
Son's laptop completely infected - HELP!!!


  • This topic is locked
27 replies to this topic

#1 wannawonda

wannawonda

  • Members
  • 105 posts
  • OFFLINE
  • Local time:01:58 AM

Posted 05 February 2015 - 10:51 PM

I am unsure what is actually causing the problem on my son's laptop. Three days ago I turned it on and was surprised to find his browser inundated with adware; it also appeared to be hijacked and was switching to "trovi". Ran several utilities over the last two days - rkill, mbam, adwcleaner, tdsskiller, hitman, chameleon, mbar, in addition to the kaspersky tools from his internet security. Last night it seemed to be clean, but I ran another mbam this evening in addition to superantispyware and it came back with trojan.agent and others. Way over my head!! Please Help!!!

Ran Farbar Recovery Scan Tool, logs to follow:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-02-2015
Ran by Joe (administrator) on MYPRECIOUSMYPRE on 05-02-2015 19:24:35
Running from C:\Users\Joe\Desktop
Loaded Profiles: Joe (Available profiles: Joe)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Rosetta Stone Ltd.) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
(Dell Inc.) C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avpui.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Dell) C:\Program Files\Dell\Dell Data Services\DDSSvc.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
() C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\plugin-nm-server.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\klwtblfs.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7510232 2014-01-17] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374936 2014-01-13] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [285272 2013-12-30] (Waves Audio Ltd.)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3777696 2014-01-16] (Dell Inc.)
HKLM-x32\...\Run: [DropboxOEM] => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [462160 2014-09-02] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [133760 2014-01-08] ( (Qualcomm®Atheros®))
HKU\S-1-5-21-3574709052-614345936-1146494541-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [18643560 2013-03-01] (Skype Technologies S.A.)
HKU\S-1-5-21-3574709052-614345936-1146494541-1001\...\Run: [Steam] => C:\Users\Joe\Desktop\Steam\steam.exe [1942720 2015-01-23] (Valve Corporation)
HKU\S-1-5-21-3574709052-614345936-1146494541-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2015-01-22] (SUPERAntiSpyware)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3574709052-614345936-1146494541-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3574709052-614345936-1146494541-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com/?pc=DCJB
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3574709052-614345936-1146494541-1001 -> {250034E5-E739-448F-B581-76731E00705F} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
BHO-x32: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 24.113.32.29 24.113.32.30 66.235.59.7
 
FireFox:
========
FF ProfilePath: C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\7ugvkxb7.default
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @kaspersky.com/content_blocker -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com ()
FF Plugin-x32: @kaspersky.com/online_banking -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com ()
FF Plugin-x32: @kaspersky.com/virtual_keyboard -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com ()
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-3574709052-614345936-1146494541-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Joe\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF user.js: detected! => C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\7ugvkxb7.default\user.js
FF HKLM-x32\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com
FF Extension: Ngăn chặn trang web nguy hiểm - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\content_blocker@kaspersky.com [2014-12-18]
FF HKLM-x32\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com
FF Extension: Bàn phím ảo - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\virtual_keyboard@kaspersky.com [2014-12-18]
FF HKLM-x32\...\Firefox\Extensions: [url_advisor@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com
FF Extension: Công cụ kiểm tra liên kết của Kaspersky - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\url_advisor@kaspersky.com [2014-12-18]
FF HKLM-x32\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com
FF Extension: Chặn quảng cáo - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\anti_banner@kaspersky.com [2014-12-18]
FF HKLM-x32\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com
FF Extension: An toàn giao dịch tài chính - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\FFExt\online_banking@kaspersky.com [2014-12-18]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "https://www.youtube.com/", "https://www.google.com/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-25]
CHR Extension: (Google Docs) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-25]
CHR Extension: (Google Drive) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-27]
CHR Extension: (YouTube) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-25]
CHR Extension: (Google Search) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-25]
CHR Extension: (Kaspersky Protection) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbhjdbfgekjfcfkkfjjmlmojhbllhbho [2014-12-25]
CHR Extension: (Blur (Formerly DoNotTrackMe)) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\epanfjkfahimkgomnigadpkobaefekcd [2014-12-25]
CHR Extension: (Google Sheets) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-25]
CHR Extension: (Google Wallet) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-25]
CHR Extension: (Gmail) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-25]
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - https://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho [Not Found]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [318592 2014-01-08] (Windows ® Win 7 DDK provider)
R2 AVP15.0.0; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\avp.exe [233552 2014-04-20] (Kaspersky Lab ZAO)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
R2 Dell Data Services; C:\Program Files\Dell\Dell Data Services\DDSSvc.exe [45936 2014-11-13] (Dell)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [73072 2014-11-10] (Dell)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [203128 2014-12-12] (Dell Inc.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282072 2014-02-24] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
R2 My Dell Client Framework; C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe [168960 2014-01-10] (Dell Inc.) [File not signed]
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-07-29] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1921768 2014-07-02] (SoftThinks SAS)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3881472 2013-12-12] (Qualcomm Atheros Communications, Inc.)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-01-08] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [457824 2014-02-20] (Kaspersky Lab ZAO)
S0 klelam; C:\Windows\System32\DRIVERS\klelam.sys [29616 2012-07-27] (Kaspersky Lab)
R3 klflt; C:\Windows\system32\DRIVERS\klflt.sys [142344 2014-12-18] (Kaspersky Lab ZAO)
R1 klhk; C:\Windows\system32\DRIVERS\klhk.sys [243808 2014-04-10] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [771272 2014-12-18] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\system32\DRIVERS\klim6.sys [30304 2014-02-25] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\system32\DRIVERS\klkbdflt.sys [28768 2014-03-28] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\system32\DRIVERS\klmouflt.sys [29280 2013-08-08] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\system32\DRIVERS\klpd.sys [15456 2013-04-12] (Kaspersky Lab ZAO)
R1 klwfp; C:\Windows\system32\DRIVERS\klwfp.sys [67680 2014-03-19] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\system32\DRIVERS\kneps.sys [179296 2014-03-26] (Kaspersky Lab ZAO)
S3 mbamchameleon; C:\Windows\system32\drivers\66771784.sys [93400 2015-02-03] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [42736 2014-05-22] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 xusb22; C:\Windows\System32\drivers\xusb22.sys [87040 2014-11-23] (Microsoft Corporation)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-05 19:24 - 2015-02-05 19:25 - 00022626 _____ () C:\Users\Joe\Desktop\FRST.txt
2015-02-05 19:23 - 2015-02-05 19:24 - 00000000 ____D () C:\FRST
2015-02-05 19:21 - 2015-02-05 19:21 - 02131968 _____ (Farbar) C:\Users\Joe\Desktop\FRST64.exe
2015-02-05 17:46 - 2015-02-05 18:29 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-02-05 17:46 - 2015-02-05 18:28 - 00000538 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task cdd79174-381d-42c6-a863-d967efa49901.job
2015-02-05 17:46 - 2015-02-05 18:28 - 00000538 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 73df84df-85e7-463a-818e-f43a9fe5d37a.job
2015-02-05 17:46 - 2015-02-05 17:46 - 00003602 _____ () C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 73df84df-85e7-463a-818e-f43a9fe5d37a
2015-02-05 17:46 - 2015-02-05 17:46 - 00003520 _____ () C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task cdd79174-381d-42c6-a863-d967efa49901
2015-02-05 17:46 - 2015-02-05 17:46 - 00001822 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Professional.lnk
2015-02-05 17:46 - 2015-02-05 17:46 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\SUPERAntiSpyware.com
2015-02-05 17:46 - 2015-02-05 17:46 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-02-05 17:46 - 2015-02-05 17:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-02-05 17:26 - 2015-02-05 17:27 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\PCDr
2015-02-05 17:25 - 2015-02-05 17:25 - 00000000 ____D () C:\ProgramData\PCDr
2015-02-05 17:17 - 2015-02-05 17:17 - 00000000 ___RD () C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2015-02-05 16:31 - 2015-02-05 16:31 - 00000000 __RHD () C:\MSOCache
2015-02-04 19:15 - 2015-02-04 19:15 - 00001173 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-02-04 19:15 - 2015-02-04 19:15 - 00001161 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-02-04 19:15 - 2015-02-04 19:15 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\Mozilla
2015-02-04 19:15 - 2015-02-04 19:15 - 00000000 ____D () C:\Users\Joe\AppData\Local\Mozilla
2015-02-04 19:15 - 2015-02-04 19:15 - 00000000 ____D () C:\ProgramData\Mozilla
2015-02-04 19:15 - 2015-02-04 19:15 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-04 19:15 - 2015-02-04 19:15 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-04 19:13 - 2015-02-04 19:13 - 00243440 _____ () C:\Users\Joe\Downloads\Firefox Setup Stub 35.0.1.exe
2015-02-04 16:53 - 2015-02-04 16:54 - 09741664 _____ (SurfRight B.V.) C:\Users\Joe\Downloads\HitmanPro_x64.exe
2015-02-04 16:51 - 2015-02-04 16:51 - 01388274 _____ (Thisisu) C:\Users\Joe\Downloads\JRT.exe
2015-02-04 16:39 - 2015-02-04 16:39 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\Joe\Downloads\rkill.exe
2015-02-04 16:30 - 2015-02-04 16:31 - 00301800 _____ () C:\Windows\Minidump\020415-22531-01.dmp
2015-02-04 16:30 - 2015-02-04 16:30 - 575427106 _____ () C:\Windows\MEMORY.DMP
2015-02-04 16:30 - 2015-02-04 16:30 - 00000000 ____D () C:\Windows\Minidump
2015-02-04 16:24 - 2015-02-04 16:29 - 00000000 ____D () C:\AdwCleaner
2015-02-04 16:23 - 2015-02-04 16:23 - 02194432 _____ () C:\Users\Joe\Downloads\AdwCleaner.exe
2015-02-04 16:02 - 2015-02-04 16:02 - 00364640 _____ (Kaspersky Lab) C:\Users\Joe\Downloads\kss12.0.1.808_6398_6399.exe
2015-02-04 15:51 - 2015-02-04 15:51 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Joe\Downloads\tdsskiller.exe
2015-02-03 20:47 - 2015-02-05 18:38 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 20:39 - 2015-02-03 20:39 - 00001116 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-03 20:39 - 2015-02-03 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-03 20:39 - 2015-02-03 20:39 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-03 20:39 - 2015-02-03 20:39 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-03 20:39 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-03 20:39 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-03 20:39 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-03 20:38 - 2015-02-03 20:38 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\66771784.sys
2015-02-03 20:16 - 2015-02-03 20:16 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Joe\Downloads\mbam-setup-2.0.4.1028.exe
2015-02-03 20:15 - 2015-02-03 20:15 - 16466552 _____ (Malwarebytes Corp.) C:\Users\Joe\Downloads\mbar-1.08.3.1004.exe
2015-02-03 20:14 - 2015-02-03 20:14 - 04909382 _____ () C:\Users\Joe\Downloads\mbam-chameleon-3.1.7.0.zip
2015-02-02 17:16 - 2015-02-02 17:16 - 00000510 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2015-02-02 16:43 - 2015-02-02 16:43 - 00357864 _____ () C:\Windows\system32\errordetails.xml
2015-02-02 15:56 - 2015-02-02 15:56 - 00000000 ____D () C:\Users\Joe\.android
2015-01-30 19:46 - 2015-02-02 15:51 - 00000000 ____D () C:\ProgramData\BlueStacksSetup
2015-01-24 13:05 - 2015-02-05 18:28 - 00001362 _____ () C:\Windows\Tasks\XXUVBT.job
2015-01-24 13:05 - 2015-02-04 08:35 - 00000000 ____D () C:\Program Files (x86)\8d353b53-d155-4a70-a7c6-8a003789cc66
2015-01-24 13:05 - 2015-01-24 13:05 - 00004378 _____ () C:\Windows\System32\Tasks\XXUVBT
2015-01-24 10:04 - 2015-01-24 10:04 - 00003518 _____ () C:\Windows\System32\Tasks\BBQLeads
2015-01-24 10:00 - 2015-01-24 10:00 - 00537672 _____ () C:\Users\Joe\Downloads\GarageBand.exe
2015-01-23 16:46 - 2015-01-23 16:46 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\Unity
2015-01-14 18:43 - 2015-01-16 16:51 - 00000000 ____D () C:\Users\Joe\Desktop\Things
2015-01-14 15:01 - 2015-01-14 15:56 - 00000000 ____D () C:\Users\Joe\Documents\School
2015-01-13 15:25 - 2014-12-11 18:04 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 15:25 - 2014-12-11 16:51 - 00075776 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ahcache.sys
2015-01-13 15:25 - 2014-12-08 17:50 - 00225280 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 15:24 - 2014-12-18 22:26 - 00140800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 15:24 - 2014-12-08 11:42 - 00535640 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2015-01-13 15:24 - 2014-12-08 11:42 - 00531616 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-01-13 15:24 - 2014-12-08 11:42 - 00448792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2015-01-13 15:24 - 2014-12-08 11:42 - 00413248 _____ (Microsoft Corporation) C:\Windows\system32\Faultrep.dll
2015-01-13 15:24 - 2014-12-08 11:42 - 00372408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
2015-01-13 15:24 - 2014-12-08 11:42 - 00108944 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-01-13 15:24 - 2014-12-08 11:42 - 00038264 _____ (Microsoft Corporation) C:\Windows\system32\WerFaultSecure.exe
2015-01-13 15:24 - 2014-12-08 11:42 - 00033584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFaultSecure.exe
2015-01-13 15:24 - 2014-12-05 19:17 - 00360448 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-13 15:24 - 2014-12-05 17:41 - 00391680 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 15:24 - 2014-12-05 17:35 - 00229888 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll
2015-01-13 15:24 - 2014-10-28 20:00 - 00465320 _____ (Microsoft Corporation) C:\Windows\system32\WerFault.exe
2015-01-13 15:24 - 2014-10-28 20:00 - 00139984 _____ (Microsoft Corporation) C:\Windows\system32\wermgr.exe
2015-01-13 15:24 - 2014-10-28 19:52 - 00500016 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-01-13 15:24 - 2014-10-28 19:52 - 00482872 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-01-13 15:24 - 2014-10-28 19:52 - 00394120 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-01-13 15:24 - 2014-10-28 19:52 - 00272248 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2015-01-13 15:24 - 2014-10-28 19:12 - 00413136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFault.exe
2015-01-13 15:24 - 2014-10-28 19:12 - 00136296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wermgr.exe
2015-01-13 15:24 - 2014-10-28 19:07 - 00424544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2015-01-13 15:24 - 2014-10-28 19:07 - 00370424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2015-01-13 15:24 - 2014-10-28 19:07 - 00344536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2015-01-13 15:24 - 2014-10-28 18:44 - 00037888 _____ (Microsoft Corporation) C:\Windows\system32\werdiagcontroller.dll
2015-01-13 15:24 - 2014-10-28 17:59 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\werdiagcontroller.dll
2015-01-13 15:24 - 2014-10-28 17:24 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-13 15:24 - 2014-10-28 17:02 - 00911360 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-01-13 15:24 - 2014-10-28 17:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-11 19:34 - 2015-01-11 19:34 - 01080608 _____ (Unity Technologies ApS) C:\Users\Joe\Downloads\UnityWebPlayer (2).exe
2015-01-11 19:34 - 2015-01-11 19:34 - 00270376 _____ () C:\Users\Joe\Downloads\UnityWebPlayer (1).exe
2015-01-11 19:33 - 2015-01-11 19:33 - 01080608 _____ (Unity Technologies ApS) C:\Users\Joe\Downloads\UnityWebPlayer.exe
2015-01-11 19:33 - 2015-01-11 19:33 - 00000000 ____D () C:\Users\Joe\AppData\Local\Unity
2015-01-10 18:29 - 2015-01-10 18:30 - 05006188 _____ () C:\Users\Joe\Downloads\p0sixspwn-v1.0.8-win (2).zip
2015-01-08 15:26 - 2015-01-08 15:26 - 00000000 ____D () C:\Program Files (x86)\Dell Update
2015-01-07 19:24 - 2015-01-07 19:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-01-07 19:22 - 2015-01-08 16:01 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2015-01-07 19:22 - 2015-01-07 19:22 - 01060536 _____ (Microsoft Corporation) C:\Users\Joe\Downloads\Setup.X86.en-US_O365HomePremRetail_5c674535-78a9-47b3-bb6e-c875295d190a_TX_PR_.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-05 19:00 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\system32\sru
2015-02-05 18:41 - 2014-11-23 16:40 - 02017727 _____ () C:\Windows\WindowsUpdate.log
2015-02-05 18:36 - 2014-11-23 16:59 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-02-05 18:35 - 2014-03-18 01:53 - 00863592 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-05 18:33 - 2014-12-25 11:28 - 00000914 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-05 18:33 - 2014-12-18 15:51 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3574709052-614345936-1146494541-1001
2015-02-05 18:28 - 2014-12-25 11:28 - 00000910 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-05 18:28 - 2014-12-18 16:03 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-02-05 18:28 - 2014-03-18 01:44 - 00190144 _____ () C:\Windows\PFRO.log
2015-02-05 18:28 - 2013-08-22 07:43 - 00000000 ____D () C:\Windows\DigitalLocker
2015-02-05 18:28 - 2013-08-22 06:46 - 00019047 _____ () C:\Windows\setupact.log
2015-02-05 18:28 - 2013-08-22 06:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-04 16:22 - 2014-12-29 16:47 - 00000000 ____D () C:\Program Files\OBS
2015-02-04 16:22 - 2014-12-29 16:47 - 00000000 ____D () C:\Program Files (x86)\OBS
2015-02-04 09:45 - 2014-12-25 10:43 - 00000000 ____D () C:\Users\Joe\AppData\Local\CrashDumps
2015-02-04 08:35 - 2014-12-25 15:53 - 00000000 ____D () C:\Program Files (x86)\Apple Software Update
2015-02-04 08:22 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\TAPI
2015-02-04 08:22 - 2013-08-22 05:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-02-04 08:13 - 2013-08-22 05:25 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-02-03 22:02 - 2013-08-22 07:36 - 00000000 __RHD () C:\Users\Public\Libraries
2015-02-03 20:02 - 2014-12-25 20:54 - 00000000 ____D () C:\Users\Joe\Desktop\Things That I Can Not Delete
2015-02-03 09:47 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-02 16:40 - 2013-08-22 07:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-02-02 16:02 - 2014-12-18 15:46 - 00000000 ____D () C:\Users\Joe\AppData\Local\VirtualStore
2015-02-02 15:56 - 2014-12-18 15:46 - 00000000 ____D () C:\Users\Joe
2015-02-02 15:50 - 2014-12-28 09:07 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\Skype
2015-02-02 15:49 - 2014-12-25 11:53 - 00000000 ____D () C:\Users\Joe\Desktop\Steam
2015-01-30 19:48 - 2013-08-22 07:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-01-24 12:20 - 2014-12-18 16:11 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-24 12:20 - 2014-12-18 16:11 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-21 15:37 - 2014-12-25 11:29 - 00002205 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-18 23:00 - 2015-01-03 21:36 - 00000000 ____D () C:\Users\Joe\AppData\Local\CyberLink
2015-01-18 23:00 - 2014-11-23 16:43 - 00000000 ____D () C:\ProgramData\CyberLink
2015-01-15 18:19 - 2014-12-18 15:34 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 18:11 - 2014-12-18 15:34 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-08 15:26 - 2014-11-23 16:54 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-01-08 15:22 - 2013-08-22 06:44 - 00492000 _____ () C:\Windows\system32\FNTCACHE.DAT
 
==================== Files in the root of some directories =======
 
2014-12-28 10:29 - 2014-12-29 21:16 - 0000097 _____ () C:\Users\Joe\AppData\Roaming\LauncherSettings_live.cfg
2014-12-28 10:18 - 2014-12-28 10:26 - 0008144 _____ () C:\Users\Joe\AppData\Roaming\TheHunterSettings_live.bin
2014-12-28 10:12 - 2014-12-28 10:13 - 0000039 _____ () C:\Users\Joe\AppData\Roaming\TheHunterSettings_steam_live.cfg
2014-09-01 00:18 - 2014-09-01 00:18 - 0001248 _____ () C:\Users\Joe\AppData\Roaming\XXUVBT
2014-11-23 16:25 - 2014-11-23 16:25 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-11-23 16:47 - 2014-11-23 16:47 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-11-23 16:43 - 2014-11-23 16:44 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-11-23 16:44 - 2014-11-23 16:45 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-11-23 16:45 - 2014-11-23 16:47 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-11-23 16:43 - 2014-11-23 16:43 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
 
Some content of TEMP:
====================
C:\Users\Joe\AppData\Local\Temp\APNSetup.exe
C:\Users\Joe\AppData\Local\Temp\COMAP.EXE
C:\Users\Joe\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Joe\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-04 20:50
 
==================== End Of Log ============================
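The "Bamital & volsnap Check" block above reports whether a fixed set of core Windows binaries still carry a valid digital signature; a patched or replaced winlogon.exe, explorer.exe or volsnap.sys is what the Bamital family of file infectors leaves behind, which is why FRST singles these files out and why there is no automatic fix for one that fails. What follows is an added example, not FRST code and not part of this thread, that repeats the same check with the cmdlets that ship with Windows 8.1 (Get-AuthenticodeSignature and Get-FileHash, PowerShell 4.0 or later) over the same thirteen files FRST lists, and also records each file's SHA-256 so a later scan can be compared against this one. It assumes an elevated PowerShell prompt on the affected machine; the function name Test-CriticalFileSignatures is the example's own. Most of these files are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature resolves catalog signatures on Windows 8 and later, so on this platform a status other than Valid is worth attention rather than noise.

```powershell
# Added example (not FRST's code): re-run the signature check on the core Windows
# binaries FRST lists under "Bamital & volsnap Check". Run from an elevated prompt.
# File list taken from the FRST log above; paths resolved via $env:SystemRoot.
$CriticalFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

# Function name is this example's own, not a Windows or FRST name.
function Test-CriticalFileSignatures {
    param([string[]]$Paths = $CriticalFiles)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing core binary is itself a finding, so report it instead of skipping.
            [pscustomobject]@{ Path = $p; Status = 'MISSING'; Signer = $null; Sha256 = $null }
            continue
        }

        # Status is Valid when the chain verifies (embedded or catalog signature).
        # NotSigned or HashMismatch on one of these files is what a patched
        # system binary looks like.
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status.ToString()
            Signer = $signer
            # SHA-256 recorded so a later run can be diffed against this one.
            Sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$results = Test-CriticalFileSignatures
$results | Format-Table -Property Path, Status, Signer -AutoSize

# Anything not Valid, or signed by someone other than Microsoft, needs a look.
$bad = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
if ($bad) {
    Write-Warning "Files failing verification:"
    $bad | Format-List
} else {
    Write-Host "All listed files carry a valid Microsoft signature."
}

# Keep the hashes beside the FRST log for comparison after any further cleaning.
$results | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\critical-file-hashes.csv" -NoTypeInformation
```

A file that comes back NotSigned or HashMismatch, or with a non-Microsoft signer, is the case FRST would report as not passing verification. As the log says, there is no automatic fix for that: the remedy is to replace the file from a known-good source (sfc /scannow, or a DISM restore from installation media) rather than attempt to clean it in place, and to keep the hash list so the replacement can be confirmed.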



#2 Jo*

  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 06:38 AM


Hello wannawonda,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

***


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

***


Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If there is no malware found, please let me know as well.

***


Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    When the scan has finished, the current line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of each logfile is saved in the C:\AdwCleaner folder, which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 10:30 AM

 Results of screen317's Security Check version 0.99.96  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Kaspersky Internet Security   
Windows Defender              
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 25  
 Java version 32-bit out of Date! 
  Java 64-bit 8 Update 31  
 Google Chrome 39.0.2171.99 Google Chrome out of date!  
````````Process Check: objlist.exe by Laurent````````  
 Kaspersky Lab Kaspersky Internet Security 15.0.0 avp.exe  
 Kaspersky Lab Kaspersky Internet Security 15.0.0 avpui.exe  
 Kaspersky Lab Kaspersky Internet Security 15.0.0 plugin-nm-server.exe  
 Kaspersky Lab Kaspersky Internet Security 15.0.0 klwtblfs.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 


#4 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 10:42 AM

# AdwCleaner v4.110 - Logfile created 10/02/2015 at 07:35:11
# Updated 05/02/2015 by Xplode
# Database : 2015-02-09.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Joe - MYPRECIOUSMYPRE
# Running from : C:\Users\Joe\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Found : C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\7ugvkxb7.default\user.js
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v40.0.2214.91
 
*************************
 
AdwCleaner[R0].txt - [3692 bytes] - [04/02/2015 16:24:25]
AdwCleaner[R1].txt - [764 bytes] - [10/02/2015 07:35:11]
AdwCleaner[S0].txt - [3579 bytes] - [04/02/2015 16:29:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [881 bytes] ##########


#5 Jo*

  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 11:12 AM

Did you run the Malwarebytes Anti-Rootkit?
Did it find anything?

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If there is no malware found, please let me know as well.



#6 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 11:27 AM

Malwarebytes Anti-Rootkit: none found at this time.

My son, Joe, has been off the computer since last week, except to open and work on a PowerPoint for German class.  When the laptop was started he got a blue screen and a message stating Windows had failed to load properly.  He restarted the system and Windows loaded properly.  Prior to our first BleepingComputer help request we ran rkill, mbam, adwcleaner, tdsskiller, hitman, chameleon, mbar and the misc. Kaspersky tools from his internet security. Do you want the logs from those original scans?



#7 Jo*

  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 11:57 AM

Hello wannawonda,

A blue screen can be a hardware or driver problem as well.
If Windows now works again, OK, no problem.

Double-click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the current line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Run the Farbar Recovery Scan Tool again.
  • Double-click to run FRST / FRST64. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

***


How is the computer running now?


***




#8 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 12:13 PM

# AdwCleaner v4.110 - Logfile created 10/02/2015 at 09:11:19
# Updated 05/02/2015 by Xplode
# Database : 2015-02-09.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Joe - MYPRECIOUSMYPRE
# Running from : C:\Users\Joe\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\7ugvkxb7.default\user.js
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v40.0.2214.91
 
 
*************************
 
AdwCleaner[R0].txt - [3692 bytes] - [04/02/2015 16:24:25]
AdwCleaner[R1].txt - [959 bytes] - [10/02/2015 07:35:11]
AdwCleaner[R2].txt - [1017 bytes] - [10/02/2015 09:07:15]
AdwCleaner[S0].txt - [3579 bytes] - [04/02/2015 16:29:49]
AdwCleaner[S1].txt - [948 bytes] - [10/02/2015 09:11:19]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1006  bytes] ##########


#9 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 12:28 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 8.1 x64
Ran by Joe on Tue 02/10/2015 at  9:15:43.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\pcdr"
Successfully deleted: [Folder] "C:\Users\Joe\AppData\Roaming\pcdr"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/10/2015 at  9:21:59.40
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#10 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 12:41 PM

Attempted to run FRST / FRST64 twice.  Each time I received the following error.

 

Application Error.   Exception EAccessViolation in module ERUNT.exe at 00003A38. Access violation at address 00403A38 in module 'ERUNT.exe'. Read of address 0076005D.

 

 

Re-downloaded FRST / FRST64 and received the same error message on the third attempt.


Edited by wannawonda, 10 February 2015 - 12:44 PM.


#11 Jo*

  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 01:20 PM

Please reboot the PC and try FRST64 again.



#12 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 01:33 PM

Same type of message but different module and address violations.

 

 

Exception EAccessViolation in module ERUNT.exe at 00003A62.  Access violation at address 00403A62 in module 'ERUNT.exe'. Read of address 0069005C

 

 

 

It would appear that I can click OK and get to the application, though.



#13 Jo*

  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 01:48 PM

When the error appears, click OK and try to get a FRST log.



#14 wannawonda

  • Topic Starter
  • Members
  • 105 posts

Posted 10 February 2015 - 01:53 PM

Ok.  Would you like all the whitelist boxes checked?  What about the optional scan boxes...



#15 Jo*

  • Malware Response Team
  • 3,269 posts
  • Gender:Male
  • Location:Germany

Posted 10 February 2015 - 01:57 PM

Leave all default settings as they are.
  • Right-click FRST / FRST64, then click "Run as administrator" (XP users: click Run after receipt of the Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.





