Laptop infected after "clicking on link"


18 replies to this topic

#1 ChispHandon

Posted 28 February 2015 - 09:55 PM

So yeah, long story short, a friend of mine brought me his laptop after he suspected something was wrong. When I asked him what had happened he told me he simply clicked a link.

However, as soon as I opened it up, programs started to install themselves, default search engines / homepages were changed and the disk usage hung at 90%. I also noticed that he had a program called Alcohol 120% open which had a disk mounted, so I think he tried to install an illegal game and it borked up his system.

It's a Dell Inspiron 5547 running Windows 8.1.

I have already laid down the groundwork on cleaning this machine but I think that I'm missing some things, so bear with me:

  • First I removed all the programs that had installed themselves using REVO Uninstaller (which also deletes registry keys).
  • I then did a run with MBAM and Windows Defender (see attached MBAM log: MBAM Scan 28-2-15.txt).
  • Seeing quite a few things in the MBAM log I decided to run Rkill before anything else (see attached log: Rkill.txt).
  • After running Rkill I ran MBAR, GMER and RogueKiller. MBAR pointed out two rootkits, which it said it removed. I can't find the log, but here are the GMER and RogueKiller logs (attached: GMER log.txt and RKreport_SCN_03012015_025853.log).
  • After this I ran aswMBR, which kind of got funky (read: I couldn't download the Avast definitions, and at the same time ESET Online Scanner gave me an "Unexpected event 200"), so I don't know if it ran correctly, but it made this log (attached: aswMBR.txt).
  • And after that I kind of got baffled at how ESET gave me the error and decided to google it, only to find out that the internet had stopped working (my own laptop still worked, so did my phone, but the infected machine didn't). Luckily I have a USB with quite a few tools on there which I update regularly from my own laptop, and one of them was Farbar, which produced these logs (attached: FRST.txt and Addition.txt).

Alright, so to shoot down the obvious things that might get noticed:

  • He has a pirated Adobe CS6 suite and some CC programs. I confronted him with this but he told me that he needs those for his uni, so he can't delete them.
  • He uses both FF and Chrome, and both of those have omniboxes stuck as their default search engine. He told me that he uses Google so I guess that the infection changed it. I can't, however, for the life of me change them back.
  • His drive is partitioned in two parts, C and D. He uses C for all sorts of stuff and D for uni / work / minsk.
  • Of course he didn't make any backups or anything, but there are a few restore points (most of which I made today).

Oh, I also noticed that this laptop doesn't have a CD/DVD drive, so I can't simply reinstall the OS (which, if my hunch that this is a rootkit is correct, might be the better idea) or do anything that requires a CD or DVD.

Any help would be highly appreciated folks!

Cheers!

#2 HelpBot

Posted 05 March 2015 - 10:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/568673 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 ChispHandon

Posted 07 March 2015 - 06:59 AM

I still need help :)

My problem remains the same - a rootkit infection on my friend's machine. I haven't tried anything after I made the post above, but I heard from my friend that he ran Junkware Removal Tool in an attempt to clean the machine up.

I currently don't have the machine with me (this is my own Ubuntu laptop), but I'll have it on Sunday, will run a new Farbar scan then :)


Cheers!



#4 ChispHandon

Posted 09 March 2015 - 07:20 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-02-2015
Ran by Gebruiker (administrator) on LAPTOP--STEFAN on 09-03-2015 13:12:25
Running from C:\Users\Gebruiker\Desktop
Loaded Profiles: Gebruiker (Available profiles: Gebruiker)
Platform: Windows 8.1 (X64) OS Language: Dutch (Netherlands)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Fork Ltd.) C:\Prey\platform\windows\cronsvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(ReviverSoft) C:\Program Files\ReviverSoft\Start Menu Reviver\StartMenuReviverService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7506648 2013-12-28] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374424 2014-01-10] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2806512 2013-12-30] (Synaptics Incorporated)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [5789512 2014-01-15] (Dell Inc.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-30] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Monitor] => C:\Windows\PixArt\PAC207\Monitor.exe [319488 2006-11-03] (PixArt Imaging Incorporation)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-01-12] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCEPServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe [1039240 2013-05-16] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2011-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [2904984 2011-09-05] (Adobe Systems Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe [1435136 2014-10-03] ()
Startup: C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
ShortcutTarget: Rainmeter.lnk -> C:\Program Files\Rainmeter\Rainmeter.exe ()
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files\WOT\WOT.dll ()
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files (x86)\WOT\WOT.dll ()
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
Toolbar: HKU\S-1-5-21-761435834-2810594181-3668824124-1001 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com/bin/srldetect_intel_4.5.24.0.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
Handler-x32: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.254 195.241.77.55 195.241.77.58
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default
FF SelectedSearchEngine: omniboxes
FF Homepage: hxxp://google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1215155.dll (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF Extension: United States English Spellchecker - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\en-US@dictionaries.addons.mozilla.org [2014-11-15]
FF Extension: Woordenboek Nederlands - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\nl-NL@dictionaries.addons.mozilla.org [2014-10-22]
FF Extension: New Tab Plus - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\weidunewtab@gmail.com [2014-07-16]
FF Extension: Toolbar Autohide - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\fullscreentoolbarhover@com.sppad.xpi [2014-07-16]
FF Extension: Thumbnail Zoom Plus - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\thumbnailZoom@dadler.github.com.xpi [2014-07-16]
FF Extension: Stylish - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2014-07-16]
FF Extension: YouTube High Definition - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\{7b1bf0b6-a1b9-42b0-b75d-252036438bdc}.xpi [2014-11-10]
FF Extension: Adblock Plus - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-07-16]
FF Extension: BetterPrivacy - C:\Users\Gebruiker\AppData\Roaming\Mozilla\Firefox\Profiles\2bxcua85.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2014-07-16]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-09-10]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HomePage: Default -> hxxp://google.com/
CHR StartupUrls: Default -> "hxxp://www.omniboxes.com/?type=hp&ts=1425134360&from=obw&uid=ST1000LM024XHN-M101MBB_S314J90F325096325096"
CHR DefaultSearchKeyword: Default -> omniboxes
CHR DefaultSuggestURL: Default ->
CHR Profile: C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (HD for YouTube™) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\akjbfncbadcmnkopckegnmjgihagponf [2014-11-26]
CHR Extension: (Google Docs) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-16]
CHR Extension: (Google Drive) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-16]
CHR Extension: (YouTube) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-16]
CHR Extension: (Google Search) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-16]
CHR Extension: (No Name) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjfiaeaopgmgbenipljajjipecobmbni [2015-02-28]
CHR Extension: (Stylish) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2015-01-03]
CHR Extension: (AdBlock) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-07-16]
CHR Extension: (Auto HD For YouTube™) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\koiaokdomkpjdgniimnkhgbilbjgpeak [2014-11-26]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2014-12-10]
CHR Extension: (EXIF Viewer) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nafpfdcmppffipmhcpkbplhkoiekndck [2015-01-07]
CHR Extension: (Google Wallet) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-16]
CHR Extension: (Hover Zoom) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2015-01-16]
CHR Extension: (Gmail) - C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-16]
StartMenuInternet: Google Chrome - Chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CronService; C:\Prey\platform\windows\cronsvc.exe [23552 2014-04-30] (Fork Ltd.) [File not signed]
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2552528 2015-01-30] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201424 2015-01-30] (Dell Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-30] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [314696 2014-05-20] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-18] (Intel Corporation)
R2 My Dell Client Framework; C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe [168960 2014-01-10] (Dell Inc.) [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-05-29] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 StartMenuReviverService; C:\Program Files\ReviverSoft\Start Menu Reviver\StartMenuReviverService.exe [765048 2014-09-17] (ReviverSoft)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [19288 2015-02-19] (Dell Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-22] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3816176 2014-05-29] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-04-28] (Microsoft Corporation)
S3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [140600 2013-07-22] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1408824 2013-10-18] (Motorola Solutions, Inc.)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [23312 2015-01-30] (Dell Computer Corporation)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-10-02] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-10-02] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [142280 2013-10-19] (Intel Corporation)
R3 ManyCam; C:\Windows\system32\DRIVERS\mcvidrv.sys [49776 2014-07-25] (Visicom Media Inc.)
R3 mcaudrv_simple; C:\Windows\system32\drivers\mcaudrv_x64.sys [35440 2014-05-13] (Visicom Media Inc.)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100824 2013-12-18] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3446240 2014-06-18] (Intel Corporation)
S3 PAC207; C:\Windows\system32\DRIVERS\PFC027.SYS [571904 2006-11-20] (PixArt Imaging Inc.)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [386680 2015-02-28] (Duplex Secure Ltd.)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2013-12-30] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-03-01] ()
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-22] (Microsoft Corporation)
U3 aswMBR; \??\C:\Users\GEBRUI~1\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\GEBRUI~1\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-01 18:07 - 2015-03-01 18:07 - 00005156 _____ () C:\Users\Gebruiker\Desktop\AdwCleaner[R0].txt
2015-03-01 18:04 - 2015-03-01 18:05 - 00000000 ____D () C:\AdwCleaner
2015-03-01 18:03 - 2015-03-01 18:04 - 00002170 _____ () C:\Users\Gebruiker\Desktop\JRT.txt
2015-03-01 03:15 - 2015-03-01 03:15 - 00100990 _____ () C:\Users\Gebruiker\Desktop\Shortcut.txt
2015-03-01 03:14 - 2015-03-09 13:12 - 00023157 _____ () C:\Users\Gebruiker\Desktop\FRST.txt
2015-03-01 03:14 - 2015-03-01 03:15 - 00034242 _____ () C:\Users\Gebruiker\Desktop\Addition.txt
2015-03-01 03:13 - 2015-03-09 13:12 - 00000000 ____D () C:\FRST
2015-03-01 03:11 - 2015-03-01 03:11 - 00001959 _____ () C:\Users\Gebruiker\Desktop\aswMBR.txt
2015-03-01 03:00 - 2015-03-01 03:00 - 00010927 _____ () C:\Users\Gebruiker\Desktop\RKreport_SCN_03012015_025853.log
2015-03-01 02:53 - 2015-03-01 02:53 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-01 02:53 - 2015-03-01 02:53 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-03-01 02:45 - 2015-03-01 02:46 - 00003100 _____ () C:\Users\Gebruiker\Desktop\Rkill.txt
2015-03-01 02:43 - 2015-03-01 02:43 - 05198336 _____ (AVAST Software) C:\Users\Gebruiker\Desktop\aswMBR.exe
2015-03-01 02:39 - 2015-03-01 02:39 - 00380416 _____ () C:\Users\Gebruiker\Desktop\lcyi8in1.exe
2015-03-01 02:38 - 2015-03-01 02:39 - 09741664 _____ (SurfRight B.V.) C:\Users\Gebruiker\Desktop\HitmanPro_x64.exe
2015-03-01 02:38 - 2015-03-01 02:38 - 15536728 _____ () C:\Users\Gebruiker\Desktop\RogueKiller.exe
2015-03-01 02:37 - 2015-03-01 02:37 - 02092544 _____ (Farbar) C:\Users\Gebruiker\Desktop\FRST64.exe
2015-03-01 02:30 - 2015-03-01 02:30 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\Gebruiker\Desktop\tdsskiller.exe
2015-03-01 02:30 - 2015-03-01 02:30 - 02126848 _____ () C:\Users\Gebruiker\Desktop\AdwCleaner.exe
2015-03-01 02:30 - 2015-03-01 02:30 - 01388274 _____ (Thisisu) C:\Users\Gebruiker\Desktop\JRT.exe
2015-03-01 02:25 - 2015-03-01 02:25 - 00688992 _____ (Swearware) C:\Users\Gebruiker\Desktop\dds.com
2015-03-01 02:15 - 2015-03-01 02:15 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-03-01 01:29 - 2015-03-01 02:06 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-03-01 01:28 - 2015-03-01 02:06 - 00000000 ____D () C:\Users\Gebruiker\Desktop\mbar
2015-03-01 01:27 - 2015-03-01 01:27 - 16502728 _____ (Malwarebytes Corp.) C:\Users\Gebruiker\Downloads\mbar-1.09.1.1004.exe
2015-02-28 16:02 - 2015-02-28 16:02 - 00080563 _____ () C:\Users\Gebruiker\Desktop\MBAM Scan 28-2-15.txt
2015-02-28 15:45 - 2015-02-28 15:45 - 00000124 _____ () C:\Users\Gebruiker\Documents\ax_files.xml
2015-02-28 15:37 - 2015-02-28 15:42 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\4C4C4544-1425137834-4310-8030-B1C04F545A31
2015-02-28 15:36 - 2015-03-01 01:22 - 00000000 ____D () C:\Program Files (x86)\CinemaP-1.8cV28.02
2015-02-28 15:36 - 2015-02-28 15:36 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\4C4C4544-1425137774-4310-8030-B1C04F545A31
2015-02-28 15:27 - 2015-02-28 15:27 - 00386680 _____ (Duplex Secure Ltd.) C:\Windows\system32\Drivers\sptd.sys
2015-02-26 22:38 - 2015-02-26 22:38 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\dvdcss
2015-02-26 20:29 - 2015-02-26 20:29 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-26 16:44 - 2015-02-26 16:44 - 00000000 ____D () C:\Users\Gebruiker\Desktop\Kamers
2015-02-26 15:36 - 2015-02-26 16:16 - 123164530 _____ () C:\Users\Gebruiker\Downloads\BTTTTTTT.rar
2015-02-24 16:54 - 2015-02-24 17:44 - 00000627 _____ () C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\osu!.lnk
2015-02-24 16:53 - 2015-02-24 16:53 - 03231304 _____ (ppy) C:\Users\Gebruiker\Downloads\osu!install.exe
2015-02-22 16:26 - 2015-02-22 16:28 - 00000000 ____D () C:\Users\Gebruiker\Downloads\Elbow-The_Seldom_Seen_Kid-2008-KzT
2015-02-21 15:49 - 2015-02-21 15:50 - 00000000 ____D () C:\Users\Gebruiker\Desktop\SummerSchool Hong Kong application
2015-02-19 22:54 - 2015-02-19 22:54 - 00000000 _____ () C:\Users\Gebruiker\Desktop\Red Mars - page 10.txt
2015-02-14 15:36 - 2015-02-21 16:52 - 00000000 ____D () C:\Users\Gebruiker\cv
2015-02-12 15:50 - 2015-02-26 20:51 - 00000426 _____ () C:\Windows\Tasks\Dell SupportAssistAgent AutoUpdate.job
2015-02-12 15:50 - 2015-02-26 20:51 - 00000000 ____D () C:\ProgramData\SupportAssistAgent
2015-02-12 15:50 - 2015-02-12 15:50 - 00003230 _____ () C:\Windows\System32\Tasks\Dell SupportAssistAgent AutoUpdate
2015-02-12 15:50 - 2015-02-12 15:50 - 00000000 __HDC () C:\ProgramData\{7417E72F-E156-403E-9DFA-EB0ED1DB06F1}
2015-02-11 10:42 - 2015-02-11 10:42 - 00004048 _____ () C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask
2015-02-11 10:42 - 2015-02-11 10:42 - 00003484 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2015-02-11 10:42 - 2015-02-11 10:42 - 00003238 _____ () C:\Windows\System32\Tasks\SystemToolsDailyTest
2015-02-11 10:42 - 2015-02-11 10:42 - 00000000 ____D () C:\ProgramData\PC-Doctor for Windows
2015-02-11 10:42 - 2015-02-11 10:42 - 00000000 ____D () C:\Program Files\Dell Support Center
2015-02-10 17:41 - 2015-02-10 17:41 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\LibreOffice
2015-02-10 17:40 - 2015-02-10 17:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LibreOffice 4.4
2015-02-10 17:38 - 2015-02-10 17:40 - 00000000 ____D () C:\Program Files (x86)\LibreOffice 4
2015-02-10 16:38 - 2015-02-10 16:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pictures Thumbnails Maker
2015-02-08 22:20 - 2015-02-08 22:19 - 00478772 _____ () C:\Users\Gebruiker\rtmpdump.exe
2015-02-07 00:56 - 2015-02-07 00:56 - 00000000 ____D () C:\Windows\LastGood.Tmp
2015-02-07 00:55 - 2015-02-28 15:51 - 00000000 ____D () C:\Windows\PAC207
2015-02-07 00:41 - 2015-02-07 00:41 - 00000000 ____D () C:\Windows\PixArt
2015-02-07 00:36 - 2015-02-07 00:54 - 00000000 ____D () C:\Windows\Downloaded Installations

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-09 13:11 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\system32\sru
2015-03-01 18:02 - 2014-04-28 10:24 - 00000000 ____D () C:\ProgramData\PCDr
2015-03-01 17:47 - 2014-07-16 14:26 - 00001094 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-01 17:46 - 2014-04-28 10:01 - 01826596 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-01 17:46 - 2013-08-22 23:58 - 00807742 _____ () C:\Windows\system32\perfh013.dat
2015-03-01 17:46 - 2013-08-22 23:58 - 00162706 _____ () C:\Windows\system32\perfc013.dat
2015-03-01 14:28 - 2014-04-28 10:16 - 01806088 _____ () C:\Windows\WindowsUpdate.log
2015-03-01 03:08 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-01 02:07 - 2014-07-10 01:33 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\Adobe
2015-03-01 01:46 - 2014-07-10 00:49 - 00003598 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-761435834-2810594181-3668824124-1001
2015-03-01 01:29 - 2014-07-10 04:13 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-01 01:28 - 2014-07-10 04:12 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-01 01:23 - 2014-07-16 15:42 - 00000000 __RDO () C:\Users\Gebruiker\OneDrive
2015-03-01 01:23 - 2014-07-16 14:26 - 00001090 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-01 01:22 - 2014-04-28 09:44 - 00037034 _____ () C:\Windows\PFRO.log
2015-03-01 01:22 - 2013-08-22 15:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-28 16:02 - 2014-04-28 10:22 - 00000000 ____D () C:\Program Files (x86)\AMD AVT
2015-02-28 15:53 - 2014-04-28 10:16 - 00000000 ____D () C:\ProgramData\Package Cache
2015-02-28 15:51 - 2014-04-28 10:28 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-02-28 15:51 - 2013-08-22 14:25 - 00000133 _____ () C:\Windows\win.ini
2015-02-28 15:50 - 2015-01-04 01:15 - 00000000 ____D () C:\ProgramData\TechSmith
2015-02-28 15:39 - 2014-07-16 13:35 - 00001383 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-02-28 15:39 - 2014-07-10 00:43 - 00001666 _____ () C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-02-28 15:33 - 2013-08-22 15:46 - 00029211 _____ () C:\Windows\setupact.log
2015-02-28 15:28 - 2014-07-16 13:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-28 15:28 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\System
2015-02-28 01:42 - 2014-11-17 13:28 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\Popcorn-Time
2015-02-26 23:33 - 2014-07-16 14:41 - 00000000 ___RD () C:\Users\Gebruiker\Dropbox
2015-02-26 23:33 - 2014-07-16 14:40 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-26 23:33 - 2014-07-16 13:34 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\Dropbox
2015-02-26 22:47 - 2014-07-17 17:48 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\vlc
2015-02-26 22:32 - 2015-01-04 01:39 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\CrashDumps
2015-02-26 21:49 - 2014-07-17 10:34 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\uTorrent
2015-02-26 17:04 - 2014-07-23 18:47 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\Spotify
2015-02-26 16:29 - 2014-07-23 18:47 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\Spotify
2015-02-26 14:04 - 2014-04-28 18:47 - 00000000 ____D () C:\DELL
2015-02-26 09:34 - 2013-08-22 14:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-02-25 06:35 - 2014-10-15 00:22 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\ManyCam
2015-02-24 16:41 - 2014-08-27 18:41 - 00000000 ____D () C:\Users\Gebruiker\AppData\Roaming\Skype
2015-02-23 19:52 - 2013-08-22 15:44 - 05321584 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-22 01:13 - 2014-11-17 13:27 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\Popcorn Time
2015-02-18 01:15 - 2014-10-05 00:01 - 00000000 ____D () C:\Users\Gebruiker\Reaction images
2015-02-16 19:10 - 2014-07-17 12:05 - 00000132 _____ () C:\Users\Gebruiker\AppData\Roaming\Adobe PNG Format CC Prefs
2015-02-16 00:16 - 2013-08-22 16:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-02-14 15:36 - 2014-07-10 00:42 - 00000000 ____D () C:\Users\Gebruiker
2015-02-12 15:50 - 2014-04-28 10:30 - 00000000 ____D () C:\Program Files (x86)\Dell
2015-02-12 15:50 - 2014-04-28 10:15 - 00000000 ____D () C:\Program Files\Dell
2015-02-11 10:42 - 2014-04-28 10:15 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-02-10 14:14 - 2014-07-10 01:05 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-10 14:12 - 2014-04-28 18:48 - 00000000 ____D () C:\Program Files (x86)\MSBuild
2015-02-10 14:12 - 2013-08-23 00:00 - 00000000 ____D () C:\Windows\ShellNew
2015-02-10 14:11 - 2013-08-22 16:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-02-07 00:48 - 2014-07-10 00:43 - 00000000 ____D () C:\Users\Gebruiker\AppData\Local\VirtualStore

==================== Files in the root of some directories =======

2014-07-17 12:05 - 2015-02-16 19:10 - 0000132 _____ () C:\Users\Gebruiker\AppData\Roaming\Adobe PNG Format CC Prefs
2015-01-04 01:10 - 2015-01-04 01:10 - 0000046 _____ () C:\Users\Gebruiker\AppData\Roaming\Camdata.ini
2015-01-04 01:10 - 2015-01-04 01:10 - 0000408 _____ () C:\Users\Gebruiker\AppData\Roaming\CamLayout.ini
2015-01-04 01:10 - 2015-01-04 01:10 - 0000408 _____ () C:\Users\Gebruiker\AppData\Roaming\CamShapes.ini
2015-01-04 01:10 - 2015-01-04 01:10 - 0004535 _____ () C:\Users\Gebruiker\AppData\Roaming\CamStudio.cfg
2015-01-25 17:12 - 2015-01-25 17:12 - 0002086 _____ () C:\Users\Gebruiker\AppData\Roaming\DYVDOG
2015-01-25 17:12 - 2015-01-25 17:12 - 0001248 _____ () C:\Users\Gebruiker\AppData\Roaming\INOFVH
2015-01-04 01:07 - 2015-01-04 01:07 - 0000096 _____ () C:\Users\Gebruiker\AppData\Roaming\version2.xml
2014-04-28 09:48 - 2014-04-28 09:48 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Files to move or delete:
====================
C:\ProgramData\StartMenuReviver.exe
C:\Users\Gebruiker\rtmpdump.exe


Some content of TEMP:
====================
C:\Users\Gebruiker\AppData\Local\Temp\14DD8C1F-06D7-1426-BF1C-B172FB775CAA.dll
C:\Users\Gebruiker\AppData\Local\Temp\14DD8C1F-06D7-1426-BF1C-B172FB775CAA.exe
C:\Users\Gebruiker\AppData\Local\Temp\8B541C6E-2B0D-DD6F-2619-AA6D957A0908.exe
C:\Users\Gebruiker\AppData\Local\Temp\AAMHelper.exe
C:\Users\Gebruiker\AppData\Local\Temp\AdobeApplicationManager.exe
C:\Users\Gebruiker\AppData\Local\Temp\core.exe
C:\Users\Gebruiker\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Gebruiker\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpmac0q1.dll
C:\Users\Gebruiker\AppData\Local\Temp\installapi.exe
C:\Users\Gebruiker\AppData\Local\Temp\start.exe
C:\Users\Gebruiker\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Gebruiker\AppData\Local\Temp\Uninstall.exe
C:\Users\Gebruiker\AppData\Local\Temp\update.exe
C:\Users\Gebruiker\AppData\Local\Temp\Vlc media player.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-09 13:11

==================== End Of Log ============================

 

Attached file: Addition.txt



#5 Elise (Malware Study Hall Admin, Romania)

Posted 11 March 2015 - 08:52 AM

Hello,

My apologies for the delay. Can you please tell me what problems the computer is having at this point?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#6 ChispHandon (Topic Starter)

Posted 11 March 2015 - 12:25 PM

Hello,

No problem :) The laptop is currently not being used, but when I turn it on and plug a USB stick / external HDD into it, it is automatically removed before I can access it. When I first got it, a few programs were also being installed on it while I was running scans with MBAM, all without my permission while UAC is set to high; I had this happen a few days ago as well while checking up on the machine. Plus the default search engine / startup page of all browsers seems to be stuck on the omnibox page, which I can't change via browser settings at all.

Apart from that, I'm just a little suspicious that there might be remnants of an infection left, or that there might still be an infection.


Cheers!



#7 Elise (Malware Study Hall Admin, Romania)

Posted 12 March 2015 - 06:14 AM

Hello,

Can you start a browser by launching its executable directly, not via a shortcut? You can do this for Chrome, for example, by navigating to c:\users\gebruiker\appdata\local\google\chrome\application and double-clicking chrome.exe.

Can you please rerun FRST, check Addition.txt, run the scan and post the Addition.txt log (no need for the FRST.txt log).


regards, Elise


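Elise's test above (launch chrome.exe directly and see whether the hijacked page still appears) isolates a common trick: browser hijackers frequently leave the browser binary untouched and instead edit the .lnk shortcuts on the desktop, taskbar and Start Menu so that a URL is passed as a command-line argument every time the shortcut is clicked. The following is an added example, not code from this thread, from FRST or from any other tool mentioned in it. It walks the MS-SHLLINK structures needed to recover a shortcut's target path and its argument string, and flags browser shortcuts whose arguments contain a URL. The browser list, the cp1252 code page used for the ANSI strings, the directory list in the main block and the sample shortcut (built in-memory with the constructed URL http://hijacked.example/) are all assumptions made for this example.

```python
# Added example for this thread: audit .lnk shortcuts for appended URLs.
# Not part of FRST or of any tool discussed above.
import os
import pathlib
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}  # assumption: browsers on this machine
URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+")
ANSI = "cp1252"  # assumption: the system ANSI code page of a Western European Windows install


def parse_lnk(data: bytes) -> dict:
    """Recover target path and StringData from a .lnk blob (ExtraData blocks are ignored)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # 2-byte IDListSize, then the ItemID list
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    target = None
    if flags & HAS_LINK_INFO:                       # LinkInfoSize, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset
        info_size, _, info_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:                        # VolumeIDAndLocalBasePath: null-terminated ANSI path
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode(ANSI, "replace")
        pos += info_size
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator follows
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else ANSI, "replace")
    return {"target": target, **fields}


def shortcut_is_hijacked(parsed: dict) -> bool:
    """A shortcut whose target is a browser and whose arguments carry a URL is suspect."""
    target = (parsed.get("target") or parsed.get("relative_path") or "").lower()
    exe = target.replace("/", "\\").rsplit("\\", 1)[-1]
    return exe in BROWSERS and URL_RE.search(parsed.get("arguments") or "") is not None


def build_sample_lnk(target: str, arguments: str = "") -> bytes:
    """Construct a minimal .lnk blob; sample data for this example, not a file from the machine."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty volume label
    base_path = target.encode(ANSI) + b"\x00"
    hdr_size, vol_off = 0x1C, 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + 1, hdr_size, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b"\x00"
    string_data = b""
    if arguments:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


def scan_shortcuts(paths) -> list:
    """Return (path, target, arguments) for every suspicious shortcut among paths."""
    findings = []
    for path in paths:
        with open(path, "rb") as fh:
            parsed = parse_lnk(fh.read())
        if shortcut_is_hijacked(parsed):
            findings.append((str(path), parsed["target"], parsed["arguments"]))
    return findings


if __name__ == "__main__":
    # Assumption: the usual shortcut locations on a Windows 8.1 profile.
    env = os.environ.get
    roots = [pathlib.Path(env("USERPROFILE", ".")) / "Desktop",
             pathlib.Path(env("APPDATA", ".")) / "Microsoft" / "Windows" / "Start Menu",
             pathlib.Path(env("APPDATA", ".")) / "Microsoft" / "Internet Explorer" / "Quick Launch",
             pathlib.Path(env("PROGRAMDATA", ".")) / "Microsoft" / "Windows" / "Start Menu"]
    lnks = [p for root in roots if root.exists() for p in root.rglob("*.lnk")]
    for path, target, args in scan_shortcuts(lnks):
        print(f"{path}\n    -> {target} {args}")
```

A shortcut that fails this check should be deleted and recreated from the browser's own executable rather than edited, and the same argument check is worth running on the taskbar's pinned shortcuts, which live under the Quick Launch folder included above.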


#8 ChispHandon (Topic Starter)

Posted 13 March 2015 - 05:41 AM

I currently don't have the machine with me; I'll do it on Sunday :)


Cheers and thanks for the help so far!



#9 Elise (Malware Study Hall Admin, Romania)

Posted 13 March 2015 - 08:21 AM

Okay, I'll wait for that. 


regards, Elise




#10 ChispHandon (Topic Starter)

Posted 15 March 2015 - 08:48 AM

Alright. I've launched Chrome and Firefox from their directories, and they seem to work fine from there. Would removing and then recreating the shortcut in the 8.1 menu solve the omnibox issue?

Here is the Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by Gebruiker at 2015-03-15 14:47:39
Running from C:\Users\Gebruiker\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM-x32\...\uTorrent) (Version: 2.0.2 - )
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.1 - Adobe Systems)
Adobe After Effects CC (HKLM-x32\...\{317243C1-6580-4F43-AED7-37D4438C3DD5}) (Version: 12 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.7.1.418 - Adobe Systems Incorporated)
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Photoshop CC (HKLM-x32\...\{2D99B50E-431D-4AA8-85C1-172A6F8BCF09}) (Version: 14.0 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) - Nederlands (HKLM-x32\...\{AC76BA86-7AD7-1043-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.5.155 - Adobe Systems, Inc.)
Adobe Update Management Tool (HKLM-x32\...\{534A7A1A-7102-4AF6-23EA-7CD279C7B625}_is1) (Version: 6.2 - PainteR)
AMD Catalyst Install Manager (HKLM\...\{7E6ACD66-B207-217A-4D56-070D89395CED}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Dell Data Vault (Version: 4.1.9.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{BC8233D8-59BA-4D40-92B9-4FDE7452AA8B}) (Version: 3.0.3999.0 - Dell Products, LP)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.0.6584.52 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{287348C8-8B47-4C36-AF28-441A3B7D8722}) (Version: 1.0.1.56462 - Dell)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 18.0.5.1 - Synaptics Incorporated)
Dropbox (HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\Dropbox) (Version: 3.2.6 - Dropbox, Inc.)
EPSON BX620FWD Series Printer Uninstall (HKLM\...\EPSON BX620FWD Series) (Version:  - SEIKO EPSON Corporation)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
FileHippo App Manager (HKLM-x32\...\FileHippo.com) (Version:  - FileHippo.com)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.22 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.22.1760 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3621 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology(patch version 3.0.1342.2) (HKLM\...\{302600C1-6BDF-4FD1-1311-148929CC1385}) (Version: 3.1.1311.0402 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.2.1000 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{85b9d34f-7397-4e39-8600-07942ef6ca04}) (Version: 17.0.5 - Intel Corporation)
K-Lite Codec Pack 6.5.0 (Basic) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 6.5.0 - )
Last.fm Scrobbler 2.1.36 (HKLM-x32\...\LastFM_is1) (Version:  - Last.fm)
League of Legends (HKLM-x32\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
League of Legends (x32 Version: 3.0.1 - Riot Games) Hidden
LibreOffice 4.4.0.3 (HKLM-x32\...\{8BEE1CDD-F95D-4759-952D-6B38DF99D1F0}) (Version: 4.4.0.3 - The Document Foundation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
ManyCam 4.0.110 (HKLM-x32\...\ManyCam) (Version: 4.0.110 - Visicom Media Inc.)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 36.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 36.0 (x86 en-GB)) (Version: 36.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
My Dell Client Framework (HKLM-x32\...\InstallShield_{05F1B866-2372-4E82-9AA8-C64FB11CEF8B}) (Version: 1.0.0.3 - Dell)
My Dell Client Framework (x32 Version: 1.0.0.3 - Dell) Hidden
OEM Application Profile (HKLM-x32\...\{70D5F822-F4C4-33D9-7EEC-2A4AF4EA7BDC}) (Version: 1.00.0000 - Uw bedrijfsnaam)
osu! (HKLM-x32\...\{d980e6fc-d562-40d7-9c4d-d509e056b59f}) (Version: latest - ppy Pty Ltd)
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Pictures Thumbnails Maker by Scorp (remove only) (HKLM-x32\...\Pictures Thumbnails Maker) (Version:  - )
PX Profile Update (x32 Version: 1.00.1. - AMD) Hidden
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 10.16.007 - Dell Inc.)
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Rainmeter (HKLM-x32\...\Rainmeter) (Version: 3.1 r2290 - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7152 - Realtek Semiconductor Corp.)
Replay Video Capture 6 (HKLM-x32\...\Replay Video Capture6.0.6) (Version: 6.0.6 - Applian Technologies Inc.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\Spotify) (Version: 0.9.15.27.g87efe634 - Spotify AB)
Start Menu Reviver (HKLM-x32\...\Start Menu Reviver) (Version: 2.5.0.18 - ReviverSoft)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System Requirements Lab for Intel (HKLM-x32\...\{04C4B49D-45D9-4A28-9ED1-B45CBD99B8C7}) (Version: 4.5.24.0 - Husdawg, LLC)
VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Winamp (HKLM-x32\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
WOT for Internet Explorer (HKLM\...\{373B90E1-A28C-434C-92B6-7281AFA6115A}) (Version: 13.9.2.0 - WOT Services Oy)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-761435834-2810594181-3668824124-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Gebruiker\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)

==================== Restore Points  =========================

10-02-2015 14:08:55 Revo Uninstaller's restore point - Microsoft Office Professional Plus 2010
18-02-2015 21:21:51 Scheduled checkpoint
27-02-2015 04:13:15 Scheduled checkpoint
28-02-2015 15:26:43 SPTD setup V1.86
01-03-2015 02:05:52 Malwarebytes Anti-Rootkit Restore Point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2014-07-17 11:49 - 2014-07-17 11:49 - 00000308 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1                   activate.adobe.com
127.0.0.1                   practivate.adobe.com
127.0.0.1                   lmlicenses.wip4.adobe.com
127.0.0.1                   lm.licenses.adobe.com
127.0.0.1                   na1r.services.adobe.com
127.0.0.1                   hlrcv.stage.adobe.com


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {1D49DA12-79A5-4745-B785-A727804E8B91} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\Dell\SupportAssist\uaclauncher.exe [2015-02-03] (PC-Doctor, Inc.)
Task: {5E30FFE6-CEF4-4D96-B8D5-D33A66CF98E0} - System32\Tasks\PCDoctorBackgroundMonitorTask-Delay => C:\Program Files\Dell\SupportAssist\uaclauncher.exe [2015-02-03] (PC-Doctor, Inc.)
Task: {5F3BD4E6-616B-4180-9890-B45643CB1E57} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\Dell\SupportAssist\sessionchecker.exe [2015-02-03] (PC-Doctor, Inc.)
Task: {667F545C-9C5D-4B10-92E0-B33D09A0CA19} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-stefan_smulders@live.nl => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2014-02-27] (Adobe Systems Incorporated)
Task: {6F6A24FA-E206-4EA3-9AF4-EE7E2A84CE39} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2015-02-19] (Microsoft)
Task: {88993363-2547-4396-B94C-FD42F54CE208} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {B04279C3-5E12-4D52-B820-C34DA89BCA4E} - System32\Tasks\ReviverSoft Start Menu Run once task => C:\Program Files\ReviverSoft\Start Menu Reviver\StartMenuReviver.exe [2014-09-17] (ReviverSoft)
Task: {B9850DD1-BF87-489D-9007-51B078F59979} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {C2257AEB-140B-486F-8B3A-7725076CB876} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-16] (Google Inc.)
Task: {C3C6A3F7-5AFD-4A0C-9585-C0516EC32FC3} - System32\Tasks\Aviata\PowerRegister\Dell Reminder (Gebruiker) => C:\Program Files (x86)\Dell Product Registration\prodreg.exe
Task: {D8BE0ADD-98CA-4B72-8016-4DCA86A5EB6E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-16] (Google Inc.)
Task: C:\Windows\Tasks\Dell SupportAssistAgent AutoUpdate.job => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2014-01-10 13:53 - 2014-01-10 13:53 - 00016384 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.Interfaces.dll
2014-01-10 13:53 - 2014-01-10 13:53 - 00081408 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.Objects.dll
2014-01-10 13:53 - 2014-01-10 13:53 - 00815616 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.Resources.dll
2014-01-10 14:24 - 2014-01-10 14:24 - 00052736 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.Client.Pulse.Agent.Plugins.SelfUpdate.dll
2014-01-10 14:24 - 2014-01-10 14:24 - 00019968 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.Client.Pulse.Agent.Common.dll
2014-07-16 10:06 - 2014-07-16 10:06 - 00672416 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
2014-11-24 11:39 - 2014-11-24 11:39 - 00155528 _____ () C:\Program Files (x86)\Dell Digital Delivery\ServiceTagPlusPlus.dll
2014-04-28 10:15 - 2013-12-18 18:53 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2015-03-15 14:45 - 2015-03-15 14:45 - 00011264 _____ () C:\Users\Gebruiker\AppData\Local\Temp\nsm5C54.tmp\System.dll
2015-03-15 14:45 - 2015-03-15 14:45 - 00030208 _____ () C:\Users\Gebruiker\AppData\Local\Temp\nsm5C54.tmp\UAC.dll
2015-03-15 14:45 - 2015-03-15 14:45 - 00068096 _____ () C:\Users\Gebruiker\AppData\Local\Temp\nsm5C54.tmp\DropboxNSISTools.dll
2015-03-15 14:46 - 2015-03-15 14:46 - 06196304 _____ () C:\Program Files (x86)\Google\Update\Install\{6F726527-37C8-4DA7-B70B-185A255DC88A}\43.0.2327.5_42.0.2311.22_chrome64_updater.exe

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Gebruiker\Cookies:32Tt0sBzTgFl6qwT5Vn9qmQD
AlternateDataStreams: C:\Users\Gebruiker\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Gebruiker\AppData\Local\i79PrG1N5slR:3k4sXyJzrZ2KIAdnlU0Pv

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-761435834-2810594181-3668824124-1001\Control Panel\Desktop\\Wallpaper -> D:\002. Wallpapers\Applicable\2880x1800.jpg
DNS Servers: 192.168.2.254 - 195.241.77.55

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: BDESVC => 3
HKLM\...\StartupApproved\Run: => "BTMTrayAgent"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run: => "Monitor"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "BCSSync"
HKLM\...\StartupApproved\Run32: => "AdobeCEPServiceManager"
HKLM\...\StartupApproved\Run32: => "Acrobat Assistant 8.0"
HKLM\...\StartupApproved\Run32: => "Adobe Acrobat Speed Launcher"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "AdobeCS6ServiceManager"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\StartupApproved\StartupFolder: => "Dropbox.lnk"
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\StartupApproved\StartupFolder: => "Rainmeter.lnk"
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\StartupApproved\Run: => "FileHippo.com"
HKU\S-1-5-21-761435834-2810594181-3668824124-1001\...\StartupApproved\Run: => "AlcoholAutomount"

==================== Accounts: =============================

Administrator (S-1-5-21-761435834-2810594181-3668824124-500 - Administrator - Disabled)
Gast (S-1-5-21-761435834-2810594181-3668824124-501 - Limited - Disabled)
Gebruiker (S-1-5-21-761435834-2810594181-3668824124-1001 - Administrator - Enabled) => C:\Users\Gebruiker

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (03/15/2015 02:48:00 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:47:30 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:47:00 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:46:30 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:46:00 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:45:30 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:45:00 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:44:30 PM) (Source: DCOM) (EventID: 10010) (User: LAPTOP--STEFAN)
Description: {9AA46009-3CE0-458A-A354-715610A075E6}

Error: (03/15/2015 02:44:20 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (03/15/2015 02:44:07 PM) (Source: bowser) (EventID: 8016) (User: )
Description: The browser driver has received too many illegal datagrams from the remote computer EXPERIA to name LAPTOP--STEFAN on transport NetBT_Tcpip_{7C4B0DB6-CDDF-43FD-BEC1-1AD45CEE1E98}.  The data is the datagram.
No more events will be generated until the reset frequency has expired.


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-03-01 01:54:28.936
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-02-26 14:21:40.331
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-02-24 14:04:48.223
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-02-07 23:45:49.593
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-02-07 23:45:49.496
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-02-02 03:06:45.875
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-02-02 03:06:45.813
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-01-14 18:17:40.219
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-01-14 18:17:40.055
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2015-01-13 00:47:34.386
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\amdhdl64.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™ i7-4510U CPU @ 2.00GHz
Percentage of memory in use: 38%
Total physical RAM: 8072.96 MB
Available physical RAM: 4995.17 MB
Total Pagefile: 9352.96 MB
Available Pagefile: 6704.85 MB
Total Virtual: 131072 MB
Available Virtual: 131071.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:461.94 GB) (Free:363.29 GB) NTFS
Drive d: (GFX) (Fixed) (Total:457.97 GB) (Free:414.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 287A80D3)

Partition: GPT Partition Type.

==================== End Of Log ============================

 

 

Cheers!



#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:10 PM

Posted 15 March 2015 - 12:54 PM

You can just right click the shortcut and select Properties. Look at the Target box, what is present there?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 ChispHandon

ChispHandon
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:10 PM

Posted 15 March 2015 - 03:26 PM

Firefox has this in it:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.omniboxes.com/?type=sc&ts=1425134360&from=obw&uid=ST1000LM024XHN-M101MBB_S314J90F325096325096

And Chrome this:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.omniboxes.com/?type=sc&ts=1425134360&from=obw&uid=ST1000LM024XHN-M101MBB_S314J90F325096325096

 

I guess I can remove the site from there to get Google back as default start page / search engine?

Is there anything in the addition.txt log to worry about? There are a few things in the log that strike me as weird/I don't recognise:
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
PX Profile Update (x32 Version: 1.00.1. - AMD) Hidden

Task: {88993363-2547-4396-B94C-FD42F54CE208} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
 

I also see that there are a lot of instances of Visual C++ installed, can I remove the older versions or does Windows need them all to work properly?

 

 

Cheers!
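As an added example (not code from this thread or from any of the tools named in it), a PowerShell check that applies Elise's "look at the Target box" advice to every shortcut at once: it reads the target of browser shortcuts in the usual shortcut folders and flags those whose arguments carry a URL, which is what the two targets quoted above show. The folder list and the browser executable names are assumptions; `-Fix` clears the appended argument after you have reviewed the report.

```powershell
# Added example: find browser shortcuts whose arguments were hijacked with a URL.
# Assumed shortcut locations and browser names; adjust for the machine at hand.
param([switch]$Fix)

$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

# Browser executables whose shortcuts are commonly modified this way (assumed list).
$Browsers = 'firefox.exe', 'chrome.exe', 'iexplore.exe', 'opera.exe'

$shell = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $ShortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $exe = [IO.Path]::GetFileName([string]$lnk.TargetPath).ToLower()
    if ($Browsers -notcontains $exe) { return }

    # A clean browser shortcut normally has an empty Arguments field; a URL
    # (http://, https:// or www.) there is the marker seen in the Target box.
    if ($lnk.Arguments -match '(?i)(https?://|www\.)\S+') {
        $hit = [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Fixed     = $false
        }
        if ($Fix) {
            $lnk.Arguments = ''   # leave only the quoted .exe path as the target
            $lnk.Save()
            $hit.Fixed = $true
        }
        $hit
    }
  }
```

Clearing the shortcut only restores how the browser is launched; it does not reset a homepage, startup page or default search engine that was changed inside the browser's own settings.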



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:10 PM

Posted 15 March 2015 - 04:21 PM

Yes, just remove everything after the last "
 
For Visual C, better leave them there; a program may need a specific version of the runtime environment.
 
As for the other two, you can just uninstall the programs.


Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search and when the scan is done on Report.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

regards, Elise




#14 ChispHandon

ChispHandon
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:10 PM

Posted 17 March 2015 - 07:02 AM

After removing the link from Chrome it still opens on the omniboxes page rather than Google.

 

Adwcleaner log:

 

# AdwCleaner v4.111 - Logfile created 17/03/2015 at 13:01:48
# Updated 18/02/2015 by Xplode
# Database : 2015-03-15.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Gebruiker - LAPTOP--STEFAN
# Running from : C:\Users\Gebruiker\Desktop\Malware programs\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\GEBRUI~1\AppData\Local\Temp\Uninstall.exe
File Found : C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage
File Found : C:\Users\Gebruiker\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\CheckMeUp
Key Found : HKCU\Software\GlobalUpdate
Key Found : HKCU\Software\InstalledBrowserExtensions
Key Found : HKCU\Software\Mozilla\Extends
Key Found : HKCU\Software\onekit
Key Found : HKCU\Software\TutoTag
Key Found : [x64] HKCU\Software\GlobalUpdate
Key Found : [x64] HKCU\Software\InstalledBrowserExtensions
Key Found : [x64] HKCU\Software\onekit
Key Found : [x64] HKCU\Software\TutoTag
Key Found : HKLM\SOFTWARE\Classes\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Found : HKLM\SOFTWARE\Classes\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}
Key Found : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine
Key Found : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass.1
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass.1
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback.1.0
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc
Key Found : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc.1.0
Key Found : HKLM\SOFTWARE\Driver-Soft
Key Found : HKLM\SOFTWARE\GlobalUpdate
Key Found : HKLM\SOFTWARE\InstalledBrowserExtensions
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
Key Found : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17239


-\\ Mozilla Firefox v36.0.1 (x86 en-GB)


-\\ Google Chrome v43.0.2327.5

*************************

AdwCleaner[R0].txt - [5156 bytes] - [01/03/2015 18:04:56]
AdwCleaner[R1].txt - [5242 bytes] - [17/03/2015 13:01:48]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [5301 bytes] ##########
 

 

 

Cheers!


Edited by ChispHandon, 17 March 2015 - 07:03 AM.


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,200 posts
  • Gender:Female
  • Location:Romania
  • Local time:07:10 PM

Posted 17 March 2015 - 07:23 AM

Please rerun AdwCleaner and click the Clean button. Let me know if the problem still persists afterwards.


regards, Elise



