042176 _____ () C:\Windows\setupact.log
2015-01-10 10:40 - 2014-10-18 13:55 - 00007604 _____ () C:\Users\Sexy Sarah\AppData\Local\Resmon.ResmonCfg
2014-12-29 20:46 - 2014-09-01 07:30 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Local\Adobe
2014-12-29 20:45 - 2013-12-24 19:08 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-29 19:57 - 2009-07-13 21:08 - 00032556 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-29 19:56 - 2010-11-20 19:47 - 00036158 _____ () C:\Windows\PFRO.log
2014-12-29 19:55 - 2014-05-05 22:13 - 00000000 ____D () C:\Program Files (x86)\FileZilla Server
2014-12-27 12:22 - 2013-12-24 17:57 - 00000000 ____D () C:\Users\Sexy Sarah
2014-12-23 06:43 - 2009-07-13 20:45 - 00563192 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-23 01:34 - 2014-01-28 21:40 - 00146576 _____ () C:\Users\Sexy Sarah\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-23 00:57 - 2013-12-24 18:01 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-22 12:36 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\rescache
2014-12-22 10:41 - 2014-10-17 12:10 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-21 14:53 - 2014-08-03 16:57 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Local\Google
2014-12-21 14:25 - 2013-12-24 18:01 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Roaming\Mozilla
2014-12-21 14:05 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-21 13:49 - 2014-10-17 12:14 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2014-12-21 13:45 - 2014-11-20 19:45 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-21 13:40 - 2014-11-20 19:45 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-21 13:34 - 2014-09-13 12:21 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-12-21 13:26 - 2013-12-24 18:17 - 00000000 ____D () C:\Users\Sexy Sarah\AppData\Roaming\uTorrent
2014-12-20 20:00 - 2014-11-25 14:46 - 17930928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2014-12-20 19:35 - 2014-09-08 08:42 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-12-20 19:03 - 2014-11-20 18:58 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\The.Newsroom.2012.S03E02.720p.HDTV.x264-KILLERS[rarbg]
2014-12-20 19:03 - 2014-11-19 12:43 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Harry Brown (2009) [1080p]
2014-12-20 19:03 - 2014-11-10 13:21 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Harry.Potter.And.The.Deathly.Hallows.Part.1.2010.BRRiP.720p.x264~PlutO~
2014-12-20 19:03 - 2014-10-17 12:10 - 00000000 ____D () C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2014-12-20 19:03 - 2014-10-16 17:09 - 00000000 ____D () C:\ProgramData\FLEXnet
2014-12-20 19:03 - 2014-10-02 11:49 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\22.Jump.Street.2014.1080p.WEB-DL.AAC2.0.H264-RARBG
2014-12-20 19:03 - 2014-10-02 09:11 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\[ www.Torrenting.com ] - Patton.Oswalt-Tragedy.Plus.Comedy.Equals.Time.2014.720p.HDTV.x264-BATV
2014-12-20 19:03 - 2014-09-19 07:23 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Boardwalk.Empire.S05E02.720p.HDTV.x264-KILLERS[rarbg]
2014-12-20 19:03 - 2014-09-13 12:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-12-20 19:03 - 2014-09-12 12:26 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Bronson.2008.1080p.BluRay.x264.anoXmous
2014-12-20 19:03 - 2014-09-12 08:54 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Tinker Tailor Soldier Spy (2011)
2014-12-20 19:03 - 2014-09-08 08:43 - 00000000 ____D () C:\Windows\System32\Tasks\Apple
2014-12-20 19:03 - 2014-09-08 08:19 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Se7en.1995.REMASTERED.720p.BluRay.x264.DTS-KiNGS
2014-12-20 19:03 - 2014-07-29 14:15 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Django.Unchained.2012.1080p.BluRay.x264.anoXmous
2014-12-20 19:03 - 2014-07-17 19:43 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Dumb.And.Dumber.1994.720p.BluRay.x264-SiNNERS[rarbg]
2014-12-20 19:03 - 2014-07-06 10:49 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Rosetta Stone 4.1.15
2014-12-20 19:03 - 2014-06-22 10:57 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Windows7Ultimate
2014-12-20 19:03 - 2014-04-22 15:57 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Dallas Buyers Club 2013 BluRay 720p x264 AAC Dolby FLiCKSiCK
2014-12-20 19:03 - 2014-03-24 21:03 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Margaret Atwood The Year of the Flood 2009 Retail EPUB eBook-BitBook
2014-12-20 19:03 - 2014-02-18 12:46 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\True.Detective.S01E05.HDTV.x264-KILLERS[rarbg]
2014-12-20 19:03 - 2014-02-18 10:58 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\True.Detective.S01E05.720p.HDTV.x264-KILLERS[rarbg]
2014-12-20 19:03 - 2014-01-22 17:25 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Mean Girls (2004)
2014-12-20 19:03 - 2014-01-22 17:21 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Flash.Gordon.1980.1080p.BluRay.x264.anoXmous
2014-12-20 19:03 - 2013-12-26 12:07 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Janelle Monae - The Electric Lady 2013 320kbps CBR MP3 [VX] [P2PDL]
2014-12-20 19:03 - 2013-12-24 19:08 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-12-20 19:03 - 2013-12-24 19:08 - 00000000 ____D () C:\Windows\system32\Macromed
2014-12-20 19:03 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-12-20 19:03 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\servicing
2014-12-20 19:03 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-20 19:03 - 2009-07-13 19:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-12-20 19:02 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-12-20 19:01 - 2014-10-22 20:26 - 00000000 ____D () C:\Users\Sexy Sarah\Documents\ArcGIS
2014-12-20 18:57 - 2014-10-17 12:10 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2014-12-20 18:44 - 2014-09-26 11:24 - 00000000 ____D () C:\Users\Sexy Sarah\Desktop\ebooks
2014-12-20 15:19 - 2014-06-15 11:25 - 00000000 ____D () C:\Users\Sexy Sarah\Downloads\Windows 7 Ultimate - 32 Bit (Auto Activation) - Cracked
2014-12-20 13:17 - 2014-11-13 14:19 - 00000000 ____D () C:\Users\Sexy Sarah\temp

Some content of TEMP:
====================
C:\Users\Sexy Sarah\AppData\Local\Temp\{95ED2C58-9953-4229-9E42-17BAE562CCB6}.exe
C:\Users\Sexy Sarah\AppData\Local\Temp\{D5E8B8FE-FDCA-4F29-914F-4A206C3CCAD3}.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-29 22:16

==================== End Of Log ============================

Here is the ADDITION.TXT

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-01-2015
Ran by Sexy Sarah at 2015-01-12 11:04:24
Running from C:\Users\Sexy Sarah\Desktop\Learning Windows
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Panda Free Antivirus (Disabled - Up to date) {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
AS: Panda Free Antivirus (Disabled - Up to date) {8F3797EF-DB90-F073-3C72-40C753554CD1}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Panda Firewall (Disabled) {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-396944824-3797339368-1907034032-1000\...\uTorrent) (Version: 3.4.2.35702 - BitTorrent Inc.)
AC3Filter 2.5b (HKLM-x32\...\AC3Filter_is1) (Version: 2.5b - Alexander Vigovsky)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcGIS 10.2.2 for Desktop (HKLM-x32\...\ArcGIS 10.2.2 for Desktop) (Version: 10.2.3552 - Environmental Systems Research Institute, Inc.)
ArcGIS 10.2.2 for Desktop (x32 Version: 10.2.3552 - Environmental Systems Research Institute, Inc.) Hidden
calibre (HKLM-x32\...\{DD649DA2-BBD9-4247-85DD-E04F7C1E8552}) (Version: 1.48.0 - Kovid Goyal)
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft Ltd)
Evernote v. 5.8.1 (HKLM-x32\...\{4FD2D1C8-8636-11E4-9D21-00163E98E7D6}) (Version: 5.8.1.6061 - Evernote Corp.)
FileZilla Client 3.7.3 (HKLM-x32\...\FileZilla Client) (Version: 3.7.3 - Tim Kosse)
FileZilla Server (HKLM-x32\...\FileZilla Server) (Version: beta 0.9.44 - FileZilla Project)
GOM Audio (HKLM-x32\...\GomAudio) (Version: 2.0.5.0138 - Gretech Corporation)
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.2.56.5183 - Gretech Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Join Me Drivers (HKLM-x32\...\{91719435-F4B9-4D21-814D-7C66959DB632}) (Version: 1.0.0 - ZTE)
LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version:  - LastPass)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM-x32\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.6.1 - Notepad++ Team)
OpenOffice 4.0.1 (HKLM-x32\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Outils de vérification linguistique 2013 de Microsoft Office - Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Panda Devices Agent (HKLM-x32\...\Panda Devices Agent) (Version: 1.03.04 - Panda Security)
Panda Devices Agent (x32 Version: 1.05.00 - Panda Security) Hidden
Panda Free Antivirus (HKLM-x32\...\Panda Universal Agent Endpoint) (Version: 15.00.04.0002 - Panda Security)
Panda Free Antivirus (Version: 7.23.00.0000 - Panda Security) Hidden
Panda Security Toolbar (HKLM-x32\...\pandasecuritytb) (Version: 4.2.1.7 - Panda Security and Visicom Media Inc.)
Panda Security URL Filtering (HKLM-x32\...\Panda Security URL Filtering) (Version: 2.0.2.0 - Panda Security)
Private Internet Access Support Files (HKLM-x32\...\{7D72DAFF-DCB2-437B-BC22-4B2ABF21462B}) (Version: 1.0.0.0 - Private Internet Access)
Privatefirewall 7.0 (HKLM-x32\...\{E8EA933E-03A2-4E62-9F52-812C72BE2A6B}) (Version: 7.0.30.3 - PWI, Inc.)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM-x32\...\{90150000-0011-0000-0000-0000000FF1CE}_Office15.PROPLUS_{7F6C4883-A18C-459A-82C1-A2F9403F2DA6}) (Version:  - Microsoft)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1168 - SUPERAntiSpyware.com)
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 16.5.3.3 - Synaptics Incorporated)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WinRAR 5.01 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
ZTE Handset USB Driver (HKLM\...\{01D42BF0-ED08-463f-8A28-99EB6FEE962B}) (Version:  - ZTE Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-396944824-3797339368-1907034032-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Sexy Sarah\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-396944824-3797339368-1907034032-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Sexy Sarah\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File

==================== Restore Points  =========================

22-12-2014 10:38:21 Windows Update
23-12-2014 01:49:56 Installed Privatefirewall 7.0
23-12-2014 02:01:54 Installed Evernote v. 5.8.1
23-12-2014 03:00:16 Windows Update
30-12-2014 15:09:43 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0DEAC19B-6E71-4E9E-A915-716C1FD3CA69} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe
Task: {31A6804D-4A46-4BFF-BF91-2B212F5082D2} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {45E7D9C1-4120-4F23-944F-3319962DAC89} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {57B2B685-25C5-41F3-82B3-C58641012823} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-09-13] (Google Inc.)
Task: {61314FF2-F890-436E-B47F-D6D32344802C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
Task: {665416AC-BA79-4307-82F8-51D2B352DA71} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-29] (Adobe Systems Incorporated)
Task: {67A1FEC0-E1CD-4213-824F-8693E1673F4D} - \MySearchDial No Task File <==== ATTENTION
Task: {9CD246DE-F36D-4F5F-8E0E-A8D5DBCD3912} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
Task: {F42A84F0-940F-4F42-8B24-E0D4FCE2633F} - System32\Tasks\Private Internet Access Startup => C:\Program Files\pia_manager\pia_manager.exe [2013-12-24] ()
Task: {FFC12F6C-8F02-4B17-87B8-ABA4B13607C3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-09-13] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-10-14 23:27 - 2014-10-14 23:27 - 08897696 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2010-01-02 06:42 - 2010-01-02 06:42 - 00098304 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext_64.dll
2012-06-18 07:24 - 2012-06-18 07:24 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_05.dll
2014-12-22 11:59 - 2014-12-22 11:59 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-12-23 01:44 - 2014-12-23 01:44 - 01020928 _____ () C:\Users\Sexy Sarah\AppData\Roaming\Mozilla\Firefox\Profiles\jqx77ruw.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2014-10-14 23:27 - 2014-10-14 23:27 - 08897696 _____ () C:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-12-29 20:45 - 2014-12-29 20:45 - 16843952 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
2013-08-07 11:25 - 2013-08-07 11:25 - 00093696 _____ () C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\39123948.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\98880494.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\39123948.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\98880494.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: FileZilla Server => 2
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: FileZilla Server Interface => "C:\Program Files (x86)\FileZilla Server\FileZilla Server Interface.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: uTorrent => "C:\Users\Sexy Sarah\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED

========================= Accounts: ==========================

Administrator (S-1-5-21-396944824-3797339368-1907034032-500 - Administrator - Disabled)
Guest (S-1-5-21-396944824-3797339368-1907034032-501 - Limited - Disabled)
Sexy Sarah (S-1-5-21-396944824-3797339368-1907034032-1000 - Administrator - Enabled) => C:\Users\Sexy Sarah

==================== Faulty Device Manager Devices =============

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: ATA Channel 1
Description: IDE Channel
Class Guid: {4d36e96a-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard IDE ATA/ATAPI controllers)
Service: atapi
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/12/2015 10:37:18 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/12/2015 10:36:11 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x00000000.

Error: (01/12/2015 10:36:11 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
0x8007043C

Error: (01/10/2015 03:15:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/10/2015 09:52:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/10/2015 09:49:02 AM) (Source: Software Protection Platform Service) (EventID: 1017) (User: )
Description: Installation of the Proof of Purchase failed. 0xC004F015
Partial Pkey=48BB2
ACID=5e017a8a-f3f9-4167-b1bd-ba3e236a4d8f
Detailed Error[?]

Error: (01/10/2015 09:44:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/10/2015 08:50:40 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/06/2015 07:55:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/03/2015 06:03:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 0.0.0.0, time stamp: 0x542b53ec
Faulting module name: MSVCR100.dll, version: 0.0.0.0, time stamp: 0x4df2be1e
Exception code: 0x40000015
Fault offset: 0x0008d6fd
Faulting process id: 0xd70
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3


System errors:
=============
Error: (01/12/2015 11:04:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:04:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:02:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:02:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:02:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:02:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:00:53 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:00:53 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:00:53 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (01/12/2015 11:00:53 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (01/12/2015 10:37:18 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/12/2015 10:36:11 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x000000000x00000001

Error: (01/12/2015 10:36:11 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: 0x8007043C

Error: (01/10/2015 03:15:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/10/2015 09:52:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/10/2015 09:49:02 AM) (Source: Software Protection Platform Service) (EventID: 1017) (User: )
Description: 0xC004F01548BB25e017a8a-f3f9-4167-b1bd-ba3e236a4d8f?

Error: (01/10/2015 09:44:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/10/2015 08:50:40 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/06/2015 07:55:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/03/2015 06:03:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mbam.exe0.0.0.0542b53ecMSVCR100.dll0.0.0.04df2be1e400000150008d6fdd7001d027b5046e82acC:\Program Files (x86)\Chingletron\mbam.exeC:\Program Files (x86)\Chingletron\MSVCR100.dlldcdef9a9-93b5-11e4-a3d9-643150938830


==================== Memory info ===========================

Processor: AMD Athlon™ II P360 Dual-Core Processor
Percentage of memory in use: 36%
Total physical RAM: 2810.9 MB
Available physical RAM: 1792.2 MB
Total Pagefile: 5619.98 MB
Available Pagefile: 4637.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:312.63 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 22CD5E01)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#7 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 12 January 2015 - 02:23 PM

Tom,

 

I ran the above scan in "safe-mode." For the most part, I've only been running this computer in safe-mode since I noticed the malware infection, figuring that safe-mode might interfere with the malware to some degree. I have mentioned this in my previous posts in this topic. To my knowledge, booting in safe-mode doesn't constitute "making changes to" my computer, so I went ahead and followed my usual protocol here; please let me know if I should refrain from using safe-mode unless specifically directed to, and I will from now on.



#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:26 AM

Posted 12 January 2015 - 03:09 PM

 

C:\Program Files (x86)\Chingletron\mbam.exe

Did you change the folder name of MBAM due to the installation?

 

Please show me a screenshot from your taskmanager so I can see what you mean :)


regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 12 January 2015 - 04:28 PM

Yes, I changed the folder name myself when I downloaded it (a few weeks ago). I wasn't able to put a screencap into the text of this post, so I attached a .jpeg file of my task manager.

 

Malwarebytes isn't running right now. I think it only does the thing where it auto-scans several times throughout the day (but also tells me a scan has never been run on this computer) when I boot outside of safe-mode.

 

Also, the thing where mbam crashed, then was still running in processes (but wouldn't go to folder location) only happened once, and I think it was actually a result of not clicking "OK" yet on the text box informing me of the crash.




#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:26 AM

Posted 13 January 2015 - 02:33 AM

The *32 behind the process name just means that this is a 32-bit process running on a 64-bit system. Not every piece of software is fully 64-bit. But there is no problem with running 32-bit software on a 64-bit system.

Firefox, as an example, is 32-bit software. When you would like to use 64-bit Firefox, you have to install the beta browser Nightly.


Do you use MBAM as freeware or with activated real-time protection?

Edited by schrauber, 13 January 2015 - 02:34 AM.

regards,
schrauber

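A way to see for yourself what the *32 suffix corresponds to, and to check whether the same program name is really running from more than one location: this is an added example, not something posted in the thread. It assumes 64-bit Windows, a 64-bit PowerShell session and, for full coverage, an elevated prompt; protected processes that refuse access are reported as "n/a" rather than skipped.

```powershell
# Added example (not from the thread): mark each running process the way Task
# Manager would (*32 = 32-bit process under WOW64) and flag any image name that
# is running from more than one directory. Assumes 64-bit Windows and 64-bit PowerShell.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Get-ProcessBitness {
    foreach ($p in Get-Process) {
        $isWow64 = $false
        $path = $null
        try {
            $path = $p.MainModule.FileName
            [void][Win32.Native]::IsWow64Process($p.Handle, [ref]$isWow64)
        } catch {
            # System/protected processes (e.g. PID 0 and 4) deny handle or module access;
            # they are listed with Bitness 'n/a' instead of being dropped.
        }
        [pscustomobject]@{
            Name    = $p.ProcessName
            PID     = $p.Id
            Bitness = if ($null -eq $path) { 'n/a' } elseif ($isWow64) { '32-bit (*32)' } else { '64-bit' }
            Path    = $path
        }
    }
}

$procs = Get-ProcessBitness
$procs | Sort-Object Name | Format-Table -AutoSize

# A legitimate program normally runs from a single install directory. The same image
# name appearing from two different paths is worth checking (signature, file hash, install date).
$procs | Where-Object Path | Group-Object Name |
    Where-Object { @($_.Group.Path | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        "Multiple locations for $($_.Name):"
        $_.Group | Select-Object PID, Bitness, Path | Format-Table -AutoSize | Out-String
    }
```

Two copies of a 32-bit browser plugin container or of a renamed MBAM install are expected to show one path each; the second part of the script only prints something when one name maps to several directories.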

#11 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 16 January 2015 - 01:31 AM

Ah shoot, I wrote up a reply but must not have sent it.

 

I do not have any paid antivirus, I'm running mbam as a scan tool only right now. I was using panda security as real time protection (free) up until 2-3 days ago when I went to reinstall Panda due to an error alert - "An error occured in your protection: we recommend you restart your computer to fix it" - that has persisted for several weeks and dozens of system restarts and shutdowns. I have not reinstalled it or any other anti-malware. 



#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:26 AM

Posted 16 January 2015 - 03:58 AM

Please try a different av program. Will this get installed fine?


regards,
schrauber


#13 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:26 AM

Posted 22 January 2015 - 06:48 AM

Still with me?


regards,
schrauber


#14 Chingtrong

Chingtrong
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:26 PM

Posted 22 January 2015 - 06:48 PM

Hi,

 

I do very much appreciate your help thus far, and I also would love for you to prove me wrong here and show me that there are productive steps to be taken to secure this machine. BTW, I have indeed enabled and am running EMISOFT security, which has been widely recommended (even by yourself, above?)

 

Here is where I am at which has made me frustrated. Based on things I've read, because the malware is "not doing much of anything" but also evades all detection, it seems likely that it is operating outside the Windows environment. My likely suspects so far are the duplicate audio cards, touchpads, etc and the PCI device that is completely unidentified, 0 useful info in properties tabs (&no driver, signature, or anything). The most comprehensive answers I've seen in security & computing forums indicate that once a system is compromised as deeply as mine is, there is never a complete guarantee that it will be fixed. Even with a FULL reformat of ALL possible partitions + flashed BIOS from trusted sources, there is still no way to be absolutely sure even with full format + bios flash with trusted versions.

 

Also, I learned the sketchy bits of code (attached to 1st post) are actually script commands, e.g. PowerShell or VBScript. So it would appear that deep within essential system files (I found dozens, by no means exhaustive) there are snippets of code that will begin running shell commands to modify and gather all kinds of data in my filesystem, as well as things that should enable the attacker to remotely access my system. Also, when I used ipconfig to list info about my DNS, in addition to the one I would expect there were 4 other entries which several tutorials had no reference for. They were inactive because of "disconnected hardware" or something like that, so the ip (bridge?) read 0.00.00.00.0, but clearly these have been set up and used in the past, likely when my system hibernates. There was also a log file I encountered (or several, I can't remember) showing that the virtual machine software which I once downloaded but never used has been accessed multiple times.

 

Bottom line: I should probably just reformat and then use this computer as a junker. I may even want to remove all networking capability, although that may be harder than I used to think. It appears that nefarious groups have put backdoors into damn near everything these days, so who knows, maybe my webcam has low-grade wireless capability in it and my onboard sound card has a reserved portion of its ROM containing a couple dozen or so lines of code that can coordinate other bits of code distributed all throughout various internal hardware.

 

I can only speculate, but unless what I am saying is completely off-the-mark or misinformed, I would appreciate it if you could confirm that there isn't much you can do for me in terms of a guaranteed fix... remember, this malware isn't "doing" anything that particularly bothers me, so my main interest in seeking help thus far was to gain a sense of security and the ability to use this computer for acct management and sensitive transactions again (which seems now impossible).

 

Thanks again for your help thus far! Is it really worth it to continue? Do you know of any resources that might help me learn how to do damage control and/or study the malware on here or at least learn from past mistakes?



#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:26 AM

Posted 23 January 2015 - 07:08 AM

 

The most comprehensive answers I've seen in security & computing forums indicate that once a system is compromised as deeply as mine is, there is never a complete guarantee that it will be fixed. Even with a FULL reformat of ALL possible partitions + flashed BIOS from trusted sources, there is still no way to be absolutely sure even with full format + bios flash with trusted versions.

Technically, and in theory, there could be malware which would survive a full reformat including a CMOS reset. In a lab environment, with a lot of time, and a lot of cost. You will not see something like this in the wild. That is simply wrong.

When you do a full reformat, the system is clean.

 

But, you are right at one point, we cannot guarantee that our cleanup or removal will be 100%.

 

At this point, I would just do a clean reformat, install an AV program and the drivers needed for this system. Then check the device manager again.


regards,
schrauber
