
Diagnosing If i have been infected by flash exploit


This topic is locked
22 replies to this topic

#1 rp88

  • Members
  • 2,966 posts

Posted 07 January 2015 - 10:23 AM

I previously had this thread here on this subject:
http://www.bleepingcomputer.com/forums/t/562175/i-need-to-work-out-if-a-crash-in-flash-player-was-caused-by-an-exploit-attack/
but was advised to start one here instead. This comes after I experienced Flash Player crashing while trying to watch an online video.
I have already run several scanners and they found nothing. I have also run MiniToolBox, FSS, RKill and SecurityCheck; their logs are posted in the thread I have linked to, along with the unusual behaviours I have spotted, which are described there. Please refer to that thread for that information.


Scans so far:

(came up clean)
AVG
Malwarebytes
Malwarebytes Anti-Rootkit
ESET Online Scanner
Kaspersky Virus Removal Tool (latest version)

(made logs which I have already posted in the other thread)
MiniToolBox
RKill
FSS
SecurityCheck



Below is my DDS log, and attach.txt is waiting on my hard drive should you request it.


My browser was open and I was connected to the internet at the time I ran it. The program list contains quite a lot of pre-installed programs which I don't use but would rather leave as they are.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.17183
Run by (removed for privacy) at 15:12:57 on 2015-01-07
Microsoft Windows 8  6.2.9200.0.1252.44.2057.18.3979.2181 [GMT 0:00]
.
AV: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
c:\PROGRA~2\AVG\AVG2015\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Windows\system32\mqsvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostex.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files (x86)\AVG\AVG2015\avgui.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk
uDefault_Page_URL = hxxp://www.google.co.uk
mWinlogon: Userinit = userinit.exe
BHO: Dragon NaturallySpeaking Rich Internet Application Support - Extension: {73A89C60-CF59-4EC7-9215-9B7EF05ECEA4} - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ieshim.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
uRun: [AVG-Secure-Search-Update_1214av] C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe /PROMPT /mid=827aa0d77eff47d29dcca11d94690100-bdb527e1ce41070524c77cdce9e4a40f26d7971f /CMPID=1214av
mRun: [ITSecMng] C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
mRun: [CanonQuickMenu] C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE /logon
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2015\avgui.exe" /TRAYONLY
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\BLUETO~1.LNK - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 10.235.192.1
TCP: Interfaces\{0A58E177-44F0-462A-B0D5-02F8D96B8949} : DHCPNameServer = 10.235.192.1
TCP: Interfaces\{C67238EB-F208-49BC-B06A-5872169B00AC} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\Hotkey\TCrdMain_Win8.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.co.uk
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\npDgnRia.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\Drivers\avgidsha.sys [2014-6-18 190744]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\Drivers\avgloga.sys [2014-7-18 313624]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\Drivers\avgmfx64.sys [2014-10-5 124184]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\Drivers\avgrkx64.sys [2014-6-18 31512]
R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\Drivers\avgdiska.sys [2014-6-18 153368]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\Drivers\avgidsdrivera.sys [2014-10-29 263960]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\Drivers\avgldx64.sys [2014-8-28 243480]
R1 Avgwfpa;AVG Firewall Driver;C:\Windows\System32\Drivers\avgwfpa.sys [2014-9-24 277784]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [2014-11-9 3488784]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [2014-11-9 298080]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 Intel® ME Service;Intel® ME Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [2013-8-22 129856]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-8-22 166720]
R2 RtkAudioService;Realtek Audio Service;C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE [2013-8-28 201872]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-8-22 365376]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\Drivers\RtsUStor.sys [2013-8-22 252048]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2012-6-2 589824]
S0 Avgboota;AVG Early Launch Anti-Malware Driver;C:\Windows\System32\Drivers\avgboota.sys [2013-9-4 20496]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\Windows\System32\Drivers\btfilter.sys [2012-7-11 43944]
S3 BthLEEnum;Bluetooth Low Energy Driver;C:\Windows\System32\Drivers\BthLEEnum.sys [2012-7-26 202752]
S3 Olympus DVR Service;Olympus DVR Service;C:\Program Files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [2012-11-8 174592]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE [2010-1-9 174440]
S4 DragonSvc;Dragon Service;C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe [2013-3-8 311184]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2014-12-14 18:51:26    --------    d-----w-    C:\Users\(removed for privacy)\AppData\Local\webkit
2014-12-10 15:18:02    --------    d-----w-    C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av
2014-12-10 15:17:47    --------    d-----w-    C:\ProgramData\Avg_Update_1214av
2014-12-08 23:00:33    17536    ----a-w-    C:\ProgramData\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
.
==================== Find3M  ====================
.
2015-01-07 15:07:57    129752    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-01-05 21:29:03    96472    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-26 21:11:29    714184    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-11-26 21:11:29    106440    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-21 08:38:00    2237952    ----a-w-    C:\Windows\System32\wininet.dll
2014-11-21 08:37:51    915968    ----a-w-    C:\Windows\System32\uxtheme.dll
2014-11-21 08:37:51    53760    ----a-w-    C:\Windows\System32\UXInit.dll
2014-11-21 08:36:24    3959296    ----a-w-    C:\Windows\System32\jscript9.dll
2014-11-21 08:36:17    67072    ----a-w-    C:\Windows\System32\iesetup.dll
2014-11-21 08:36:17    136704    ----a-w-    C:\Windows\System32\iesysprep.dll
2014-11-21 08:35:42    1509376    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-11-21 07:17:51    1762816    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-11-21 07:17:44    44032    ----a-w-    C:\Windows\SysWow64\UXInit.dll
2014-11-21 07:16:46    2861568    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-11-21 07:16:42    61440    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-11-21 07:16:42    109056    ----a-w-    C:\Windows\SysWow64\iesysprep.dll
2014-11-21 07:16:16    1441280    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-11-21 07:00:18    2706432    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-11-21 06:54:49    2706432    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-11-21 06:14:26    64216    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-11-21 06:14:08    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-11-21 04:30:26    534528    ----a-w-    C:\Windows\SysWow64\uxtheme.dll
2014-11-19 04:26:34    1614504    ----a-w-    C:\Windows\System32\FM20.DLL
2014-11-08 11:22:11    238080    ----a-w-    C:\Windows\System32\pku2u.dll
2014-11-08 11:21:32    827904    ----a-w-    C:\Windows\System32\kerberos.dll
2014-11-08 06:57:15    187904    ----a-w-    C:\Windows\SysWow64\pku2u.dll
2014-11-08 06:56:40    666624    ----a-w-    C:\Windows\SysWow64\kerberos.dll
2014-11-06 06:50:46    1627648    ----a-w-    C:\Windows\System32\WindowsCodecs.dll
2014-11-06 05:03:42    1339392    ----a-w-    C:\Windows\SysWow64\WindowsCodecs.dll
2014-10-29 21:35:16    263960    ----a-w-    C:\Windows\System32\drivers\avgidsdrivera.sys
2014-10-23 12:47:53    79872    ----a-w-    C:\Windows\System32\packager.dll
2014-10-23 11:04:41    68096    ----a-w-    C:\Windows\SysWow64\packager.dll
2014-10-18 08:44:05    778240    ----a-w-    C:\Windows\System32\oleaut32.dll
2014-10-18 07:05:16    567808    ----a-w-    C:\Windows\SysWow64\oleaut32.dll
2014-10-11 08:35:58    171840    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-10-11 07:45:07    10115072    ----a-w-    C:\Windows\System32\twinui.dll
2014-10-11 07:44:56    588288    ----a-w-    C:\Windows\System32\SHCore.dll
2014-10-11 07:44:47    3248640    ----a-w-    C:\Windows\System32\rdpcorets.dll
2014-10-11 07:44:07    393216    ----a-w-    C:\Windows\System32\msihnd.dll
2014-10-11 07:44:07    2885632    ----a-w-    C:\Windows\System32\msi.dll
2014-10-11 07:43:51    1281536    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-10-11 07:43:08    2307072    ----a-w-    C:\Windows\System32\authui.dll
2014-10-11 05:58:05    8858624    ----a-w-    C:\Windows\SysWow64\twinui.dll
2014-10-11 05:57:57    452608    ----a-w-    C:\Windows\SysWow64\SHCore.dll
2014-10-11 05:57:21    295424    ----a-w-    C:\Windows\SysWow64\msihnd.dll
2014-10-11 05:57:21    2416640    ----a-w-    C:\Windows\SysWow64\msi.dll
2014-10-11 05:56:37    2037760    ----a-w-    C:\Windows\SysWow64\authui.dll
2014-10-11 05:41:57    146944    ----a-w-    C:\Windows\System32\msaudite.dll
2014-10-11 05:41:43    713728    ----a-w-    C:\Windows\System32\adtschema.dll
2014-10-11 05:05:20    146944    ----a-w-    C:\Windows\SysWow64\msaudite.dll
2014-10-11 05:04:59    713728    ----a-w-    C:\Windows\SysWow64\adtschema.dll
.
============= FINISH: 15:13:52.59 ===============


Please be aware that this is my only computer, so IF I AM infected please avoid suggesting fix methods with high likelihoods of causing boot-up or connection problems. Also be aware that should something be wrong I can load from a system image to revert to a time a month or two back, or older, but I cannot restore by any other method (including reinstalling Windows, "refresh and reset", or "system restore").

This machine is a Windows 8 computer, with AVG as the main antivirus, Firefox as the main browser (but Chrome and IE 10 are also installed) and Malwarebytes (free) as a second-opinion scanner.


Thank You

Edited by rp88, 07 January 2015 - 11:05 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#2 Machiavelli (Agent 007)


  • Malware Response Instructor
  • 3,976 posts
  • Location:Germany

Posted 07 January 2015 - 04:30 PM

Hey my friend, :)

I'm in the 'Malware Staff Team' and will provide you with advice:
Removing malware from a computer can be very complicated. Malware (malicious software) is able to hide, so I may not be able to find it easily. In order to remove malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do, just ask me! Please stay in contact with me until the problem is fixed.

You must reply to posts within days. If you haven't replied within 4 days, your topic will be closed. If you go away for some time, please let me know. Communication is an important part here! If you are unsure about something - STOP - and ask me. No need to be afraid of asking - better to ask than to make a mistake. Mistakes can lead to an unbootable PC! I would recommend following the topic by clicking on the Follow this topic button - you will get notified when I have replied to your topic.
 

Below are a few tips:
  • Removing malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient, especially if I don't answer every day!
  • Please follow these instructions.
    If you don't follow the instructions, your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved.
    As malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting me, as this can complicate finding and removing all malware.
    Don't run any tools while I'm fixing your PC. That is counterproductive and, again, will only complicate finding and removing all malware!
  • Read my post completely.
    If you don't do so, you may make mistakes that could result in your system crashing by your own actions!
 

I looked at the FSS log in your other thread. It seems that the service wuauserv isn't running. We will fix it later, once I have taken a look at a fresh FRST scan log.

Please download FRST (by Farbar) from the link below and save it to your Desktop.
 

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
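To verify the wuauserv observation above, and to tell "check automatically but wait for permission to download" apart from "service not running", the following PowerShell reports the Windows Update service state and the Automatic Updates (AUOptions) setting in plain words. It is an added example, not code from this thread or from the FSS/FRST tools; it assumes Windows 8 with PowerShell 3 or later, an elevated prompt, and the standard Windows Update registry locations.

```powershell
# Added example (not part of the thread): report the state of the Windows
# Update service (wuauserv) and the Automatic Updates setting in plain words.
# Assumed: Windows 8 / PowerShell 3+, run from an elevated prompt.

$svc = Get-Service -Name wuauserv
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

# Documented meanings of the AUOptions registry value.
$auMeaning = @{
    1 = 'Automatic Updates is turned off'
    2 = 'Check for updates automatically, but ask before downloading and installing'
    3 = 'Download updates automatically, but ask before installing'
    4 = 'Download and install updates automatically on a schedule'
    5 = 'Let the local administrator choose the setting'
}

function Get-AUSetting {
    # A Group Policy value, when present, overrides the locally chosen one,
    # so the policy key is consulted first.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    )
    foreach ($key in $keys) {
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key
            if ($null -ne $props.AUOptions) {
                return [pscustomobject]@{ Source = $key; AUOptions = [int]$props.AUOptions }
            }
        }
    }
    return $null
}

Write-Host ("wuauserv status    : {0}" -f $svc.Status)
Write-Host ("wuauserv start mode: {0}" -f $cim.StartMode)
# On Windows 8 the service is typically started on demand (Manual), so a
# 'Stopped' status by itself is not a fault; a 'Disabled' start mode would be,
# because then updates cannot be checked for at all.
if ($cim.StartMode -eq 'Disabled') {
    Write-Warning 'The Windows Update service is disabled; updates cannot be checked at all.'
}

$au = Get-AUSetting
if ($null -eq $au) {
    Write-Host 'No AUOptions value found; Windows is using its default update behaviour.'
} else {
    $text = $auMeaning[$au.AUOptions]
    if (-not $text) { $text = 'Unrecognised value' }
    Write-Host ("AUOptions = {0} ({1})" -f $au.AUOptions, $text)
    Write-Host ("Read from : {0}" -f $au.Source)
}
```

A value of 2 corresponds to the "check, but do not download or install without permission" behaviour the thread starter describes wanting.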



#3 rp88 (Topic Starter)

  • Members
  • 2,966 posts

Posted 07 January 2015 - 08:51 PM

What should wuauserv be doing? Is this a severe problem?

EDIT: I searched the term "what is the wuauserv service" on Google and got loads of results about Windows automatic updates. I like to have updates run so they CHECK automatically but do not DOWNLOAD or INSTALL until I give permission. If the current setting as reported by FSS means they check automatically but wait for my permission to download and install, then they are working as they should for me.

 

Please note that throughout this log I have removed references to my full name (which is the name of the admin account), and that in my MiniToolBox log I removed a reference within an internet connections section which included my home address. Anything I have removed is replaced with the text "(removed for privacy)", as I would rather not post my full name and address anywhere online.

 

The FRST logs are below; the FRST.txt log is first and the Addition.txt log is second.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-01-2015
Ran by (removed for privacy) (administrator) on (removed for privacy) on 08-01-2015 01:33:31
Running from D:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging
Loaded Profiles: (removed for privacy) & .NET v4.5 & .NET v4.5 Classic (Available profiles: (removed for privacy) & .NET v4.5 & .NET v4.5 Classic)
Platform: Windows 8 (X64) OS Language: English (United Kingdom)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
() C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2565544 2012-10-31] ()
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM-x32\...\Run: [ITSecMng] => C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [80840 2011-04-01] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [2068856 2011-10-12] (Flexera Software LLC.)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1273448 2012-04-03] (CANON INC.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3653136 2014-11-09] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [2068856 2011-10-12] (Flexera Software LLC.)
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\Run: [AVG-Secure-Search-Update_1214av] => C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe [2778648 2014-10-26] ()
HKU\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\...\Run: [moveuser] => C:\Windows\iansyst\imoveuser.exe [293213 2012-12-16] ()
HKU\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\...\RunOnce: [theme] => C:\Windows\iansyst\theme.exe [302507 2012-12-16] ()
HKU\S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236\...\Run: [moveuser] => C:\Windows\iansyst\imoveuser.exe [293213 2012-12-16] ()
HKU\S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236\...\RunOnce: [theme] => C:\Windows\iansyst\theme.exe [302507 2012-12-16] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
Startup: C:\Users\(removed for privacy)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup notes ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
HKU\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
HKU\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
HKU\S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
HKU\S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
URLSearchHook: [S-1-5-82-271721585-897601226-2024613209-625570482-296978595] ATTENTION ==> Default URLSearchHook is missing.
URLSearchHook: [S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236] ATTENTION ==> Default URLSearchHook is missing.
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Dragon NaturallySpeaking Rich Internet Application Support - Extension -> {73A89C60-CF59-4EC7-9215-9B7EF05ECEA4} -> C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ieShim.dll (Nuance Communications, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.235.192.1

FireFox:
========
FF ProfilePath: C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default
FF Homepage: https://www.google.co.uk
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: nuance.com/DragonRIAPlugin -> C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\npDgnRia.dll (Nuance Communications Inc.)
FF Extension: NoScript - C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-09-30]
FF Extension: Adblock Plus - C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-09-30]
FF HKLM-x32\...\Firefox\Extensions: [jid0-lmZNVK7a82O8cufhdfB9dUDfA2w@jetpack] - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ffShim.xpi
FF Extension: No Name - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2013-03-08]

Chrome:
=======
CHR HomePage: Default -> https://www.google.co.uk/
CHR StartupUrls: Default -> "https://www.google.co.uk/"
CHR Profile: C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-30]
CHR Extension: (Google Wallet) - C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-30]
CHR HKLM-x32\...\Chrome\Extension: [mikhcaiakabeeokmenglcdebplfdjicn] - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\chromeShim.crx [2013-03-08]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3488784 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MSMQ; C:\Windows\system32\mqsvc.exe [25088 2012-07-26] (Microsoft Corporation)
S3 Olympus DVR Service; C:\Program Files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [174592 2012-11-08] (OLYMPUS IMAGING CORP.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-10] (Realtek Semiconductor)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [471552 2012-07-26] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [20496 2013-09-04] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [263960 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [277784 2014-09-24] (AVG Technologies CZ, s.r.o.)
S3 BtFilter; C:\Windows\system32\DRIVERS\btfilter.sys [43944 2012-07-11] (Atheros) [File not signed]
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [185856 2012-07-26] (Microsoft Corporation)
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [28632 2012-08-02] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-08 01:33 - 2015-01-08 01:33 - 00000000 ____D () C:\FRST
2015-01-05 05:56 - 2015-01-05 05:56 - 00043357 _____ () C:\Users\(removed for privacy)\AppData\Local\recently-used.xbel
2014-12-14 18:51 - 2014-12-14 18:51 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Local\webkit
2014-12-11 21:29 - 2014-12-11 21:29 - 00001163 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-12-10 15:58 - 2014-11-21 08:38 - 02237952 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 15:58 - 2014-11-21 08:38 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-10 15:58 - 2014-11-21 08:37 - 01409536 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 15:58 - 2014-11-21 08:37 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-12-10 15:58 - 2014-11-21 08:37 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 19283456 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 15400960 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-10 15:58 - 2014-11-21 08:35 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 15:58 - 2014-11-21 07:17 - 14364672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 13758976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 02054656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-10 15:58 - 2014-11-21 07:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-10 15:58 - 2014-11-21 07:00 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 15:58 - 2014-11-21 06:54 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-10 15:58 - 2014-11-21 04:30 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2014-12-10 15:58 - 2014-11-06 06:50 - 01627648 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-10 15:58 - 2014-11-06 05:03 - 01339392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-10 15:18 - 2014-12-10 15:18 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av
2014-12-10 15:17 - 2015-01-08 01:14 - 00000418 _____ () C:\Windows\Tasks\AVG_SYS_TASK_1214av_DELETE.job
2014-12-10 15:17 - 2015-01-08 01:13 - 00000550 _____ () C:\Windows\Tasks\AVG_SYS_TASK_1214av.job
2014-12-10 15:17 - 2014-12-10 15:18 - 00002824 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1214av
2014-12-10 15:17 - 2014-12-10 15:17 - 00002900 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1214av_DELETE
2014-12-10 15:17 - 2014-12-10 15:17 - 00000000 ____D () C:\ProgramData\Avg_Update_1214av

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-08 01:29 - 2014-09-30 20:13 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-08 01:18 - 2014-11-30 07:28 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-08 01:18 - 2014-09-30 20:57 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-08 01:14 - 2013-08-22 16:21 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-08 01:07 - 2013-08-22 16:21 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-08 00:00 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\system32\sru
2015-01-07 20:59 - 2013-08-22 14:50 - 01745042 _____ () C:\Windows\WindowsUpdate.log
2015-01-07 20:44 - 2012-07-26 07:28 - 00977226 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-07 00:00 - 2014-09-30 18:52 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Roaming\vlc
2015-01-06 18:48 - 2012-07-26 07:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-06 18:47 - 2012-07-26 05:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-05 21:45 - 2014-10-01 15:38 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-05 21:29 - 2014-09-30 20:13 - 00096472 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-05 17:00 - 2013-08-22 08:54 - 00021714 _____ () C:\Windows\PFRO.log
2015-01-05 05:56 - 2014-11-29 22:30 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Local\gtk-2.0
2015-01-05 05:56 - 2014-10-01 16:36 - 00000000 ____D () C:\Users\(removed for privacy)\.gimp-2.8
2015-01-04 20:38 - 2012-07-26 05:26 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-01-02 23:42 - 2014-11-29 18:14 - 00000000 ____D () C:\tmp
2014-12-29 19:35 - 2014-09-30 19:22 - 00007597 _____ () C:\Users\(removed for privacy)\AppData\Local\Resmon.ResmonCfg
2014-12-25 15:00 - 2012-07-26 07:21 - 00022270 _____ () C:\Windows\setupact.log
2014-12-16 20:23 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\rescache
2014-12-11 21:43 - 2014-11-30 07:27 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Local\Adobe
2014-12-11 21:42 - 2014-11-30 07:28 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-10 16:08 - 2012-07-26 07:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-12-10 16:07 - 2013-09-06 08:03 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-10 16:07 - 2013-08-22 15:35 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-10 16:04 - 2013-08-22 15:35 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-06 21:45

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-01-2015
Ran by (removed for privacy) at 2015-01-08 01:34:21
Running from D:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Atheros Bluetooth Filter Driver Package (HKLM\...\{026B819B-4D60-4C8B-892D-33A0D8666F60}) (Version: 2.0.0.3 - Atheros Communications)
Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Atheros)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5577 - AVG Technologies)
AVG 2015 (Version: 15.0.4257 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5577 - AVG Technologies) Hidden
Blender (HKLM\...\Blender) (Version: 2.65a-release - Blender Foundation)
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v8.00.12(T) - TOSHIBA CORPORATION)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MG5400 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5400_series) (Version: 1.00 - Canon Inc.)
Canon MG5400 series On-screen Manual (HKLM-x32\...\Canon MG5400 series On-screen Manual) (Version: 7.5.0 - Canon Inc.)
Canon MG5400 series User Registration (HKLM-x32\...\Canon MG5400 series User Registration) (Version:  - Canon Inc.‎)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.0.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.0.0 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Claro ScreenMarker (HKLM-x32\...\{4E5FD3CA-F8C3-4D5A-A44A-6289C179FCFA}) (Version: 1.1.0 - Claro Software)
ClaroCapture (HKLM-x32\...\{54CBA75F-6623-4A18-A0D5-B7BE983F69FD}) (Version: 3.0.19 - Claro Software)
ClaroIdeas (HKLM-x32\...\{267F05DC-9816-4E68-A83A-6DAFA3A2BC50}) (Version: 2.1.0 - Claro Software)
ClaroRead Plus (HKLM-x32\...\{0389C7C3-A73B-4C16-909F-80C350EA8953}) (Version: 6.2.7 - Claro Software)
ClaroView (HKLM-x32\...\{A836EF85-4F9B-4BE0-904A-A56B6A48293F}) (Version: 1.0.12 - Claro Software)
Dragon NaturallySpeaking 12 (HKLM-x32\...\{D5D422B9-6976-4E98-8DDF-9632CB515D7E}) (Version: 12.50.000 - Nuance Communications Inc.)
eLearning Module Content version 2.0 (HKLM-x32\...\{8218117A-6682-485E-B7BA-305558DCEF0D}_is1) (Version: 2.0 - iansyst Ltd)
eLearning version 2.0 (HKLM-x32\...\{E1B01443-4A1D-4986-BECC-2D043E0CF893}_is1) (Version: 2.0 - iansyst Ltd)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google SketchUp 8 (HKLM-x32\...\{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}) (Version: 3.0.11752 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3040 - Intel Corporation)
KAZ (Keyboard A-Z) Version 20.5 (HKLM-x32\...\Kaz_10) (Version:  - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office Professional 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 34.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 34.0 (x86 en-GB)) (Version: 34.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Olympus Sonority (HKLM-x32\...\{40CAF5AE-4E70-46C8-8AD8-4A036D32525C}) (Version: 1.4.3 - OLYMPUS IMAGING CORP.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6794 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.8400.30136 - Realtek Semiconductor Corp.)
ScreenRuler (HKLM-x32\...\{46243C14-2485-45EE-9B4E-609B71B5D5FF}) (Version: 3.0.5 - Claro Software)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{90140000-003D-0000-1000-0000000FF1CE}_Office14.SingleImage_{A3364707-2F53-4C83-8F68-C9877A9080C7}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (Version:  - Microsoft) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.26 - Piriform)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.10.5 - Synaptics Incorporated)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.00.6626.6410 - Toshiba Corporation)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Vocalizer Daniel from Claro Software (HKLM-x32\...\{36FB67D5-2099-41E0-8E28-7E061828845C}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Fiona from Claro Software (HKLM-x32\...\{AE789798-995E-47D0-A16C-55E97BCDBFC8}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Karen from Claro Software (HKLM-x32\...\{BFF55ECD-AA48-4872-82A5-65BFD3598CB8}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Lee from Claro Software (HKLM-x32\...\{8B0DF0EC-FCC1-4A97-86E4-E0D9720DAA92}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Moira from Claro Software (HKLM-x32\...\{B8C81D28-7194-4F07-94BE-733615F498E9}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Sangeeta from Claro Software (HKLM-x32\...\{B70556CA-E6DB-4ACD-92B5-1A5F85621690}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Serena from Claro Software (HKLM-x32\...\{4345FA12-BFC9-492B-B47C-C7BEF6785398}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Tom from Claro Software (HKLM-x32\...\{985F3407-E764-4D79-B1AB-ECA53FFBEC52}) (Version: 1.2.1.0 - Claro Software)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3470675919-4289468765-2846079494-1001_Classes\CLSID\{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}\InprocServer32 -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\sys\x64\TosBtExt.dll (TOSHIBA)
CustomCLSID: HKU\S-1-5-21-3470675919-4289468765-2846079494-1001_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InprocServer32 -> C:\Program Files (x86)\Blender Foundation\Blender\BlendThumb64.dll ()

==================== Restore Points  =========================

22-12-2014 18:53:30 Scheduled Checkpoint
29-12-2014 23:17:50 Scheduled Checkpoint
06-01-2015 21:43:40 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 05:26 - 2012-07-26 05:26 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {18338ACF-9FFB-4EC6-8F13-AB08F55E5ED1} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-11] (Adobe Systems Incorporated)
Task: {613BB28E-23C7-406E-9B7A-01AB6507A448} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-22] (Google Inc.)
Task: {672CFF0F-034E-491E-8048-6C47E5FB6B28} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2014-12-10] (Microsoft Corporation)
Task: {6C764EED-92FC-4D5B-9606-2DDBC94C7CC9} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe
Task: {761672F4-5B37-4C62-8BA6-4A63CED395F8} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {772F426E-24E0-469D-8B70-68D0DF096536} - System32\Tasks\AVG_SYS_TASK_1214av_DELETE => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe [2014-10-26] ()
Task: {94C4FDBA-09CA-49A6-984A-8E547FBB9E90} - System32\Tasks\AVG_SYS_TASK_1214av => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe [2014-10-26] ()
Task: {DCEBAFE7-4471-4EAA-BA44-89589C71D73C} - System32\Tasks\Microsoft\Windows\Setup\Windows Upgrade Notification Task => C:\Windows\system32\NotificationUI.exe [2014-04-19] (Microsoft Corporation)
Task: {E956E91B-4502-4699-A0B6-880F5B387DDF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-22] (Google Inc.)
Task: {F97D658E-5C52-43F1-80C4-CC97424E5872} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-09-26] (Piriform Ltd)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\AVG_SYS_TASK_1214av.job => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
Task: C:\Windows\Tasks\AVG_SYS_TASK_1214av_DELETE.job => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-12-10 15:17 - 2014-10-26 11:53 - 02778648 _____ () C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
2013-03-06 02:02 - 2013-03-06 02:02 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-10-31 14:15 - 2012-10-31 14:15 - 02565544 _____ () C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
2012-07-18 17:38 - 2012-07-18 17:38 - 00020904 _____ () C:\Program Files\TOSHIBA\Hotkey\SmoothView.dll
2012-07-18 17:38 - 2012-07-18 17:38 - 00049064 _____ () C:\Program Files\TOSHIBA\Hotkey\Hotkey\FnZ.dll
2014-12-10 15:18 - 2014-10-26 11:53 - 02778648 _____ () C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
2013-08-22 14:25 - 2012-06-25 09:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2014-12-02 19:17 - 2014-12-02 19:17 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\StartupFolder: => "Bluetooth Manager.lnk"
HKLM\...\StartupApproved\Run32: => "ISUSPM"
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\StartupApproved\Run: => "ISUSPM"
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\StartupApproved\Run: => "CCleaner Monitoring"

========================= Accounts: ==========================

Administrator (S-1-5-21-3470675919-4289468765-2846079494-500 - Administrator - Disabled)
Guest (S-1-5-21-3470675919-4289468765-2846079494-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3470675919-4289468765-2846079494-1003 - Limited - Enabled)
(removed for privacy) (S-1-5-21-3470675919-4289468765-2846079494-1001 - Administrator - Enabled) => C:\Users\(removed for privacy)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/08/2015 01:07:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: blender.exe, version: 2.6.5.0, time stamp: 0x50d24361
Faulting module name: blender.exe, version: 2.6.5.0, time stamp: 0x50d24361
Exception code: 0xc0000005
Fault offset: 0x00f807c2
Faulting process ID: 0x1184
Faulting application start time: 0xblender.exe0
Faulting application path: blender.exe1
Faulting module path: blender.exe2
Report ID: blender.exe3
Faulting package full name: blender.exe4
Faulting package-relative application ID: blender.exe5

Error: (01/07/2015 02:52:27 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (01/06/2015 06:40:12 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/06/2015 02:44:29 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/06/2015 02:44:27 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/05/2015 05:37:52 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/05/2015 05:37:50 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/05/2015 05:12:12 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/05/2015 05:11:35 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.

Error: (01/01/2015 10:41:55 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.


System errors:
=============
Error: (12/10/2014 04:18:30 PM) (Source: DCOM) (EventID: 10005) (User: (removed for privacy))
Description: 1053WSearchUnavailable{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (12/10/2014 04:18:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053

Error: (12/10/2014 04:18:30 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

Error: (12/10/2014 04:18:07 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (12/10/2014 04:18:07 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with the following service-specific error:
%%2147749126

Error: (12/01/2014 10:57:05 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume14'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (12/01/2014 10:47:42 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume10'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (11/30/2014 04:40:52 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The AVGIDSAgent service terminated with the following service-specific error:
%%3758213661

Error: (11/30/2014 04:40:51 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The AVGIDSAgent service terminated with the following service-specific error:
%%3758213661

Error: (11/30/2014 04:40:50 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The AVGIDSAgent service terminated with the following service-specific error:
%%3758213661


Microsoft Office Sessions:
=========================
Error: (01/08/2015 01:07:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: blender.exe2.6.5.050d24361blender.exe2.6.5.050d24361c000000500f807c2118401d02ad07d60688bC:\Program Files (x86)\Blender Foundation\Blender\blender.exeC:\Program Files (x86)\Blender Foundation\Blender\blender.exec5eb37c1-96d2-11e4-be91-7054d28de8f3

Error: (01/07/2015 02:52:27 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (01/06/2015 06:40:12 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestD:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\esetsmartinstaller_enu.exe

Error: (01/06/2015 02:44:29 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestD:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\esetsmartinstaller_enu.exe

Error: (01/06/2015 02:44:27 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestD:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\esetsmartinstaller_enu.exe

Error: (01/05/2015 05:37:52 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestD:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\esetsmartinstaller_enu.exe

Error: (01/05/2015 05:37:50 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestD:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\esetsmartinstaller_enu.exe

Error: (01/05/2015 05:12:12 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestc:\program files (x86)\Nuance\naturallyspeaking12\Program\dragon_support_packager.exe

Error: (01/05/2015 05:11:35 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestC:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe

Error: (01/01/2015 10:41:55 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestD:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\esetsmartinstaller_enu.exe


==================== Memory info ===========================

Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 35%
Total physical RAM: 3979.3 MB
Available physical RAM: 2562.47 MB
Total Pagefile: 11659.3 MB
Available Pagefile: 9525.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.77 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:197.9 GB) (Free:136.85 GB) NTFS
Drive d: () (Fixed) (Total:218.69 GB) (Free:153.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 6FAE3D31)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=197.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=218.7 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=48.8 GB) - (Type=OF Extended)

==================== End Of Log ============================


Do these logs give enough information to tell whether I am infected with anything (if so, what is it?).
And do you still want Attach.txt which was produced by DDS earlier?
I assume that all that any of the tools have done so far is scan and that at this point I'm alright to turn the computer off until tomorrow.

Extra note: All the "installed programs" I recognise as being ones which are supposed to be there, some were preinstalled with the machine when I got it, some were installed by me later on.

Also note that there might be "gaps in time" (long periods where no files have them as creation or modification dates) for stuff on my system; that is because I have used system images to restore it to an older state several times.

Another note: so you can clearly see what is log and what is my typing I have coloured all my bits in red and left the logs coloured black


Edited by rp88, 07 January 2015 - 09:28 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#4 Machiavelli
  • Malware Response Instructor
  • Location:Germany

Posted 08 January 2015 - 10:55 AM

Hey,

HKU\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\...\Run: [moveuser] => C:\Windows\iansyst\imoveuser.exe [293213 2012-12-16] ()
HKU\S-1-5-82-271721585-897601226-2024613209-625570482-296978595\...\RunOnce: [theme] => C:\Windows\iansyst\theme.exe [302507 2012-12-16] ()
HKU\S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236\...\Run: [moveuser] => C:\Windows\iansyst\imoveuser.exe [293213 2012-12-16] ()
HKU\S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236\...\RunOnce: [theme] => C:\Windows\iansyst\theme.exe [302507 2012-12-16] ()

Unknown Malware.

Would you please move FRST to your Desktop? :)

Step 1: Adwarecleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

Go back to the Dashboard and select Scan Now

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.


On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



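The four HKU Run/RunOnce entries flagged in the post above point at unsigned executables under C:\Windows\iansyst, and the hives they sit in are S-1-5-82-* SIDs, which are IIS application-pool identities (W3SVC is running on this machine per the FRST log). The check a responder actually wants before calling such an entry malware is the file itself: does it exist, is it signed, what is its hash and timestamp. The following script is an added example written for this thread; it is not FRST's code and not something anyone in the thread posted. It assumes each Run value holds a path, optionally quoted and followed by arguments; an unquoted path that contains spaces is truncated at the first space.

```powershell
# Added example for this thread, not code from FRST or from anyone in the thread.
# Lists every Run/RunOnce value under the currently loaded HKEY_USERS hives, translates
# the hive's SID to an account name, and checks the target file's Authenticode signature
# and SHA-256 so an entry like the C:\Windows\iansyst\*.exe ones above can be judged
# on the file itself rather than on the path alone.
# Assumption: the value holds a path (optionally quoted, with trailing arguments);
# an unquoted path containing spaces is truncated at the first space.

function Get-HkuAutostart {
    $ntAccount = [System.Security.Principal.NTAccount]

    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
        $sid = $hive.PSChildName

        # S-1-5-21-* are local/domain users, S-1-5-82-* are IIS application-pool
        # identities (FRST listed two of those). *_Classes and .DEFAULT are not SIDs.
        $account = '(not a SID or not translatable)'
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
            $account = $sidObj.Translate($ntAccount).Value
        } catch { }

        foreach ($sub in 'Run', 'RunOnce') {
            $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }

            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }    # PowerShell's own PSPath/PSParentPath etc.

                $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
                $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }

                $exists = Test-Path -LiteralPath $exe -PathType Leaf
                $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
                $file   = if ($exists) { Get-Item -LiteralPath $exe } else { $null }

                [pscustomobject]@{
                    Hive      = $sid
                    Account   = $account
                    Key       = $sub
                    Name      = $p.Name
                    Command   = $cmd
                    Exists    = $exists
                    SigStatus = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
                    Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SHA256    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
                    Modified  = if ($file) { $file.LastWriteTimeUtc } else { $null }
                }
            }
        }
    }
}

# Everything first, then only the entries a reviewer needs to look at by hand.
Get-HkuAutostart | Format-Table Account, Key, Name, SigStatus, Command -AutoSize
Get-HkuAutostart | Where-Object { $_.SigStatus -ne 'Valid' } | Format-List
```

Run it from an elevated PowerShell. Two caveats: Get-ChildItem on HKEY_USERS only sees hives that are currently loaded, whereas FRST also reads profile hives on disk (its "Available profiles" line lists the two .NET app-pool profiles), so an entry FRST reported may be absent here until that identity's hive is loaded; and "NotSigned" on its own proves nothing either way, since plenty of OEM provisioning tools are unsigned. The SHA256 and Modified columns are what you compare against a known-clean image of the same machine or submit to a multi-engine scanner, and a Run value under an application-pool identity is unusual enough that it deserves that comparison even when the file dates match the original imaging.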
#5 rp88
  • Topic Starter
  • Members

Posted 08 January 2015 - 11:50 AM

I don't think those first four things are malware. I know those executables are not digitally signed, but I know they were on here when the machine was brand new and they were put on by the company that set it up. Have they performed any malicious actions or are they just not expected to be found where they are? Unless they have been actively doing something bad then removing these might cause problems with my system.

I am about to run adwcleaner right now, though if it finds anything I will ask you for advice before proceeding with removal.

I already have Malwarebytes installed, are you suggesting I uninstall the current one and reinstall it? Should I enable the full free trial when doing this re-installation or just re-install the free version (which I currently have)? EDIT: I uninstalled the version that was on here, downloaded the new version and have installed it as the free version, not the free trial. It is performing a "threat scan" (the ones that take 10-15 minutes) right now with those options you have mentioned all enabled.

I will run JRT straight afterwards.

Your fourth step asks me to run FRST again, should I just run it like I did last time, or do you want me to copy it to desktop first instead of running it out of the downloads folder? Should I download it again or just run the copy which I downloaded yesterday? Is there anything you want done differently this time (other than running it from the desktop rather than from within a folder in the downloads folder.)?

Have you been able to spot any recognizable malware? Or have you been able to get a look at any error logs covering the crash of flash player to reveal whether it was bad luck or a malicious attack?

# AdwCleaner v4.107 - Report created 08/01/2015 at 17:00:57
# Updated 07/01/2015 by Xplode
# Database : 2014-12-21.4 [Local]
# Operating System : Windows 8  (64 bits)
# Username : (removed for privacy)-(REMOVED FOR PRIVACY)
# Running from : D:\Users\(removed for privacy)\Downloads\security exe file downloads since reimaging\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17183


-\\ Mozilla Firefox v34.0 (x86 en-GB)


-\\ Google Chrome v39.0.2171.95

[C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [828 octets] - [08/01/2015 17:00:57]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [887 octets] ##########

Malwarebytes has finished; its log is below. It found nothing.

I can't copy the log because the window it opens in is slightly taller than my screen and that window won't resize vertically, nor will it move up high enough to show the bottom of it because that would obscure its "red x" close button. It has no maximize button, so I can't reach the "export" button at the bottom. Please advise how I am to deal with this.

I did find this within C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\ though:

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/01/08 17:20:28 GMT</date>
<logfile>mbam-log-2015-01-08 (17-20-28).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.4.1028</version>
<malware-database>v2015.01.08.10</malware-database>
<rootkit-database>v2015.01.07.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 8</osversion>
<arch>x64</arch>
<username>(removed for privacy)</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>412265</objects>
<time>778</time>
<processes>0</processes>
<modules>0</modules>
<keys>0</keys>
<values>0</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>warn</pup>
<pum>warn</pum>
</options>
<items>
</items>
</mbam-log>

JRT running now
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8 x64
Ran by (removed for privacy) on 08/01/2015 at 18:05:03.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/01/2015 at 18:09:46.58
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It's deleted something; is that an important system file which has just gone? I daren't restart or anything until I know. Also AVG, my antivirus, is no longer showing in the taskbar!

And it's turned off UAC!

Whatever has happened here, should I just try and reinstall from a system image made some months back? But I don't know if, with wininit.ini missing, I am safe to restart my machine and do that. I can't find the file in the recycle bin; I can't find any trace of what was in it. Please help fast: has something critical just been deleted?


Edited by rp88, 08 January 2015 - 01:50 PM.


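The question the post above keeps coming back to is whether the original Flash crash left a record that says anything, and the JRT log in the same post answers part of it: "Event Viewer Logs were cleared", so any Application Error event written before JRT ran on 08/01/2015 at 18:05 is gone. The script below is an added example written for this thread, not code from any of the tools used or from anyone posting here. It pulls Application Error (event ID 1000) records for the browser and plugin-host processes that run Flash and reports how far back the surviving log reaches. The process-name list is an assumption you should adjust: plugin-container.exe hosts NPAPI plugins in Firefox and FlashPlayerPlugin_*.exe is Flash's own sandbox process; the three browser names come from the FRST log.

```powershell
# Added example for this thread, not code from JRT, FRST, DDS or anyone in the thread.
# Lists Application Error (event ID 1000) crash records whose faulting application is a
# browser or its plugin host, and reports how far back the Application log still reaches.
# Caveat from the JRT log above: JRT clears the Event Viewer logs, so crash records older
# than that run are gone; collect crash evidence before running cleanup tools.

function Get-PluginCrash {
    param(
        # Assumed list; plugin-container.exe hosts NPAPI Flash in Firefox and
        # FlashPlayerPlugin_*.exe is Flash's sandbox process. Adjust for your browsers.
        [string[]] $AppFilter = @('plugin-container.exe', 'FlashPlayerPlugin_*.exe',
                                 'firefox.exe', 'chrome.exe', 'iexplore.exe')
    )

    $filter = @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 1000 carries unnamed data fields in this order (the same order DDS glued
        # together in its "Application Error" lines earlier in the thread):
        # 0 app name, 1 app version, 2 app timestamp, 3 faulting module, 4 module version,
        # 5 module timestamp, 6 exception code, 7 fault offset, 8 PID, 9 start time,
        # 10 app path, 11 module path, 12 report id
        $p = @($e.Properties | ForEach-Object { [string]$_.Value })
        if ($p.Count -lt 8) { continue }

        $app   = $p[0]
        $match = $false
        foreach ($pattern in $AppFilter) {
            if ($app -like $pattern) { $match = $true; break }
        }
        if (-not $match) { continue }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            App           = $app
            AppVersion    = $p[1]
            FaultModule   = $p[3]
            ExceptionCode = $p[6]
            FaultOffset   = $p[7]
            ModulePath    = if ($p.Count -gt 11) { $p[11] } else { $null }
        }
    }
}

function Get-ApplicationLogStart {
    # The oldest surviving record tells you whether the window you care about still exists.
    (Get-WinEvent -LogName Application -Oldest -MaxEvents 1).TimeCreated
}

"Application log now starts at: $(Get-ApplicationLogStart)"
Get-PluginCrash | Sort-Object Time | Format-Table -AutoSize
```

What to read off the output: FaultModule and FaultOffset say which code faulted (here you would expect NPSWF32_16_0_0_235.dll or NPSWF64_16_0_0_235.dll, the Flash build listed in the FRST log), and exception code c0000005 is an access violation, the commonest result of both an ordinary plugin bug and a failed exploit attempt. A crash record is therefore evidence of what faulted, not of intent: a failed exploit leaves the same 1000 event as any bug, and a successful one usually does not crash the process at all. The useful follow-up is the timestamp, matched against the browser history for the page that was open at that moment and against the Flash release that was current for that date.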
#6 Machiavelli
  • Malware Response Instructor
  • Location:Germany

Posted 08 January 2015 - 01:57 PM

1. Wrong MBAM Log.
2. The last step is missing. As I said before just move FRST64 to your Desktop.

~Machiavelli



#7 rp88
  • Topic Starter
  • Members

Posted 08 January 2015 - 01:59 PM

What is all that wininit business about?
FRST has now finished being run again.
How can I get the right MBAM log? I've mentioned how I can't get to the export log button.

FRST.txt and Addition.txt are below.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-01-2015
Ran by (removed for privacy) (administrator) on (removed for privacy) on 08-01-2015 19:00:36
Running from D:\Users\(removed for privacy)\Desktop
Loaded Profile: (removed for privacy) (Available profiles: (removed for privacy) & .NET v4.5 & .NET v4.5 Classic)
Platform: Windows 8 (X64) OS Language: English (United Kingdom)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2565544 2012-10-31] ()
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM-x32\...\Run: [ITSecMng] => C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [80840 2011-04-01] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [2068856 2011-10-12] (Flexera Software LLC.)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1273448 2012-04-03] (CANON INC.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [2068856 2011-10-12] (Flexera Software LLC.)
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\Run: [AVG-Secure-Search-Update_1214av] => C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe [2778648 2014-10-26] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
Startup: C:\Users\(removed for privacy)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup notes ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Dragon NaturallySpeaking Rich Internet Application Support - Extension -> {73A89C60-CF59-4EC7-9215-9B7EF05ECEA4} -> C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ieShim.dll (Nuance Communications, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.235.192.1

FireFox:
========
FF ProfilePath: C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default
FF Homepage: https://www.google.co.uk
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: nuance.com/DragonRIAPlugin -> C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\npDgnRia.dll (Nuance Communications Inc.)
FF Extension: NoScript - C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-09-30]
FF Extension: Adblock Plus - C:\Users\(removed for privacy)\AppData\Roaming\Mozilla\Firefox\Profiles\pudftc64.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-09-30]
FF HKLM-x32\...\Firefox\Extensions: [jid0-lmZNVK7a82O8cufhdfB9dUDfA2w@jetpack] - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ffShim.xpi
FF Extension: No Name - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2013-03-08]

Chrome:
=======
CHR HomePage: Default -> https://www.google.co.uk/
CHR StartupUrls: Default -> "https://www.google.co.uk/"
CHR Profile: C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-30]
CHR Extension: (Google Wallet) - C:\Users\(removed for privacy)\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-30]
CHR HKLM-x32\...\Chrome\Extension: [mikhcaiakabeeokmenglcdebplfdjicn] - C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\chromeShim.crx [2013-03-08]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MSMQ; C:\Windows\system32\mqsvc.exe [25088 2012-07-26] (Microsoft Corporation)
S3 Olympus DVR Service; C:\Program Files (x86)\Common Files\Olympus Shared\DeviceManager\olydvrsv.exe [174592 2012-11-08] (OLYMPUS IMAGING CORP.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-10] (Realtek Semiconductor)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [471552 2012-07-26] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [20496 2013-09-04] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [260888 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [203544 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [277784 2014-09-24] (AVG Technologies CZ, s.r.o.)
S3 BtFilter; C:\Windows\system32\DRIVERS\btfilter.sys [43944 2012-07-11] (Atheros) [File not signed]
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-26] (Microsoft Corporation)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [185856 2012-07-26] (Microsoft Corporation)
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [28632 2012-08-02] (Windows ® Win 7 DDK provider)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-08 18:09 - 2015-01-08 18:09 - 00000675 _____ () C:\Users\(removed for privacy)\Desktop\JRT.txt
2015-01-08 18:05 - 2015-01-08 18:05 - 00000000 ____D () C:\Windows\ERUNT
2015-01-08 17:17 - 2015-01-08 18:19 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-08 17:17 - 2015-01-08 17:17 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-08 17:17 - 2015-01-08 17:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-08 17:16 - 2015-01-08 17:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-08 17:16 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-08 17:16 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-08 17:16 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-08 17:00 - 2015-01-08 17:02 - 00000000 ____D () C:\AdwCleaner
2015-01-08 01:33 - 2015-01-08 19:00 - 00000000 ____D () C:\FRST
2015-01-05 05:56 - 2015-01-05 05:56 - 00043357 _____ () C:\Users\(removed for privacy)\AppData\Local\recently-used.xbel
2014-12-14 18:51 - 2014-12-14 18:51 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Local\webkit
2014-12-11 21:29 - 2014-12-11 21:29 - 00001163 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-12-10 15:58 - 2014-11-21 08:38 - 02237952 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-10 15:58 - 2014-11-21 08:38 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-10 15:58 - 2014-11-21 08:37 - 01409536 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-10 15:58 - 2014-11-21 08:37 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-12-10 15:58 - 2014-11-21 08:37 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 19283456 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 15400960 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-10 15:58 - 2014-11-21 08:36 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-10 15:58 - 2014-11-21 08:35 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-10 15:58 - 2014-11-21 07:17 - 14364672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-10 15:58 - 2014-11-21 07:17 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 13758976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 02054656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-10 15:58 - 2014-11-21 07:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-10 15:58 - 2014-11-21 07:16 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-10 15:58 - 2014-11-21 07:00 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-10 15:58 - 2014-11-21 06:54 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-10 15:58 - 2014-11-21 04:30 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2014-12-10 15:58 - 2014-11-06 06:50 - 01627648 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-10 15:58 - 2014-11-06 05:03 - 01339392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-10 15:18 - 2014-12-10 15:18 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av
2014-12-10 15:17 - 2015-01-08 17:14 - 00000550 _____ () C:\Windows\Tasks\AVG_SYS_TASK_1214av.job
2014-12-10 15:17 - 2015-01-08 17:14 - 00000418 _____ () C:\Windows\Tasks\AVG_SYS_TASK_1214av_DELETE.job
2014-12-10 15:17 - 2014-12-10 15:18 - 00002824 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1214av
2014-12-10 15:17 - 2014-12-10 15:17 - 00002900 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1214av_DELETE
2014-12-10 15:17 - 2014-12-10 15:17 - 00000000 ____D () C:\ProgramData\Avg_Update_1214av

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-08 18:18 - 2014-11-30 07:28 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-08 18:11 - 2014-09-30 20:57 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-08 18:07 - 2013-08-22 16:21 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-08 18:00 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\system32\sru
2015-01-08 17:14 - 2013-08-22 16:21 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-08 17:14 - 2012-07-26 07:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-08 17:13 - 2013-08-22 14:50 - 01811145 _____ () C:\Windows\WindowsUpdate.log
2015-01-08 11:09 - 2014-11-30 05:26 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-01-08 11:09 - 2014-11-30 05:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-01-08 03:32 - 2014-09-30 18:52 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Roaming\vlc
2015-01-07 20:44 - 2012-07-26 07:28 - 00977226 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-06 18:47 - 2012-07-26 05:26 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-05 21:45 - 2014-10-01 15:38 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-05 17:00 - 2013-08-22 08:54 - 00021714 _____ () C:\Windows\PFRO.log
2015-01-05 05:56 - 2014-11-29 22:30 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Local\gtk-2.0
2015-01-05 05:56 - 2014-10-01 16:36 - 00000000 ____D () C:\Users\(removed for privacy)\.gimp-2.8
2015-01-04 20:38 - 2012-07-26 05:26 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-01-02 23:42 - 2014-11-29 18:14 - 00000000 ____D () C:\tmp
2014-12-29 19:35 - 2014-09-30 19:22 - 00007597 _____ () C:\Users\(removed for privacy)\AppData\Local\Resmon.ResmonCfg
2014-12-25 15:00 - 2012-07-26 07:21 - 00022270 _____ () C:\Windows\setupact.log
2014-12-16 20:23 - 2012-07-26 08:12 - 00000000 ____D () C:\Windows\rescache
2014-12-11 21:43 - 2014-11-30 07:27 - 00000000 ____D () C:\Users\(removed for privacy)\AppData\Local\Adobe
2014-12-11 21:42 - 2014-11-30 07:28 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-10 16:08 - 2012-07-26 07:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-12-10 16:07 - 2013-09-06 08:03 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-10 16:07 - 2013-08-22 15:35 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-10 16:04 - 2013-08-22 15:35 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-06 21:45

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-01-2015
Ran by (removed for privacy) at 2015-01-08 19:01:19
Running from D:\Users\(removed for privacy)\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Atheros Bluetooth Filter Driver Package (HKLM\...\{026B819B-4D60-4C8B-892D-33A0D8666F60}) (Version: 2.0.0.3 - Atheros Communications)
Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Atheros)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5645 - AVG Technologies)
AVG 2015 (Version: 15.0.4257 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5645 - AVG Technologies) Hidden
Blender (HKLM\...\Blender) (Version: 2.65a-release - Blender Foundation)
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v8.00.12(T) - TOSHIBA CORPORATION)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - ‪Canon Inc.‬)
Canon MG5400 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5400_series) (Version: 1.00 - Canon Inc.)
Canon MG5400 series On-screen Manual (HKLM-x32\...\Canon MG5400 series On-screen Manual) (Version: 7.5.0 - Canon Inc.)
Canon MG5400 series User Registration (HKLM-x32\...\Canon MG5400 series User Registration) (Version:  - Canon Inc.‎)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.0.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.0.0 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Claro ScreenMarker (HKLM-x32\...\{4E5FD3CA-F8C3-4D5A-A44A-6289C179FCFA}) (Version: 1.1.0 - Claro Software)
ClaroCapture (HKLM-x32\...\{54CBA75F-6623-4A18-A0D5-B7BE983F69FD}) (Version: 3.0.19 - Claro Software)
ClaroIdeas (HKLM-x32\...\{267F05DC-9816-4E68-A83A-6DAFA3A2BC50}) (Version: 2.1.0 - Claro Software)
ClaroRead Plus (HKLM-x32\...\{0389C7C3-A73B-4C16-909F-80C350EA8953}) (Version: 6.2.7 - Claro Software)
ClaroView (HKLM-x32\...\{A836EF85-4F9B-4BE0-904A-A56B6A48293F}) (Version: 1.0.12 - Claro Software)
Dragon NaturallySpeaking 12 (HKLM-x32\...\{D5D422B9-6976-4E98-8DDF-9632CB515D7E}) (Version: 12.50.000 - Nuance Communications Inc.)
eLearning Module Content version 2.0 (HKLM-x32\...\{8218117A-6682-485E-B7BA-305558DCEF0D}_is1) (Version: 2.0 - iansyst Ltd)
eLearning version 2.0 (HKLM-x32\...\{E1B01443-4A1D-4986-BECC-2D043E0CF893}_is1) (Version: 2.0 - iansyst Ltd)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google SketchUp 8 (HKLM-x32\...\{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}) (Version: 3.0.11752 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3040 - Intel Corporation)
KAZ (Keyboard A-Z) Version 20.5 (HKLM-x32\...\Kaz_10) (Version:  - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office Professional 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 34.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 34.0 (x86 en-GB)) (Version: 34.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Olympus Sonority (HKLM-x32\...\{40CAF5AE-4E70-46C8-8AD8-4A036D32525C}) (Version: 1.4.3 - OLYMPUS IMAGING CORP.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6794 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.8400.30136 - Realtek Semiconductor Corp.)
ScreenRuler (HKLM-x32\...\{46243C14-2485-45EE-9B4E-609B71B5D5FF}) (Version: 3.0.5 - Claro Software)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{90140000-003D-0000-1000-0000000FF1CE}_Office14.SingleImage_{A3364707-2F53-4C83-8F68-C9877A9080C7}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (Version:  - Microsoft) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.26 - Piriform)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.10.5 - Synaptics Incorporated)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.00.6626.6410 - Toshiba Corporation)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Vocalizer Daniel from Claro Software (HKLM-x32\...\{36FB67D5-2099-41E0-8E28-7E061828845C}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Fiona from Claro Software (HKLM-x32\...\{AE789798-995E-47D0-A16C-55E97BCDBFC8}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Karen from Claro Software (HKLM-x32\...\{BFF55ECD-AA48-4872-82A5-65BFD3598CB8}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Lee from Claro Software (HKLM-x32\...\{8B0DF0EC-FCC1-4A97-86E4-E0D9720DAA92}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Moira from Claro Software (HKLM-x32\...\{B8C81D28-7194-4F07-94BE-733615F498E9}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Sangeeta from Claro Software (HKLM-x32\...\{B70556CA-E6DB-4ACD-92B5-1A5F85621690}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Serena from Claro Software (HKLM-x32\...\{4345FA12-BFC9-492B-B47C-C7BEF6785398}) (Version: 1.2.1.0 - Claro Software)
Vocalizer Tom from Claro Software (HKLM-x32\...\{985F3407-E764-4D79-B1AB-ECA53FFBEC52}) (Version: 1.2.1.0 - Claro Software)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3470675919-4289468765-2846079494-1001_Classes\CLSID\{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}\InprocServer32 -> C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\sys\x64\TosBtExt.dll (TOSHIBA)
CustomCLSID: HKU\S-1-5-21-3470675919-4289468765-2846079494-1001_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InprocServer32 -> C:\Program Files (x86)\Blender Foundation\Blender\BlendThumb64.dll ()

==================== Restore Points  =========================

22-12-2014 18:53:30 Scheduled Checkpoint
29-12-2014 23:17:50 Scheduled Checkpoint
06-01-2015 21:43:40 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 05:26 - 2012-07-26 05:26 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {18338ACF-9FFB-4EC6-8F13-AB08F55E5ED1} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-11] (Adobe Systems Incorporated)
Task: {613BB28E-23C7-406E-9B7A-01AB6507A448} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-22] (Google Inc.)
Task: {672CFF0F-034E-491E-8048-6C47E5FB6B28} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2014-12-10] (Microsoft Corporation)
Task: {6C764EED-92FC-4D5B-9606-2DDBC94C7CC9} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe
Task: {761672F4-5B37-4C62-8BA6-4A63CED395F8} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {772F426E-24E0-469D-8B70-68D0DF096536} - System32\Tasks\AVG_SYS_TASK_1214av_DELETE => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe [2014-10-26] ()
Task: {94C4FDBA-09CA-49A6-984A-8E547FBB9E90} - System32\Tasks\AVG_SYS_TASK_1214av => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe [2014-10-26] ()
Task: {DCEBAFE7-4471-4EAA-BA44-89589C71D73C} - System32\Tasks\Microsoft\Windows\Setup\Windows Upgrade Notification Task => C:\Windows\system32\NotificationUI.exe [2014-04-19] (Microsoft Corporation)
Task: {E956E91B-4502-4699-A0B6-880F5B387DDF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-08-22] (Google Inc.)
Task: {F97D658E-5C52-43F1-80C4-CC97424E5872} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-09-26] (Piriform Ltd)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\AVG_SYS_TASK_1214av.job => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
Task: C:\Windows\Tasks\AVG_SYS_TASK_1214av_DELETE.job => C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-12-10 15:17 - 2014-10-26 11:53 - 02778648 _____ () C:\ProgramData\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
2013-03-06 02:02 - 2013-03-06 02:02 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-10-31 14:15 - 2012-10-31 14:15 - 02565544 _____ () C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
2012-07-18 17:38 - 2012-07-18 17:38 - 00020904 _____ () C:\Program Files\TOSHIBA\Hotkey\SmoothView.dll
2012-07-18 17:38 - 2012-07-18 17:38 - 00049064 _____ () C:\Program Files\TOSHIBA\Hotkey\Hotkey\FnZ.dll
2014-12-10 15:18 - 2014-10-26 11:53 - 02778648 _____ () C:\Users\(removed for privacy)\AppData\Roaming\Avg_Update_1214av\AVG-Secure-Search-Update_1214av.exe
2013-08-22 14:25 - 2012-06-25 09:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2014-12-02 19:17 - 2014-12-02 19:17 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\StartupFolder: => "Bluetooth Manager.lnk"
HKLM\...\StartupApproved\Run32: => "ISUSPM"
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\StartupApproved\Run: => "ISUSPM"
HKU\S-1-5-21-3470675919-4289468765-2846079494-1001\...\StartupApproved\Run: => "CCleaner Monitoring"

========================= Accounts: ==========================

Administrator (S-1-5-21-3470675919-4289468765-2846079494-500 - Administrator - Disabled)
Guest (S-1-5-21-3470675919-4289468765-2846079494-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3470675919-4289468765-2846079494-1003 - Limited - Enabled)
(removed for privacy) (S-1-5-21-3470675919-4289468765-2846079494-1001 - Administrator - Enabled) => C:\Users\(removed for privacy)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 38%
Total physical RAM: 3979.3 MB
Available physical RAM: 2454.21 MB
Total Pagefile: 11659.3 MB
Available Pagefile: 9887.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:197.9 GB) (Free:136.58 GB) NTFS
Drive d: () (Fixed) (Total:218.69 GB) (Free:152.67 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 6FAE3D31)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=197.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=218.7 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=48.8 GB) - (Type=OF Extended)

==================== End Of Log ============================


Am I safe to restart the computer at the moment? I'm starting to think restoring from an image might be my best option.


Edited by rp88, 08 January 2015 - 02:13 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#8 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,976 posts
  • Gender:Male
  • Location:Germany

Posted 08 January 2015 - 02:21 PM

Hey,

Am I safe to restart the computer at the moment?

Why not? It won't explode.

You can Google the Wininit file ... by itself it isn't bad, but normally you can delete it without any harm.
  • Start Malwarebytes
  • Go to the tab called History
  • Then click on Application Logs
  • Then select the one log where it has found anything, and double-click on it
  • Then click on the Export button and select Text File (.txt) in the menu
  • Save it on your Desktop and post the content of this text file into your next reply.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#9 rp88

rp88
  • Topic Starter

  • Members
  • 2,966 posts
  • Gender:Not Telling

Posted 08 January 2015 - 02:31 PM

So when I restart, the computer will boot up without trouble? That wininit.ini file was NOT something crucial for startup or logon?

Thanks

 

This is going to sound really stupid, but when I open the log files as you have shown the "export" button is too low down in the screen to be clicked on. The window which you show in your second image of your most recent post is too tall for my screen, and I can't seem to resize it to get at that button. The button is obscured behind the taskbar, the window showing the log won't resize vertically and clicking on the top of the button when most of it is "behind" the task bar does nothing.


Edited by rp88, 08 January 2015 - 02:33 PM.


#10 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,976 posts
  • Gender:Male
  • Location:Germany

Posted 08 January 2015 - 02:40 PM

No, you are OK to restart.

~Machiavelli



#11 rp88

rp88
  • Topic Starter

  • Members
  • 2,966 posts
  • Gender:Not Telling

Posted 08 January 2015 - 02:42 PM

Thank you. As for seeing those Malwarebytes logs, can you please tell me how to get the window (as shown in your second picture) to resize and shrink? None of the normal ways work for it. It's like when it was coded there was no ability built in for scrolling, so it refuses to let itself be made smaller or something like that.


Edit: I found a way to do this using "alt"+"spacebar", then "s" and the arrow keys.
The MBAM log is here

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 08/01/2015
Scan Time: 17:20:28
Logfile: mbamlog08012015.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.08.10
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: (removed for privacy)

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 412265
Time Elapsed: 12 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Edited by rp88, 08 January 2015 - 02:48 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#12 rp88

rp88
  • Topic Starter

  • Members
  • 2,966 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:17 PM

Posted 08 January 2015 - 02:49 PM

Do you now have the information you need to work out if I am infected, would simply restoring from a system image be the best thing to do now?

Edited by rp88, 08 January 2015 - 02:50 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#13 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,976 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:12:17 PM

Posted 08 January 2015 - 03:03 PM

Your system appears to be clean.

IMPORTANT: You MUST use Internet Explorer for this step!
  • Visit the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use and click Start.
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings.
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked.
  • Click Start. (This scan can take several hours, so please be patient.)
  • Once the scan is completed, select List of found threats.
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop.
  • Click the Back button.
  • Click the Finish button.
  • Use Notepad to open the saved log file (on your Desktop - ESET.txt).
  • Copy and paste that log as a reply to this topic.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#14 rp88

rp88
  • Topic Starter

  • Members
  • 2,966 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:17 PM

Posted 08 January 2015 - 03:12 PM

I had run an ESET scan with this when I first posted on the other thread of mine. I know it takes several hours. I have also, in the past, used Firefox or Chrome to visit the page, then downloaded the exe file that is offered from there and run it from my hard-drive. Does it give the same scan when you download the exe file (with any browser) and run it as it does when you go to the page with IE and use the ActiveX script? If I run ESET now it will probably be 2200 (UK time) before I am finished. Is this a final check to see if the system is clean, or do you have other reasons for suggesting this scan?

Thank You

Extra note: I restarted the computer a few minutes ago. Clearly no harm was done by the removal of that wininit.ini file; apologies for being in such a rush when it happened.

Edited by rp88, 08 January 2015 - 03:13 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#15 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,976 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:12:17 PM

Posted 08 January 2015 - 03:34 PM

You can do it in two ways: either via Chrome/Firefox or via IE. It's your decision.

As I said, the system appears to be clean. I expect that this finds nothing or just minor entries.

;)

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
