
plz help me with this new virus


This topic is locked
9 replies to this topic

#1 saurav99990 (Banned, 11 posts)

Posted 08 February 2015 - 09:37 PM

Recently I encountered a file named autoexec.bat. I looked at the code; it was

cd\
dir *.rar /b /s >> system.bin

and there was a system.bin file which was eating all the apps present in that drive. It is not detected by any antivirus. When I delete it, it comes back after some time. When I checked Task Manager, it was being run by a file named issass.exe. I deleted that too, but somehow it comes back. Please help me; all my software has become unusable.


No reply comes after running any program; nothing happens. But in Task Manager that process is running. CPU speed is normal. Please tell me what to do; I've lost all the exe files, none of them run.

Now it is taking up my disk space: unknown rar files of 1 GB - 2 GB are present there, and in all the rar files only keygen.exe is present. I've run many antiviruses, but nothing works.

#2 saurav99990 (Topic Starter; Banned, 11 posts)

Posted 10 February 2015 - 08:22 AM

These are the log files.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-02-2015
Ran by Incredible Saurav (administrator) on INTRUDER on 10-02-2015 18:49:49
Running from C:\Users\Incredible Saurav\Downloads
Loaded Profiles: Incredible Saurav (Available profiles: Incredible Saurav)
Platform: Microsoft Windows 8 Pro (X86) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Intel Corporation) C:\Windows\System32\IntelCpHeciSvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Apache Software Foundation) C:\wamp\bin\apache\apache2.4.9\bin\httpd.exe
(Apache Software Foundation) C:\wamp\bin\apache\apache2.4.9\bin\httpd.exe
() C:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google Inc.) C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-03] (Adobe Systems Incorporated)
HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\...\Run: [Microsoft] => C:\Users\Incredible Saurav\AppData\Roaming\lssass.exe [161705846 2015-02-05] ()
HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6699800 2015-01-22] (SUPERAntiSpyware)
HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\...\Run: [Google Update] => C:\Users\Incredible Saurav\AppData\Local\Google\Update\GoogleUpdate.exe [107848 2015-02-08] (Google Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.43.1
 
FireFox:
========
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3185081287-2641024247-1746883677-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-3185081287-2641024247-1746883677-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\pdf.dll ()
CHR Profile: C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Docs) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-06]
CHR Extension: (Google Drive) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-06]
CHR Extension: (YouTube) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-06]
CHR Extension: (Google Search) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-06]
CHR Extension: (Gmail) - C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-06]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [142648 2014-07-22] (SUPERAntiSpyware.com)
R3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [279000 2014-01-29] (Intel Corporation)
R3 wampapache; c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe [22016 2014-05-01] (Apache Software Foundation) [File not signed]
R3 wampmysqld; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe [10959360 2014-05-01] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [13864 2012-07-25] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-07-25] (Microsoft Corporation)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63.sys [4704256 2012-06-02] (Broadcom Corporation)
R3 MEI; C:\Windows\System32\drivers\HECI.sys [41088 2010-10-19] (Intel Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-10 18:49 - 2015-02-10 18:50 - 00006706 _____ () C:\Users\Incredible Saurav\Downloads\FRST.txt
2015-02-10 18:49 - 2015-02-10 18:49 - 01124352 _____ (Farbar) C:\Users\Incredible Saurav\Downloads\FRST.exe
2015-02-10 18:49 - 2015-02-10 18:49 - 00000000 ____D () C:\FRST
2015-02-10 18:46 - 2015-02-10 18:46 - 11834264 _____ () C:\Users\Incredible Saurav\Downloads\tweaking.com_windows_repair_aio_setup.exe
2015-02-10 18:40 - 2015-02-10 18:40 - 00000117 _____ () C:\Windows\system32\netcfg-70368031.txt
2015-02-10 06:48 - 2015-02-10 06:48 - 00001375 _____ () C:\Users\Incredible Saurav\Desktop\as.htm
2015-02-10 06:44 - 2015-02-10 06:44 - 01437876 _____ () C:\Users\Incredible Saurav\Desktop\How to create Facebook Style popup with CSS.htm
2015-02-10 06:44 - 2015-02-10 06:44 - 00000117 _____ () C:\Windows\system32\netcfg-27406171.txt
2015-02-10 06:44 - 2015-02-10 06:44 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\How to create Facebook Style popup with CSS_files
2015-02-10 06:43 - 2015-02-10 06:43 - 01038630 _____ () C:\Users\Incredible Saurav\Desktop\How to create Drop Down Menu with jQuery and CSS.htm
2015-02-10 06:43 - 2015-02-10 06:43 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\How to create Drop Down Menu with jQuery and CSS_files
2015-02-10 06:41 - 2015-02-10 06:41 - 00086540 _____ () C:\Users\Incredible Saurav\Desktop\How to create Login and Signup form in PHP   PGPGang.com.htm
2015-02-10 06:41 - 2015-02-10 06:41 - 00000117 _____ () C:\Windows\system32\netcfg-27206828.txt
2015-02-10 06:16 - 2015-02-10 06:41 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\How to create Login and Signup form in PHP   PGPGang.com_files
2015-02-10 06:15 - 2015-02-10 06:15 - 00000117 _____ () C:\Windows\system32\netcfg-25665187.txt
2015-02-10 06:14 - 2015-02-10 06:14 - 00000117 _____ () C:\Windows\system32\netcfg-25633875.txt
2015-02-10 05:27 - 2015-02-10 05:27 - 00001127 _____ () C:\Users\Incredible Saurav\Downloads\db.sql
2015-02-10 05:26 - 2015-02-10 05:26 - 00001127 _____ () C:\Users\Incredible Saurav\Downloads\phpgang.sql
2015-02-10 05:09 - 2015-02-10 05:09 - 00000117 _____ () C:\Windows\system32\netcfg-21734953.txt
2015-02-10 05:07 - 2015-02-10 05:07 - 01700750 _____ () C:\Users\Incredible Saurav\Desktop\How to create Login and Signup System in PHP.htm
2015-02-10 05:07 - 2015-02-10 05:07 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\How to create Login and Signup System in PHP_files
2015-02-10 04:58 - 2015-02-10 04:58 - 00000117 _____ () C:\Windows\system32\netcfg-21037218.txt
2015-02-10 04:07 - 2015-02-10 04:07 - 00022850 _____ () C:\Users\Incredible Saurav\Desktop\Create database, table and managing MySQL database using phpMyAdmin.htm
2015-02-10 04:07 - 2015-02-10 04:07 - 00000117 _____ () C:\Windows\system32\netcfg-18011484.txt
2015-02-10 04:07 - 2015-02-10 04:07 - 00000117 _____ () C:\Windows\system32\netcfg-17985796.txt
2015-02-10 04:07 - 2015-02-10 04:07 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\Create database, table and managing MySQL database using phpMyAdmin_files
2015-02-10 04:03 - 2015-02-10 04:03 - 00028119 _____ () C:\Users\Incredible Saurav\Desktop\PHP Login script tutorial.htm
2015-02-10 04:03 - 2015-02-10 04:03 - 00000117 _____ () C:\Windows\system32\netcfg-17750265.txt
2015-02-10 04:03 - 2015-02-10 04:03 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\PHP Login script tutorial_files
2015-02-10 04:02 - 2015-02-10 04:02 - 00000117 _____ () C:\Windows\system32\netcfg-17692500.txt
2015-02-10 03:33 - 2015-02-10 03:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WampServer
2015-02-10 03:32 - 2015-02-10 03:33 - 00000000 ____D () C:\wamp
2015-02-10 02:55 - 2015-02-10 02:55 - 00001273 _____ () C:\Users\Incredible Saurav\Desktop\download.zip
2015-02-10 00:52 - 2015-02-10 00:53 - 00000343 _____ () C:\Users\Incredible Saurav\Desktop\new  1.txt
2015-02-10 00:51 - 2015-02-10 00:51 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Notepad++
2015-02-10 00:51 - 2015-02-10 00:51 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-02-10 00:51 - 2015-02-10 00:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2015-02-10 00:51 - 2015-02-10 00:51 - 00000000 ____D () C:\Program Files\Notepad++
2015-02-10 00:50 - 2015-02-10 00:50 - 07764894 _____ () C:\Users\Incredible Saurav\Desktop\npp.6.7.4.Installer.rar
2015-02-10 00:49 - 2015-02-10 00:50 - 07965917 _____ () C:\Users\Incredible Saurav\Desktop\npp.6.7.4.Installer.exe
2015-02-10 00:29 - 2015-02-10 00:30 - 00000000 ____D () C:\Windows\system32\appmgmt
2015-02-10 00:28 - 2015-02-10 00:29 - 01801216 _____ (Microsoft Corporation) C:\Users\Incredible Saurav\iis 8.EXE
2015-02-10 00:23 - 2015-02-10 00:23 - 46161780 _____ () C:\Users\Incredible Saurav\Desktop\wamp.rar
2015-02-10 00:06 - 2015-02-10 00:06 - 00000000 ____D () C:\ProgramData\Package Cache
2015-02-09 22:59 - 2015-02-09 22:59 - 00000117 _____ () C:\Windows\system32\netcfg-137876343.txt
2015-02-09 22:54 - 2015-02-10 02:47 - 00000000 ____D () C:\Users\Incredible Saurav\Documents\My Web Sites
2015-02-09 22:54 - 2015-02-09 22:54 - 00000000 ____D () C:\Users\Incredible Saurav\Documents\IISExpress
2015-02-09 22:54 - 2015-02-09 22:54 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft Corporation
2015-02-09 22:54 - 2015-02-09 22:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft WebMatrix
2015-02-09 22:54 - 2015-02-09 22:54 - 00000000 ____D () C:\Program Files\Microsoft WebMatrix
2015-02-09 22:35 - 2015-02-10 00:29 - 00000000 ____D () C:\Program Files\IIS
2015-02-09 22:21 - 2015-02-09 22:21 - 00007605 _____ () C:\Users\Incredible Saurav\AppData\Local\Resmon.ResmonCfg
2015-02-09 22:06 - 2015-02-09 22:06 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
2015-02-09 22:06 - 2015-02-09 22:06 - 00000000 ____D () C:\Program Files\Microsoft SDKs
2015-02-09 22:00 - 2015-02-09 22:00 - 00116384 _____ (Microsoft Corporation) C:\Users\Incredible Saurav\Downloads\WebMatrixWeb.exe
2015-02-09 21:58 - 2015-02-09 21:58 - 00000117 _____ () C:\Windows\system32\netcfg-134188968.txt
2015-02-09 21:53 - 2015-02-09 21:53 - 00000117 _____ () C:\Windows\system32\netcfg-133885531.txt
2015-02-09 21:52 - 2015-02-09 21:52 - 00002104 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Web Platform Installer.lnk
2015-02-09 21:49 - 2015-02-09 21:49 - 00116384 _____ (Microsoft Corporation) C:\Users\Incredible Saurav\Downloads\WebMatrix.exe
2015-02-09 21:46 - 2015-02-09 21:46 - 00000117 _____ () C:\Windows\system32\netcfg-133480906.txt
2015-02-09 21:45 - 2015-02-09 21:45 - 00116384 _____ (Microsoft Corporation) C:\Users\Incredible Saurav\Desktop\WebMatrixWeb.exe
2015-02-09 21:15 - 2015-02-09 21:44 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\demoweb
2015-02-08 19:19 - 2015-02-09 19:29 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\Recovered data 02-08-2015 at 19_19_56
2015-02-08 15:08 - 2015-02-08 15:08 - 00000636 _____ () C:\Users\Public\Desktop\EaseUS Data Recovery Wizard 8.6.lnk
2015-02-08 14:12 - 2015-02-08 14:12 - 00000117 _____ () C:\Windows\system32\netcfg-19844296.txt
2015-02-08 14:08 - 2015-02-10 08:14 - 00000974 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3185081287-2641024247-1746883677-1001UA.job
2015-02-08 14:08 - 2015-02-09 14:48 - 00000922 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3185081287-2641024247-1746883677-1001Core.job
2015-02-08 14:01 - 2015-02-08 14:01 - 00000117 _____ () C:\Windows\system32\netcfg-19193250.txt
2015-02-08 12:33 - 2015-02-08 12:33 - 00000117 _____ () C:\Windows\system32\netcfg-13900203.txt
2015-02-08 12:30 - 2015-02-08 12:30 - 00000000 ____D () C:\Program Files\Intel
2015-02-08 12:30 - 2015-02-08 12:30 - 00000000 ____D () C:\Intel
2015-02-08 12:17 - 2015-02-08 12:17 - 00000117 _____ () C:\Windows\system32\netcfg-12924015.txt
2015-02-08 12:15 - 2015-02-08 12:15 - 00000117 _____ () C:\Windows\system32\netcfg-12819937.txt
2015-02-08 12:12 - 2015-02-08 12:12 - 00000117 _____ () C:\Windows\system32\netcfg-12623218.txt
2015-02-08 12:12 - 2015-02-08 12:12 - 00000117 _____ () C:\Windows\system32\netcfg-12620828.txt
2015-02-08 11:19 - 2015-02-08 11:19 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\skyrim
2015-02-08 11:19 - 2015-02-08 11:19 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\robocop
2015-02-08 10:23 - 2015-02-05 23:06 - 161705846 _____ () C:\Users\Incredible Saurav\AppData\Roaming\lssass.exe
2015-02-08 07:07 - 2015-02-08 07:07 - 00001131 _____ () C:\Windows\system32\netcfg-27625.txt
2015-02-08 06:37 - 2015-02-08 07:13 - 00000824 __RSH () C:\ProgramData\ntuser.pol
2015-02-08 06:16 - 2015-02-10 18:42 - 00318245 _____ () C:\Windows\WindowsUpdate.log
2015-02-08 06:11 - 2015-02-10 02:08 - 00000000 ____D () C:\Program Files\BSQL Hacker
2015-02-08 06:11 - 2015-02-08 06:11 - 01544807 _____ () C:\Users\Incredible Saurav\Desktop\BSQL Hacker.7z
2015-02-08 06:11 - 2015-02-08 06:11 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\BSQL Hacker
2015-02-08 06:11 - 2015-02-08 06:11 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BSQL Hacker
2015-02-08 05:37 - 2015-02-08 05:37 - 00000020 ___SH () C:\Users\.NET v4.5\ntuser.ini
2015-02-08 05:37 - 2015-02-08 05:37 - 00000020 ___SH () C:\Users\.NET v4.5 Classic\ntuser.ini
2015-02-08 05:37 - 2015-02-08 05:37 - 00000000 ____D () C:\Users\.NET v4.5 Classic
2015-02-08 05:37 - 2015-02-08 05:37 - 00000000 ____D () C:\Users\.NET v4.5
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\.NET v4.5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\.NET v4.5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\.NET v4.5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\.NET v4.5 Classic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\.NET v4.5 Classic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\.NET v4.5 Classic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ____D () C:\Users\.NET v4.5\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-02-08 05:37 - 2012-07-25 22:53 - 00000000 ____D () C:\Users\.NET v4.5 Classic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-02-07 00:31 - 2015-02-07 00:31 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Local\Adobe
2015-02-07 00:21 - 2015-02-07 00:21 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-02-07 00:21 - 2015-02-07 00:21 - 00001989 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-02-07 00:20 - 2015-02-07 00:20 - 00000000 ____D () C:\ProgramData\Adobe
2015-02-07 00:20 - 2015-02-07 00:20 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2015-02-07 00:20 - 2015-02-07 00:20 - 00000000 ____D () C:\Program Files\Adobe
2015-02-06 23:23 - 2015-02-06 23:23 - 00000007 _____ () C:\Users\Incredible Saurav\data.x.dat
2015-02-06 23:18 - 2015-02-08 14:08 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Local\Google
2015-02-06 23:18 - 2015-02-06 23:18 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-02-06 22:55 - 2015-02-10 06:55 - 00000552 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 7d595112-375b-4d8d-966d-9f8143fda49a.job
2015-02-06 22:55 - 2015-02-10 02:00 - 00000552 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 020e421f-e6f0-480b-9e33-c9dc6d647e9f.job
2015-02-06 22:55 - 2015-02-06 22:55 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\SUPERAntiSpyware.com
2015-02-06 22:53 - 2015-02-09 22:55 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-02-06 22:53 - 2015-02-06 22:53 - 00001965 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Professional.lnk
2015-02-06 22:53 - 2015-02-06 22:53 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-02-06 22:53 - 2015-02-06 22:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-02-06 22:48 - 2015-02-06 22:50 - 21194080 _____ (SUPERAntiSpyware) C:\Users\Incredible Saurav\Desktop\SUPERAntiSpywarePro.exe
2015-02-06 21:41 - 2015-02-06 21:41 - 00000020 ___SH () C:\Users\DefaultAppPool\ntuser.ini
2015-02-06 21:41 - 2015-02-06 21:41 - 00000000 ____D () C:\Users\DefaultAppPool
2015-02-06 21:41 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-02-06 21:41 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-06 21:41 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-02-06 21:41 - 2012-07-25 22:53 - 00000000 ____D () C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-02-06 21:33 - 2015-02-06 21:33 - 11298287 _____ () C:\Users\Incredible Saurav\Desktop\W3Schools Offline 2015 -ARSDK.zip
2015-02-06 20:56 - 2015-02-09 23:08 - 00119250 _____ () C:\Windows\iis.log
2015-02-06 20:56 - 2015-02-09 23:07 - 00000000 ____D () C:\inetpub
2015-02-06 20:33 - 2015-02-06 20:33 - 00000000 ____D () C:\dell
2015-02-06 20:32 - 2015-02-06 20:32 - 00000000 _RSHD () C:\Windows Activation Technologies
2015-02-06 20:31 - 2012-10-21 15:48 - 00092160 _____ (KJ inside) C:\Windows\system32\SLCHook.dll
2015-02-06 20:30 - 2015-02-06 20:30 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\K.J_130301
2015-02-06 20:27 - 2015-02-06 20:29 - 32146532 _____ () C:\Users\Incredible Saurav\Desktop\K.J_130301.7z
2015-02-06 20:01 - 2015-02-06 20:01 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2015-02-06 20:00 - 2015-02-06 20:00 - 24405809 _____ () C:\Users\Incredible Saurav\Documents\drive c_02-06-2015 at 20_00_06.rsf
2015-02-06 19:30 - 2015-02-06 23:17 - 00000000 ____D () C:\Program Files\WinRAR
2015-02-06 19:30 - 2015-02-06 19:30 - 01760216 _____ () C:\Users\Incredible Saurav\Desktop\wrar521b2.exe
2015-02-06 19:30 - 2015-02-06 19:30 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\WinRAR
2015-02-06 19:30 - 2015-02-06 19:30 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-06 19:30 - 2015-02-06 19:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-06 19:22 - 2015-02-06 19:22 - 00088995 _____ () C:\Users\Incredible Saurav\Desktop\Keygen.rar
2015-02-06 18:35 - 2015-02-06 18:35 - 00000117 _____ () C:\Windows\system32\netcfg-4527078.txt
2015-02-06 17:26 - 2015-02-08 15:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EaseUS Data Recovery Wizard 8.6
2015-02-06 17:23 - 2015-02-06 17:24 - 10759696 _____ (EaseUS ) C:\Users\Incredible Saurav\Desktop\drw_trial.exe
2015-02-06 17:22 - 2015-02-10 18:41 - 00889364 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-06 17:21 - 2015-02-10 00:29 - 00000000 ____D () C:\Users\Incredible Saurav
2015-02-06 17:21 - 2015-02-07 00:31 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Adobe
2015-02-06 17:21 - 2015-02-06 17:22 - 00000000 ____D () C:\ProgramData\PRICache
2015-02-06 17:21 - 2015-02-06 17:21 - 00001434 _____ () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-02-06 17:21 - 2015-02-06 17:21 - 00000117 _____ () C:\Windows\system32\netcfg-112750.txt
2015-02-06 17:21 - 2015-02-06 17:21 - 00000020 ___SH () C:\Users\Incredible Saurav\ntuser.ini
2015-02-06 17:21 - 2015-02-06 17:21 - 00000000 ____D () C:\Windows\CSC
2015-02-06 17:21 - 2015-02-06 17:21 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Local\VirtualStore
2015-02-06 17:21 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-02-06 17:21 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-06 17:21 - 2012-07-25 22:53 - 00000000 ___RD () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-02-06 17:21 - 2012-07-25 22:53 - 00000000 ____D () C:\Users\Incredible Saurav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-02-06 17:20 - 2015-02-06 17:20 - 00000000 __SHD () C:\Recovery
2015-02-06 17:18 - 2015-02-06 17:18 - 00001128 _____ () C:\Windows\system32\netcfg-79796.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00001127 _____ () C:\Windows\system32\netcfg-88625.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00001094 _____ () C:\Windows\system32\netcfg-96171.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000188 _____ () C:\Windows\system32\netcfg-89265.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000177 _____ () C:\Windows\system32\netcfg-77828.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000156 _____ () C:\Windows\system32\netcfg-74734.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000155 _____ () C:\Windows\system32\netcfg-95484.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000153 _____ () C:\Windows\system32\netcfg-77546.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000152 _____ () C:\Windows\system32\netcfg-77140.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000152 _____ () C:\Windows\system32\netcfg-76625.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000152 _____ () C:\Windows\system32\netcfg-74031.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000151 _____ () C:\Windows\system32\netcfg-76156.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000149 _____ () C:\Windows\system32\netcfg-76875.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000149 _____ () C:\Windows\system32\netcfg-75609.txt
2015-02-06 17:18 - 2015-02-06 17:18 - 00000142 _____ () C:\Windows\system32\netcfg-75031.txt
2015-02-06 17:17 - 2015-02-06 17:17 - 00000428 _____ () C:\Windows\PFRO.log
2015-02-06 17:15 - 2015-02-06 17:21 - 00000000 ____D () C:\Windows\Panther
2015-02-06 17:15 - 2015-02-06 17:15 - 00008192 __RSH () C:\BOOTSECT.BAK
2015-01-24 20:53 - 2015-02-06 21:35 - 00000000 ____D () C:\Users\Incredible Saurav\Desktop\W3Schools Offline 2015 -ARSDK
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-10 18:39 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-10 16:19 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\system32\sru
2015-02-10 04:49 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-02-10 03:11 - 2012-07-25 22:43 - 00000000 ____D () C:\Windows\CbsTemp
2015-02-09 23:08 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\Registration
2015-02-09 23:07 - 2012-07-25 22:04 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-09 23:07 - 2012-07-25 20:17 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-02-09 23:06 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\system32\inetsrv
2015-02-08 06:35 - 2012-07-25 22:53 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-02-06 20:55 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\system32\restore
2015-02-06 20:17 - 2012-07-25 22:03 - 00012858 _____ () C:\Windows\setupact.log
2015-02-06 17:21 - 2012-07-25 22:53 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2015-02-06 17:21 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\WinStore
2015-02-06 17:20 - 2012-07-25 22:53 - 00000000 ____D () C:\Windows\system32\Recovery
2015-02-06 17:18 - 2012-07-25 22:54 - 00001720 _____ () C:\Windows\DtcInstall.log
2015-02-06 17:15 - 2012-07-25 22:53 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
 
==================== Files in the root of some directories =======
 
2015-02-08 10:23 - 2015-02-05 23:06 - 161705846 _____ () C:\Users\Incredible Saurav\AppData\Roaming\lssass.exe
2015-02-09 22:21 - 2015-02-09 22:21 - 0007605 _____ () C:\Users\Incredible Saurav\AppData\Local\Resmon.ResmonCfg
 
Files to move or delete:
====================
C:\Users\Incredible Saurav\data.x.dat
C:\Users\Incredible Saurav\iis 8.EXE
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-06 17:17
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 08-02-2015
Ran by Incredible Saurav at 2015-02-10 18:50:36
Running from C:\Users\Incredible Saurav\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Reader X (10.1.2) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.2 - Adobe Systems Incorporated)
EaseUS Data Recovery Wizard 8.6 (HKLM\...\EaseUS Data Recovery Wizard 8.6_is1) (Version:  - EaseUS)
Google Chrome (HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\...\Google Chrome) (Version: 27.0.1425.2 - Google Inc.)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM\...\{FBA6F90E-36EC-4FC9-9B25-3834E3BD46A8}) (Version: 11.0.2316.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{CD920828-2B95-49A4-8BFD-1D34BCBF5A27}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Web Platform Installer 5.0 (HKLM\...\{1D39E015-C3D2-45DE-B070-A69C5F2FB309}) (Version: 5.0.50430.0 - Microsoft Corporation)
Microsoft WebMatrix 3 (HKLM\...\{4C1CB8FA-89A5-476A-89B6-C69BDC668A9F}) (Version: 2.0.1932 - Microsoft Corporation)
Notepad++ (HKLM\...\Notepad++) (Version: 6.7.4 - Notepad++ Team)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1170 - SUPERAntiSpyware.com)
WampServer 2.5 (HKLM\...\WampServer 2_is1) (Version:  - Hervé Leclerc (HeL))
WinRAR 5.21 beta 2 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.2 - win.rar GmbH)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{38216570-5DB1-45F8-A344-B0C4E252B14B}\InprocServer32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.7\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3185081287-2641024247-1746883677-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Incredible Saurav\AppData\Local\Google\Update\1.3.26.9\psuser.dll (Google Inc.)
 
==================== Restore Points  =========================
 
06-02-2015 20:55:58 Windows Modules Installer
08-02-2015 05:34:57 Windows Modules Installer
09-02-2015 21:52:03 Installed Microsoft Web Platform Installer 5.0
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2012-07-25 20:17 - 2015-02-10 03:33 - 00000906 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1       techbuzz
127.0.0.1       localhost
 
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {43786444-8FE6-4DE3-8388-F7AAE38D39FC} - System32\Tasks\SUPERAntiSpyware Scheduled Task 7d595112-375b-4d8d-966d-9f8143fda49a => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {56C33284-C254-4C41-A7B5-5240A08B8EE3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3185081287-2641024247-1746883677-1001Core => C:\Users\Incredible Saurav\AppData\Local\Google\Update\GoogleUpdate.exe [2015-02-08] (Google Inc.)
Task: {7998CDD4-57DB-426F-A476-75AD2D87DCD0} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\WatTask => C:\Windows Activation Technologies\wat.exe [2006-04-20] ()
Task: {7C85D4B5-EEB4-460E-91E6-EFA92E040A78} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3185081287-2641024247-1746883677-1001UA => C:\Users\Incredible Saurav\AppData\Local\Google\Update\GoogleUpdate.exe [2015-02-08] (Google Inc.)
Task: {DD8B9A78-23D8-47DB-B131-90FBA2158E4F} - System32\Tasks\SUPERAntiSpyware Scheduled Task 020e421f-e6f0-480b-9e33-c9dc6d647e9f => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {FC15B9D1-3D8F-4D80-8627-6BF8225BFF35} - System32\Tasks\{9B231EA6-C19E-4EF3-90B1-A2F4E79281F1} => pcalua.exe -a "E:\New folder\R302514.exe" -d "E:\New folder"
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3185081287-2641024247-1746883677-1001Core.job => C:\Users\Incredible Saurav\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3185081287-2641024247-1746883677-1001UA.job => C:\Users\Incredible Saurav\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 020e421f-e6f0-480b-9e33-c9dc6d647e9f.job => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 7d595112-375b-4d8d-966d-9f8143fda49a.job => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2015-02-10 03:32 - 2014-05-01 09:50 - 00217600 _____ () c:\wamp\bin\apache\apache2.4.9\bin\pcre.dll
2015-02-10 03:32 - 2014-05-01 09:50 - 00068608 _____ () c:\wamp\bin\apache\apache2.4.9\bin\zlib1.dll
2015-02-10 03:32 - 2014-05-01 09:50 - 00217600 _____ () C:\wamp\bin\apache\apache2.4.9\bin\pcre.dll
2015-02-10 03:32 - 2014-05-01 09:50 - 00068608 _____ () C:\wamp\bin\apache\apache2.4.9\bin\zlib1.dll
2015-02-10 03:32 - 2014-05-01 09:06 - 10959360 _____ () c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe
2014-01-29 23:12 - 2014-01-29 23:12 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2015-02-06 23:18 - 2013-02-28 11:56 - 00598992 _____ () C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\libglesv2.dll
2015-02-06 23:18 - 2013-02-28 11:56 - 00124368 _____ () C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\libegl.dll
2015-02-06 23:18 - 2013-02-28 11:57 - 04050896 _____ () C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\pdf.dll
2015-02-06 23:18 - 2013-02-28 11:57 - 00389584 _____ () C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\ppGoogleNaClPluginChrome.dll
2015-02-06 23:18 - 2013-02-28 11:56 - 01606096 _____ () C:\Users\Incredible Saurav\AppData\Local\Google\Chrome\Application\27.0.1425.2\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Registry Areas =====================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\Control Panel\Desktop\\Wallpaper -> D:\New folder\1st_rainmeter_wallpaper_by_monsterervin-d5kguz3.jpg
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\Run: => "Adobe ARM"
HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\...\StartupApproved\Run: => "Microsoft"
HKU\S-1-5-21-3185081287-2641024247-1746883677-1001\...\StartupApproved\Run: => "SUPERAntiSpyware"
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3185081287-2641024247-1746883677-500 - Administrator - Disabled)
Guest (S-1-5-21-3185081287-2641024247-1746883677-501 - Limited - Enabled)
Incredible Saurav (S-1-5-21-3185081287-2641024247-1746883677-1001 - Administrator - Enabled) => C:\Users\Incredible Saurav
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/10/2015 03:28:51 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> AH00112: Warning: DocumentRoot [C:/Apache24/docs/dummy-host.example.com] does not exist     .
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> AH00015: Unable to open logs     .
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> AH00451: no listening sockets available, shutting down     .
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> (OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address 0.0.0.0:80     .
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> (OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address [::]:80     .
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> AH00015: Unable to open logs     .
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> AH00451: no listening sockets available, shutting down     .
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> (OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address 0.0.0.0:80     .
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> (OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address [::]:80     .
 
Error: (02/10/2015 00:11:27 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service named  reported the following error:
>>> AH00015: Unable to open logs     .
 
 
System errors:
=============
Error: (02/10/2015 00:29:28 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The wampapache service terminated with the following service-specific error: 
%%1
 
Error: (02/10/2015 00:12:43 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The wampapache service terminated with the following service-specific error: 
%%1
 
Error: (02/10/2015 00:11:27 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The wampapache service terminated with the following service-specific error: 
%%1
 
Error: (02/10/2015 00:10:21 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The wampapache service terminated with the following service-specific error: 
%%1
 
Error: (02/10/2015 00:09:43 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The wampapache service terminated with the following service-specific error: 
%%1
 
Error: (02/09/2015 11:07:13 PM) (Source: FTPSVC) (EventID: 39) (User: )
Description: 
 
Error: (02/09/2015 11:07:11 PM) (Source: FTPSVC) (EventID: 39) (User: )
Description: 
 
Error: (02/09/2015 11:07:10 PM) (Source: APPHOSTSVC) (EventID: 9006) (User: )
Description: 
 
Error: (02/09/2015 11:07:10 PM) (Source: APPHOSTSVC) (EventID: 9000) (User: )
Description: 
 
Error: (02/06/2015 05:18:28 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error: 
%%21
 
 
Microsoft Office Sessions:
=========================
Error: (02/10/2015 03:28:51 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>AH00112: Warning: DocumentRoot [C:/Apache24/docs/dummy-host.example.com] does not exist
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>AH00015: Unable to open logs
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>AH00451: no listening sockets available, shutting down
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address 0.0.0.0:80
 
Error: (02/10/2015 00:29:28 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address [::]:80
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>AH00015: Unable to open logs
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>AH00451: no listening sockets available, shutting down
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address 0.0.0.0:80
 
Error: (02/10/2015 00:12:43 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>(OS 10013)An attempt was made to access a socket in a way forbidden by its access permissions.  : AH00072: make_sock: could not bind to address [::]:80
 
Error: (02/10/2015 00:11:27 AM) (Source: Apache Service) (EventID: 3299) (User: )
Description: The Apache service namedreported the following error:
>>>AH00015: Unable to open logs
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-2310M CPU @ 2.10GHz
Percentage of memory in use: 41%
Total physical RAM: 1950.27 MB
Available physical RAM: 1139.33 MB
Total Pagefile: 3934.27 MB
Available Pagefile: 2431.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1852.31 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:98.54 GB) (Free:83.31 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Hell Boy) (Fixed) (Total:195.43 GB) (Free:30.18 GB) NTFS
Drive e: () (Fixed) (Total:171.69 GB) (Free:122.97 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1BAF0215)
Partition 1: (Active) - (Size=98.5 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=195.4 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=171.7 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Edited by xXToffeeXx, 14 February 2015 - 08:45 AM.
Posted logs for ease~


#3 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand
  • Local time:01:26 PM

Posted 12 February 2015 - 10:46 AM

Hello saurav99990 and welcome to BleepingComputer! :)

My name is Sirawit and I'm here to help you.

Please note that I'm currently in training and my fixes need to be approved first; that may delay our fix a bit, but I will normally reply back within 24 hours.

If I don't reply after 2 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

 

i encountered with a file named
autoexec.bat....i saw the code....it was cd\
dir *.rar /b /s >> system.bin .....and there
was system.bin file which was eating my all
apps present in that drive

 

Where are autoexec.bat and system.bin located?

 

 

 

now..it is taking up my disk space....unknown
rar files are present there....of size 1 gb -2
gb.....and in all the rar files only keygen.exe
is present

 

You mean keygen.rar just appeared there and no one placed it?

Also, when did you start to have this problem? Did you do something before it happened?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#4 saurav99990
  • Topic Starter
  • Banned
  • 11 posts
  • Local time:10:26 PM

Posted 12 February 2015 - 04:49 PM

The files are located in the E: drive... and yes, an unknown .rar file automatically appears and has keygen.exe in it... no one placed it... I don't remember how it happened.

#5 saurav99990
  • Topic Starter
  • Banned
  • 11 posts
  • Local time:10:26 PM

Posted 13 February 2015 - 07:08 AM

Sorry... I forgot to mention one thing... many of the exe files in that drive are affected... whenever I run them, a command prompt opens and a message is there: program is too big to fit into memory.
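As an added illustration, not part of this thread and not a tool anyone here posted: the three symptoms reported so far, a root-level autoexec.bat that appends `dir *.rar /b /s >> system.bin`, a system.bin file sitting next to it, and .exe files that now fail with "program is too big to fit into memory", can be triaged offline with a small script before any cleanup tool is run. One common cause of that "too big" message is an .exe whose contents are no longer a valid PE image (Windows then tries to treat it as a DOS program), so the script checks each .exe for an MZ header whose e_lfanew field points at the "PE\0\0" signature, and it looks for the batch line and system.bin at the drive root. The sample drive root, its file names and contents are all constructed here for the demonstration; `triage_drive_root` and `is_valid_pe` are hypothetical helper names, and on a real machine you would point `triage_drive_root` at the root of D: or E:.

```python
import os
import re
import struct
import tempfile

# The batch line quoted in the thread: it appends a recursive listing of every
# .rar on the drive to system.bin. Case-insensitive, tolerant of extra spaces.
RAR_LISTING_RE = re.compile(r"dir\s+\*\.rar\s+/b\s+/s\s*>>\s*system\.bin", re.IGNORECASE)


def is_valid_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'.

    Empty, truncated or overwritten .exe files return False; such files are
    no longer loadable as Windows executables, whatever their extension says.
    """
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 60)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def triage_drive_root(root):
    """Inspect a drive root for the three symptoms described in the thread."""
    findings = {
        "autoexec_rar_listing": False,   # autoexec.bat contains the rar-listing line
        "system_bin_present": False,     # the redirect target exists
        "broken_exes": [],               # .exe files that are not valid PE images
    }
    autoexec = os.path.join(root, "autoexec.bat")
    if os.path.isfile(autoexec):
        with open(autoexec, "r", errors="replace") as f:
            findings["autoexec_rar_listing"] = bool(RAR_LISTING_RE.search(f.read()))
    findings["system_bin_present"] = os.path.isfile(os.path.join(root, "system.bin"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                full = os.path.join(dirpath, name)
                if not is_valid_pe(full):
                    findings["broken_exes"].append(
                        os.path.relpath(full, root).replace(os.sep, "/"))
    findings["broken_exes"].sort()
    return findings


def build_sample_root():
    """Constructed sample drive root (hypothetical data, not from the thread)."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "apps"))
    # Smallest header that passes is_valid_pe: MZ stub, e_lfanew = 64, PE signature.
    good_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20
    samples = {
        "autoexec.bat": b"cd\\\r\ndir *.rar /b /s >> system.bin\r\n",
        "system.bin": b"E:\\apps\\something.rar\r\n",
        "good.exe": good_pe,
        "truncated.exe": b"MZ" + b"\x00" * 10,            # header cut short
        os.path.join("apps", "overwritten.exe"): b"not a program " * 50,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for key, value in triage_drive_root(root).items():
        print(f"{key}: {value}")
```

The PE check is deliberately strict about the header only; it says nothing about whether a file is malicious, only whether Windows could load it as a native executable, which is the question the "too big to fit into memory" symptom raises. Files it flags are candidates for restoring from backup or reinstalling, not for running.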

#6 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand
  • Local time:01:26 PM

Posted 14 February 2015 - 11:24 PM

Hi saurav99990.

 

What is the path to that autoexec.bat?

 

Thank you.




#7 saurav99990
  • Topic Starter
  • Banned
  • 11 posts
  • Local time:10:26 PM

Posted 15 February 2015 - 04:13 AM

D:\ or E:\ ... whenever I see them, I delete them... I always see them in the root folder of the E and D drives.

#8 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand
  • Local time:01:26 PM

Posted 17 February 2015 - 12:12 AM

Hi saurav99990.

 

Important! If your D and E drives are removable, please connect them to your machine before proceeding.

 

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST.
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe, press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run from; please post it in your reply.

 

 

 

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the Scan tab.
  • Select Custom Scan, and click the 'Scan Now >>' button.
  • Select your D: and E: drive and then click the Start Scan button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

-------------------

After the fix has completed, please create a new FRST log for me.

 

Thank you.




#9 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,161 posts
  • Gender:Male
  • Location:Thailand
  • Local time:01:26 PM

Posted 20 February 2015 - 11:57 AM

It has been three days since my last reply. Are you still there?

 

Thank you.




#10 saurav99990
  • Topic Starter
  • Banned
  • 11 posts
  • Local time:10:26 PM

Posted 22 February 2015 - 04:24 PM

I threw my computer off the terrace. Leave it... close the topic.

Edited by saurav99990, 22 February 2015 - 04:29 PM.
