
Accidently downloaded a virus!


This topic is locked
37 replies to this topic

#1 kaitlyn19

kaitlyn19

  • Members
  • 42 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 18 February 2015 - 08:30 AM

Hello and good morning, my bleeping computer. A few days ago I accidentally downloaded a virus. I clicked on the download button, instead of the download link. The download button was a virus; when I opened the file, it proceeded to download many unwanted programs to my computer. Some of the symptoms my computer is having are:

- File keeps popping up on my desktop named "Continue Live Installation"
- That same file opens on its own several times while I'm on the computer. I close it and do not continue with the installation
- Almost everything I click on makes ads pop up in new windows.
- There are ads all over websites that would normally not have ads (e.g. YouTube, Facebook)
- Computer is generally slower

 

 

Those are my problems. Things I have done so far are:

- Immediately uninstalled unwanted programs via Control Panel
- Ran Malwarebytes Anti-Malware and got rid of anything it found
- Ran RKill and JRT
- Ran HitmanPro and got rid of anything it found

 

After this I am still having all the problems listed above. I hope someone can help me out. Thanks!!

 




#2 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 20 February 2015 - 08:58 AM

Can anyone help me please? This is a work computer and I haven't been able to work all week now :(



#3 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:54 AM

Posted 20 February 2015 - 03:06 PM

Hello kaitlyn19 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

 

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
 

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

 

  • Please log on to the computer as an administrator. How do I log on to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks

---------------------------------------------------------------------------------------------------------

 

Please do the following.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Have a nice day.



Best regards
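As an added example that is not part of this thread and is not code from the FRST tool, the Python script below shows how a responder can pre-triage an FRST.txt log of the kind requested above before reading it line by line. It splits the log into its sections and flags entries that FRST itself marks with ATTENTION, entries whose file is missing ([X]) or zero-size, processes reported with no publisher, anything running from a user's AppData directory, and services started through rundll32. The sample log is constructed to follow the FRST layout; its individual entries are copied from the log posted later in this thread. The section names, regular expressions and reason strings are the script's own assumptions about the format, not an FRST specification, and a flag is a prompt for review, not a verdict.

```python
import re

# Constructed sample input in the layout of an FRST.txt log (section header,
# then one entry per line). The entries are copied from the FRST log posted in
# this thread; the sample as a whole is assembled here, not generated by FRST.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
S2 4261c3f1; "C:\windows\system32\rundll32.exe" "c:\Program Files (x86)\IncrementGeneration\IncrementGeneration.dll",serv

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
U3 at8cwfnu; C:\Windows\System32\Drivers\at8cwfnu.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
"""

# Assumed shapes of an FRST section header and of a "Processes" entry.
SECTION_RE = re.compile(r"^=+ (?P<name>.+?) \(Whitelisted\) =+$")
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>.+)$")
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32\.exe", re.IGNORECASE)
ZERO_SIZE_RE = re.compile(r"\[0 \]")


def split_sections(text):
    """Map each section name to its entry lines, skipping FRST's '(If ...' notes."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif current and line and not line.startswith("(If "):
            sections[current].append(line)
    return sections


def reasons_for(section, line):
    """Return the review prompts that apply to one log entry, in a fixed order."""
    reasons = []
    if "ATTENTION" in line:
        reasons.append("flagged by FRST (ATTENTION)")
    if line.endswith("[X]"):
        reasons.append("registered but file missing")
    if ZERO_SIZE_RE.search(line):
        reasons.append("zero-size file on disk")
    if USER_PROFILE_RE.search(line):
        reasons.append("runs from a user profile directory")
    if RUNDLL_RE.search(line):
        reasons.append("loads a DLL via rundll32")
    if section == "Processes":
        m = PROCESS_RE.match(line)
        if m and not m.group("publisher").strip():
            reasons.append("no publisher / unsigned")
    return reasons


def triage(text):
    """Return every flagged entry as {'section', 'line', 'reasons'}, in log order."""
    findings = []
    for section, lines in split_sections(text).items():
        for line in lines:
            reasons = reasons_for(section, line)
            if reasons:
                findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['line']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run as-is it reports five entries from the sample: the publisher-less executable under AppData\Roaming, the Chrome policy restriction, the service started via rundll32, the zero-size driver and the driver whose file is gone. Entries with a known publisher and a normal install path (the Microsoft Security Client lines, MpFilter) produce nothing, which is the point: the script reduces a long log to the handful of lines a helper would ask about first.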

 


 


#4 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 20 February 2015 - 03:43 PM

Thank you for helping me, Yılmaz. I will do as you say. After running Malwarebytes this morning and restarting my computer, it seems to be running a lot better. But let's proceed with the tests to make sure the virus or viruses aren't lingering around.

#5 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  • Local time:06:54 PM

Posted 20 February 2015 - 03:49 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-02-2015 01
Ran by Kaitlyn (administrator) on KAITLYNS-PC on 20-02-2015 15:43:48
Running from C:\Users\Kaitlyn\Desktop
Loaded Profiles: Kaitlyn (Available profiles: Kaitlyn & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
() C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\alg.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe
(DT Soft Ltd) C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(brother) C:\Program Files (x86)\Brownie\brpjp04a.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFIWmxSvcs64.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_305_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 7510 series\Bin\HPNetworkCommunicator.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [307768 2009-11-19] ()
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [505696 2009-11-06] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [913720 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [SmartFaceVWatcher] => C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-03-15] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [TWebCamera] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM-x32\...\Run: [BrStsWnd] => C:\Program Files (x86)\Brownie\BrstsW64.exe [3695928 2009-08-19] (brother)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1518664 2014-09-17] (Seagate Technology LLC)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\...\Run: [HP Photosmart 7510 series (NET)] => C:\Program Files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe [2676584 2011-06-08] (Hewlett-Packard Co.)
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files (x86)\DAEMON Tools Pro\DTAgent.exe [3111744 2012-04-26] (DT Soft Ltd)
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [127080 2014-09-17] (Seagate Technology LLC)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
SearchScopes: HKLM -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3838072084-2198307700-2964809338-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll (<TOSHIBA>)
Toolbar: HKU\S-1-5-21-3838072084-2198307700-2964809338-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {1D082E71-DF20-4AAF-863B-596428C49874} http://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: HKLM-x32 {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} http://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: HKLM-x32 {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} http://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} http://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - C:\Program Files (x86)\TurboTax 2013\ic2013pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Kaitlyn\AppData\Roaming\Mozilla\Firefox\Profiles\bdicloww.default
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @oberon-media.com/ONCAdapter -> C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @protectdisc.com/NPMPDRM -> C:\Program Files (x86)\Common Files\mpDRM\NPMPDRM.dll ( )
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\6\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3838072084-2198307700-2964809338-1000: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Extension: Firefox Old Version Update Hotfix - C:\Users\Kaitlyn\AppData\Roaming\Mozilla\Firefox\Profiles\bdicloww.default\Extensions\firefox-hotfix@mozilla.org.xpi [2014-08-01]
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (ProxFlow) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aakchaleigkohafkfjfjbblobjifikek [2014-07-15]
CHR Extension: (Docs) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-16]
CHR Extension: (Google Drive) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-16]
CHR Extension: (YouTube) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-12-16]
CHR Extension: (Google Search) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-12-16]
CHR Extension: (Google Wallet) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-16]
CHR Extension: (Gmail) - C:\Users\Kaitlyn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-12-16]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2015-02-17] (SurfRight B.V.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1910128 2015-02-14] (Electronic Arts)
R2 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-09-17] (Seagate Technology LLC)
R2 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [157776 2014-09-17] (Seagate Technology LLC)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 4261c3f1; "C:\windows\system32\rundll32.exe" "c:\Program Files (x86)\IncrementGeneration\IncrementGeneration.dll",serv

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2014-08-22] (DT Soft Ltd)
S3 HTCAND64; C:\Windows\System32\Drivers\ANDROIDUSB.sys [33736 2009-11-02] (HTC, Corporation) [File not signed]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [74240 2011-02-16] (Research In Motion Limited)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-08-30] (Duplex Secure Ltd.)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [51712 2010-09-28] (Apple, Inc.) [File not signed]
U3 at8cwfnu; C:\Windows\System32\Drivers\at8cwfnu.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 massfilter; system32\drivers\massfilter.sys [X]
S1 MpKslc8e50077; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys [X]
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [X]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [X]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-20 15:43 - 2015-02-20 15:44 - 00021060 _____ () C:\Users\Kaitlyn\Desktop\FRST.txt
2015-02-20 15:43 - 2015-02-20 15:43 - 02086912 _____ (Farbar) C:\Users\Kaitlyn\Desktop\FRST64.exe
2015-02-20 14:01 - 2015-02-20 14:01 - 00046401 _____ () C:\Users\Kaitlyn\Documents\Addition.txt
2015-02-20 13:58 - 2015-02-20 15:43 - 00000000 ____D () C:\FRST
2015-02-20 13:58 - 2015-02-20 14:01 - 00047898 _____ () C:\Users\Kaitlyn\Documents\FRST.txt
2015-02-20 13:57 - 2015-02-20 13:57 - 02086912 _____ (Farbar) C:\Users\Kaitlyn\Documents\FRST64.exe
2015-02-20 13:54 - 2015-02-20 13:54 - 00013932 _____ () C:\Users\Kaitlyn\Documents\fixlist.txt
2015-02-20 13:48 - 2015-02-20 13:48 - 05611903 _____ (Swearware) C:\Users\Kaitlyn\Documents\ComboFix.exe
2015-02-20 13:45 - 2015-02-20 13:45 - 02126848 _____ () C:\Users\Kaitlyn\Documents\AdwCleaner.exe
2015-02-20 13:43 - 2015-02-20 13:43 - 01388274 _____ (Thisisu) C:\Users\Kaitlyn\Documents\JRT.exe
2015-02-18 13:59 - 2015-02-18 13:59 - 00000000 _____ () C:\autoexec.bat
2015-02-18 13:58 - 2015-02-18 13:59 - 06824304 _____ (ParetoLogic, Inc.) C:\Users\Kaitlyn\Documents\RegCureProSetup.exe
2015-02-18 13:15 - 2015-02-18 13:15 - 598867038 _____ () C:\windows\MEMORY.DMP
2015-02-18 13:15 - 2015-02-18 13:15 - 00275104 _____ () C:\windows\Minidump\021815-30295-01.dmp
2015-02-18 13:14 - 2015-02-18 13:14 - 00076692 _____ () C:\Users\Kaitlyn\Documents\HitmanPro_20150218_1314.log
2015-02-17 14:13 - 2015-02-18 13:12 - 00001058 _____ () C:\windows\system32\.crusader
2015-02-17 13:48 - 2015-02-17 13:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-02-17 13:48 - 2015-02-17 13:48 - 00000000 ____D () C:\Program Files\HitmanPro
2015-02-17 13:46 - 2015-02-17 13:47 - 10995632 _____ (SurfRight B.V.) C:\Users\Kaitlyn\Downloads\HitmanPro_x64.exe
2015-02-17 12:27 - 2015-02-20 14:15 - 00000000 ____D () C:\AdwCleaner
2015-02-15 13:54 - 2015-02-15 13:54 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\DOSBox
2015-02-15 13:37 - 2015-02-15 13:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Theme Hospital
2015-02-15 12:15 - 2015-02-15 12:16 - 00000000 ____D () C:\Users\Kaitlyn\Desktop\Nintendo64
2015-02-14 22:01 - 2015-02-14 22:01 - 00036100 _____ () C:\ComboFix.txt
2015-02-14 21:28 - 2011-06-26 01:45 - 00256000 _____ () C:\windows\PEV.exe
2015-02-14 21:28 - 2010-11-07 12:20 - 00208896 _____ () C:\windows\MBR.exe
2015-02-14 21:28 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\windows\NIRCMD.exe
2015-02-14 21:28 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\windows\SWREG.exe
2015-02-14 21:28 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\windows\SWSC.exe
2015-02-14 21:28 - 2000-08-30 19:00 - 00098816 _____ () C:\windows\sed.exe
2015-02-14 21:28 - 2000-08-30 19:00 - 00080412 _____ () C:\windows\grep.exe
2015-02-14 21:28 - 2000-08-30 19:00 - 00068096 _____ () C:\windows\zip.exe
2015-02-14 21:26 - 2015-02-14 22:01 - 00000000 ____D () C:\Qoobox
2015-02-14 21:23 - 2015-02-14 21:58 - 00000000 ____D () C:\windows\erdnt
2015-02-14 21:22 - 2015-02-14 21:22 - 05611771 ____R (Swearware) C:\Users\Kaitlyn\Downloads\ComboFix.exe
2015-02-14 20:19 - 2015-02-17 14:13 - 00000000 ____D () C:\Program Files (x86)\SEO Website Analysis
2015-02-14 20:17 - 2015-02-17 14:13 - 00000000 ____D () C:\ProgramData\{93912aaf-8b08-3ac9-9391-12aaf8b0aabe}
2015-02-14 20:16 - 2015-02-17 14:13 - 00000000 ____D () C:\ProgramData\{ce87c3e7-245d-c064-ce87-7c3e72450f9c}
2015-02-14 19:55 - 2015-02-14 19:55 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\Opera Software
2015-02-14 19:55 - 2015-02-14 19:55 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\Opera Software
2015-02-14 19:54 - 2015-02-14 20:07 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-02-14 19:53 - 2015-02-14 20:08 - 00000000 ____D () C:\Program Files (x86)\GoPcPro
2015-02-14 19:53 - 2015-02-14 19:53 - 00003280 _____ () C:\windows\System32\Tasks\GlobalUpdate-ywy0y2jxzmtibth
2015-02-14 19:53 - 2015-02-14 19:53 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth
2015-02-14 19:52 - 2015-02-14 19:52 - 00000000 ____D () C:\ProgramData\SearchModulePlus
2015-02-14 19:51 - 2015-02-20 15:35 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\E058D61B-1423943482-DF11-831F-00266C4F9986
2015-02-14 19:46 - 2015-02-14 19:46 - 00003572 _____ () C:\windows\System32\Tasks\OQTSX
2015-02-14 19:45 - 2015-02-14 19:45 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\Zeoinsight
2015-02-14 19:45 - 2015-02-14 19:45 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\ZBAnalyticsCore
2015-02-14 19:45 - 2015-02-07 21:45 - 00364024 _____ (Over the Rainbow Tech) C:\windows\system32\ColorMedia64.dll
2015-02-14 19:33 - 2015-02-14 19:37 - 00000000 ____D () C:\Program Files (x86)\Project64 1.6
2015-02-14 19:33 - 2015-02-14 19:33 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\project64 1.6
2015-02-12 10:32 - 2015-01-22 23:42 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2015-02-12 10:32 - 2015-01-22 23:41 - 06041600 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2015-02-12 10:32 - 2015-01-22 22:43 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2015-02-12 10:32 - 2015-01-22 22:17 - 04300800 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2015-02-11 08:44 - 2015-02-03 22:16 - 00894976 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2015-02-11 08:44 - 2015-02-03 22:16 - 00762368 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2015-02-11 08:44 - 2015-02-03 22:16 - 00609280 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2015-02-11 08:44 - 2015-02-03 22:16 - 00414720 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2015-02-11 08:44 - 2015-02-03 22:16 - 00227328 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2015-02-11 08:44 - 2015-02-03 22:16 - 00192000 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2015-02-11 08:44 - 2015-02-03 22:13 - 01098752 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2015-02-11 08:44 - 2015-01-27 18:36 - 01239720 _____ (Microsoft Corporation) C:\windows\system32\aitstatic.exe
2015-02-11 08:44 - 2015-01-10 01:48 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2015-02-11 08:44 - 2015-01-10 01:48 - 00341504 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2015-02-11 08:44 - 2015-01-10 01:48 - 00314880 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2015-02-11 08:44 - 2015-01-10 01:48 - 00309760 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2015-02-11 08:44 - 2015-01-10 01:48 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2015-02-11 08:44 - 2015-01-10 01:48 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2015-02-11 08:44 - 2015-01-10 01:48 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00259584 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00221184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2015-02-11 08:44 - 2015-01-10 01:27 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2015-02-11 08:43 - 2015-01-14 00:47 - 00389808 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2015-02-11 08:43 - 2015-01-14 00:09 - 00342712 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2015-02-11 08:43 - 2015-01-11 22:05 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2015-02-11 08:43 - 2015-01-11 22:05 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2015-02-11 08:43 - 2015-01-11 21:49 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2015-02-11 08:43 - 2015-01-11 21:48 - 02885632 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2015-02-11 08:43 - 2015-01-11 21:48 - 00584192 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2015-02-11 08:43 - 2015-01-11 21:48 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2015-02-11 08:43 - 2015-01-11 21:47 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2015-02-11 08:43 - 2015-01-11 21:40 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2015-02-11 08:43 - 2015-01-11 21:39 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2015-02-11 08:43 - 2015-01-11 21:36 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2015-02-11 08:43 - 2015-01-11 21:34 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2015-02-11 08:43 - 2015-01-11 21:34 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2015-02-11 08:43 - 2015-01-11 21:25 - 19740160 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2015-02-11 08:43 - 2015-01-11 21:25 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2015-02-11 08:43 - 2015-01-11 21:21 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2015-02-11 08:43 - 2015-01-11 21:21 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2015-02-11 08:43 - 2015-01-11 21:13 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 08:43 - 2015-01-11 21:08 - 00503296 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2015-02-11 08:43 - 2015-01-11 21:08 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2015-02-11 08:43 - 2015-01-11 21:07 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2015-02-11 08:43 - 2015-01-11 21:07 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2015-02-11 08:43 - 2015-01-11 21:07 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2015-02-11 08:43 - 2015-01-11 21:05 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2015-02-11 08:43 - 2015-01-11 21:04 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2015-02-11 08:43 - 2015-01-11 21:02 - 02277888 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2015-02-11 08:43 - 2015-01-11 21:00 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2015-02-11 08:43 - 2015-01-11 20:59 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2015-02-11 08:43 - 2015-01-11 20:57 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2015-02-11 08:43 - 2015-01-11 20:55 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2015-02-11 08:43 - 2015-01-11 20:48 - 00801280 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2015-02-11 08:43 - 2015-01-11 20:48 - 00718848 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2015-02-11 08:43 - 2015-01-11 20:46 - 02125824 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2015-02-11 08:43 - 2015-01-11 20:46 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2015-02-11 08:43 - 2015-01-11 20:45 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2015-02-11 08:43 - 2015-01-11 20:43 - 14401024 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2015-02-11 08:43 - 2015-01-11 20:40 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-02-11 08:43 - 2015-01-11 20:36 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2015-02-11 08:43 - 2015-01-11 20:35 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2015-02-11 08:43 - 2015-01-11 20:33 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2015-02-11 08:43 - 2015-01-11 20:27 - 02358272 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2015-02-11 08:43 - 2015-01-11 20:23 - 02052608 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2015-02-11 08:43 - 2015-01-11 20:23 - 00688640 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2015-02-11 08:43 - 2015-01-11 20:22 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2015-02-11 08:43 - 2015-01-11 20:14 - 12829184 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2015-02-11 08:43 - 2015-01-11 20:14 - 01548288 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2015-02-11 08:43 - 2015-01-11 20:02 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2015-02-11 08:43 - 2015-01-11 20:00 - 01888256 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2015-02-11 08:43 - 2015-01-11 19:56 - 01307136 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2015-02-11 08:43 - 2015-01-11 19:55 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2015-02-11 08:42 - 2015-01-11 22:09 - 25056256 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2015-02-11 08:40 - 2015-01-15 03:14 - 00155072 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2015-02-11 08:40 - 2015-01-15 03:14 - 00095680 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2015-02-11 08:40 - 2015-01-15 03:09 - 01461760 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2015-02-11 08:40 - 2015-01-15 03:09 - 00136192 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2015-02-11 08:40 - 2015-01-15 03:09 - 00031232 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2015-02-11 08:40 - 2015-01-15 03:09 - 00029184 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2015-02-11 08:40 - 2015-01-15 03:09 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2015-02-11 08:40 - 2015-01-15 03:08 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2015-02-11 08:40 - 2015-01-15 03:06 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2015-02-11 08:40 - 2015-01-15 03:06 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2015-02-11 08:40 - 2015-01-15 03:04 - 00686080 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2015-02-11 08:40 - 2015-01-15 02:42 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2015-02-11 08:40 - 2015-01-15 02:42 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2015-02-11 08:40 - 2015-01-15 02:41 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2015-02-11 08:40 - 2015-01-15 02:39 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2015-02-11 08:40 - 2015-01-15 02:39 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2015-02-11 08:40 - 2015-01-15 02:37 - 00686080 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2015-02-11 08:40 - 2015-01-14 23:22 - 00458824 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2015-02-11 08:40 - 2015-01-12 22:10 - 01424384 _____ (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
2015-02-11 08:40 - 2015-01-12 21:49 - 01230336 _____ (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
2015-02-11 08:39 - 2014-12-12 00:31 - 01480192 _____ (Microsoft Corporation) C:\windows\system32\crypt32.dll
2015-02-11 08:39 - 2014-12-12 00:07 - 01174528 _____ (Microsoft Corporation) C:\windows\SysWOW64\crypt32.dll
2015-02-11 08:39 - 2014-11-25 22:53 - 00861696 _____ (Microsoft Corporation) C:\windows\system32\oleaut32.dll
2015-02-11 08:39 - 2014-11-25 22:32 - 00571904 _____ (Microsoft Corporation) C:\windows\SysWOW64\oleaut32.dll
2015-02-11 08:38 - 2015-01-14 01:09 - 05554112 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-02-11 08:38 - 2014-12-07 22:09 - 00406528 _____ (Microsoft Corporation) C:\windows\system32\scesrv.dll
2015-02-11 08:38 - 2014-12-07 21:46 - 00308224 _____ (Microsoft Corporation) C:\windows\SysWOW64\scesrv.dll
2015-02-11 08:37 - 2015-01-14 01:05 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-02-11 08:37 - 2015-01-14 01:05 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-02-11 08:37 - 2015-01-14 01:04 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-02-11 08:37 - 2015-01-14 00:44 - 03972544 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-02-11 08:37 - 2015-01-14 00:44 - 03917760 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-02-11 08:37 - 2015-01-14 00:41 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-02-11 08:36 - 2015-01-08 21:03 - 03201536 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-20 15:44 - 2010-06-04 14:27 - 01848665 _____ () C:\windows\WindowsUpdate.log
2015-02-20 15:37 - 2012-02-21 10:25 - 00000345 _____ () C:\windows\Brownie.ini
2015-02-20 15:36 - 2010-09-06 01:17 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-20 15:36 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-02-20 15:36 - 2009-07-13 23:51 - 00245857 _____ () C:\windows\setupact.log
2015-02-20 15:35 - 2010-06-04 14:56 - 03785092 _____ () C:\windows\PFRO.log
2015-02-20 15:35 - 2010-03-23 01:57 - 00000000 ____D () C:\windows\Panther
2015-02-20 15:21 - 2013-10-31 10:49 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-02-20 15:13 - 2012-03-15 17:14 - 00000328 _____ () C:\windows\Tasks\HP Photo Creations Communicator.job
2015-02-20 15:04 - 2010-09-06 01:17 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-20 14:39 - 2009-07-13 23:45 - 00019248 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-20 14:39 - 2009-07-13 23:45 - 00019248 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-20 14:23 - 2014-07-01 07:20 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-20 13:46 - 2014-11-14 09:43 - 00205827 _____ () C:\Users\Kaitlyn\Downloads\SirimodernII.zip
2015-02-19 08:40 - 2011-07-13 07:28 - 00000000 ____D () C:\ProgramData\Origin
2015-02-19 08:39 - 2011-07-13 07:27 - 00000000 ____D () C:\Program Files (x86)\Origin
2015-02-18 13:15 - 2011-02-04 20:42 - 00000000 ____D () C:\windows\Minidump
2015-02-17 15:17 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\NDF
2015-02-17 14:13 - 2013-10-24 07:58 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-02-17 13:46 - 2012-10-15 14:30 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-17 12:31 - 2014-06-06 11:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Online Weather
2015-02-17 12:31 - 2010-08-31 22:58 - 00000000 ____D () C:\Users\Kaitlyn
2015-02-17 09:00 - 2009-07-14 00:13 - 00788704 _____ () C:\windows\system32\PerfStringBackup.INI
2015-02-15 13:37 - 2009-07-14 00:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-02-15 13:34 - 2011-07-13 07:28 - 00000000 ____D () C:\Program Files (x86)\Origin Games
2015-02-15 12:47 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\Branding
2015-02-14 21:56 - 2009-07-13 21:34 - 00000215 _____ () C:\windows\system.ini
2015-02-14 20:08 - 2013-10-25 10:16 - 00001134 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-02-14 20:08 - 2010-08-31 23:00 - 00001440 _____ () C:\Users\Kaitlyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-02-14 20:05 - 2010-11-29 21:47 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\Adobe
2015-02-14 19:54 - 2009-07-13 22:20 - 00000000 ____D () C:\Program Files\Common Files\System
2015-02-14 19:53 - 2014-08-18 10:03 - 00000000 ____D () C:\ProgramData\PogoDGC
2015-02-14 19:53 - 2014-08-18 10:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pogo Games
2015-02-13 20:30 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2015-02-11 17:28 - 2009-07-13 23:45 - 00422656 _____ () C:\windows\system32\FNTCACHE.DAT
2015-02-11 17:24 - 2014-12-11 08:46 - 00000000 ____D () C:\windows\system32\appraiser
2015-02-11 17:24 - 2014-05-06 15:10 - 00000000 ___SD () C:\windows\system32\CompatTel
2015-02-11 16:26 - 2010-06-04 15:02 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-11 16:24 - 2011-05-03 10:21 - 00001945 _____ () C:\windows\epplauncher.mif
2015-02-11 16:24 - 2011-05-03 10:20 - 00002128 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-02-11 16:23 - 2013-07-23 15:16 - 00000000 ____D () C:\windows\system32\MRT
2015-02-11 16:23 - 2012-04-25 09:40 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2015-02-11 16:23 - 2011-05-03 10:20 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-02-11 16:10 - 2010-09-15 12:18 - 116773704 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-02-10 15:42 - 2011-01-15 20:20 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\uTorrent
2015-02-05 12:21 - 2013-10-31 10:49 - 00701616 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 12:21 - 2013-10-31 10:49 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-05 12:21 - 2013-10-31 10:49 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2015-01-31 19:29 - 2011-04-22 12:23 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\PokerStars
2015-01-24 18:27 - 2010-12-21 16:37 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
2015-01-23 09:01 - 2015-01-09 09:46 - 00000217 _____ () C:\Users\Kaitlyn\Documents\Passwords.txt
2015-01-23 08:26 - 2013-10-25 09:37 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-23 08:18 - 2014-10-16 11:13 - 00098216 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2015-01-23 08:17 - 2014-10-16 11:12 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-22 13:29 - 2014-12-29 18:26 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\PortForward.com
2015-01-22 13:29 - 2014-09-05 14:33 - 00000233 _____ () C:\Users\Kaitlyn\BullseyeCoverageError.txt
2015-01-22 13:29 - 2013-11-29 12:31 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Local\Unity
2015-01-22 11:22 - 2014-07-01 07:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-22 11:22 - 2014-07-01 07:18 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

==================== Files in the root of some directories =======

2012-10-15 14:28 - 2012-10-15 14:28 - 0099384 _____ () C:\Users\Kaitlyn\AppData\Roaming\inst.exe
2012-10-29 12:28 - 2012-10-29 12:28 - 0154283 ____H () C:\Users\Kaitlyn\AppData\Roaming\Kaitlynv1.18.0 - Trial version.dll
2005-04-07 21:16 - 2012-11-14 16:43 - 0347214 ____H () C:\Users\Kaitlyn\AppData\Roaming\Kaitlynv1.18.0 - Trial versionlog.dat
2011-07-10 14:51 - 2011-07-10 20:01 - 0000011 _____ () C:\Users\Kaitlyn\AppData\Roaming\log.txt
2012-10-15 14:28 - 2012-10-15 14:28 - 0007859 _____ () C:\Users\Kaitlyn\AppData\Roaming\pcouffin.cat
2012-10-15 14:28 - 2012-10-15 14:28 - 0001167 _____ () C:\Users\Kaitlyn\AppData\Roaming\pcouffin.inf
2012-10-15 14:28 - 2012-10-15 14:28 - 0000055 _____ () C:\Users\Kaitlyn\AppData\Roaming\pcouffin.log
2012-10-15 14:28 - 2012-10-15 14:28 - 0082816 _____ (VSO Software) C:\Users\Kaitlyn\AppData\Roaming\pcouffin.sys
2012-10-15 14:24 - 2012-10-15 14:26 - 0001057 _____ () C:\Users\Kaitlyn\AppData\Roaming\vso_ts_preview.xml
2012-04-19 07:18 - 2012-05-01 17:18 - 0000064 _____ () C:\Users\Kaitlyn\AppData\Roaming\wklnhst.dat
2011-10-15 11:15 - 2014-11-15 17:30 - 0008192 _____ () C:\Users\Kaitlyn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-10-05 09:57 - 2012-10-05 09:57 - 0000017 _____ () C:\Users\Kaitlyn\AppData\Local\resmon.resmoncfg
2012-03-15 08:47 - 2012-03-15 08:47 - 0000057 _____ () C:\ProgramData\Ament.ini
2010-12-21 10:13 - 2010-12-21 10:13 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

Some content of TEMP:
====================
C:\Users\Kaitlyn\AppData\Local\temp\Quarantine.exe
C:\Users\Kaitlyn\AppData\Local\temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-13 20:19

==================== End Of Log ============================

#6 kaitlyn19 (Topic Starter)

Posted 20 February 2015 - 03:51 PM

And here is the Addition text

Attached Files



#7 olgun52 (Malware Response Team)

Posted 21 February 2015 - 07:30 AM

Hi kaitlyn19,

Please don't install or uninstall software during the cleanup unless you are told to do so.

I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here.

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

Step 1:

  • Download and extract Malwarebytes Anti-Rootkit from here mbar-1.07.0.1009.zip and save it to your desktop.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Double-click mbar.exe inside the mbar folder then click 'Next'.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.
  • Click 'Update'.
  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two messages boxes:
    • 'Could not load protection driver'. Click 'OK'.
    • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please zip and attach the two log files created by the tool within the folder from which it was run.

The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 2:

Please download and run RogueKiller 32/64 bit to your desktop.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Edited by olgun52, 21 February 2015 - 07:36 AM.

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
If I don't reply within 24 hours please PM me!

#8 kaitlyn19 (Topic Starter)

Posted 21 February 2015 - 04:19 PM

Attached File: mbar-log-2015-02-21 (15-15-16).zip (824 bytes)

The system log text was still too big to attach after zipping.

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.17633

File system is: NTFS
Disk drives: A:\ DRIVE_FIXED, C:\ DRIVE_FIXED
CPU speed: 2.094000 GHz
Memory total: 4021182464, free: 1770512384

Downloaded database version: v2015.02.21.07
Downloaded database version: v2015.02.20.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
------------ Kernel report ------------
     02/21/2015 15:14:57
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\sptd.sys
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\system32\DRIVERS\TVALZ_O.SYS
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\AtiPcie.sys
\SystemRoot\system32\DRIVERS\dtsoftbus01.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\System32\Drivers\SCDEmu.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\FwLnk.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atipmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\L1C62x64.sys
\SystemRoot\system32\DRIVERS\tdcmdpst.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\System32\Drivers\abcvn7v4.SYS
\SystemRoot\System32\Drivers\SCSIPORT.SYS
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\serscan.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\pgeffect.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\drivers\ipnat.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\??\C:\windows\system32\drivers\mbamchameleon.sys
\??\C:\windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\comdlg32.dll
\Windows\System32\normaliz.dll
\Windows\System32\psapi.dll
\Windows\System32\lpk.dll
\Windows\System32\setupapi.dll
\Windows\System32\iertutil.dll
\Windows\System32\nsi.dll
\Windows\System32\kernel32.dll
\Windows\System32\advapi32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\Wldap32.dll
\Windows\System32\sechost.dll
\Windows\System32\msctf.dll
\Windows\System32\msvcrt.dll
\Windows\System32\oleaut32.dll
\Windows\System32\difxapi.dll
\Windows\System32\usp10.dll
\Windows\System32\wininet.dll
\Windows\System32\clbcatq.dll
\Windows\System32\shell32.dll
\Windows\System32\gdi32.dll
\Windows\System32\imm32.dll
\Windows\System32\user32.dll
\Windows\System32\urlmon.dll
\Windows\System32\ws2_32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\ole32.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\userenv.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\devobj.dll
\Windows\System32\profapi.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.

Scan started
Database versions:
  main:    v2015.02.21.07
  rootkit: v2015.02.20.01

<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800434b790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80042c9060
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800434b790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800434b2c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800434b790, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80042c9060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xfffff8a00d4838b0, 0xfffffa800434b790, 0xfffffa80063bf090
Lower DeviceData: 0xfffff8a00db2abb0, 0xfffffa80042c9060, 0xfffffa800415b390
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C8F45358

Partition information:

    Partition 0 type is Other (0x27)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 913258496

    Partition 2 type is HIDDEN (0x17)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 916332544  Numsec = 38049792
    Partition is not bootable
Hidden partition VBR is not infected.

    Partition 3 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 954382336  Numsec = 22388736

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================

#9 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts

Posted 21 February 2015 - 04:38 PM

RogueKiller V10.4.1.0 [Feb 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Kaitlyn [Administrator]
Mode : Scan -- Date : 02/21/2015  16:36:20

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpKslc8e50077 (\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKslc8e50077 (\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MpKslc8e50077 (\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys) -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 4 ¤¤¤
[Suspicious.Path] HP Photo Creations Communicator.job -- C:\ProgramData\HP Photo Creations\MessageCheck.exe -> Found
[Suspicious.Path] \\GlobalUpdate-ywy0y2jxzmtibth -- C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe -> Found
[Suspicious.Path] \\HP Photo Creations Communicator -- C:\ProgramData\HP Photo Creations\MessageCheck.exe -> Found
[Suspicious.Path] \\OQTSX -- "C:\ProgramData\1328c26929594f9ea7bc119a80331eae\1328c26929594f9ea7bc119a80331eae.exe" -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS ATA Device +++++
--- User ---
[MBR] e4a3184828357e58bedd8a0097eed175
[BSP] 5a4c3d43d7384e0c7ac9b3c9859f7e22 : HP MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_02212015_162803.log



#10 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 21 February 2015 - 05:08 PM

  • Close all the running processes
  • Double click the RogueKiller icon to run the program again.
    Vista/Win7 users should right click the icon and select Run as Administrator.
  • Wait for the Prescan to finish.
  • Make sure only the following lines are checked:-
    [Suspicious.Path] \\GlobalUpdate-ywy0y2jxzmtibth -- C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe -> Found
    [Suspicious.Path] \\OQTSX -- "C:\ProgramData\1328c26929594f9ea7bc119a80331eae\1328c26929594f9ea7bc119a80331eae.exe" -> Found
  • Now click the Delete button.
  • Please copy and paste the report in your next reply. A copy of the RKreport.txt can be found on your desktop.

Let me know when you get that done and send me the log.

Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#11 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts

Posted 21 February 2015 - 06:20 PM

RogueKiller V10.4.1.0 [Feb 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Kaitlyn [Administrator]
Mode : Delete -- Date : 02/21/2015  18:19:24

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] MessageCheck.exe(7284) -- C:\ProgramData\HP Photo Creations\MessageCheck.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 7 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpKslc8e50077 (\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpKslc8e50077 (\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys) -> Not selected
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MpKslc8e50077 (\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys) -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected

¤¤¤ Tasks : 4 ¤¤¤
[Suspicious.Path] HP Photo Creations Communicator.job -- C:\ProgramData\HP Photo Creations\MessageCheck.exe -> Not selected
[Suspicious.Path] \\GlobalUpdate-ywy0y2jxzmtibth -- C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe -> Deleted
[Suspicious.Path] \\HP Photo Creations Communicator -- C:\ProgramData\HP Photo Creations\MessageCheck.exe -> Not selected
[Suspicious.Path] \\OQTSX -- "C:\ProgramData\1328c26929594f9ea7bc119a80331eae\1328c26929594f9ea7bc119a80331eae.exe" -> Deleted

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS ATA Device +++++
--- User ---
[MBR] e4a3184828357e58bedd8a0097eed175
[BSP] 5a4c3d43d7384e0c7ac9b3c9859f7e22 : HP MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_02212015_162803.log - RKreport_SCN_02212015_163620.log - RKreport_SCN_02212015_181745.log



#12 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 21 February 2015 - 06:59 PM

Hi kaitlyn19,

OK. They were deleted. Thank you.

[Suspicious.Path] \\GlobalUpdate-ywy0y2jxzmtibth -- C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe -> Deleted
[Suspicious.Path] \\OQTSX -- "C:\ProgramData\1328c26929594f9ea7bc119a80331eae\1328c26929594f9ea7bc119a80331eae.exe" -> Deleted

Step 1:
FRST Script:
Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Step 2:

Please be sure to run our tools with administrator rights.

ComboFix run:

* IMPORTANT 1: Place ComboFix.exe on your Desktop
* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

Have a nice day.

#13 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts

Posted 21 February 2015 - 08:17 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-02-2015 01
Ran by Kaitlyn at 2015-02-21 19:55:52 Run:1
Running from C:\Users\Kaitlyn\Desktop
Loaded Profiles: Kaitlyn (Available profiles: Kaitlyn & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe
2015-02-14 19:53 - 2015-02-14 19:53 - 00003280 _____ () C:\windows\System32\Tasks\GlobalUpdate-ywy0y2jxzmtibth
2015-02-14 19:53 - 2015-02-14 19:53 - 00000000 ____D () C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth
2015-02-13 22:05 - 2015-02-13 22:05 - 01016832 _____ () C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - No Path
S2 4261c3f1; "C:\windows\system32\rundll32.exe" "c:\Program Files (x86)\IncrementGeneration\IncrementGeneration.dll",serv
U3 at8cwfnu; C:\Windows\System32\Drivers\at8cwfnu.sys [0 ] (Advanced Micro Devices) <==== ATTENTION (zero size file/folder)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
2015-02-14 20:17 - 2015-02-17 14:13 - 00000000 ____D () C:\ProgramData\{93912aaf-8b08-3ac9-9391-12aaf8b0aabe}
2015-02-14 20:16 - 2015-02-17 14:13 - 00000000 ____D () C:\ProgramData\{ce87c3e7-245d-c064-ce87-7c3e72450f9c}
C:\Users\Kaitlyn\AppData\Roaming\E058D61B-1423943482-DF11-831F-00266C4F9986
C:\Users\Kaitlyn\AppData\Roaming\inst.exe
2012-10-29 12:28 - 2012-10-29 12:28 - 0154283 ____H () C:\Users\Kaitlyn\AppData\Roaming\Kaitlynv1.18.0 - Trial version.dll
2005-04-07 21:16 - 2012-11-14 16:43 - 0347214 ____H () C:\Users\Kaitlyn\AppData\Roaming\Kaitlynv1.18.0 - Trial versionlog.dat
 C:\Users\Kaitlyn\AppData\Roaming\vso_ts_preview.xml
2012-03-15 08:47 - 2012-03-15 08:47 - 0000057 _____ () C:\ProgramData\Ament.ini
2010-12-21 10:13 - 2010-12-21 10:13 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
C:\Users\Kaitlyn\AppData\Local\temp\Quarantine.exe
C:\Users\Kaitlyn\AppData\Local\temp\sqlite3.dll
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
Toolbar: HKU\S-1-5-21-3838072084-2198307700-2964809338-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
SearchScopes: HKU\S-1-5-21-3838072084-2198307700-2964809338-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
SearchScopes: HKLM -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSCA
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Task: {86749F03-E67E-4C46-948F-69B9989142D0} - System32\Tasks\OQTSX => C:\ProgramData\1328c26929594f9ea7bc119a80331eae\1328c26929594f9ea7bc119a80331eae.exe
Task: {52A20892-4D28-41B9-9E3B-8674202DB625} - System32\Tasks\Games\UpdateCheck_S-1-5-21-3838072084-2198307700-2964809338-1000
Task: {AD373520-3641-45DF-AE1C-EA572BAFE2D9} - System32\Tasks\GlobalUpdate-ywy0y2jxzmtibth => C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe [2015-02-13] () <==== ATTENTION
Task: {AF568050-169F-4766-BE8A-80EE9C7F996E} - \RDReminder No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:9DB67071
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe => Moved successfully.
"C:\windows\System32\Tasks\GlobalUpdate-ywy0y2jxzmtibth" => File/Directory not found.
C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth => Moved successfully.
"C:\Users\Kaitlyn\AppData\Roaming\ywy0y2jxzmtibth\ywy0y2jxzmtibth.exe" => File/Directory not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
CHR dev: Chrome dev build detected! <======= ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk" => Key deleted successfully.
4261c3f1 => Service deleted successfully.
at8cwfnu => Service not found.
catchme => Service deleted successfully.
C:\ProgramData\{93912aaf-8b08-3ac9-9391-12aaf8b0aabe} => Moved successfully.
C:\ProgramData\{ce87c3e7-245d-c064-ce87-7c3e72450f9c} => Moved successfully.
C:\Users\Kaitlyn\AppData\Roaming\E058D61B-1423943482-DF11-831F-00266C4F9986 => Moved successfully.
C:\Users\Kaitlyn\AppData\Roaming\inst.exe => Moved successfully.
C:\Users\Kaitlyn\AppData\Roaming\Kaitlynv1.18.0 - Trial version.dll => Moved successfully.
C:\Users\Kaitlyn\AppData\Roaming\Kaitlynv1.18.0 - Trial versionlog.dat => Moved successfully.
C:\Users\Kaitlyn\AppData\Roaming\vso_ts_preview.xml => Moved successfully.
C:\ProgramData\Ament.ini => Moved successfully.
C:\ProgramData\ezsidmv.dat => Moved successfully.
C:\Users\Kaitlyn\AppData\Local\temp\Quarantine.exe => Moved successfully.
C:\Users\Kaitlyn\AppData\Local\temp\sqlite3.dll => Moved successfully.
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll => Moved successfully.
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
"HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Key not found.
HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64} => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value deleted successfully.
"HKU\S-1-5-21-3838072084-2198307700-2964809338-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86749F03-E67E-4C46-948F-69B9989142D0} => Key not found.
C:\Windows\System32\Tasks\OQTSX not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OQTSX => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{52A20892-4D28-41B9-9E3B-8674202DB625}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{52A20892-4D28-41B9-9E3B-8674202DB625}" => Key deleted successfully.
C:\Windows\System32\Tasks\Games\UpdateCheck_S-1-5-21-3838072084-2198307700-2964809338-1000 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Games\UpdateCheck_S-1-5-21-3838072084-2198307700-2964809338-1000" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD373520-3641-45DF-AE1C-EA572BAFE2D9} => Key not found.
C:\Windows\System32\Tasks\GlobalUpdate-ywy0y2jxzmtibth not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GlobalUpdate-ywy0y2jxzmtibth => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AF568050-169F-4766-BE8A-80EE9C7F996E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AF568050-169F-4766-BE8A-80EE9C7F996E}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RDReminder => Key not found.
C:\ProgramData\TEMP => ":9DB67071" ADS removed successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh winsock reset all =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Reseting Route, OK!
Restart the computer to complete this action.

========= End of CMD: =========

=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

EmptyTemp: => Removed 5.1 GB temporary data.

The system needed a reboot.

==== End of Fixlog 20:09:24 ====



#14 kaitlyn19

kaitlyn19
  • Topic Starter

  • Members
  • 42 posts

Posted 21 February 2015 - 08:49 PM

ComboFix 15-02-16.01 - Kaitlyn 21/02/2015  20:24:45.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3835.1453 [GMT -5:00]
Running from: c:\users\Kaitlyn\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Disabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-22 to 2015-02-22  )))))))))))))))))))))))))))))))
.
.
2015-02-22 01:42 . 2015-02-22 01:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
2015-02-15 01:19 . 2015-02-17 19:13 -------- d-----w- c:\program files (x86)\SEO  Website Analysis
2015-02-15 00:55 . 2015-02-15 00:55 -------- d-----w- c:\users\Kaitlyn\AppData\Roaming\Opera Software
2015-02-15 00:55 . 2015-02-15 00:55 -------- d-----w- c:\users\Kaitlyn\AppData\Local\Opera Software
2015-02-15 00:54 . 2015-02-15 01:07 -------- d-----w- c:\program files (x86)\Opera
2015-02-15 00:53 . 2015-02-15 01:08 -------- d-----w- c:\program files (x86)\GoPcPro
2015-02-15 00:52 . 2015-02-15 00:52 -------- d-----w- c:\programdata\SearchModulePlus
2015-02-15 00:45 . 2015-02-08 02:45 364024 ----a-w- c:\windows\system32\ColorMedia64.dll
2015-02-15 00:45 . 2015-02-15 00:45 -------- d-----w- c:\users\Kaitlyn\AppData\Local\Zeoinsight
2015-02-15 00:45 . 2015-02-15 00:45 -------- d-----w- c:\users\Kaitlyn\AppData\Local\ZBAnalyticsCore
2015-02-15 00:33 . 2015-02-15 00:33 40960 ----a-r- c:\users\Kaitlyn\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2015-02-15 00:33 . 2015-02-15 00:33 40960 ----a-r- c:\users\Kaitlyn\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2015-02-15 00:33 . 2015-02-15 00:37 -------- d-----w- c:\program files (x86)\Project64 1.6
2015-02-13 10:57 . 2015-02-13 10:57 821096 ----a-w- c:\program files\Common Files\System\SysMenu64.dll
2015-02-13 10:57 . 2015-02-13 10:57 651112 ----a-w- c:\program files\Common Files\System\SysMenu.dll
2015-02-12 15:32 . 2015-01-23 03:43 620032 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2015-02-12 15:32 . 2015-01-23 04:42 814080 ----a-w- c:\windows\system32\jscript9diag.dll
2015-02-12 15:32 . 2015-01-23 04:41 6041600 ----a-w- c:\windows\system32\jscript9.dll
2015-02-12 15:32 . 2015-01-23 03:17 4300800 ----a-w- c:\windows\SysWow64\jscript9.dll
2015-02-11 13:43 . 2015-01-12 02:07 47616 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2015-02-11 13:42 . 2015-01-12 02:07 1016832 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2015-02-11 13:42 . 2015-01-12 03:09 25056256 ----a-w- c:\windows\system32\mshtml.dll
2015-02-11 13:42 . 2015-01-12 02:59 10949120 ----a-w- c:\program files\Internet Explorer\F12Resources.dll
2015-02-11 13:39 . 2014-12-12 05:31 1480192 ----a-w- c:\windows\system32\crypt32.dll
2015-02-11 13:39 . 2014-12-12 05:07 1174528 ----a-w- c:\windows\SysWow64\crypt32.dll
2015-02-11 13:39 . 2014-11-26 03:53 861696 ----a-w- c:\windows\system32\oleaut32.dll
2015-02-11 13:39 . 2014-11-26 03:32 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2015-02-11 13:38 . 2014-12-08 03:09 406528 ----a-w- c:\windows\system32\scesrv.dll
2015-02-11 13:38 . 2014-12-08 02:46 308224 ----a-w- c:\windows\SysWow64\scesrv.dll
2015-02-11 13:38 . 2015-01-14 06:09 5554112 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-02-11 13:37 . 2015-01-14 05:44 3972544 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2015-02-11 13:37 . 2015-01-14 05:44 3917760 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2015-02-11 13:37 . 2015-01-14 06:05 503808 ----a-w- c:\windows\system32\srcore.dll
2015-02-11 13:37 . 2015-01-14 06:04 296960 ----a-w- c:\windows\system32\rstrui.exe
2015-02-11 13:37 . 2015-01-14 06:05 50176 ----a-w- c:\windows\system32\srclient.dll
2015-02-11 13:37 . 2015-01-14 05:41 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2015-02-11 13:36 . 2015-01-09 02:03 3201536 ----a-w- c:\windows\system32\win32k.sys
2015-01-23 13:19 . 2015-01-23 13:19 -------- d-----w- c:\program files (x86)\Common Files\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-21 20:14 . 2014-07-01 12:20 136408 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-02-21 20:13 . 2014-07-01 12:18 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-02-11 21:10 . 2010-09-15 17:18 116773704 ----a-w- c:\windows\system32\MRT.exe
2015-02-05 17:21 . 2013-10-31 15:49 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-05 17:21 . 2013-10-31 15:49 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-01-23 13:18 . 2014-10-16 16:13 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-12-31 11:14 . 2010-11-29 22:19 298120 ------w- c:\windows\system32\MpSigStub.exe
2014-12-19 03:06 . 2015-01-14 13:30 210432 ----a-w- c:\windows\system32\profsvc.dll
2014-12-19 01:46 . 2015-01-14 13:30 141312 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2014-12-11 17:47 . 2015-01-14 13:30 62976 ----a-w- c:\windows\system32\TSWbPrxy.exe
2014-12-06 04:17 . 2015-01-14 13:30 303616 ----a-w- c:\windows\system32\nlasvc.dll
2014-12-06 03:50 . 2015-01-14 13:30 52224 ----a-w- c:\windows\SysWow64\nlaapi.dll
2014-12-06 03:50 . 2015-01-14 13:30 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Photosmart 7510 series (NET)"="c:\program files\HP\HP Photosmart 7510 series\Bin\ScanToPCActivationApp.exe" [2011-06-08 2676584]
"DAEMON Tools Pro Agent"="c:\program files (x86)\DAEMON Tools Pro\DTAgent.exe" [2012-04-26 3111744]
"Uploader"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [2014-09-17 127080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-15 98304]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"BrStsWnd"="c:\program files (x86)\Brownie\BrstsW64.exe" [2009-08-19 3695928]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"DBAgent"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [2014-09-17 1518664]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-12-18 508800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKslc8e50077;MpKslc8e50077;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D9F331B0-D0FB-4D0B-8390-B7BAB92961BE}\MpKslc8e50077.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys;c:\windows\SYSNATIVE\drivers\massfilter.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 Origin Client Service;Origin Client Service;c:\program files (x86)\Origin\OriginClientService.exe;c:\program files (x86)\Origin\OriginClientService.exe [x]
R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [x]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
S2 Seagate MobileBackup Service;Seagate MobileBackup Service;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys;c:\windows\SYSNATIVE\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-06-13 13:00 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-31 17:21]
.
2015-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-06 01:05]
.
2015-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-06 01:05]
.
2015-02-22 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2012-03-15 22:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-01-30 1332296]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3651976D-F790-45CF-986B-294F60E13939}\25F4E4D20534F5E4564777F627B6: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3651976D-F790-45CF-986B-294F60E13939}\443374E4F53535944403: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3651976D-F790-45CF-986B-294F60E13939}\C496D6560516E64616: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{3651976D-F790-45CF-986B-294F60E13939}\E49636B6B2C496E646375697: DhcpNameServer = 64.71.255.198
Handler: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - c:\program files (x86)\TurboTax 2013\ic2013pp.dll
FF - ProfilePath - c:\users\Kaitlyn\AppData\Roaming\Mozilla\Firefox\Profiles\bdicloww.default\
.
.
------- File Associations -------
.
inifile="%SystemRoot%\system32\NOTEPAD.EXE" %1
txtfile="%SystemRoot%\system32\NOTEPAD.EXE" %1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3838072084-2198307700-2964809338-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.eml.14"
.
[HKEY_USERS\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3838072084-2198307700-2964809338-1000)
@Denied: (2) (LocalSystem)
"Progid"="Outlook.File.vcf.14"
.
[HKEY_USERS\S-1-5-21-3838072084-2198307700-2964809338-1000\Software\SecuROM\License information*]
"datasecu"=hex:a1,b7,c1,ea,c8,b0,8f,ec,17,cd,1b,20,32,8c,e6,e9,ec,6b,1d,53,35,
   29,5e,ac,4a,7c,a3,1a,32,a8,a5,91,62,64,f4,13,64,a3,39,a2,89,87,60,5b,d5,42,\
"rkeysecu"=hex:99,25,d5,b7,6d,ab,81,40,6e,11,4e,16,77,9b,06,2b
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-02-21  20:46:16
ComboFix-quarantined-files.txt  2015-02-22 01:46
ComboFix2.txt  2015-02-15 03:01
.
Pre-Run: 106,122,461,184 bytes free
Post-Run: 106,084,368,384 bytes free
.
- - End Of File - - FB9CC6E2170B34693718D1D644B72803
5B5E648D12FCADC244C1EC30318E1EB9
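
Added example, not from any post in this thread and not part of ComboFix: the "Reg Loading Points" section of the log above is the part a responder reads first, because it lists where Windows starts things from (the Run keys, services and drivers, the scheduled-tasks folder, and the LoadAppInit_DLLs switch). The Python below parses those line shapes and flags two things worth a manual look: autostart targets that live in user-writable locations such as AppData or ProgramData, which is where bundled adware of the kind described in this thread usually installs itself, and LoadAppInit_DLLs=1, which this log shows under the Wow6432Node key. The regexes are written against the line shapes visible in this log rather than any ComboFix specification, the sample text is constructed, and the "Updater" entry under AppData in it is hypothetical.

```python
"""Parse ComboFix's "Reg Loading Points" output and triage autostart entries.

Added example written for this thread; it is not a ComboFix component and the
regexes only cover the line shapes visible in the log above.
"""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's format. The Seagate, LoadAppInit_DLLs,
# HitmanPro and HP lines are copied from the log above; the "Updater" entry
# under AppData is hypothetical and stands in for a typical adware autorun.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uploader"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [2014-09-17 127080]
"Updater"="c:\users\someone\AppData\Roaming\Updater\updater.exe" [2015-02-18 40960]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe;c:\program files\HitmanPro\hmpsched.exe [x]
.
2015-02-22 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\programdata\HP Photo Creations\MessageCheck.exe [2012-03-15 22:14]
"""


@dataclass
class Entry:
    kind: str        # "run", "dword", "service" or "task"
    location: str    # registry key, "S2 name" for services, .job path for tasks
    name: str
    path: str        # executable/driver path; "" for plain DWORD values
    extra: str = ""  # ComboFix's trailing "[date size]", "[BU]", "[x]", or the DWORD value


KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?\s*$')
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$')
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);([^;]+);([^;]+?)(?:\s+\[([^\]]*)\])?\s*$')
TASK_RE = re.compile(r'^\d{4}-\d{2}-\d{2}\s+(c:\\.+\.job)$', re.I)
TASKBODY_RE = re.compile(r'^-\s+(.+?)(?:\s+\[([^\]]*)\])?\s*$')


def parse_loading_points(text):
    """Turn the log text into Entry records; unrecognised lines are skipped."""
    entries, key, job = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := SVC_RE.match(line):
            start, name, desc, path, _, extra = m.groups()
            entries.append(Entry("service", f"{start} {name}", desc or name, path, extra or ""))
        elif m := TASK_RE.match(line):
            job = m.group(1)  # the "- path" line that follows belongs to this .job
        elif job and (m := TASKBODY_RE.match(line)):
            entries.append(Entry("task", job, job.rsplit("\\", 1)[-1], m.group(1), m.group(2) or ""))
            job = ""  # so "- - End Of File" style lines are never taken for a task body
        elif m := RUN_RE.match(line):
            entries.append(Entry("run", key, m.group(1), m.group(2), m.group(3) or ""))
        elif m := DWORD_RE.match(line):
            entries.append(Entry("dword", key, m.group(1), "", m.group(2)))
    return entries


SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")


def classify_path(path):
    # Bucket a target by where it lives. Doubled separators are collapsed so the
    # "c:\windows\\SystemRoot\..." form ComboFix prints for boot drivers stays "system".
    p = path.lower().replace("\\\\", "\\")
    if any(marker in p for marker in WRITABLE_MARKERS):
        return "user-writable"
    if p.startswith(SYSTEM_ROOTS):
        return "system"
    return "other"


def triage(entries):
    """Findings worth a manual look. Location is a heuristic only: legitimate
    software (HP's task here, Microsoft's own definition-update driver in the
    full log) also runs from ProgramData, so a hit means "verify", not "malware"."""
    findings = []
    for e in entries:
        if e.kind == "dword" and e.name.lower() == "loadappinit_dlls" and e.extra != "0":
            findings.append(f"{e.location}: LoadAppInit_DLLs={e.extra}; any DLL named in "
                            "AppInit_DLLs next to it is loaded into every process that loads user32.dll")
        elif e.path and classify_path(e.path) == "user-writable":
            findings.append(f"{e.kind} '{e.name}' starts from a user-writable location: {e.path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

Run as-is it prints the three findings for the sample. Fed the complete log above it will also flag the MpKsl driver under c:\programdata\Microsoft\Microsoft Antimalware, which is Microsoft Security Essentials' own definition-update driver, so treat the output as a list to verify against the vendor and the file's signature, not as verdicts.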
#15 olgun52

  • Malware Response Team
  • 3,784 posts

Posted 22 February 2015 - 09:52 AM

Hi kaitlyn19,
 
Step 1:
Run combofix script:
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Download the attached CFScript.txt and save it to the location where Combofix is.

(image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
Step 2:
Scan with Malwarebytes Antimalware:
Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14-day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 3:

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Edited by olgun52, 22 February 2015 - 09:54 AM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!