Possible Rootkit Infection, having difficulty removing


This topic is locked
8 replies to this topic

#1 Bluestrings

Posted 18 February 2015 - 05:10 AM

Working on this for a co-worker... and I'm led to believe there's a rootkit based on the info I've found in RogueKiller and my rather unsuccessful research on it or attempts to remove it.
Dell Inspiron 1018 Netbook

Windows 7 Starter with Service pack 1, 32 bit

1 GB of RAM

 

AVG Free and Spybot 2.0 have been disabled while using an updated Combofix, although Combofix was previously run before those programs were installed as this computer had a ton of infections that have since been removed.
 
I've tried using Malwarebytes Anti-Malware, Spybot Search and Destroy, AVG Free scan (including rootkit scan), RogueKiller, Combofix, TDSSKiller, BitDefender Rootkit Removal Tool, ESET PoweliksCleaner, and finally Malwarebytes Anti-Rootkit. I will include any desired logs from infections I have already removed, if desired.
 
-------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-02-2015
Ran by gary saleh (administrator) on HACKER on 18-02-2015 02:15:39
Running from C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\Log Generation
Loaded Profiles: gary saleh (Available profiles: gary saleh)
Platform: Microsoft Windows 7 Starter  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Stardock Corporation) C:\Program Files\Dell\DellDock\DockLogin.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe
(Symantec Corporation) C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\NST.exe
(Dell, Inc.) C:\Program Files\Dell\Dell Datasafe Online\NOBuAgent.exe
(SoftThinks SAS) C:\Program Files\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Symantec Corporation) C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\NST.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Oceanis) C:\Program Files\Oceanis\SystemSetting\WallPaperAgent.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
() C:\Program Files\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(SoftThinks - Dell) C:\Program Files\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Dell) C:\Program Files\Battery Meter\BTMeter.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Dell) C:\Program Files\WSED\WSED.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Symantec Corporation) C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\coNatHst.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Dropbox, Inc.) C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\Dropbox.exe
() C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\GMER\1qly6usq.exe
() C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\Anti Virus\Log Generation\FRST.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9288296 2010-06-14] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1725736 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [BTMeter] => C:\Program Files\Battery Meter\BTMeter.exe [632176 2010-06-02] (Dell)
HKLM\...\Run: [CapsLKNotify] => C:\Program Files\CapsLKNotify\CapsLKNotify.exe [320880 2009-06-09] (Compal Electronics, Inc)
HKLM\...\Run: [Dell DataSafe Online] => C:\Program Files\Dell\Dell Datasafe Online\NOBuClient.exe [927576 2010-08-25] (Dell, Inc.)
HKLM\...\Run: [WSED] => C:\Program Files\WSED\WSED.exe [247152 2010-06-07] (Dell)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-10-26] (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\gary saleh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\gary saleh\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2286267775-3561164608-4066395544-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2286267775-3561164608-4066395544-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {F02A9CE5-B3A6-4FE9-8DC6-8BB65ADB988F} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {F02A9CE5-B3A6-4FE9-8DC6-8BB65ADB988F} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> Comcast URL = http://search.xfinity.com/?cat=subweb&con=mmchrome&q={searchTerms}&cid=xfstart_tech_search
SearchScopes: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> {131B573A-C00D-82EC-098E-145BB127FA4F} URL = http://www.bing.com/search?q={searchTerms}&pc=Z037&form=ZGAIDF
SearchScopes: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> {645701DB-0A59-AE3F-8D62-BAA040AFB663} URL = http://www.bing.com/search?q={searchTerms}&pc=Z007&form=ZGAIDF
SearchScopes: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> {894E167C-E7E6-43BA-AB96-159AE534657C} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=IDSSLB&chn=retail&geo=US&ver=2014&locale=en_US&gct=sb&qsrc=2869
SearchScopes: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> {F02A9CE5-B3A6-4FE9-8DC6-8BB65ADB988F} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110313133528.dll (McAfee, Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO: Windows 7 Starter Helper -> {D381FF29-7CFB-4D4E-B92A-C4EDDC696614} -> C:\Program Files\Oceanis\SystemSetting\StarterHelper.dll (Oceanis)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> Norton Identity Safe Toolbar - {A13C2648-91D4-4BF3-BC6D-0079707C4389} - C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\coIEPlg.dll (Symantec Corporation)
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Winsock: Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1216156.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.7.8.23\coFFPlgn
FF Extension: Norton Identity Safe Toolbar - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.7.8.23\coFFPlgn [2015-02-17]
 
Chrome: 
=======
CHR Profile: C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-08]
CHR Extension: (Google Docs) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-08]
CHR Extension: (Google Drive) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-08]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-08]
CHR Extension: (YouTube) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-08]
CHR Extension: (Google Search) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-08]
CHR Extension: (Google Sheets) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-08]
CHR Extension: (Norton Identity Safe) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-02-08]
CHR Extension: (Skype Click to Call) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2015-02-08]
CHR Extension: (Google Wallet) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-08]
CHR Extension: (Norton Security Toolbar) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\nppllibpnmahfaklnpggkibhkapjkeob [2015-02-08]
CHR Extension: (Gmail) - C:\Users\gary saleh\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-08]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\Exts\Chrome.crx [2014-10-25]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
S3 GamesAppIntegrationService; C:\Program Files\WildTangent Games\App\GamesAppIntegrationService.exe [254016 2014-10-07] (WildTangent)
S3 GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe [16680 2010-12-13] (Citrix Online, a division of Citrix Systems, Inc.)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
R2 NCO; C:\Program Files\Norton Identity Safe\Engine\2014.7.8.23\NST.exe [130104 2014-09-20] (Symantec Corporation)
R2 NOBU; C:\Program Files\Dell\Dell Datasafe Online\NOBuAgent.exe [2075480 2010-08-25] (Dell, Inc.)
S3 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SftService; C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE [1692480 2011-08-18] (SoftThinks SAS)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208152 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [98584 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [200984 2014-10-10] (AVG Technologies CZ, s.r.o.)
R1 ccSet_NST; C:\Windows\system32\drivers\NST\7DE07080.017\ccSetx86.sys [127064 2013-09-27] (Symantec Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
R0 EMSC; C:\Windows\System32\DRIVERS\EMSC.SYS [13680 2009-06-26] (Windows ® Win 7 DDK provider)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
R3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
R3 RTL8192Ce; C:\Windows\System32\DRIVERS\rtl8192Ce.sys [853536 2010-06-10] (Realtek Semiconductor Corporation                           )
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
U3 catchme; \??\C:\Users\GARYSA~1\AppData\Local\Temp\catchme.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
U3 ufldipoc; \??\C:\Users\GARYSA~1\AppData\Local\Temp\ufldipoc.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-18 02:15 - 2015-02-18 02:15 - 00000000 ____D () C:\FRST
2015-02-17 11:54 - 2015-02-17 11:54 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\CrashDumps
2015-02-17 04:11 - 2015-02-17 11:48 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-02-17 04:09 - 2015-02-17 11:48 - 00000000 ____D () C:\Users\gary saleh\Desktop\mbar
2015-02-17 01:59 - 2015-01-22 20:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-17 01:59 - 2015-01-22 20:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-17 01:27 - 2015-02-17 01:27 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\Apple
2015-02-17 01:25 - 2015-01-08 19:48 - 00635904 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-17 01:25 - 2015-01-08 19:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-17 01:25 - 2015-01-08 19:48 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-12 02:48 - 2015-01-15 00:46 - 00136640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-12 02:48 - 2015-01-15 00:46 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-12 02:48 - 2015-01-15 00:43 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-12 02:48 - 2015-01-15 00:43 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-12 02:48 - 2015-01-15 00:42 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-12 02:48 - 2015-01-15 00:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-12 02:48 - 2015-01-15 00:42 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-12 02:48 - 2015-01-15 00:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-12 02:48 - 2015-01-15 00:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-12 02:48 - 2015-01-15 00:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-12 02:48 - 2015-01-15 00:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-12 02:48 - 2015-01-14 21:21 - 00369968 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-12 02:48 - 2015-01-08 18:45 - 02380288 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-12 02:46 - 2015-01-13 22:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-02-12 02:46 - 2015-01-13 22:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-12 02:45 - 2015-02-03 19:54 - 00482304 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-12 02:45 - 2015-02-03 19:53 - 00767488 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-12 02:45 - 2015-02-03 19:53 - 00621056 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-12 02:45 - 2015-02-03 19:53 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-12 02:45 - 2015-02-03 19:53 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-12 02:45 - 2015-02-03 19:53 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-02-12 02:45 - 2015-02-03 19:49 - 00886784 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-12 02:45 - 2015-01-27 16:36 - 01167520 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-02-12 02:45 - 2015-01-09 23:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-12 02:45 - 2015-01-09 23:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-12 02:45 - 2015-01-09 23:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-12 02:45 - 2015-01-09 23:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-12 02:45 - 2015-01-09 23:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-12 02:45 - 2015-01-09 23:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-12 02:45 - 2015-01-09 23:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-12 02:45 - 2014-11-25 20:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-12 02:44 - 2015-01-13 22:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-12 02:44 - 2015-01-11 19:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-12 02:44 - 2015-01-11 19:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-12 02:44 - 2015-01-11 19:21 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-12 02:44 - 2015-01-11 19:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-12 02:44 - 2015-01-11 19:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-12 02:44 - 2015-01-11 19:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-12 02:44 - 2015-01-11 19:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-12 02:44 - 2015-01-11 19:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-12 02:44 - 2015-01-11 18:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-12 02:44 - 2015-01-11 18:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-12 02:44 - 2015-01-11 18:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-12 02:44 - 2015-01-11 18:55 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-12 02:44 - 2015-01-11 18:48 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-12 02:44 - 2015-01-11 18:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-12 02:44 - 2015-01-11 18:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-12 02:44 - 2015-01-11 18:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-12 02:44 - 2015-01-11 18:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-12 02:44 - 2015-01-11 18:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-12 02:44 - 2015-01-11 18:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-12 02:44 - 2015-01-11 18:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-12 02:44 - 2015-01-11 18:23 - 00684544 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-12 02:44 - 2015-01-11 18:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-12 02:44 - 2015-01-11 18:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-12 02:44 - 2015-01-11 18:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-12 02:44 - 2015-01-11 17:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-12 02:44 - 2015-01-11 17:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-12 02:43 - 2015-01-11 19:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-12 02:43 - 2014-12-11 22:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-12 02:43 - 2014-07-06 18:40 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-02-12 02:43 - 2014-07-06 18:40 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-02-12 02:42 - 2014-12-07 19:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-12 02:33 - 2015-01-12 19:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-12 02:06 - 2014-12-11 10:47 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-02-12 02:04 - 2014-08-28 18:44 - 02744320 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2015-02-12 02:03 - 2014-09-04 18:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-09 10:51 - 2014-05-08 02:06 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2015-02-08 20:57 - 2015-02-08 20:57 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2015-02-08 20:55 - 2015-02-08 20:56 - 00145736 _____ () C:\Windows\Minidump\020815-46956-01.dmp
2015-02-08 20:55 - 2015-02-08 20:55 - 166690540 _____ () C:\Windows\MEMORY.DMP
2015-02-08 18:44 - 2015-02-08 18:44 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_point32_01011.Wdf
2015-02-08 18:44 - 2015-02-08 18:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse and Keyboard Center
2015-02-08 18:43 - 2015-02-08 18:43 - 00000000 ____D () C:\Program Files\Microsoft Mouse and Keyboard Center
2015-02-08 18:22 - 2015-02-08 18:22 - 00000000 ____D () C:\Windows\system32\x64
2015-02-08 18:20 - 2012-08-23 07:48 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2015-02-08 18:20 - 2012-08-23 07:44 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2015-02-08 18:20 - 2012-08-23 04:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2015-02-08 18:19 - 2015-02-08 18:19 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_dc3d_01011.Wdf
2015-02-08 18:01 - 2015-02-12 03:27 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-08 18:01 - 2015-02-12 03:10 - 113756392 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-02-08 17:59 - 2013-10-01 17:42 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2015-02-08 17:59 - 2013-10-01 17:32 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2015-02-08 17:59 - 2013-10-01 17:30 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2015-02-08 17:59 - 2013-10-01 17:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2015-02-08 17:59 - 2013-10-01 17:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2015-02-08 17:59 - 2013-10-01 16:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2015-02-08 17:59 - 2013-10-01 16:45 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2015-02-08 17:59 - 2013-10-01 16:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2015-02-08 17:59 - 2013-10-01 15:53 - 00350208 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2015-02-08 17:59 - 2013-10-01 15:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-02-08 17:57 - 2015-02-08 17:57 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_dc3d_01009.Wdf
2015-02-08 17:32 - 2015-02-08 17:32 - 00002010 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oceanis Change Background W7.lnk
2015-02-08 17:32 - 2015-02-08 17:32 - 00001998 _____ () C:\Users\Public\Desktop\Oceanis Change Background W7.lnk
2015-02-08 17:32 - 2015-02-08 17:32 - 00000000 ____D () C:\Program Files\Oceanis
2015-02-08 17:28 - 2015-02-08 17:28 - 00001266 _____ () C:\Users\gary saleh\Desktop\Windows Update.lnk
2015-02-08 17:23 - 2015-02-08 00:08 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts.20150208-172303.backup
2015-02-08 06:16 - 2015-02-08 06:16 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\SoftGrid Client
2015-02-08 06:01 - 2015-02-08 06:01 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\VirtualStore
2015-02-08 05:16 - 2015-02-08 05:16 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\AVG2015
2015-02-08 05:14 - 2015-02-08 05:14 - 00000937 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-02-08 05:14 - 2015-02-08 05:14 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\TuneUp Software
2015-02-08 05:14 - 2015-02-08 05:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-02-08 05:08 - 2015-02-08 05:15 - 00000000 ____D () C:\ProgramData\AVG2015
2015-02-08 05:08 - 2015-02-08 05:08 - 00000000 ____D () C:\$AVG
2015-02-08 05:06 - 2015-02-08 05:06 - 00000000 ____D () C:\Program Files\AVG
2015-02-08 05:05 - 2015-02-17 01:18 - 00000000 ____D () C:\ProgramData\MFAData
2015-02-08 05:05 - 2015-02-08 12:41 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\Avg2015
2015-02-08 05:05 - 2015-02-08 05:05 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\MFAData
2015-02-08 05:03 - 2015-02-08 05:04 - 00098488 _____ (pdfforge GmbH) C:\Windows\system32\pdfcmon.dll
2015-02-08 05:03 - 2015-02-08 05:04 - 00000000 ____D () C:\Program Files\PDFCreator
2015-02-08 05:03 - 2015-02-08 05:03 - 00000995 _____ () C:\Users\Public\Desktop\PDFCreator.lnk
2015-02-08 05:03 - 2015-02-08 05:03 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\pdfforge
2015-02-08 05:03 - 2015-02-08 05:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
2015-02-08 04:59 - 2015-02-08 04:59 - 00001190 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2015-02-08 04:59 - 2015-02-08 04:59 - 00001178 _____ () C:\Users\Public\Desktop\paint.net.lnk
2015-02-08 04:56 - 2015-02-08 04:58 - 00000000 ____D () C:\Program Files\paint.net
2015-02-08 04:54 - 2015-02-08 04:54 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\paint.net
2015-02-08 04:19 - 2015-02-08 05:01 - 00000000 ____D () C:\9d6a408571674003d28553277138
2015-02-08 04:18 - 2015-02-08 04:18 - 00001817 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2015-02-08 04:18 - 2015-02-08 04:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-02-08 04:18 - 2015-02-08 04:18 - 00000000 ____D () C:\Program Files\QuickTime
2015-02-08 04:17 - 2015-02-08 04:17 - 00001070 _____ () C:\Users\Public\Desktop\OpenOffice 4.1.1.lnk
2015-02-08 04:17 - 2015-02-08 04:17 - 00000000 ___SD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.1.1
2015-02-08 04:16 - 2015-02-08 04:16 - 00000000 ____D () C:\Program Files\OpenOffice 4
2015-02-08 04:11 - 2015-02-08 04:11 - 00001755 _____ () C:\Users\Public\Desktop\iTunes.lnk
2015-02-08 04:11 - 2015-02-08 04:11 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\Apple Computer
2015-02-08 04:11 - 2015-02-08 04:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-02-08 04:09 - 2015-02-08 04:11 - 00000000 ____D () C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2015-02-08 04:09 - 2015-02-08 04:11 - 00000000 ____D () C:\Program Files\iTunes
2015-02-08 04:09 - 2015-02-08 04:09 - 00000000 ____D () C:\Program Files\iPod
2015-02-08 04:01 - 2015-02-08 04:01 - 00001053 _____ () C:\Users\Public\Desktop\GIMP 2.lnk
2015-02-08 04:01 - 2015-02-08 04:01 - 00001053 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2015-02-08 03:56 - 2015-02-08 04:01 - 00000000 ____D () C:\Program Files\GIMP 2
2015-02-08 03:55 - 2015-02-08 03:55 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-02-08 03:55 - 2015-02-08 03:55 - 00001991 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2015-02-08 03:54 - 2015-02-08 03:54 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2015-02-08 03:47 - 2015-02-08 03:47 - 00002685 _____ () C:\Users\Public\Desktop\Skype.lnk
2015-02-08 03:47 - 2015-02-08 03:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-02-08 03:47 - 2015-02-08 03:47 - 00000000 ____D () C:\Program Files\Common Files\Skype
2015-02-08 03:46 - 2015-02-08 03:46 - 00001155 _____ () C:\Users\Public\Desktop\Media Player Classic.lnk
2015-02-08 03:46 - 2015-02-08 03:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\K-Lite Codec Pack
2015-02-08 03:46 - 2015-02-08 03:46 - 00000000 ____D () C:\Program Files\K-Lite Codec Pack
2015-02-08 03:46 - 2014-12-02 07:10 - 00218712 _____ () C:\Windows\system32\unrar.dll
2015-02-08 03:45 - 2015-02-08 03:45 - 00001030 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2015-02-08 03:45 - 2015-02-08 03:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-02-08 03:45 - 2015-02-08 03:45 - 00000000 ____D () C:\Program Files\VideoLAN
2015-02-08 03:44 - 2015-02-08 03:44 - 00000983 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2015-02-08 03:44 - 2015-02-08 03:44 - 00000971 _____ () C:\Users\Public\Desktop\Audacity.lnk
2015-02-08 03:44 - 2015-02-08 03:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CutePDF
2015-02-08 03:44 - 2015-02-08 03:44 - 00000000 ____D () C:\Program Files\Audacity
2015-02-08 03:44 - 2015-02-08 03:44 - 00000000 ____D () C:\Program Files\Acro Software
2015-02-08 03:44 - 2013-10-23 15:23 - 00089136 _____ () C:\Windows\system32\cpwmon2k.dll
2015-02-08 03:43 - 2015-02-08 03:44 - 00000000 ____D () C:\Program Files\GPLGS
2015-02-08 03:43 - 2015-02-08 03:43 - 00001829 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk
2015-02-08 03:43 - 2015-02-08 03:43 - 00001817 _____ () C:\Users\Public\Desktop\ImgBurn.lnk
2015-02-08 03:43 - 2015-02-08 03:43 - 00001171 _____ () C:\Users\Public\Desktop\FileZilla.lnk
2015-02-08 03:43 - 2015-02-08 03:43 - 00000999 _____ () C:\Users\Public\Desktop\WinRAR.lnk
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\Program Files\ImgBurn
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\Program Files\FileZilla FTP Client
2015-02-08 03:43 - 2015-02-08 03:43 - 00000000 ____D () C:\Program Files\7-Zip
2015-02-08 03:31 - 2015-02-08 03:31 - 00001599 _____ () C:\Users\gary saleh\Desktop\Team Viewer.lnk
2015-02-08 03:31 - 2015-02-08 03:31 - 00001188 _____ () C:\Users\gary saleh\Desktop\Wade Fix It - Shortcut.lnk
2015-02-08 03:30 - 2015-02-08 17:29 - 00000000 ____D () C:\Users\gary saleh\Downloads\Software
2015-02-08 03:23 - 2015-02-08 03:24 - 00000000 ____D () C:\Windows\system32\Adobe
2015-02-08 03:23 - 2015-02-08 03:23 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\Stardock_Corporation
2015-02-08 03:22 - 2015-02-08 03:21 - 00272808 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2015-02-08 03:21 - 2015-02-08 03:37 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-02-08 03:21 - 2015-02-08 03:21 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2015-02-08 03:21 - 2015-02-08 03:21 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2015-02-08 03:20 - 2015-02-08 03:53 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\Adobe
2015-02-08 03:20 - 2015-02-08 03:20 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Macromedia
2015-02-08 03:20 - 2015-02-08 03:20 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Macromedia
2015-02-08 03:20 - 2015-02-08 03:20 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR
2015-02-08 03:14 - 2015-02-08 03:14 - 00002166 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-08 03:14 - 2015-02-08 03:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-02-08 03:13 - 2015-02-18 01:18 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-08 03:13 - 2015-02-17 03:18 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-08 03:13 - 2015-02-08 03:15 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\Google
2015-02-08 03:05 - 2015-02-08 04:53 - 00064024 _____ () C:\Users\gary saleh\AppData\Local\GDIPFONTCACHEV1.DAT
2015-02-08 03:05 - 2015-02-08 03:05 - 00000000 __SHD () C:\Users\gary saleh\AppData\Local\EmieUserList
2015-02-08 03:05 - 2015-02-08 03:05 - 00000000 __SHD () C:\Users\gary saleh\AppData\Local\EmieSiteList
2015-02-08 03:05 - 2015-02-08 03:05 - 00000000 __SHD () C:\Users\gary saleh\AppData\Local\EmieBrowserModeList
2015-02-08 03:02 - 2015-02-08 03:02 - 00000000 ____D () C:\Users\gary saleh\AppData\Local\SoftThinks
2015-02-08 00:58 - 2015-02-17 02:29 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-08 00:58 - 2015-02-08 00:58 - 00002137 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-08 00:58 - 2015-02-08 00:58 - 00002125 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-02-08 00:58 - 2015-02-08 00:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-02-08 00:58 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-02-08 00:57 - 2015-02-08 01:04 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2015-02-08 00:29 - 2015-02-08 05:59 - 00002886 _____ () C:\Windows\PFRO.log
2015-02-08 00:28 - 2015-02-08 00:28 - 00000000 _____ () C:\Windows\system32\sho3B4B.tmp
2015-02-07 23:34 - 2011-06-25 23:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-02-07 23:34 - 2010-11-07 10:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-02-07 23:34 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-02-07 23:34 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-02-07 23:34 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-02-07 23:34 - 2000-08-30 17:00 - 00098816 _____ () C:\Windows\sed.exe
2015-02-07 23:34 - 2000-08-30 17:00 - 00080412 _____ () C:\Windows\grep.exe
2015-02-07 23:34 - 2000-08-30 17:00 - 00068096 _____ () C:\Windows\zip.exe
2015-02-07 23:33 - 2015-02-17 03:36 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-02-07 23:33 - 2015-02-17 03:11 - 00000000 ____D () C:\Qoobox
2015-02-07 23:33 - 2015-02-07 23:33 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-07 23:32 - 2015-02-08 00:10 - 00000000 ____D () C:\Windows\erdnt
2015-02-07 21:46 - 2015-02-17 01:33 - 00002911 _____ () C:\Windows\setupact.log
2015-02-07 21:46 - 2015-02-07 21:46 - 00000000 _____ () C:\Windows\setuperr.log
2015-02-07 21:35 - 2015-02-07 21:35 - 00000971 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-02-07 21:35 - 2015-02-07 21:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-02-07 21:35 - 2015-02-07 21:35 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-07 17:48 - 2015-02-07 17:48 - 00000000 _____ () C:\Windows\system32\shoBE8E.tmp
2015-02-07 15:32 - 2015-02-17 04:11 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-07 15:31 - 2015-02-07 15:31 - 00001066 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-07 15:31 - 2015-02-07 15:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-07 15:30 - 2015-02-17 04:09 - 00082648 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-07 15:30 - 2015-02-07 15:31 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-07 15:30 - 2015-02-07 15:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-07 15:30 - 2014-11-21 06:54 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-07 15:30 - 2014-11-21 06:53 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-02-07 15:17 - 2015-02-07 15:17 - 00000000 ____D () C:\Windows\pss
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-18 02:08 - 2014-10-21 11:19 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-18 01:18 - 2010-12-13 22:28 - 01916695 _____ () C:\Windows\WindowsUpdate.log
2015-02-17 23:51 - 2009-07-13 21:34 - 00016160 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-17 23:51 - 2009-07-13 21:34 - 00016160 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-17 06:09 - 2009-07-13 19:37 - 00000000 ____D () C:\Windows\rescache
2015-02-17 04:06 - 2014-10-19 15:34 - 00000000 ___RD () C:\Users\gary saleh\Dropbox
2015-02-17 04:06 - 2014-10-19 15:30 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\Dropbox
2015-02-17 03:02 - 2009-07-13 19:04 - 00000215 _____ () C:\Windows\system.ini
2015-02-17 01:38 - 2010-12-13 22:31 - 00000000 ____D () C:\Program Files\Dell DataSafe Local Backup
2015-02-17 01:37 - 2010-12-13 22:35 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2015-02-17 01:37 - 2010-12-13 22:35 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2015-02-17 01:34 - 2009-07-13 21:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-17 01:31 - 2009-07-13 19:37 - 00000000 ____D () C:\Windows\tracing
2015-02-17 01:03 - 2009-07-13 21:33 - 00287200 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-17 01:00 - 2014-12-17 03:55 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-17 01:00 - 2014-10-22 05:12 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-12 01:55 - 2014-10-19 15:34 - 00000996 _____ () C:\Users\gary saleh\Desktop\Dropbox.lnk
2015-02-12 01:55 - 2014-10-19 15:32 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-08 20:55 - 2011-11-03 12:52 - 00000000 ____D () C:\Windows\Minidump
2015-02-08 18:55 - 2009-07-13 19:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-02-08 17:34 - 2011-03-07 15:07 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\SoftGrid Client
2015-02-08 12:40 - 2014-11-22 12:36 - 00000000 ____D () C:\ProgramData\Browser
2015-02-08 06:28 - 2009-07-13 19:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-02-08 04:37 - 2010-06-24 02:47 - 00775270 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-08 04:09 - 2014-12-16 23:46 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-02-08 03:54 - 2010-06-24 02:50 - 00000000 ____D () C:\ProgramData\Adobe
2015-02-08 03:54 - 2010-06-24 02:50 - 00000000 ____D () C:\Program Files\Adobe
2015-02-08 03:47 - 2010-06-24 02:51 - 00000000 ___RD () C:\Program Files\Skype
2015-02-08 03:47 - 2010-06-24 02:51 - 00000000 ____D () C:\ProgramData\Skype
2015-02-08 03:43 - 2011-03-10 21:22 - 00000000 ____D () C:\Program Files\WinRAR
2015-02-08 03:35 - 2013-09-22 19:47 - 00000000 ____D () C:\ProgramData\Oracle
2015-02-08 03:35 - 2013-09-22 19:45 - 00000000 ____D () C:\Program Files\Java
2015-02-08 03:21 - 2013-09-22 19:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-02-08 03:20 - 2011-03-07 13:49 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\Adobe
2015-02-08 03:14 - 2014-10-19 15:23 - 00000000 ____D () C:\Program Files\Google
2015-02-08 02:54 - 2011-03-07 13:46 - 00002173 _____ () C:\Users\gary saleh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-02-08 00:16 - 2009-07-13 19:37 - 00000000 __RHD () C:\Users\Default
2015-02-08 00:16 - 2009-07-13 19:37 - 00000000 ___RD () C:\Users\Public
2015-02-07 21:38 - 2012-01-29 10:18 - 00000000 ____D () C:\Users\gary saleh\AppData\Roaming\Skype
2015-02-07 21:37 - 2010-06-24 03:22 - 00000000 ____D () C:\Windows\Panther
2015-02-07 17:11 - 2014-12-30 00:42 - 00000000 ____D () C:\Users\gary saleh\Documents\ProPCCleaner
2015-02-07 17:07 - 2014-12-30 00:33 - 00000000 ____D () C:\Program Files\StormWatch
2015-02-07 17:07 - 2014-11-21 11:31 - 00000000 ____D () C:\ProgramData\ovqwOVRk
2015-02-07 16:59 - 2014-11-22 12:48 - 00000000 ____D () C:\Program Files\speed browser
2015-02-07 16:57 - 2009-07-13 19:04 - 00000537 _____ () C:\Windows\win.ini
2015-02-07 15:27 - 2015-01-18 19:17 - 00001024 _____ () C:\.rnd
2015-02-06 00:08 - 2013-01-21 19:05 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-02-06 00:08 - 2013-01-21 19:05 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
 
Some content of TEMP:
====================
C:\Users\gary saleh\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5mc9y6.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-17 06:01
 

==================== End Of Log ============================ 
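The file listing above is what a helper reads by eye before writing a fixlist. As an added example (not code from the original post, from Bluestrings or from FRST), here is a small Python parser for FRST's file-listing line format with a few triage rules of the kind applied by hand; the sample lines are copied from the log above, and the rules are my own assumptions, a hit meaning "look closer", not "malicious".

```python
"""FRST file-listing triage (added example, not from the post or from FRST)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Shape of one FRST "Created/Modified Files and Folders" line:
#   <created> - <modified> - <size> <attrs> (<company>) <path>
# e.g. 2015-02-08 20:57 - 2015-02-08 20:57 - 00000258 __RSH () C:\ProgramData\ntuser.pol
# <attrs> is five flag positions ('_' = unset); letters seen in the log
# above include D (directory), H (hidden), S (system) and R (read-only).
# <company> is the version-info company name, empty when the file carries
# none; it is NOT a signature check. A company name containing ')' would
# break this regex; none occurs in the log above.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str      # five flag positions, '_' when unset
    company: str    # version-info company, '' when absent
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M"
    return Entry(
        created=datetime.strptime(m["created"], fmt),
        modified=datetime.strptime(m["modified"], fmt),
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"].strip(),
        path=m["path"],
    )


def parse_log(text: str) -> List[Entry]:
    """Parse every file-listing line in an FRST log; headers are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


BINARY_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")


def triage(entries: List[Entry]) -> List[str]:
    """Assumed triage rules (mine, not FRST's); each hit is 'reason: path'.

    A hit only means a file deserves a closer look: ComboFix, for example,
    legitimately drops unsigned helpers such as sed.exe into C:\\Windows.
    """
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        # Executable code under C:\Windows with no version-info company.
        if low.endswith(BINARY_EXT) and low.startswith("c:\\windows") and not e.company:
            hits.append(f"binary without version-info company: {e.path}")
        # Files (not folders) marked both hidden and system.
        if e.hidden and e.system:
            hits.append(f"hidden+system file: {e.path}")
        # Executable code sitting in a user's Temp folder.
        if "\\appdata\\local\\temp\\" in low and low.endswith(BINARY_EXT):
            hits.append(f"binary in user Temp: {e.path}")
    return hits


# Sample input: six lines copied from the FRST log above plus one header line.
SAMPLE_LOG = r"""2015-02-08 20:57 - 2015-02-08 20:57 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2015-02-08 18:01 - 2015-02-12 03:10 - 113756392 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-02-08 03:46 - 2014-12-02 07:10 - 00218712 _____ () C:\Windows\system32\unrar.dll
2015-02-07 23:34 - 2000-08-30 17:00 - 00098816 _____ () C:\Windows\sed.exe
2015-02-07 23:33 - 2015-02-17 03:11 - 00000000 ____D () C:\Qoobox
2015-02-07 15:30 - 2014-11-21 06:54 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
==================== One Month Modified Files and Folders =======
"""


def run_sample() -> List[str]:
    """Parse the sample and return its triage hits (3 for the lines above)."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```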

#2 Bluestrings

Bluestrings
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southern Arizona
  • Local time:08:01 PM

Posted 21 February 2015 - 03:54 AM

I think somehow I accidentally deleted logs without meaning to, after accidentally posting this topic multiple times.... kept getting an error message about the host being down and realized after the third attempt it was already up.

 

Whelp, without further ado, here are the logs.

 

Since TDSSkiller log is so large, I'll post it from my dropbox.

 

https://www.dropbox.com/s/y8dmrrkklfool5s/TDSSKiller.3.0.0.44_08.02.2015_21.08.21_log.txt?dl=0

 

I can provide the MBAM log if needed.

Attached Files



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 PM

Posted 22 February 2015 - 11:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I do not see anything wrong with the Tdsskiller log.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

() C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\GMER\1qly6usq.exe
() C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\Anti Virus\Log Generation\FRST.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2286267775-3561164608-4066395544-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
U3 catchme; \??\C:\Users\GARYSA~1\AppData\Local\Temp\catchme.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
U3 ufldipoc; \??\C:\Users\GARYSA~1\AppData\Local\Temp\ufldipoc.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

How is the computer running now?

#4 Bluestrings

Bluestrings
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southern Arizona
  • Local time:08:01 PM

Posted 22 February 2015 - 07:52 PM

Still pretty terrible. I cannot type in real time in Google Chrome's search box, loading up pages seems to take 30 seconds plus at times ... other times relatively fast, within 10 seconds and responds to typing well. Then at times it gets so bad that even the mouse cursor lags. If you still don't see anything wrong at this point, I think I'll just reinstall the OS just to be on the safe side of things. I can make a backup drive image in the event we wanted to go back to it as well... for further exploration into the problem if you're curious.

 

As an FYI (not important), Dell Local Datasafe backup gives a pop up message every time it restarts saying that it has stopped working. I also just got this message (again, not important per my google searches, simply providing this information as an FYI).

 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-02-2015
Ran by gary saleh at 2015-02-22 17:10:02 Run:1
Running from C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\Log Generation
Loaded Profiles: gary saleh (Available profiles: gary saleh)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

() C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\GMER\1qly6usq.exe
() C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\Anti Virus\Log Generation\FRST.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2286267775-3561164608-4066395544-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-2286267775-3561164608-4066395544-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
U3 catchme; \??\C:\Users\GARYSA~1\AppData\Local\Temp\catchme.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
U3 ufldipoc; \??\C:\Users\GARYSA~1\AppData\Local\Temp\ufldipoc.sys [X]

End
*****************

Processes closed successfully.
C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\GMER\1qly6usq.exe => No running process found
C:\Users\gary saleh\Downloads\Software\Wade Fix It\Anti Virus and Anti Spyware Apps\Anti Virus\Log Generation\FRST.exe => No running process found
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2286267775-3561164608-4066395544-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found. 
HKU\S-1-5-21-2286267775-3561164608-4066395544-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found. 
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
catchme => Service deleted successfully.
mbr => Service deleted successfully.
ufldipoc => Service deleted successfully.


The system needed a reboot. 

==== End of Fixlog 17:10:13 ====

Attached File  Fixlog.txt   2.91KB   0 downloads



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 PM

Posted 23 February 2015 - 09:50 AM

What I suggest first is that you remove Chrome and reinstall the application.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Reinstall Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

If that fails to clear the problem it might just be that you have a wrong version of the comctl32.dll file.

Please run the Farbar Recovery Scan Tool. Enter comctl32.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>

#6 Bluestrings

Bluestrings
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southern Arizona
  • Local time:08:01 PM

Posted 24 February 2015 - 04:27 AM

I moved the Chrome Users folder to the desktop, uninstalled Chrome, reinstalled. Problem still exists. 

 

Rather than search for that specific file you mentioned, I decided to go to the source to redownload it. Went to the link...

http://www.dell.com/support/contents/us/en/19/category/Product-Support/Self-support-Knowledgebase/software-and-downloads

 

Selected "Dell Datasafe Local". Downloaded the file on the right by selecting the hyperlink under step 1. Uninstalled the software, restarted the computer, ran the software from step 1 as previously mentioned. Once it gave me the green light for being eligible, I downloaded the main program. Installed that, restarted the computer again. 

 

Chrome seems to be running much better as well as the system in general. Still seems a bit slow, but maybe I'm just spoiled running my desktop and SSD. Unless you have any further suggestions, I think that's about it....



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 PM

Posted 24 February 2015 - 09:21 AM

Good work.

Run the computer for a few days and let me know if you have other issues.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 PM

Posted 02 March 2015 - 10:04 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:01 PM

Posted 08 March 2015 - 09:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

