
Desktop PC with csrss.exe malware (Attn NASDAQ)


2 replies to this topic

#1 diggermel


  • Members
  • 5 posts
  • Gender:Male
  • Location:Brisbane, Australia

Posted 24 January 2015 - 01:17 AM

Hi Nasdaq, 

 

Thanks again for your help with the HP250.

These log files are from my desktop PC which was the first infected.

 

The specs are:

MBO: Gigabyte GA-H97-HD3

CPU: Intel i5 4690, 4 core, LGA1150, 6 MB cache

Memory: 8 GB

GPU: GeForce GTX760 (fitted but currently no drivers added, so it is running on the MBO VGA)

HDD: 470GB SanDisk Extreme

 

In addition to adding the keylogger and stealing files, the hacker also changed the system so that signed drivers are no longer recognised.

I hope you have some ideas on how I should try to fix this too?

 

Anyway - the logs...

Malwarebytes:

 

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

 Malwarebytes Anti-Malware

www.malwarebytes.org
 
 
Protection, 23/01/2015 5:09:13 PM, SYSTEM, PIPPA-64, Protection, Malware Protection, Starting, 
Protection, 23/01/2015 5:09:13 PM, SYSTEM, PIPPA-64, Protection, Malware Protection, Started, 
Protection, 23/01/2015 5:09:13 PM, SYSTEM, PIPPA-64, Protection, Malicious Website Protection, Starting, 
Protection, 23/01/2015 5:09:13 PM, SYSTEM, PIPPA-64, Protection, Malicious Website Protection, Started, 
Protection, 23/01/2015 5:46:48 PM, SYSTEM, PIPPA-64, Protection, Malware Protection, Starting, 
Protection, 23/01/2015 5:46:48 PM, SYSTEM, PIPPA-64, Protection, Malware Protection, Started, 
Protection, 23/01/2015 5:46:48 PM, SYSTEM, PIPPA-64, Protection, Malicious Website Protection, Starting, 
Protection, 23/01/2015 5:46:48 PM, SYSTEM, PIPPA-64, Protection, Malicious Website Protection, Started, 
Protection, 23/01/2015 6:07:52 PM, SYSTEM, PIPPA-64, Protection, Malware Protection, Starting, 
Protection, 23/01/2015 6:07:52 PM, SYSTEM, PIPPA-64, Protection, Malware Protection, Started, 
Protection, 23/01/2015 6:07:52 PM, SYSTEM, PIPPA-64, Protection, Malicious Website Protection, Starting, 
Protection, 23/01/2015 6:07:52 PM, SYSTEM, PIPPA-64, Protection, Malicious Website Protection, Started, 
Update, 23/01/2015 6:12:05 PM, SYSTEM, PIPPA-64, Manual, Failed, Unable to access update server, 
Update, 23/01/2015 6:12:28 PM, SYSTEM, PIPPA-64, Manual, Failed, Unable to access update server, 
Update, 23/01/2015 6:12:32 PM, SYSTEM, PIPPA-64, Manual, Failed, Unable to access update server, 
Update, 23/01/2015 6:31:35 PM, SYSTEM, PIPPA-64, Manual, Failed, Unable to access update server, 
Scan, 23/01/2015 6:35:12 PM, SYSTEM, PIPPA-64, Manual, Start:23/01/2015 6:31:35 PM, Duration:3 min 36 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, 
 
(end)

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

 

AdwCleaner

 

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

# AdwCleaner v4.108 - Report created 24/01/2015 at 15:08:26
# Updated 17/01/2015 by Xplode
# Database : 2015-01-23.3 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : DavidG - PIPPA-64
# Running from : C:\Users\DavidG\Desktop\adwcleaner_4.108.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\DavidG\AppData\Roaming\Mozilla\Firefox\Profiles\rc9kkmsg.default\searchplugins\zonealarm.xml
File Found : C:\Users\DavidG\AppData\Roaming\Mozilla\Firefox\Profiles\rc9kkmsg.default\user.js
Folder Found : C:\Program Files (x86)\GoSSave
Folder Found : C:\Program Files (x86)\YoutubeAdBLLooCke
Folder Found : C:\ProgramData\48cefb25d875657b
Folder Found : C:\ProgramData\ExstraSavIungs
Folder Found : C:\ProgramData\GooSave
Folder Found : C:\ProgramData\GoSSave
Folder Found : C:\ProgramData\SaaverExtensiOn
Folder Found : C:\ProgramData\Trusted Publisher
Folder Found : C:\ProgramData\YoutubeAdBLLooCke
Folder Found : C:\Users\DavidG\AppData\Local\Chromatic Browser
Folder Found : C:\Users\DavidG\AppData\Local\torch
Folder Found : C:\Users\DavidG\AppData\Roaming\EZDownloader
Folder Found : C:\Users\DavidG\PC Cleaner
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Found : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Found : HKCU\Software\ilivid
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D1F5A0B5-0A34-4DD9-A565-6AD767421DE6}
Key Found : HKCU\Software\Myfree Codec
Key Found : HKCU\Software\RegisteredApplicationsEx
Key Found : HKCU\Software\torch
Key Found : [x64] HKCU\Software\ilivid
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D1F5A0B5-0A34-4DD9-A565-6AD767421DE6}
Key Found : [x64] HKCU\Software\Myfree Codec
Key Found : [x64] HKCU\Software\RegisteredApplicationsEx
Key Found : [x64] HKCU\Software\torch
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\iLivid.torrent
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Found : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A4ABCA-CF3D-C548-2DC4-72A55DC5882A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00B2-0409-0000-0000000FF1CE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C637A71C-A4B2-4B47-1B2A-1042A8D525A3}
Key Found : HKLM\SOFTWARE\Myfree Codec
Key Found : HKLM\SOFTWARE\torch
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&
 
-\\ Mozilla Firefox v33.0 (x86 en-GB)
 
[rc9kkmsg.default] - Line Found : user_pref("browser.startup.homepage", "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default] - Line Found : user_pref("extensions.zonealarm.hmpgUrl", "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default] - Line Found : user_pref("extensions.zonealarm.kw_url", "hxxp://search.zonealarm.com/search?src=sp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&&q=");
[rc9kkmsg.default] - Line Found : user_pref("extensions.zonealarm.lastB", "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default] - Line Found : user_pref("extensions.zonealarm.newTabUrl", "hxxp://search.zonealarm.com/?src=nt&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default] - Line Found : user_pref("extensions.zonealarm.tlbrSrchUrl", "hxxp://search.zonealarm.com/search?src=tb&tbid=goughDev3&Lan={dfltLng}&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&&q=");
 
-\\ Google Chrome v38.0.2125.101
 
 
-\\ Comodo Dragon v
 
 
*************************
 
AdwCleaner[R0].txt - [6151 octets] - [24/01/2015 15:08:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [6211 octets] ##########
 
 
 
# AdwCleaner v4.108 - Report created 24/01/2015 at 15:13:04
# Updated 17/01/2015 by Xplode
# Database : 2015-01-23.3 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : DavidG - PIPPA-64
# Running from : C:\Users\DavidG\Desktop\adwcleaner_4.108.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Trusted Publisher
Folder Deleted : C:\ProgramData\ExstraSavIungs
Folder Deleted : C:\ProgramData\GooSave
Folder Deleted : C:\ProgramData\GoSSave
Folder Deleted : C:\ProgramData\SaaverExtensiOn
Folder Deleted : C:\ProgramData\YoutubeAdBLLooCke
Folder Deleted : C:\ProgramData\48cefb25d875657b
Folder Deleted : C:\Program Files (x86)\GoSSave
Folder Deleted : C:\Program Files (x86)\YoutubeAdBLLooCke
Folder Deleted : C:\Users\DavidG\PC Cleaner
Folder Deleted : C:\Users\DavidG\AppData\Local\Chromatic Browser
Folder Deleted : C:\Users\DavidG\AppData\Local\torch
Folder Deleted : C:\Users\DavidG\AppData\Roaming\EZDownloader
File Deleted : C:\Users\DavidG\AppData\Roaming\Mozilla\Firefox\Profiles\rc9kkmsg.default\searchplugins\zonealarm.xml
File Deleted : C:\Users\DavidG\AppData\Roaming\Mozilla\Firefox\Profiles\rc9kkmsg.default\user.js
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\iLivid.torrent
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D1F5A0B5-0A34-4DD9-A565-6AD767421DE6}
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Myfree Codec
Key Deleted : HKCU\Software\RegisteredApplicationsEx
Key Deleted : HKCU\Software\torch
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\SOFTWARE\Myfree Codec
Key Deleted : HKLM\SOFTWARE\torch
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A4ABCA-CF3D-C548-2DC4-72A55DC5882A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00B2-0409-0000-0000000FF1CE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C637A71C-A4B2-4B47-1B2A-1042A8D525A3}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17420
 
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
 
-\\ Mozilla Firefox v33.0 (x86 en-GB)
 
[rc9kkmsg.default\prefs.js] - Line Deleted : user_pref("browser.startup.homepage", "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default\prefs.js] - Line Deleted : user_pref("extensions.zonealarm.hmpgUrl", "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default\prefs.js] - Line Deleted : user_pref("extensions.zonealarm.kw_url", "hxxp://search.zonealarm.com/search?src=sp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&&q=");
[rc9kkmsg.default\prefs.js] - Line Deleted : user_pref("extensions.zonealarm.lastB", "hxxp://search.zonealarm.com/?src=hp&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default\prefs.js] - Line Deleted : user_pref("extensions.zonealarm.newTabUrl", "hxxp://search.zonealarm.com/?src=nt&tbid=goughDev3&Lan=en&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&");
[rc9kkmsg.default\prefs.js] - Line Deleted : user_pref("extensions.zonealarm.tlbrSrchUrl", "hxxp://search.zonealarm.com/search?src=tb&tbid=goughDev3&Lan={dfltLng}&gu=0e469fa0d85b47c8bf9b64a0fd9a0eec&tu=10OWz00H02B0CO0&sku=&tstsId=&ver=&&q=");
 
-\\ Google Chrome v38.0.2125.101
 
 
-\\ Comodo Dragon v
 
 
*************************
 
AdwCleaner[R0].txt - [6327 octets] - [24/01/2015 15:08:26]
AdwCleaner[S0].txt - [5898 octets] - [24/01/2015 15:13:04]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5958 octets] ##########
 

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

 

FRST.txt

 

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by DavidG (administrator) on PIPPA-64 on 24-01-2015 15:21:58
Running from C:\Users\DavidG\Desktop
Loaded Profiles: DavidG (Available profiles: DavidG)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3514209488-2512295727-3496991240-1000\...\MountPoints2: {a801ef46-18af-11e4-a0ef-806e6f6e6963} - D:\Run.exe
Startup: C:\Users\DavidG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\DavidG\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Winsock: Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll File Not found ()
Winsock: Catalog5-x64 09 C:\Program Files\Bonjour\mdnsNSP.dll File Not found ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\DavidG\AppData\Roaming\Mozilla\Firefox\Profiles\rc9kkmsg.default
FF DefaultSearchEngine: Search By ZoneAlarm
FF SelectedSearchEngine: Search By ZoneAlarm
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3514209488-2512295727-3496991240-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\DavidG\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-3514209488-2512295727-3496991240-1000: @talk.google.com/O1DPlugin -> C:\Users\DavidG\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-3514209488-2512295727-3496991240-1000: @tools.google.com/Google Update;version=3 -> C:\Users\DavidG\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-3514209488-2512295727-3496991240-1000: @tools.google.com/Google Update;version=9 -> C:\Users\DavidG\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\DavidG\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\DavidG\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-01]
CHR Extension: (No Name) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki [2014-10-11]
CHR Extension: (Google Wallet) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01]
CHR Extension: (chromeIPass) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\ompiailgknfdndiefoaoiligalphfdae [2014-08-03]
CHR Profile: C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Docs) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2014-08-09]
CHR Extension: (Google Drive) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-08-09]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-08-09]
CHR Extension: (QuickMark QR Code Extension) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bhddglpocgogkbpkbkoieiplhgbjmiim [2014-10-20]
CHR Extension: (YouTube) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-08-09]
CHR Extension: (Google Search) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-08-09]
CHR Extension: (Speedy Shopper) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\flcpelgcagfhfoegekianiofphddckof [2014-10-11]
CHR Extension: (Smooth Key Scroll) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gphmhpfbknciemgfnfhjapilmcaecljh [2014-08-09]
CHR Extension: (VK Switcher) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lfojgmgodcgmjoiokklgmailddgolmda [2014-10-24]
CHR Extension: (GooSavee) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki [2014-10-11]
CHR Extension: (Google Wallet) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-09]
CHR Extension: (Cricwaves) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ogkedgpbfenekaceibcobmmgdbokmndm [2014-10-17]
CHR Extension: (chromeIPass) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ompiailgknfdndiefoaoiligalphfdae [2014-08-09]
CHR Extension: (Gmail) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-08-09]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S3 DfSdkS; C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 7\Dfsdks.exe [544768 2009-08-24] (mst software GmbH, Germany) [File not signed]
S4 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1149760 2014-10-04] (NVIDIA Corporation)
S4 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-04-11] (Intel Corporation)
S4 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [314696 2014-05-21] (Intel Corporation)
S4 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [103808 2008-01-23] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S4 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S4 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-10-04] (NVIDIA Corporation)
S4 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19440960 2014-10-04] (NVIDIA Corporation)
S4 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390672 2012-08-08] ()
S4 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S4 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S4 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S4 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [X]
S3 wampapache; "c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe" -k runservice [X]
S3 wampmysqld; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe wampmysqld [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-04-11] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-24] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-03-20] (Intel Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20288 2014-10-04] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38048 2014-09-05] (NVIDIA Corporation)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-24 15:21 - 2015-01-24 15:22 - 00016558 _____ () C:\Users\DavidG\Desktop\FRST.txt
2015-01-24 15:21 - 2015-01-24 15:21 - 02126848 _____ (Farbar) C:\Users\DavidG\Desktop\FRST64.exe
2015-01-24 15:08 - 2015-01-24 15:13 - 00000000 ____D () C:\AdwCleaner
2015-01-24 15:07 - 2015-01-24 15:07 - 02186752 _____ () C:\Users\DavidG\Desktop\adwcleaner_4.108.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-24 15:22 - 2014-07-31 22:42 - 01823203 _____ () C:\Windows\WindowsUpdate.log
2015-01-24 15:21 - 2014-11-23 23:55 - 00000000 ____D () C:\FRST
2015-01-24 15:20 - 2009-07-14 14:45 - 00032416 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-24 15:20 - 2009-07-14 14:45 - 00032416 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-24 15:18 - 2009-07-14 15:13 - 00783606 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-24 15:13 - 2014-11-25 00:21 - 00000690 _____ () C:\Windows\PFRO.log
2015-01-24 15:13 - 2014-11-24 13:43 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-24 15:13 - 2014-11-23 18:07 - 00000740 _____ () C:\Windows\setupact.log
2015-01-24 15:13 - 2014-08-01 22:24 - 00000000 ____D () C:\Users\DavidG\AppData\Roaming\Dropbox
2015-01-24 15:13 - 2014-07-31 22:42 - 00000000 ____D () C:\Users\DavidG
2015-01-24 15:13 - 2009-07-14 15:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-08 09:55 - 2010-11-21 13:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
2014-09-28 07:56 - 2014-09-28 07:56 - 0000268 ___RH () C:\Users\DavidG\AppData\Roaming\Abstract
2014-09-28 07:56 - 2014-09-28 07:56 - 0000268 ___RH () C:\Users\DavidG\AppData\Roaming\programs
2014-08-20 20:04 - 2014-11-06 16:03 - 0001759 _____ () C:\Users\DavidG\AppData\Roaming\SAS7_000.DAT
2014-09-28 07:56 - 2014-09-28 07:56 - 0000268 ___RH () C:\Users\DavidG\AppData\Roaming\vhosts
2014-09-28 07:56 - 2014-09-28 07:56 - 0000268 ___RH () C:\ProgramData\Action
2014-09-28 07:56 - 2014-09-28 07:56 - 0000268 ___RH () C:\ProgramData\Action Clauses
2014-09-28 07:56 - 2014-09-28 07:56 - 0000268 ___RH () C:\ProgramData\Alerts
2014-07-31 22:51 - 2014-07-31 22:51 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-22 20:44 - 2014-09-22 20:44 - 0004915 _____ () C:\ProgramData\htoelzqn.oia
2014-09-28 07:56 - 2014-11-03 09:28 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2014-09-28 07:56 - 2014-11-03 09:16 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2014-09-28 07:56 - 2014-10-31 14:15 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
 
Files to move or delete:
====================
C:\Users\DavidG\backup_reg1.reg
C:\Users\DavidG\cc_20120715_034010.reg
C:\Users\DavidG\cc_20120726_062045.reg
 
 
Some content of TEMP:
====================
C:\Users\DavidG\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp9m41fa.dll
C:\Users\DavidG\AppData\Local\Temp\Quarantine.exe
C:\Users\DavidG\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-24 12:24
 
==================== End Of Log ============================

 

 

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Addition.txt attached as requested.

Regards

Diggermel

#2 nasdaq

  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:14 PM

Posted 24 January 2015 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Angry IP Scanner (HKLM-x32\...\Angry IP Scanner) (Version: 3.3.2 - Angry IP Scanner) <==== ATTENTION!

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Winsock: Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll File Not found ()
Winsock: Catalog5-x64 09 C:\Program Files\Bonjour\mdnsNSP.dll File Not found ()
FF DefaultSearchEngine: Search By ZoneAlarm
FF SelectedSearchEngine: Search By ZoneAlarm
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Extension: (No Name) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki [2014-10-11]
CHR Extension: (Google Wallet) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01]
CHR Extension: (Speedy Shopper) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\flcpelgcagfhfoegekianiofphddckof [2014-10-11]
CHR Extension: (GooSavee) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki [2014-10-11]
CHR Extension: (Google Wallet) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-09]
S4 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [X]
S3 wampapache; "c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe" -k runservice [X]
S3 wampmysqld; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe wampmysqld [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki
C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\flcpelgcagfhfoegekianiofphddckof
C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?
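Two things a reader has to do with this thread are mechanical: pick out the entries in the FRST.txt log above that deserve attention (the services and drivers marked `[X]`, and the one whose publisher field is empty), and work out what each line of the fixlist will actually do. The Python below is an added example for this page; it is not part of the original posts, of FRST, or of nasdaq's instructions. It parses the service/driver line format exactly as FRST printed it in the log, and applies only the two fixlist rules the log's own section notes state: a service/driver line in the fixlist removes the registry entry (the file is not moved unless listed separately), and a bare path line is moved. Every other kind of fixlist line is labelled "other" because this page does not document how FRST handles it. The sample lines are copied from the posts above; mapping the digit after R/S to the service's registry Start value is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Added example, not part of the thread, of FRST, or of nasdaq's instructions.
# Parses FRST's "Services"/"Drivers" line format and classifies fixlist lines
# using only the rules the log's section notes state on this page.
# Assumption: the digit after R/S is the service's registry Start value.

# "R2 Name; <image path> [size date] (publisher)"  or  "S3 Name; <image path> [X]"
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);\s+(.*)$")
FILEINFO_RE = re.compile(r"\[(\d+)\s+(\d{4}-\d{2}-\d{2})\]\s+\((.*)\)\s*$")
# Image path: optional opening quote, then up to the first .exe/.sys/.dll.
PATH_RE = re.compile(r'^"?(.*?\.(?:exe|sys|dll))(?:"|\s|$)', re.IGNORECASE)
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}

# Constructed sample: service and driver lines copied from the FRST.txt above.
FRST_LINES = r"""
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S4 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390672 2012-08-08] ()
S3 TlntSvr; C:\Windows\System32\tlntsvr.exe [81920 2009-07-14] (Microsoft Corporation)
S4 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [X]
S3 wampapache; "c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe" -k runservice [X]
S3 wampmysqld; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe wampmysqld [X]
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-04-11] (Intel Corporation)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
"""

# Constructed sample: a subset of the fixlist nasdaq posted above.
FIXLIST = r"""
start
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (No Name) - C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki [2014-10-11]
S4 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [X]
S3 wampapache; "c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe" -k runservice [X]
S3 wampmysqld; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe wampmysqld [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki
C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\flcpelgcagfhfoegekianiofphddckof
C:\Users\DavidG\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nclegpnppigghjcjeoohfpcpgeobdeki
End
"""


def parse_service_line(line: str) -> Optional[dict]:
    """Return a dict for one FRST service/driver line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, rest = m.groups()
    path_m = PATH_RE.match(rest)
    info = FILEINFO_RE.search(rest)          # absent when the line ends in [X]
    return {
        "name": name.strip(),
        "running": state == "R",
        "start_type": START_TYPES[start],
        "path": path_m.group(1) if path_m else rest,
        "file_missing": rest.rstrip().endswith("[X]"),   # registry entry points at a file not on disk
        "size": int(info.group(1)) if info else None,
        "date": info.group(2) if info else None,
        "publisher": info.group(3).strip() if info else None,  # "" when FRST printed "()"
    }


def triage(log_text: str) -> List[dict]:
    """Flag entries worth a closer look: missing image files and empty publisher strings."""
    findings = []
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e is None:
            continue
        if e["file_missing"]:
            findings.append({"name": e["name"], "path": e["path"], "reason": "image file missing ([X])"})
        elif e["publisher"] == "":
            findings.append({"name": e["name"], "path": e["path"], "reason": "no publisher in version info"})
    return findings


def classify_fixlist(fixlist_text: str) -> List[Tuple[str, str]]:
    """Map each fixlist line to the action the log's section notes document for it."""
    actions = []
    for raw in fixlist_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in ("start", "end"):
            actions.append(("marker", line))
        elif line.endswith(":") and " " not in line:
            actions.append(("directive", line))                 # e.g. CloseProcesses:
        elif parse_service_line(line):
            actions.append(("remove_service_registry_entry", parse_service_line(line)["name"]))
        elif re.match(r"^[A-Za-z]:\\", line):
            actions.append(("move_path", line))                 # bare path: file/folder is moved
        else:
            actions.append(("other", line))                     # semantics not documented on this page
    return actions


if __name__ == "__main__":
    for f in triage(FRST_LINES):
        print(f"{f['reason']:>28}: {f['name']} -> {f['path']}")
    for action, what in classify_fixlist(FIXLIST):
        print(f"{action:>30}: {what}")
```

Run as-is, the triage lists Bonjour Service, wampapache, wampmysqld and gdrv as `[X]` entries and RichVideo64 as the one entry with an empty publisher field; the path places RichVideo64 under CyberLink, so an empty publisher is a reason to look closer, not a verdict. The classification shows why the fixlist is written the way it is: the four `[X]` service lines remove dangling registry entries whose files are already gone (nothing to move), while the three Chrome extension folders appear as separate path lines because, per the log's own notes, a service or item line alone never moves a file.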

#3 nasdaq

  • Malware Response Team
  • 39,909 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:14 PM

Posted 30 January 2015 - 10:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



