Infected with DNS Changer Trojan - is re-installed on each reboot


This topic is locked
7 replies to this topic

#1 nathaniel22 (Members, 3 posts)

Posted 06 February 2015 - 04:47 AM

Hi,

 

My parents' PC has become infected with a 'DNS Changer' trojan which, despite being quarantined and deleted by Malwarebytes, reappears after a reboot.

 

Here are the Farbar logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
Ran by advent (administrator) on ADVENT-PC on 05-02-2015 19:26:30
Running from C:\Users\advent\Desktop
Loaded Profiles: IUSR_NMPR & advent (Available profiles: IUSR_NMPR & advent & Tony Powell & UpdatusUser)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Check Point Software Technologies Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\QualityManager.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Check Point Software Technologies, Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
() C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Check Point Software Technologies Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
() C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Windows Mail\WinMail.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_12_0_0_70_ActiveX.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Abine Inc.) C:\Program Files\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPService.exe
 

==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4493312 2007-06-20] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [NMSSupport] => C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe [439512 2007-06-27] (Intel Corporation)
HKLM\...\Run: [CCUTRAYICON] => C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe [215256 2007-06-27] (Intel® Corporation)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-06-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe Photo Downloader] => C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [63712 2007-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ISW] => [X]
HKLM\...\Run: [ZoneAlarm] => C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [137352 2014-05-30] (Check Point Software Technologies Ltd.)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3282321327-2338849114-975383226-1000\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-01-06] (Google Inc.)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [EPSON PX710W Series] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFSE.EXE [199680 2009-02-23] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-08-22] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\MountPoints2: {48a77f75-b561-11dc-ae16-806e6f6e6963} - D:\Autorun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.knowhow.com/
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thetechguys.com/welcome
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3282321327-2338849114-975383226-1001 -> {7282D889-F394-4A5E-A26F-653A20DEE801} URL =http://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11406&pf=V7&p2=^BBE^OSJ000^YY^GB&gct=&itbv=12.23.0.15&apn_uid=465F6957-2050-40EE-BC3C-DF110753904A&apn_ptnrs=BBE&apn_dtid=^OSJ000^YY^GB&apn_dbr=ie_9.0.8112.16599&doi=2015-02-02&trgb=IE&q={searchTerms}&psv=&pt=tb
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Zonealarm Helper Object -> {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} -> C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.29.17\bh\zonealarm.dll (Check Point Software Technologies LTD)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: ZoneAlarm Security Engine Registrar -> {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
BHO: Google Dictionary Compression sdch -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} -> C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
Toolbar: HKLM - ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarmTlbr.dll (Check Point Software Technologies LTD)
Toolbar: HKU\S-1-5-21-3282321327-2338849114-975383226-1001 -> &Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
Toolbar: HKU\S-1-5-21-3282321327-2338849114-975383226-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Tcpip\Parameters: [DhcpNameServer] 91.212.124.159 8.8.8.8
 
FireFox:
========
FF Plugin: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll No File
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-07-15]
FF HKLM\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\TrustChecker
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [223448 2007-06-27] (Intel® Corporation)
S3 DHTRACE; C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [39640 2007-06-27] (Intel® Corporation)
R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2007-02-12] () [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [220504 2013-08-22] (Garmin Ltd or its subsidiaries)
R2 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [59096 2007-06-27] (Intel® Corporation)
R2 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [268504 2007-06-27] ()
R2 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [157912 2007-06-27] (Intel® Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 NMSCore; C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [317656 2007-06-27] (Intel® Corporation)
R2 QualityManager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [272600 2007-06-27] (Intel® Corporation)
R2 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [446680 2007-06-27] (Intel® Corporation)
R2 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [3592120 2014-05-30] (Check Point Software Technologies Ltd.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
R2 ZAPrivacyService; C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [90936 2014-05-29] (Check Point Software Technologies, Ltd.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 IntelDH; C:\Windows\System32\Drivers\IntelDH.sys [5632 2007-09-28] (Intel Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-02-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R2 nmsunidr; C:\Windows\System32\DRIVERS\nmsunidr.sys [5376 2007-02-18] (Gteko Ltd.)
R1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows ® Codename Longhorn DDK provider)
R3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [1310864 2013-03-05] (Realtek Semiconductor Corporation                           )
S3 TSHWMDTCP; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [14552 2007-06-27] ()
R1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [456088 2014-05-30] (Check Point Software Technologies Ltd.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187B; system32\DRIVERS\wg111v3.sys [X]
S3 RTL8192cu; system32\DRIVERS\RTL8192cu.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 

==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-05 19:26 - 2015-02-05 19:26 - 00016778 _____ () C:\Users\advent\Desktop\FRST.txt
2015-02-05 19:26 - 2015-02-05 19:26 - 00000000 ____D () C:\FRST
2015-02-05 19:22 - 2015-02-05 19:22 - 01123328 _____ (Farbar) C:\Users\advent\Desktop\FRST.exe
2015-02-02 20:18 - 2015-02-02 20:18 - 00000000 ____D () C:\ProgramData\APN
2015-02-02 20:15 - 2015-02-02 20:15 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-02-02 19:51 - 2015-02-02 19:51 - 00000000 ____D () C:\Users\advent\AppData\Roaming\TeamViewer
2015-02-02 12:01 - 2015-02-02 14:49 - 00000000 ____D () C:\Users\advent\AppData\Roaming\Mozilla
2015-01-14 12:25 - 2014-12-19 00:25 - 00115200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 12:21 - 2014-12-06 03:14 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 12:21 - 2014-12-06 03:14 - 00093184 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-14 12:21 - 2014-12-06 03:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-14 12:20 - 2014-12-06 03:14 - 00153600 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-05 19:05 - 2014-07-17 20:08 - 00000000 ____D () C:\Users\advent\AppData\Local\DoNotTrackPlus
2015-02-05 18:57 - 2014-06-27 15:53 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-05 18:46 - 2007-12-28 14:04 - 01419552 _____ () C:\Windows\WindowsUpdate.log
2015-02-05 17:42 - 2006-11-02 10:33 - 00765776 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-05 17:36 - 2006-11-02 13:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-05 17:36 - 2006-11-02 12:47 - 00003168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-05 17:36 - 2006-11-02 12:47 - 00003168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-04 16:24 - 2006-11-02 13:01 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-04 14:58 - 2014-07-17 19:38 - 00014764 _____ () C:\Windows\PFRO.log
2015-02-03 12:43 - 2008-01-30 15:17 - 00000000 ____D () C:\Users\advent\Documents\Gill's items
2015-02-02 20:18 - 2013-10-20 15:11 - 00000000 ____D () C:\ProgramData\Oracle
2015-02-02 20:16 - 2014-11-04 10:51 - 00000000 ____D () C:\Program Files\Java
2015-02-02 20:15 - 2014-11-04 10:51 - 00272296 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2015-02-02 20:15 - 2014-11-04 10:51 - 00176552 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2015-02-02 20:15 - 2014-11-04 10:51 - 00176552 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2015-02-02 20:15 - 2014-11-04 10:51 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-02-02 14:55 - 2014-06-27 15:53 - 00000904 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-02 14:55 - 2014-06-27 15:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-02 14:55 - 2014-06-27 15:52 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-02 14:50 - 2006-11-02 11:18 - 00000000 ____D () C:\Windows\nap
2015-01-29 16:54 - 2010-01-22 16:54 - 00000242 _____ () C:\Windows\Tasks\Epson Printer Software Downloader.job
2015-01-26 16:00 - 2008-01-30 15:16 - 00000000 ____D () C:\Users\advent\Documents\Church business
2015-01-15 18:07 - 2014-07-17 19:46 - 00000000 ____D () C:\Users\advent\AppData\Roaming\TP-LINK
2015-01-14 12:25 - 2013-08-06 09:12 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 12:21 - 2006-11-02 10:24 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
 
==================== Files in the root of some directories =======
 
2008-08-09 14:39 - 2008-08-09 14:39 - 0000059 _____ () C:\Program Files\ping_wip.txt
2008-02-09 16:26 - 2010-08-08 17:01 - 0029072 _____ () C:\Users\advent\AppData\Roaming\UserTile.png
2014-06-04 20:12 - 2014-06-04 20:12 - 0000000 ____H () C:\Users\advent\AppData\Local\BIT5DF8.tmp
2010-03-30 11:05 - 2010-03-30 11:05 - 0000552 _____ () C:\Users\advent\AppData\Local\d3d8caps.dat
2009-07-28 16:21 - 2014-07-11 15:29 - 0002032 _____ () C:\Users\advent\AppData\Local\d3d9caps.dat
2008-01-25 17:06 - 2014-08-07 08:22 - 0020480 _____ () C:\Users\advent\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-05-21 08:29 - 2011-05-23 16:13 - 0001940 _____ () C:\Users\advent\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
2014-06-04 20:12 - 2014-06-04 20:12 - 0000000 _____ () C:\Users\advent\AppData\Local\{BD761196-0806-465F-B71C-FDC470D5BA74}
 
Some content of TEMP:
====================
C:\Users\advent\AppData\Local\Temp\APNSetup.exe
C:\Users\advent\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\advent\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\advent\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\advent\AppData\Local\Temp\jre-8u31-windows-au.exe
 

==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 

LastRegBack: 2015-02-05 17:44
 
==================== End Of Log ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 05-02-2015
Ran by advent at 2015-02-05 19:27:01
Running from C:\Users\advent\Desktop
Boot Mode: Normal
==========================================================
 

==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Free Firewall Firewall (Enabled) {1B8D532F-88B1-B2AD-ED22-AED92687A1D2}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.70 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Adobe® Photoshop® Album Starter Edition 3.2 (HKLM\...\Adobe® Photoshop® Album Starter Edition 3.2) (Version: 3.2.0 - http://www.adobe.com)
CCleaner (HKLM\...\CCleaner) (Version: 4.14 - Piriform)
Elevated Installer (Version: 2.2.21 - Garmin Ltd or its subsidiaries) Hidden
Epson Easy Photo Print 2 (HKLM\...\{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}) (Version: 2.1.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.30.01 - SEIKO EPSON Corporation)
Epson Print CD (HKLM\...\{D16A31F9-276D-4968-A753-FFEAC56995D0}) (Version: 2.00.00 - SEIKO EPSON CORPORATION)
Epson Printer Software Downloader (HKLM\...\Epson Printer Software Downloader) (Version:  - )
Epson Printer Software Downloader (Version: 2.0.0 - SEIKO EPSON CORPORATION) Hidden
EPSON PX710W Series Printer Uninstall (HKLM\...\EPSON PX710W Series) (Version:  - SEIKO EPSON Corporation)
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - )
Epson Stylus Photo PX710W_PX810FW_TX710W_TX810FW Manual (HKLM\...\Epson Stylus Photo PX710W_PX810FW_TX710W_TX810FW User’s Guide) (Version:  - )
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4i - SEIKO EPSON CORPORATION)
EpsonNet Setup (HKLM\...\{FFFAE01B-466F-4C07-9821-A94FD753BDDA}) (Version: 3.1b - SEIKO EPSON CORPORATION)
FinePixViewer Ver.4.2 (HKLM\...\{24ED4D80-8294-11D5-96CD-0040266301AD}) (Version:  - )
Garmin Express (HKLM\...\{31a12940-e5c8-4d27-a6ac-005212152f1f}) (Version: 2.2.21 - Garmin Ltd or its subsidiaries)
Garmin Express (Version: 2.2.21 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (Version: 2.2.21 - Garmin Ltd or its subsidiaries) Hidden
Garmin Update Service (Version: 2.2.21 - Garmin Ltd or its subsidiaries) Hidden
GearDrvs (Version: 1.00.0000 - GEAR Software) Hidden
GearDrvs (Version: 5.0.0.2 - Symantec Corporation) Hidden
Google Earth (HKLM\...\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}) (Version: 4.2.205.5730 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version:  - Google Inc.)
ImageMixer VCD2 for FinePix (HKLM\...\{934E9442-D305-4ACF-AD87-A6C11D677CB9}) (Version:  - )
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - )
Intel® PRO Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Intel® Viiv™ Software (HKLM\...\Intel® Configuration Center) (Version: 1.7.512.0 - Intel Corporation)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Stereoscopic 3D Driver (HKLM\...\NVIDIAStereo) (Version: 7.17.13.1106 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Power2Go 5.0 (HKLM\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version:  - )
RAW FILE CONVERTER LE (HKLM\...\{D680C913-5955-469D-9D88-C1940F7506D6}) (Version:  - )
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5436 - Realtek Semiconductor Corp.)
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.29480 - TeamViewer)
TP-LINK TL-WN725N_TL-WN723N Driver (HKLM\...\{3C3F9CEB-2C5A-4A47-8EAA-DA76037546BA}) (Version: 1.3.1 - TP-LINK)
TP-LINK Wireless Configuration Utility (HKLM\...\{319D91C6-3D44-436C-9F79-36C0D22372DC}) (Version: 1.3.1 - TP-LINK)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VC 9.0 Runtime (Version: 1.0.0 - Check Point Software Technologies Ltd) Hidden
VLC media player 2.0.4 (HKLM\...\VLC media player) (Version: 2.0.4 - VideoLAN)
ZoneAlarm Firewall (Version: 13.2.015.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Free Firewall (HKLM\...\ZoneAlarm Free Firewall) (Version: 13.2.015.000 - Check Point)
ZoneAlarm LTD Toolbar (HKLM\...\ZoneAlarm LTD Toolbar) (Version:  - Check Point Software Technologies)
ZoneAlarm Security (Version: 13.2.015.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Security Toolbar  (HKLM\...\zonealarm) (Version: 1.8.29.17 - Check Point Software Technologies LTD)
ZoneAlarm Security Toolbar  (HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\zonealarm) (Version: 1.8.29.17 - Check Point Software Technologies LTD)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 

==================== Restore Points  =========================
 
19-11-2014 10:06:11 Scheduled Checkpoint
19-11-2014 13:46:47 Windows Update
22-11-2014 16:32:49 Windows Update
25-11-2014 18:05:45 Windows Update
29-11-2014 17:22:15 Windows Update
03-12-2014 10:43:13 Windows Update
08-12-2014 10:00:29 Windows Update
11-12-2014 15:08:13 Windows Update
11-12-2014 15:18:07 Windows Update
16-12-2014 14:24:58 Windows Update
19-12-2014 17:45:05 Windows Update
26-12-2014 17:48:33 Windows Update
03-01-2015 18:45:06 Windows Update
07-01-2015 13:09:23 Windows Update
10-01-2015 17:34:26 Windows Update
14-01-2015 12:15:07 Windows Update
14-01-2015 12:20:39 Windows Update
18-01-2015 16:26:09 Windows Update
22-01-2015 15:47:03 Windows Update
26-01-2015 16:07:32 Windows Update
27-01-2015 10:38:12 Scheduled Checkpoint
29-01-2015 16:24:37 Windows Update
01-02-2015 21:19:41 Windows Update
03-02-2015 11:13:43 Removed Search App by Ask
05-02-2015 17:50:08 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 10:23 - 2006-09-18 21:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0423FC50-2262-4246-96B9-9F488C0DAB71} - System32\Tasks\Epson Printer Software Downloader => C:\Program Files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26] (SEIKO EPSON CORPORATION)
Task: {407CE4B4-3A4A-42D0-B9C9-7AC8FF292263} - System32\Tasks\Microsoft\Windows\RestartManager\{9DFB15C3-B3F3-4377-A251-79D17021D801} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation)
Task: {5F863F2B-D288-4339-A624-730B9406C941} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-05-20] (Piriform Ltd)
Task: {7C2BC720-906B-4FE3-AF87-E77F1775572D} - System32\Tasks\Microsoft\Windows\WindowsCalendar\Reminders - advent => C:\Program Files\Windows Calendar\wincal.exe [2009-04-11] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Epson Printer Software Downloader.job => C:\Program Files\EPSON\EPAPDL\E_SAPDL2.EXE
 
==================== Loaded Modules (whitelisted) ==============
 
2007-02-12 10:46 - 2007-02-12 10:46 - 00208896 _____ () C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
2007-06-27 09:13 - 2007-06-27 09:13 - 00268504 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
2007-06-27 09:14 - 2007-06-27 09:14 - 00325848 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\xmb_mediaserver.dll
2007-06-27 09:13 - 2007-06-27 09:13 - 00563416 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\xmb_client.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00070872 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\xmb_mediaspace.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00219352 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\xmb_import.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00041176 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_aggregate.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00030424 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_sync.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00025304 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_tunisauth.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00104664 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_tunists.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00088280 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_upnp.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00026328 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_upnppower.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00065240 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\xmb_upnppower.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00027864 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_xrturi.dll
2007-06-27 09:14 - 2007-06-27 09:14 - 00252120 _____ () C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\lib\mediaserver\mediaserver_zcardea.dll
2010-01-22 16:52 - 2009-03-12 15:45 - 00135168 ____N () C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\ScanEngine.dll
2010-01-22 16:52 - 2008-11-21 13:58 - 00057344 ____N () C:\Program Files\Epson Software\Event Manager\Assistants\Scan Assistant\Satwain.dll
2014-07-17 19:46 - 2013-01-10 18:09 - 00848384 _____ () C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
2014-07-17 19:46 - 2013-01-10 17:32 - 01411072 _____ () C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\nicLan.dll
2014-07-17 19:46 - 2013-01-10 18:16 - 00193024 _____ () C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\DC_WFF.dll
2014-07-17 19:46 - 2013-01-07 15:03 - 00297472 _____ () C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\WJRtl.dll
2014-07-17 19:58 - 2013-07-04 04:46 - 00598392 _____ () C:\Program Files\Check Point Software Technologies LTD\zonealarm\AbineSDK\IE\DNTPContentFilter.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 

==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 

==================== Other Registry Areas =====================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3282321327-2338849114-975383226-1000\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\img24.jpg
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\advent\Pictures\Friends and Family\Turner Erin Scarlett\2014\Dec 14\super star.jpg
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 

==================== Accounts: =============================
 
Administrator (S-1-5-21-3282321327-2338849114-975383226-500 - Administrator - Disabled)
advent (S-1-5-21-3282321327-2338849114-975383226-1001 - Administrator - Enabled) => C:\Users\advent
Guest (S-1-5-21-3282321327-2338849114-975383226-501 - Limited - Disabled)
IUSR_NMPR (S-1-5-21-3282321327-2338849114-975383226-1000 - Limited - Enabled) => C:\Users\IUSR_NMPR
Tony Powell (S-1-5-21-3282321327-2338849114-975383226-1002 - Limited - Enabled) => C:\Users\Tony Powell
UpdatusUser (S-1-5-21-3282321327-2338849114-975383226-1004 - Limited - Enabled) => C:\Users\UpdatusUser
 
==================== Faulty Device Manager Devices =============
 

==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/14/2015 00:24:23 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
 
Error: (01/14/2015 00:24:22 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
 
Error: (01/11/2015 03:15:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Photoshp.exe version 5.0.128.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: f94
Start Time: 01d02db1516c4600
Termination Time: 0
 
Error: (01/07/2015 03:46:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16599, time stamp 0x5473964b, faulting module IEFRAME.dll, version 9.0.8112.16599, time stamp 0x547396ec, exception code 0xc0000005, fault offset 0x001a8290,
process id 0x101c, application start time 0xiexplore.exe0.
 
Error: (12/11/2014 03:22:24 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
 
Error: (12/11/2014 03:22:23 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
 
Error: (11/24/2014 05:46:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16592 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 154c
Start Time: 01d0080d4c0a7f1d
Termination Time: 46
 
Error: (11/13/2014 06:23:14 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
 
Error: (11/13/2014 06:23:14 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
 
Error: (11/04/2014 04:24:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16584, time stamp 0x541caffd, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x033d7648,
process id 0x17b0, application start time 0xiexplore.exe0.
 

System errors:
=============
Error: (02/05/2015 05:39:12 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (02/05/2015 05:39:12 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (02/04/2015 04:08:12 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (02/04/2015 04:08:12 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (02/04/2015 03:00:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (02/04/2015 03:00:49 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (02/03/2015 00:18:22 PM) (Source: DCOM) (EventID: 10016) (User: advent-PC)
Description: application-specificLocalActivation{A47979D2-C419-11D9-A5B4-001185AD2B89}advent-PCadventS-1-5-21-3282321327-2338849114-975383226-1001LocalHost (Using LRPC)
 
Error: (02/03/2015 11:41:24 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: NVIDIA Update Service Daemon%%1069
 
Error: (02/03/2015 11:41:24 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: nvUpdatusService.\UpdatusUser%%1330
 
Error: (02/03/2015 11:07:19 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: NVIDIA Update Service Daemon%%1069
 

Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2015-02-03 11:22:14.567
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:14.255
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:13.975
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:13.663
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:13.148
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:12.851
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:12.555
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 11:22:12.259
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 10:51:46.255
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-02-03 10:51:45.959
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 

==================== Memory info ===========================
 
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 54%
Total physical RAM: 3069.46 MB
Available physical RAM: 1389.02 MB
Total Pagefile: 6349.94 MB
Available Pagefile: 4635.07 MB
Total Virtual: 2047.88 MB
Available Virtual: 1901.76 MB
 
==================== Drives ================================
 
Drive c: (Vista) (Fixed) (Total:226.05 GB) (Free:145.9 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (Secondary Hard Drive) (Fixed) (Total:232.88 GB) (Free:232.67 GB) NTFS
Drive s: (System) (Fixed) (Total:1.46 GB) (Free:1.42 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: 498B57C9)
Partition 1: (Not Active) - (Size=5.4 GB) - (Type=27)
Partition 2: (Active) - (Size=1.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=226 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: 502714DA)
Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
 
Thanks guys, really appreciate all your help!!
#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:05 AM

Posted 07 February 2015 - 01:45 PM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. :warrior:

Before we move on, please read the following points carefully: :exclame:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.
Attached File: fixlist.txt (439 bytes)

After the Reboot:

Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
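The fixlist above deletes the DhcpNameServer value that FRST reported, and the rescan posted later in this thread shows the value present again with a different address. As an added example that is not part of this thread, of FRST, or of the helper's fixlist, here is a small Python check that pulls the DhcpNameServer resolvers out of FRST output, flags any that are not on an expected list, and compares a scan taken before a fix with one taken after it, so the check can be repeated after each reboot. The expected-resolver list and the log excerpts are constructed for the example; the two resolver addresses are the ones that appear in the scan and rescan in this thread.

```python
import ipaddress
import re
from typing import Dict, List

# Resolvers the administrator expects DHCP to hand out (assumption for this example).
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# FRST reports the DHCP-assigned resolvers on a single line of its Internet section.
DNS_LINE = re.compile(r"^Tcpip\\Parameters: \[DhcpNameServer\]\s*(.*)$", re.MULTILINE)


def find_dns_servers(frst_text: str) -> List[str]:
    """Return every address listed on DhcpNameServer lines of an FRST log, in order."""
    servers = []
    for match in DNS_LINE.finditer(frst_text):
        for token in match.group(1).split():
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # skip anything that is not an IP literal
    return servers


def unexpected_resolvers(servers: List[str], expected=EXPECTED_RESOLVERS) -> List[str]:
    """Resolvers that are neither expected nor LAN/loopback addresses.

    A home router normally hands out its own private address as the resolver,
    so RFC 1918 and loopback addresses are tolerated; any other public address
    that is not on the expected list is reported.
    """
    flagged = []
    for server in servers:
        addr = ipaddress.ip_address(server)
        if server in expected or addr.is_private or addr.is_loopback:
            continue
        flagged.append(server)
    return flagged


def compare_scans(before_text: str, after_text: str) -> Dict[str, object]:
    """Compare the flagged resolvers of two FRST scans taken before and after a fix."""
    before = unexpected_resolvers(find_dns_servers(before_text))
    after = unexpected_resolvers(find_dns_servers(after_text))
    return {
        "before": before,
        "after": after,
        # The fix held only if nothing unexpected is left after it.
        "persisted": bool(after),
        # A different address across scans means something rewrote the value in between.
        "changed": bool(after) and set(after) != set(before),
    }


# Constructed excerpts in FRST's layout; the resolver addresses are the ones
# shown in the scan and rescan posted in this thread.
BEFORE_FIX = (
    "Toolbar: HKLM - &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F}\n"
    "Tcpip\\Parameters: [DhcpNameServer] 91.212.124.159 8.8.8.8\n"
)
AFTER_FIX = (
    "Toolbar: HKLM - &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F}\n"
    "Tcpip\\Parameters: [DhcpNameServer] 5.135.54.164 8.8.8.8\n"
)
CLEAN_SCAN = "Tcpip\\Parameters: [DhcpNameServer] 192.168.1.1 8.8.8.8\n"

if __name__ == "__main__":
    print(compare_scans(BEFORE_FIX, AFTER_FIX))   # unexpected resolver still present
    print(compare_scans(BEFORE_FIX, CLEAN_SCAN))  # fix held
```

Run it against the full FRST.txt from before and after a fix: a non-empty `after` list means the fix did not hold, and a changed address between the two scans is exactly what the two logs in this thread show. Tolerating private-range resolvers is a design choice for home networks where the router itself is the DHCP-advertised resolver; if the expected resolvers are known exactly, drop that allowance and rely on the expected list alone.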

#3 nathaniel22

nathaniel22
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:05 AM

Posted 09 February 2015 - 04:46 PM

Hi Jurgen, thanks so much for your time & help!!  :thumbup2:

Here are the two logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 08-02-2015
Ran by advent at 2015-02-09 19:40:34 Run:1
Running from C:\Users\advent\Desktop
Loaded Profiles: IUSR_NMPR & advent (Available profiles: IUSR_NMPR & advent & Tony Powell & UpdatusUser)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
SearchScopes: HKU\.DEFAULT -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-3282321327-2338849114-975383226-1001 -> {7282D889-F394-4A5E-A26F-653A20DEE801} URL =http://www.search.ask.com/web?tpid=ORJ-S
Toolbar: HKU\S-1-5-21-3282321327-2338849114-975383226-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Tcpip\Parameters: [DhcpNameServer] 91.212.124.159 8.8.8.8
EmptyTemp:
*****************
 
Processes closed successfully.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found. 
"HKU\S-1-5-21-3282321327-2338849114-975383226-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7282D889-F394-4A5E-A26F-653A20DEE801}" => Key deleted successfully.
HKCR\CLSID\{7282D889-F394-4A5E-A26F-653A20DEE801} => Key not found. 
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found. 
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value deleted successfully.
EmptyTemp: => Removed 618.7 MB temporary data.
 

The system needed a reboot.
 
==== End of Fixlog 19:41:41 ====
 
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-02-2015
Ran by advent (administrator) on ADVENT-PC on 09-02-2015 19:59:49
Running from C:\Users\advent\Desktop
Loaded Profiles: IUSR_NMPR & advent (Available profiles: IUSR_NMPR & advent & Tony Powell & UpdatusUser)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Check Point Software Technologies Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Check Point Software Technologies Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
() C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe
() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\QualityManager.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Check Point Software Technologies, Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\issm.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
() C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
(Intel® Corporation) C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
Failed to access process -> dllhost.exe
Failed to access process -> dllhost.exe
 

==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4493312 2007-06-20] (Realtek Semiconductor)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [NMSSupport] => C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe [439512 2007-06-27] (Intel Corporation)
HKLM\...\Run: [CCUTRAYICON] => C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe [215256 2007-06-27] (Intel® Corporation)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-06-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe Photo Downloader] => C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe [63712 2007-03-09] (Adobe Systems Incorporated)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ISW] => [X]
HKLM\...\Run: [ZoneAlarm] => C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [137352 2014-05-30] (Check Point Software Technologies Ltd.)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3282321327-2338849114-975383226-1000\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-01-06] (Google Inc.)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [EPSON PX710W Series] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFSE.EXE [199680 2009-02-23] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-08-22] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\...\MountPoints2: {48a77f75-b561-11dc-ae16-806e6f6e6963} - D:\Autorun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\Software\Microsoft\Internet Explorer\Main,Start Page =http://www.knowhow.com/
HKU\S-1-5-21-3282321327-2338849114-975383226-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =http://www.thetechguys.com/welcome
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Zonealarm Helper Object -> {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} -> C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.29.17\bh\zonealarm.dll (Check Point Software Technologies LTD)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: ZoneAlarm Security Engine Registrar -> {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
BHO: Google Dictionary Compression sdch -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} -> C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll No File
Toolbar: HKLM - ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarmTlbr.dll (Check Point Software Technologies LTD)
Toolbar: HKU\S-1-5-21-3282321327-2338849114-975383226-1001 -> &Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Tcpip\Parameters: [DhcpNameServer] 5.135.54.164 8.8.8.8
 
FireFox:
========
FF Plugin: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll No File
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-07-15]
FF HKLM\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\TrustChecker
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [223448 2007-06-27] (Intel® Corporation)
S3 DHTRACE; C:\Program Files\Common Files\Intel\IntelDH\bin\DHTraceController.exe [39640 2007-06-27] (Intel® Corporation)
R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2007-02-12] () [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [220504 2013-08-22] (Garmin Ltd or its subsidiaries)
R2 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [59096 2007-06-27] (Intel® Corporation)
R2 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [268504 2007-06-27] ()
R2 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [157912 2007-06-27] (Intel® Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 NMSCore; C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe [317656 2007-06-27] (Intel® Corporation)
R2 QualityManager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe [272600 2007-06-27] (Intel® Corporation)
R2 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [446680 2007-06-27] (Intel® Corporation)
R2 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [3592120 2014-05-30] (Check Point Software Technologies Ltd.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
R2 ZAPrivacyService; C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [90936 2014-05-29] (Check Point Software Technologies, Ltd.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 IntelDH; C:\Windows\System32\Drivers\IntelDH.sys [5632 2007-09-28] (Intel Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-02-05] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R2 nmsunidr; C:\Windows\System32\DRIVERS\nmsunidr.sys [5376 2007-02-18] (Gteko Ltd.)
R1 RtlProt; C:\Windows\System32\DRIVERS\rtlprot.sys [25896 2007-04-23] (Windows ® Codename Longhorn DDK provider)
R3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [1310864 2013-03-05] (Realtek Semiconductor Corporation                           )
S3 TSHWMDTCP; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [14552 2007-06-27] ()
R1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [456088 2014-05-30] (Check Point Software Technologies Ltd.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 RTL8187B; system32\DRIVERS\wg111v3.sys [X]
S3 RTL8192cu; system32\DRIVERS\RTL8192cu.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 

==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-09 19:39 - 2015-02-09 19:39 - 00000000 ____D () C:\Users\advent\Desktop\FRST-OlderVersion
2015-02-05 19:27 - 2015-02-05 19:28 - 00024124 _____ () C:\Users\advent\Desktop\Addition.txt
2015-02-05 19:26 - 2015-02-09 19:59 - 00015569 _____ () C:\Users\advent\Desktop\FRST.txt
2015-02-05 19:26 - 2015-02-09 19:59 - 00000000 ____D () C:\FRST
2015-02-05 19:22 - 2015-02-09 19:39 - 01124352 _____ (Farbar) C:\Users\advent\Desktop\FRST.exe
2015-02-02 20:18 - 2015-02-02 20:18 - 00000000 ____D () C:\ProgramData\APN
2015-02-02 20:15 - 2015-02-02 20:15 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-02-02 19:51 - 2015-02-02 19:51 - 00000000 ____D () C:\Users\advent\AppData\Roaming\TeamViewer
2015-02-02 12:01 - 2015-02-02 14:49 - 00000000 ____D () C:\Users\advent\AppData\Roaming\Mozilla
2015-01-14 12:25 - 2014-12-19 00:25 - 00115200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 12:21 - 2014-12-06 03:14 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 12:21 - 2014-12-06 03:14 - 00093184 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-14 12:21 - 2014-12-06 03:14 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-14 12:20 - 2014-12-06 03:14 - 00153600 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-09 19:58 - 2006-11-02 10:33 - 00765776 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-09 19:57 - 2007-12-28 14:04 - 01513910 _____ () C:\Windows\WindowsUpdate.log
2015-02-09 19:52 - 2014-07-17 19:38 - 00015066 _____ () C:\Windows\PFRO.log
2015-02-09 19:52 - 2006-11-02 13:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-09 19:52 - 2006-11-02 12:47 - 00003168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-09 19:52 - 2006-11-02 12:47 - 00003168 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-09 19:51 - 2006-11-02 13:01 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-09 19:29 - 2014-07-17 20:08 - 00000000 ____D () C:\Users\advent\AppData\Local\DoNotTrackPlus
2015-02-05 18:57 - 2014-06-27 15:53 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 12:43 - 2008-01-30 15:17 - 00000000 ____D () C:\Users\advent\Documents\Gill's items
2015-02-02 20:18 - 2013-10-20 15:11 - 00000000 ____D () C:\ProgramData\Oracle
2015-02-02 20:16 - 2014-11-04 10:51 - 00000000 ____D () C:\Program Files\Java
2015-02-02 20:15 - 2014-11-04 10:51 - 00272296 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2015-02-02 20:15 - 2014-11-04 10:51 - 00176552 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2015-02-02 20:15 - 2014-11-04 10:51 - 00176552 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2015-02-02 20:15 - 2014-11-04 10:51 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-02-02 14:55 - 2014-06-27 15:53 - 00000904 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-02 14:55 - 2014-06-27 15:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-02 14:55 - 2014-06-27 15:52 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-02 14:50 - 2006-11-02 11:18 - 00000000 ____D () C:\Windows\nap
2015-01-29 16:54 - 2010-01-22 16:54 - 00000242 _____ () C:\Windows\Tasks\Epson Printer Software Downloader.job
2015-01-26 16:00 - 2008-01-30 15:16 - 00000000 ____D () C:\Users\advent\Documents\Church business
2015-01-15 18:07 - 2014-07-17 19:46 - 00000000 ____D () C:\Users\advent\AppData\Roaming\TP-LINK
2015-01-14 12:25 - 2013-08-06 09:12 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 12:21 - 2006-11-02 10:24 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
 
==================== Files in the root of some directories =======
 
2008-08-09 14:39 - 2008-08-09 14:39 - 0000059 _____ () C:\Program Files\ping_wip.txt
2008-02-09 16:26 - 2010-08-08 17:01 - 0029072 _____ () C:\Users\advent\AppData\Roaming\UserTile.png
2014-06-04 20:12 - 2014-06-04 20:12 - 0000000 ____H () C:\Users\advent\AppData\Local\BIT5DF8.tmp
2010-03-30 11:05 - 2010-03-30 11:05 - 0000552 _____ () C:\Users\advent\AppData\Local\d3d8caps.dat
2009-07-28 16:21 - 2014-07-11 15:29 - 0002032 _____ () C:\Users\advent\AppData\Local\d3d9caps.dat
2008-01-25 17:06 - 2014-08-07 08:22 - 0020480 _____ () C:\Users\advent\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-05-21 08:29 - 2011-05-23 16:13 - 0001940 _____ () C:\Users\advent\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
2014-06-04 20:12 - 2014-06-04 20:12 - 0000000 _____ () C:\Users\advent\AppData\Local\{BD761196-0806-465F-B71C-FDC470D5BA74}
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 

LastRegBack: 2015-02-09 19:59
 
==================== End Of Log ============================


#4 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:05 AM

Posted 09 February 2015 - 05:02 PM

Hi,
please do the following:
 
Change the DNS entries; change the router password.

 

http://www.howtogeek.com/164981/how-to-switch-to-opendns-or-google-dns-to-speed-up-web-browsing/

http://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/
 
Afterwards:

Step 1

MiniToolBox

  • Please download MiniToolBox and save the file to your Desktop.
  • Close any open windows.
  • Right-click MiniToolBox.exe and select Run as administrator to run the programme.
  • Check the requested items.
  • Click Go.
  • A log (Result.txt) will be created on your Desktop. Copy the contents of the log and paste it in your next reply.

Edited by deeprybka, 09 February 2015 - 05:03 PM.

regards,
deeprybka
Harm no one; rather, help everyone as much as you can. Arthur Schopenhauer
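
The FRST log earlier in this thread carries the line "Tcpip\Parameters: [DhcpNameServer] 5.135.54.164 8.8.8.8", which is the entry the DNS change requested above is meant to replace. The check below, an added example and not code from Farbar's tools or from this thread, parses that FRST line and the ipconfig "DNS Servers" field and flags any public resolver that is not on an allow-list; the allow-list, the sample lines and the function names are constructed for this example.

```python
"""Flag DNS resolvers outside an allow-list, reading the line shapes that FRST
("Tcpip\\Parameters: [DhcpNameServer] ...") and ipconfig /all ("DNS Servers . . . : ...")
write to their logs. Added example, not code from Farbar's tools or this thread."""
import ipaddress
import re

# Constructed allow-list: the router seen in this thread plus well-known public resolvers.
TRUSTED_RESOLVERS = frozenset({"192.168.1.1",                        # LAN gateway from the log
                               "8.8.8.8", "8.8.4.4",                 # Google Public DNS
                               "208.67.222.222", "208.67.220.220"})  # OpenDNS
# "Tcpip\Parameters: [DhcpNameServer] ..." and "Tcpip\..\Interfaces\{GUID}: [NameServer] ..."
FRST_RE = re.compile(r"Tcpip\\[^:]*:\s*\[(?P<key>Dhcp)?NameServer\]\s*(?P<addrs>.*)")
# ipconfig field line; extra resolvers follow on lines holding only an address
IPCONFIG_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(?P<addr>\S+)?")

def _clean(addr):
    # drop an IPv6 zone index ("%8") and ipconfig's "(Preferred)" suffix
    return addr.split("%")[0].replace("(Preferred)", "").strip()

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def extract_resolvers(log_text):
    """Return (source, address) pairs for every resolver the log names."""
    found, in_dns_field = [], False
    for line in log_text.splitlines():
        m = FRST_RE.search(line)
        if m:
            source = "registry " + ("DhcpNameServer" if m.group("key") else "NameServer")
            found += [(source, _clean(a)) for a in re.split(r"[\s,]+", m.group("addrs")) if a]
            in_dns_field = False
            continue
        m = IPCONFIG_RE.match(line)
        if m:
            in_dns_field = True
            if m.group("addr"):
                found.append(("ipconfig", _clean(m.group("addr"))))
            continue
        stripped = _clean(line)
        if in_dns_field and _is_ip(stripped):  # second/third DNS server on its own line
            found.append(("ipconfig", stripped))
        else:
            in_dns_field = False
    return found

def classify(address, trusted=TRUSTED_RESOLVERS):
    """'trusted' if allow-listed; 'lan' for private/loopback/link-local (normally the router,
    hence the advice to change its password too); 'suspicious' otherwise; 'invalid' if unparseable."""
    if not _is_ip(address):
        return "invalid"
    if address in trusted:
        return "trusted"
    ip = ipaddress.ip_address(address)
    return "lan" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "suspicious"

def audit(log_text, trusted=TRUSTED_RESOLVERS):
    """(source, address, verdict) for each resolver found in the log."""
    return [(src, addr, classify(addr, trusted)) for src, addr in extract_resolvers(log_text)]

def suspicious_resolvers(log_text, trusted=TRUSTED_RESOLVERS):
    """Distinct public resolvers that are not allow-listed, sorted."""
    return sorted({a for _, a, v in audit(log_text, trusted) if v == "suspicious"})

# Constructed samples copied from the line shapes in this thread's logs.
FRST_BEFORE = "Tcpip\\Parameters: [DhcpNameServer] 5.135.54.164 8.8.8.8\n"
IPCONFIG_AFTER = """\
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
```

Run against FRST_BEFORE it reports 5.135.54.164 as suspicious; against IPCONFIG_AFTER it reports nothing, which matches the cleaned-up state shown later in this thread.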

#5 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:05 AM

Posted 13 February 2015 - 06:53 AM

Hi,

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.
regards,
deeprybka

#6 nathaniel22

nathaniel22
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:05 AM

Posted 14 February 2015 - 08:01 AM

Hi Jurgen

 

Sorry for the delay. Changed DNS servers. Output of Result.txt as below...

 

MiniToolBox by Farbar  Version: 30-11-2014
Ran by advent (administrator) on 14-02-2015 at 12:43:54
Running from "C:\Users\advent\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= IP Configuration: ================================

Intel® 82566DC-2 Gigabit Network Connection = Local Area Connection (Connected)
TP-LINK Wireless USB Adapter = Wireless Network Connection (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : advent-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TP-LINK Wireless USB Adapter
   Physical Address. . . . . . . . . : C0-6D-00-57-1B-7B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® 82566DC-2 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1C-67-37-2D-15
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2da3:d14f:a1f9:62d7%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 14 February 2015 12:13:43
   Lease Expires . . . . . . . . . . : 17 February 2015 12:13:43
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 184556581
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-06-BA-EC-00-1C-49-8A-5C-15
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{6673E70A-E639-4EDB-9F57-FC08C82E4269}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{37A7E16E-5C9C-43D3-8CF0-62A29EEC3FD8}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
1.1.168.192.in-addr.arpa
 primary name server = localhost
 responsible mail addr = nobody.invalid
 serial  = 1
 refresh = 600 (10 mins)
 retry   = 1200 (20 mins)
 expire  = 604800 (7 days)
 default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  192.168.1.1

Name:    google.com
Addresses:  2a00:1450:4009:80d::200e
   62.164.169.159
   62.164.169.165
   62.164.169.152
   62.164.169.185
   62.164.169.166
   62.164.169.148
   62.164.169.176
   62.164.169.154
   62.164.169.155
   62.164.169.181
   62.164.169.170
   62.164.169.174
   62.164.169.144
   62.164.169.187
   62.164.169.177
   62.164.169.163

 

Pinging google.com [62.164.169.154] with 32 bytes of data:

Reply from 62.164.169.154: bytes=32 time=37ms TTL=58

Reply from 62.164.169.154: bytes=32 time=33ms TTL=58

 

Ping statistics for 62.164.169.154:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 33ms, Maximum = 37ms, Average = 35ms

1.1.168.192.in-addr.arpa
 primary name server = localhost
 responsible mail addr = nobody.invalid
 serial  = 1
 refresh = 600 (10 mins)
 retry   = 1200 (20 mins)
 expire  = 604800 (7 days)
 default TTL = 10800 (3 hours)
Server:  UnKnown
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  98.138.253.109
   98.139.183.24
   206.190.36.45

 

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=197ms TTL=48

Reply from 206.190.36.45: bytes=32 time=196ms TTL=48

 

Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 196ms, Maximum = 197ms, Average = 196ms

 

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

 

Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

===========================================================================
Interface List
 12 ...c0 4a 00 29 1b 7b ...... TP-LINK Wireless USB Adapter
  8 ...00 1c 67 37 2d 15 ...... Intel® 82566DC-2 Gigabit Network Connection
  1 ........................... Software Loopback Interface 1
 13 ...00 00 00 00 00 00 00 e0  isatap.{6673E70A-E639-4EDB-9F57-FC08C82E4269}
  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  isatap.{37A7E16E-5C9C-43D3-8CF0-62A29EEC3FD8}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    276
    192.168.1.100  255.255.255.255         On-link     192.168.1.100    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.100    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.100    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.100    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  8    276 fe80::/64                On-link
  8    276 fe80::2da3:d14f:a1f9:62d7/128
                                    On-link
  1    306 ff00::/8                 On-link
  8    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

**** End of log ****



#7 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:05 AM

Posted 14 February 2015 - 08:05 AM

Let's have a look into fresh logs...

Step 1


Start FRST with administrator privileges.
  • Make sure the Addition.txt option is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka

#8 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:09:05 AM

Posted 19 February 2015 - 01:54 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
deeprybka