Infected Again, Even After Clean Install, Ransomware the First Time


  • This topic is locked
21 replies to this topic

#1 Mr. Humble Appraiser
  • Members
  • 10 posts

Posted 06 January 2015 - 02:55 AM

Infected a month ago with Ransomware (not sure how, but have a couple of suspicions I can provide details on); understood at the time there was no way to decrypt files, so did a clean install of Windows (fairly tech savvy) after first backing up personal files from the 'previous version' capability. Now a month later I have indications of infection again and no idea how. Spent much time on the web reading, hired a local PC guy, etc. Just as with the first infection, my internet security settings are being changed from default to 'custom', which I believe is giving the malware/hacker(s) more capability to run malware through lower security settings. The first time around I had Security Essentials, which I guess is crap, and I ran Malwarebytes, which began to detect threats, but because I needed to get back to work I cancelled the scan and within 30 seconds my files were encrypted. This time I installed Avast and after the first indication of malware I shut down the PC immediately for fear of Ransomware again. Avast had popped up twice saying it blocked xyz web page for two different sites within a few seconds, neither of which I was on at the time nor recognized as sites I would have visited. Local PC guy just ran Malwarebytes and reset IE settings and said I'm not infected. I don't trust that, as somehow my IE security settings are being changed from default to custom, which was the same thing that happened the first time around. I can provide details on how I know this if needed. Anyway, already spent $80 with the local shop and considering spending another $150 with Geek Squad, as I need to figure out the origin of the problem so it doesn't keep happening. I just read on this website about Ransomware that is making it through various ISPs disguised as legitimate software updates. I believe I recall Adobe Flash Player update pushes on both days I was infected, but not sure if this is the issue. If so, will make quite a call to Comcast. Any advice from anyone is appreciated!
Being up all night trying to figure this stuff out is a very unpleasant experience. Thanks!


#2 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 07 January 2015 - 10:29 PM

I apologize that I missed the preparation guide before posting; I've now read it and will add logs in this post. And to provide an update, an Avast Boot Time Scan finally discovered something substantial; evidently I had the Poweliks Trojan. I quarantined it and then found a removal guide for it on bleepingcomputer.com. The guide had all the symptoms I had experienced and a link to a removal tool, which I installed and ran, and it appeared to identify a second instance of the Trojan, which it removed. Not sure why there would have been two instances of it or if there was some sort of glitch with either Avast or the tool. I then ran the online scanner which was also in the guide and it didn't detect any additional malware. I've since run a Malwarebytes scan and it also detected no other malware. Anyhow, I've been on the web for a couple of hours now without any symptoms of infection. I presume the Trojan was how I got Ransomware on my computer the first time around, because I was having the same symptoms prior to the Ransomware. But I still don't know how I am getting infected, the same Trojan even after a clean install of Windows. So at this point I am kindly asking for some help with A) trying to identify how I am getting infected so that I can take the necessary steps, and B) is there possibly more malware on my computer that is just waiting for a convenient time to launch another attack? Thanks! FYI, I've since installed a paid version of Norton since neither Security Essentials nor Avast was able to keep my computer from being infected; it was actually free through my ISP.

Attached File: attach.txt (5.61KB)

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17496
Run by Admin at 21:24:23 on 2015-01-07
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3510.1613 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe
C:\Windows\System32\StikyNot.exe
C:\Users\Jerimy\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\a la mode\Sched\eSched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_16_0_0_235_ActiveX.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\HP Officejet 4630 series\Bin\HPNetworkCommunicatorCom.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com/
uDefault_Page_URL = hxxp://www.dell.com
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\21.1.0.18\CoIEPlg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\21.1.0.18\ips\IPSBHO.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\21.1.0.18\CoIEPlg.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [The Assistant] "c:\program files\a la mode\sched\eSched.exe" /checkuac
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print\SmartPrintSetup.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{350B2066-E045-4B51-8C83-9E21D9D5FA70} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{350B2066-E045-4B51-8C83-9E21D9D5FA70}\960586F6E656 : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{ED99463F-B214-46A4-A02E-14826B6E3B10} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\1506000.020\symds.sys [2015-1-7 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\1506000.020\symefa.sys [2015-1-7 936152]
R1 BHDrvx86;BHDrvx86;c:\program files\norton security suite\nortondata\21.1.0.18\definitions\bashdefs\20141209.001\BHDrvx86.sys [2014-12-9 1138392]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\n360\1506000.020\ccsetx86.sys [2015-1-7 127064]
R1 IDSVix86;IDSVix86;c:\program files\norton security suite\nortondata\21.1.0.18\definitions\ipsdefs\20150107.001\IDSvix86.sys [2015-1-7 479448]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\1506000.020\ironx86.sys [2015-1-7 209624]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-11-17 1871160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-11-17 969016]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-11-17 23256]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-11-17 51928]
R3 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\1501000.012\symnets.sys [2015-1-7 446552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-12-9 102912]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-11-17 114904]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
.
=============== File Associations ===============
.
ShellExec: alamode.WinTOTAL.API.Data.exe: open=c:\program files\a la mode\total\bin\alamode.WinTOTAL.API.Data.exe
.
=============== Created Last 30 ================
.
2015-01-08 02:05:36 936152 ----a-w- c:\windows\system32\drivers\n360\1506000.020\symefa.sys
2015-01-08 02:05:36 664792 ----a-w- c:\windows\system32\drivers\n360\1506000.020\srtsp.sys
2015-01-08 02:05:36 447704 ----a-w- c:\windows\system32\drivers\n360\1506000.020\symnets.sys
2015-01-08 02:05:36 367704 ----a-r- c:\windows\system32\drivers\n360\1506000.020\symds.sys
2015-01-08 02:05:36 32984 ----a-w- c:\windows\system32\drivers\n360\1506000.020\srtspx.sys
2015-01-08 02:05:36 21520 ----a-r- c:\windows\system32\drivers\n360\1506000.020\symelam.sys
2015-01-08 02:05:36 209624 ----a-w- c:\windows\system32\drivers\n360\1506000.020\ironx86.sys
2015-01-08 02:05:35 127064 ----a-r- c:\windows\system32\drivers\n360\1506000.020\ccsetx86.sys
2015-01-08 02:05:17 -------- d-----w- c:\windows\system32\drivers\n360\1506000.020
2015-01-08 01:32:51 142936 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2015-01-08 01:32:51 -------- d-----w- c:\program files\common files\Symantec Shared
2015-01-08 01:31:50 935512 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymEFA.sys
2015-01-08 01:31:50 651352 ----a-r- c:\windows\system32\drivers\n360\1501000.012\srtsp.sys
2015-01-08 01:31:50 446552 ----a-r- c:\windows\system32\drivers\n360\1501000.012\symnets.sys
2015-01-08 01:31:50 367704 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymDS.sys
2015-01-08 01:31:50 32344 ----a-r- c:\windows\system32\drivers\n360\1501000.012\srtspx.sys
2015-01-08 01:31:50 21520 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymELAM.sys
2015-01-08 01:31:50 206936 ----a-r- c:\windows\system32\drivers\n360\1501000.012\Ironx86.sys
2015-01-08 01:31:50 127064 ----a-r- c:\windows\system32\drivers\n360\1501000.012\ccSetx86.sys
2015-01-08 01:31:38 14818 ----a-r- c:\windows\system32\drivers\n360\1501000.012\SymVTcer.dat
2015-01-08 01:31:38 -------- d-----w- c:\windows\system32\drivers\n360\1501000.012
2015-01-08 01:31:38 -------- d-----w- c:\windows\system32\drivers\N360
2015-01-08 01:31:36 -------- d-----w- c:\program files\Norton Security Suite
2015-01-08 01:22:48 -------- d-----w- c:\programdata\NortonInstaller
2015-01-08 01:22:48 -------- d-----w- c:\program files\NortonInstaller
2015-01-08 01:11:27 -------- d-----w- c:\programdata\Norton
2015-01-07 03:50:57 -------- d-----w- c:\users\admin\appdata\roaming\SBG-SVG
2015-01-07 01:17:33 -------- d-----w- c:\programdata\Geek Squad
2015-01-06 21:15:53 9054624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{99d421c8-84e8-4fbc-b165-f54f1eeef6de}\mpengine.dll
2015-01-06 05:03:55 -------- d-----w- c:\programdata\WRData
2014-12-22 01:11:59 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-13 00:41:29 -------- d-----w- c:\windows\system32\appraiser
2014-12-13 00:34:45 23040 ----a-w- c:\windows\system32\mfpmp.exe
2014-12-13 00:34:45 2048 ----a-w- c:\windows\system32\mferror.dll
2014-12-13 00:34:45 103424 ----a-w- c:\windows\system32\mfps.dll
2014-12-13 00:34:44 50176 ----a-w- c:\windows\system32\rrinstaller.exe
2014-12-13 00:34:44 3209728 ----a-w- c:\windows\system32\mf.dll
2014-12-12 00:06:22 -------- d-----w- c:\program files\eGIS Desktop
2014-12-09 20:42:54 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-12-09 20:42:53 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-12-09 20:38:54 2048 ----a-w- c:\windows\system32\tzres.dll
2014-12-09 20:38:39 248832 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2014-12-09 20:38:39 155136 ----a-w- c:\windows\system32\charmap.exe
2014-12-09 20:38:39 1177088 ----a-w- c:\windows\system32\WsmSvc.dll
2014-12-09 20:38:38 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2014-12-09 20:38:38 198656 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2014-12-09 20:38:38 145920 ----a-w- c:\windows\system32\WsmAuto.dll
.
==================== Find3M  ====================
.
2015-01-07 20:42:44 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-31 20:31:12 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-31 20:31:12 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-12-04 04:38:59 337920 ----a-w- c:\windows\system32\generaltel.dll
2014-12-04 04:38:45 610304 ----a-w- c:\windows\system32\invagent.dll
2014-12-04 04:38:40 315392 ----a-w- c:\windows\system32\devinv.dll
2014-12-04 04:38:37 728576 ----a-w- c:\windows\system32\appraiser.dll
2014-12-04 04:38:36 202752 ----a-w- c:\windows\system32\aepdu.dll
2014-12-04 04:38:36 159744 ----a-w- c:\windows\system32\aepic.dll
2014-12-04 04:34:13 873984 ----a-w- c:\windows\system32\aeinv.dll
2014-12-01 23:28:26 1160872 ----a-w- c:\windows\system32\aitstatic.exe
2014-11-24 19:04:58 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-11-22 02:20:44 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-22 02:20:30 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:07:43 501248 ----a-w- c:\windows\system32\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- c:\windows\system32\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-22 01:55:14 102912 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-22 01:54:30 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-22 01:48:26 667648 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 01:40:04 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- c:\windows\system32\jscript9.dll
2014-11-22 01:22:49 2052096 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- c:\windows\system32\wininet.dll
2014-11-21 11:14:20 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 11:14:10 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14:06 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-18 19:56:48 1202848 ----a-w- c:\windows\system32\FM20.DLL
2014-11-12 21:38:47 69632 ----a-w- c:\windows\system32\smss.exe
2014-11-12 21:38:47 640512 ----a-w- c:\windows\system32\advapi32.dll
2014-11-12 21:38:47 619520 ----a-w- c:\windows\system32\tdh.dll
2014-11-12 21:38:47 38912 ----a-w- c:\windows\system32\csrsrv.dll
2014-11-12 21:38:47 1289096 ----a-w- c:\windows\system32\ntdll.dll
2014-11-12 21:38:21 231424 ----a-w- c:\windows\system32\mswsock.dll
2014-11-12 21:38:05 49152 ----a-w- c:\windows\system32\taskhost.exe
2014-11-12 21:33:48 1505280 ----a-w- c:\windows\system32\d3d11.dll
2014-11-11 02:44:32 186880 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 02:44:25 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-10-25 01:32:37 67584 ----a-w- c:\windows\system32\packager.dll
2014-10-18 01:33:18 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-14 01:56:19 136632 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 01:50:50 523776 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 01:50:41 2363904 ----a-w- c:\windows\system32\msi.dll
2014-10-14 01:50:39 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 01:47:30 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- c:\windows\system32\adtschema.dll
.
============= FINISH: 21:25:19.11 ===============
 



#3 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 10 January 2015 - 10:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing suspicious was found on your DDS log.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.
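The FRST log nasdaq asks for is reviewed by eye in this thread. As an added example (not a BleepingComputer or Farbar tool, and not nasdaq's own method), the script below does the first pass a responder makes over the "Registry (Whitelisted)" and "Services (Whitelisted)" sections: it parses the line formats visible in the logs posted here and flags autoruns whose target file is gone (`[X]`, `No File`), entries with an empty name, unsigned service binaries, and binaries running from user-writable folders. The sample lines are constructed to match the thread's log format (the AppData entry is invented to show a hit), and the user-writable-path rule is an assumption of this example, not something FRST itself reports.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the FRST sections posted in this
# thread. They are not a real scan result; the "Updater" AppData entry is
# made up so the script has a suspicious hit to show.
SAMPLE_FRST = r"""
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\...\Run: [Updater] => C:\Users\example\AppData\Roaming\updsvc\upd.exe [44032 2015-01-05] ()
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5210112 2011-01-17] (Dell Inc.) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
Toolbar: HKU\S-1-5-21-1843295198-3164462118-2789039555-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
"""

# HKLM\...\Run: [Name] => <target>   (FRST Run-key lines)
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$"
)
# R2 name; <target>   (FRST service and driver lines)
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<target>.*)$")
# <path> [size date] (publisher) [File not signed]   (FRST target field)
TARGET_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?:\s+\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?:\s+\((?P<company>[^)]*)\))?"
    r"(?P<unsigned>\s+\[File not signed\])?\s*$"
)

# Heuristic (this example's assumption): autoruns living in folders a
# standard user can write to deserve a closer look than Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    line: str
    reasons: list


def triage_line(line: str) -> list:
    """Return the list of reasons an FRST line deserves attention (empty if none)."""
    reasons = []
    m = RUN_RE.match(line) or SVC_RE.match(line)
    if m is None:
        # Toolbar / ShellIconOverlayIdentifiers lines only carry "No File".
        if "No File" in line:
            reasons.append("references a file that no longer exists")
        return reasons
    name, target = m.group("name"), m.group("target").strip()
    if not name.strip():
        reasons.append("autorun entry with an empty name")
    if target == "[X]":
        reasons.append("autorun target missing on disk")
        return reasons
    t = TARGET_RE.match(target)
    if t is None:
        reasons.append("unparsed target: " + target)
        return reasons
    path = t.group("path").lower()
    if any(seg in path for seg in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    if t.group("unsigned"):
        reasons.append("file not signed")
    if not (t.group("company") or "").strip():
        reasons.append("no publisher recorded")
    return reasons


def triage(log_text: str) -> list:
    """Run triage_line over every non-blank line and keep only the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Hits are a starting point, not a verdict: an unsigned OEM wireless tray service is usually benign, while an empty-name Run value pointing at a missing file is exactly the kind of leftover a helper will ask about next.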

#4 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 10 January 2015 - 06:34 PM

When I click on the link to download the tool Norton detects it as malware and blocks it. It says FRST.exe is not safe and it has been removed. Please advise?



#5 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 11 January 2015 - 09:54 AM

The tool if downloaded from the link I suggested is good.

Dequarantine the file.
Or download it again and you will be given an option to review it and accept the download.

#6 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 11 January 2015 - 05:11 PM

I tried to download it again and it blocked it again and didn't give an option to accept it.  I went into the quarantine section of Norton and there isn't anything there.  Any other ideas? 

 

*Edit: I just now searched for the tool in the download section to try it that way and this time the Windows Smart Clean Filter also objected by saying that the file FRST.EXE is not commonly downloaded, and Norton objected again and also said something about Suspicious.Cloud.7.EP.  I'm sure it's got to be safe coming from you all, but a little unnerving nonetheless.  I'm sure you all use this tool frequently; why is my security telling me that it isn't safe? 


Edited by Mr. Humble Appraiser, 11 January 2015 - 05:22 PM.


#7 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 12 January 2015 - 07:50 AM

When you download the file Norton will give you a popup saying that the file is not to be trusted.
Click the details button/link and accept the download.

I have Norton and always do it that way.

#8 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 12 January 2015 - 07:19 PM

When I click on details it's not giving me an option to accept the download.  I've attached a screen capture of the box it opens.  I've tried all the options in the box and no luck.  Am I overlooking it somehow?   Also, now when I'm clicking on Save As for the download it prompts me for my Windows password, but then doesn't accept it although I'm absolutely sure I'm typing it in correctly.  But not sure if that problem will persist once I can get Norton to let me download it.  I get the error message that you need permission from....  Also, I've noticed both Norton and Malwarebytes blocking activity when I've gone to Dictionary.com a couple times in the last two days.  Not sure if those are false positives or if there's something to that. 




#9 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 13 January 2015 - 09:55 AM

What happens when you click on the locate link in the left pane?

===


Refer to this page.
http://www.ehow.com/how_6882095_restore-deleted-files-norton.html

Can you now de-quarantine the file?

===
If all fails try this.

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====

#10 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 16 January 2015 - 12:56 AM

This is very frustrating, but I appreciate your assistance. No luck with the link on the left pane. No luck dequarantining the file. And Norton is blocking ComboFix as well. It seems someone has had my computer seriously hacked or I'm an idiot. Will try the steps again tomorrow.



#11 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 16 January 2015 - 09:08 AM

Disable Norton for 15 to 30 minutes and while disabled download both tools.

If successful run the Farbar tool and post a fresh log.

P.S. Do not enable Norton until you have executed the program and saved the file.


An additional link to use if you have issues restoring the downloaded files.
http://support.bootstrapdevelopment.com/KB/a52/how-to-disable-norton-download-intelligence-restore.aspx

Edited by nasdaq, 16 January 2015 - 09:08 AM.


#12 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 22 January 2015 - 09:29 AM

Are you still with me?

#13 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 22 January 2015 - 10:26 PM

Yes, thanks. The options to disable Norton are all greyed out and I have been unable to find guidance for it within the Help section or online. It is the Comcast version of Norton Security Suite. I might have to get support from Norton on it. I was able to put Norton in quiet mode and when I did it allowed the ComboFix download. I will continue to work on getting Farbar downloaded and post results.



#14 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Gender: Male
  • Location: Montreal, QC. Canada

Posted 23 January 2015 - 10:32 AM

Have a look at this topic.

http://forums.comcast.com/t5/Security-and-Anti-Virus/How-to-Uninstall-Reinstall-Norton-Security-Suite-under-normal/td-p/870737

#15 Mr. Humble Appraiser
  • Topic Starter
  • Members
  • 10 posts

Posted 02 February 2015 - 09:38 PM

Sorry for delay.  Farbar scan results below and attached.  Please let me know if you still want me to run Combofix.  Thanks.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-02-2015
Ran by Jerimy (ATTENTION: The logged in user is not administrator) on JERIMY-PC on 02-02-2015 21:28:43
Running from C:\Users\Jerimy\Desktop\Farbar
Loaded Profiles: Jerimy (Available profiles: Admin & Jerimy)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Dropbox, Inc.) C:\Users\Jerimy\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_16_0_0_296_ActiveX.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 4630 series\Bin\HPNetworkCommunicatorCom.exe
(a la mode, inc.) C:\Program Files\a la mode\Sched\eSched.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5955072 2011-01-17] (Dell Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [The Assistant] => C:\Program Files\a la mode\Sched\eSched.exe [99840 2007-04-16] (a la mode, inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\...\Run: [HP Officejet 4630 series (NET)] => C:\Program Files\HP\HP Officejet 4630 series\Bin\ScanToPCActivationApp.exe [2382368 2013-08-13] (Hewlett-Packard Co.)
HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
Startup: C:\Users\Jerimy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Jerimy\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.live.com/login.srf?wa=wsignin1.0&ct=1420830746&rver=6.1.6206.0&sa=1&ntprob=-1&wp=mbi_ssl_shared&wreply=https:%2f%2fmail.live.com%2f%3fowa%3d1%26owasuffix%3dowa%252f&id=64855&snsc=1&cbcxt=mail
HKU\S-1-5-21-1843295198-3164462118-2789039555-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://idp.irmls.safemls.net/idp/Authn/UserPassword
https://www.google.com/maps/dir/Cloverdale,+IN/Owen+County,+IN/@39.3621582,-86.7976446,12z/data=!4m13!4m12!1m5!1m1!1s0x886ce4216d136bd5:0xfed9015e15aee70f!2m2!1d-86.7938968!2d39.5147682!1m5!1m1!1s0x886cf9272362db45:0x3ce8b187def60b72!2m2!1d-86.8220341!2d39.3603429
SearchScopes: HKU\S-1-5-21-1843295198-3164462118-2789039555-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=360&chn=S1122&geo=US&ver=21&locale=en_US&gct=kwd&qsrc=2869
Toolbar: HKU\S-1-5-21-1843295198-3164462118-2789039555-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1843295198-3164462118-2789039555-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Jerimy\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
R2 lmhosts; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5210112 2011-01-17] (Dell Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18496 2011-01-17] (Broadcom Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-07] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-02 21:28 - 2015-02-02 21:28 - 00000000 ____D () C:\FRST
2015-02-02 20:47 - 2015-02-02 20:48 - 00000000 ____D () C:\Users\Jerimy\Desktop\Feb 2nd, 2015 Files From Laptop
2015-01-22 22:01 - 2015-01-22 22:01 - 00002380 _____ () C:\Users\Jerimy\Desktop\Norton Security Suite.lnk
2015-01-22 21:44 - 2015-01-22 21:44 - 05609462 _____ (Swearware) C:\Users\Jerimy\Desktop\ComboFix.exe
2015-01-14 21:54 - 2014-12-18 21:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 21:54 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-14 21:54 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 21:54 - 2014-12-11 12:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 21:53 - 2014-12-18 20:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 21:53 - 2014-12-05 22:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-10 18:22 - 2015-02-02 21:28 - 00000000 ____D () C:\Users\Jerimy\Desktop\Farbar
2015-01-07 22:22 - 2015-01-07 22:38 - 00000000 ____D () C:\Users\Jerimy\Desktop\dds
2015-01-07 21:20 - 2015-01-07 21:22 - 00688992 ____R (Swearware) C:\Users\Jerimy\Desktop\dds.com
2015-01-07 20:11 - 2015-02-02 21:25 - 00000000 ____D () C:\ProgramData\Norton
2015-01-07 20:11 - 2015-01-07 20:35 - 00000000 ____D () C:\Users\Jerimy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton
2015-01-07 20:11 - 2015-01-07 20:11 - 00000000 ____D () C:\Users\Public\Downloads\Norton
2015-01-07 16:58 - 2015-01-07 16:58 - 00000197 _____ () C:\Windows\system32\2015-01-07-21-58-27.055-AvastVBoxSVC.exe-3036.log
2015-01-07 15:22 - 2015-01-07 15:24 - 00040888 _____ () C:\Users\Jerimy\Desktop\ESETPoweliksCleaner.exe_20150107.152202.4788.log
2015-01-07 15:21 - 2015-01-07 15:21 - 00186568 _____ (ESET) C:\Users\Jerimy\Desktop\ESETPoweliksCleaner.exe
2015-01-07 00:00 - 2015-01-07 00:00 - 00000197 _____ () C:\Windows\system32\2015-01-07-05-00-24.067-AvastVBoxSVC.exe-2052.log
2015-01-06 22:56 - 2015-01-07 00:02 - 00000264 _____ () C:\Windows\NetopiaEvents.log
2015-01-06 22:50 - 2015-01-06 22:50 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\SBG-SVG
2015-01-06 22:49 - 2015-01-07 00:02 - 00013808 _____ () C:\Windows\Netopia3l.log
2015-01-06 22:44 - 2015-01-06 22:44 - 00000197 _____ () C:\Windows\system32\2015-01-07-03-44-00.061-AvastVBoxSVC.exe-2136.log
2015-01-06 22:04 - 2015-01-06 22:04 - 00000197 _____ () C:\Windows\system32\2015-01-07-03-04-10.089-AvastVBoxSVC.exe-2092.log
2015-01-06 21:03 - 2015-01-06 21:03 - 00000197 _____ () C:\Windows\system32\2015-01-07-02-03-15.055-AvastVBoxSVC.exe-1308.log
2015-01-06 20:17 - 2015-01-06 20:17 - 00000000 ____D () C:\ProgramData\Geek Squad
2015-01-06 20:10 - 2015-01-06 20:10 - 00000197 _____ () C:\Windows\system32\2015-01-07-01-10-40.020-AvastVBoxSVC.exe-2072.log
2015-01-06 19:10 - 2015-01-06 19:10 - 00000197 _____ () C:\Windows\system32\2015-01-07-00-10-35.060-AvastVBoxSVC.exe-2116.log
2015-01-06 17:43 - 2015-01-06 17:43 - 00000197 _____ () C:\Windows\system32\2015-01-06-22-43-22.024-AvastVBoxSVC.exe-2088.log
2015-01-06 15:37 - 2015-01-06 15:37 - 00000197 _____ () C:\Windows\system32\2015-01-06-20-37-28.031-AvastVBoxSVC.exe-2144.log
2015-01-06 00:03 - 2015-01-06 00:04 - 00000000 ____D () C:\ProgramData\WRData
2015-01-05 23:27 - 2015-01-05 23:27 - 00000197 _____ () C:\Windows\system32\2015-01-06-04-27-05.041-AvastVBoxSVC.exe-2092.log
2015-01-05 22:37 - 2015-01-05 22:37 - 00000197 _____ () C:\Windows\system32\2015-01-06-03-37-28.054-AvastVBoxSVC.exe-2164.log
2015-01-05 19:08 - 2015-01-05 19:08 - 00000197 _____ () C:\Windows\system32\2015-01-06-00-08-22.061-AvastVBoxSVC.exe-1128.log
2015-01-05 18:18 - 2015-01-05 18:18 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-01-05 18:05 - 2015-01-05 18:05 - 00000197 _____ () C:\Windows\system32\2015-01-05-23-05-22.093-AvastVBoxSVC.exe-2072.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-02 21:29 - 2014-11-12 17:19 - 01234132 _____ () C:\Windows\WindowsUpdate.log
2015-02-02 21:27 - 2014-11-12 23:11 - 00000000 ___RD () C:\Users\Jerimy\Dropbox
2015-02-02 21:27 - 2014-11-12 23:05 - 00000000 ____D () C:\Users\Jerimy\AppData\Roaming\Dropbox
2015-02-02 21:25 - 2010-11-20 16:48 - 01457858 _____ () C:\Windows\PFRO.log
2015-02-02 21:25 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-02 21:25 - 2009-07-13 23:39 - 00026929 _____ () C:\Windows\setupact.log
2015-02-02 21:11 - 2014-11-17 13:27 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-02 20:50 - 2010-11-20 16:01 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-02 20:33 - 2014-11-12 23:46 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-02 20:28 - 2009-07-13 23:34 - 00031088 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-02 20:28 - 2009-07-13 23:34 - 00031088 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-29 22:38 - 2014-11-12 21:42 - 00000000 ____D () C:\ProgramData\alamode
2015-01-29 20:27 - 2014-11-12 22:57 - 00000000 ____D () C:\ProgramData\Mercury
2015-01-29 20:25 - 2014-11-12 23:46 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-29 20:25 - 2014-11-12 23:46 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-18 19:38 - 2014-12-08 18:38 - 00000000 ____D () C:\Users\Jerimy\AppData\Roaming\HpUpdate
2015-01-14 22:17 - 2014-11-12 16:29 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 22:14 - 2014-11-12 16:29 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 22:05 - 2009-07-13 23:33 - 00311160 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-11 19:53 - 2014-11-21 16:51 - 00000000 ____D () C:\Users\Jerimy\AppData\Roaming\PrimoPDF
2015-01-09 20:05 - 2014-11-12 22:43 - 00071784 _____ () C:\Users\Jerimy\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-09 15:11 - 2014-12-01 17:52 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2015-01-07 22:39 - 2014-12-01 16:38 - 00002421 _____ () C:\Windows\ElevateApp.log
2015-01-07 20:37 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-07 20:27 - 2014-11-25 22:21 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-01-07 15:44 - 2014-11-12 23:40 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-07 15:42 - 2014-11-17 13:27 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-07 15:40 - 2014-11-17 13:27 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-07 15:40 - 2014-11-17 13:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-07 01:14 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2015-01-07 01:10 - 2009-07-13 21:37 - 00000000 __RHD () C:\Users\Public\Libraries

==================== Files in the root of some directories =======

2014-12-01 17:49 - 2014-12-01 17:49 - 0000057 _____ () C:\ProgramData\Ament.ini

Some content of TEMP:
====================
C:\Users\Jerimy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqlsxff.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ==> Could not access BCD. Check to make sure user is administrator or see Addition.txt for additional information.

==================== End Of Log ============================
