
Possible router / dns / mitm / malware problem. Please help


This topic is locked
4 replies to this topic

#1 Patrick_Michael

Posted 01 March 2015 - 04:54 AM

Hey all, having a terrible time in the last 2 days with laptops, hope someone can help. I have my final exams starting in the morning and need peace of mind + laptop...

Ok, there are 2 laptops on the home network.

Device 1: My laptop

Device 2: Brand new, a week old and only used for Word and Facebook. Parent owns it.

I was online 2 days ago, and was on some sites that probably led to this.. looking up about malware etc. Learning.

I was then just on Google and got a popup notification.

[screenshot of the popup notification]

I left this and it disappeared after 20 seconds. It had an Adobe Flash icon on the button in the taskbar. I did full scans and deleted all programs I did not use.. I did scans with a good few pieces of software and there seemed to be some malware for httpserver and dns. Even though it said I was connected to the net, all my pages were not loading, saying dns wrong etc...

I also sent my friend a privnote message on Facebook, which destructs after it's read.. he came onto me 25 minutes after and asked did I read it as someone had.. my messages to people showed up on Facebook then were gone.. then I was getting people's comments in mail twice.. I did an update on Windows, and when I restarted I was asked twice for certificates for websites, I've never been asked that before, and it said remote desktop something. So I worried it was a MITM attack..

That is Device one. That laptop is not as much of a concern now as I have formatted the HD, as I want to use the disk for the new laptop I am getting next week.

So Device Two:

As device 1 was now fully formatted, I was using device two the following day (yesterday). I rang my ISP to reset the router to factory settings, which they did. And I was able to log on to the router. The only sites I was on were router / ISP / Facebook and some news channels.

At roughly the same time as the night before I got the popup I showed above, but this time on the parents' laptop.. again it disappeared after 20 seconds... when I went back to Facebook and clicked, I was taken to the Facebook log in screen. I was flicking back and forth through Facebook all day and was not logged out, and it happened immediately after this popup..

I am wondering, could there be a problem with the router?

Does this sound strange to you?

Here is what I have since done... I just went off the net immediately...

Device two is a Packard Bell, I only had about 30 documents on it.. so I went to an option and completely reinstalled the OS. Took about 5 hrs to complete. I pressed 'reset' on the router, and also flushed the DNS on device two once I booted it up.

My main concern is that I can't change the password to log into the router via http until tomorrow when the ISP company is open.. I don't know how this works really, so not sure if the person might still be able to access the router... even though I reset it, he will have the password if he saw it from the last time it was entered...

Could someone give me advice on that, and also check my new logs of device 2? Remember I just did these logs 1 hr after reinstall and putting the router back on after reset... I'm paranoid now that later on it will be the same again. Any help is great. Peace of mind as I have my final exams next week :(

I used Farbar and RogueKiller for scans.

 

ROGUE

Mentioned something about rootkits / registries and suspicious paths...

RogueKiller V10.4.3.0 (x64) [Feb 23 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : martha [Administrator]
Mode : Scan -- Date : 03/01/2015  09:49:54

¤¤¤ Processes : 3 ¤¤¤
[Suspicious.Path] StartMenuIndexer.exe(3292) -- C:\Users\martha\AppData\Local\Pokki\Engine\StartMenuIndexer.exe[7] -> Killed [TermProc]
[Suspicious.Path] HostAppService.exe(5048) -- C:\Users\martha\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermProc]
[Suspicious.Path] HostAppService.exe(4384) -- C:\Users\martha\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermThr]

¤¤¤ Registry : 9 ¤¤¤
[PUP] (X64) HKEY_USERS\S-1-5-21-2769397640-272711212-1721135954-1001\Software\Microsoft\Windows\CurrentVersion\Run | Pokki : C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\Launcher.dll",RunLaunchPlatform  -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2769397640-272711212-1721135954-1001\Software\Microsoft\Windows\CurrentVersion\Run | Pokki : C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\Launcher.dll",RunLaunchPlatform  -> Found
[Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EraserUtilRebootDrv (\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2769397640-272711212-1721135954-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com/?pc=APJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2769397640-272711212-1721135954-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://acer13.msn.com/?pc=APJB  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (firefox.exe) icuuc52.dll - uprv_tzset_52 : C:\Program Files (x86)\Mozilla Firefox\MSVCR120.dll @ 0x74a9f703 (jmp dword near [0x723a8160])

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 +++++
--- User ---
[MBR] 79f764f224413beab329619544558265
[BSP] a54a7d51029eeed027cf622ad55dcd64 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1845248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2107392 | Size: 459837 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 943853568 | Size: 16074 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03012015_072907.log

Farbar FRST

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-02-2015
Ran by martha (administrator) on mar on 01-03-2015 08:23:40
Running from C:\Users\martha\Downloads
Loaded Profiles: martha (Available profiles: martha)
Platform: Windows 8.1 Connected (X64) OS Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Intel(R) Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Launch Manager\LMSvc.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(TODO: <Company name>) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Launch Manager\LMEvent.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Quick Access\QASvc.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Launch Manager\LMTray.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Quick Access\QAEvent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe
(Acer Incorporated) C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Quick Access\RMSvc.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Quick Access\QAMsg.exe
(Acer Incorporate) C:\Program Files\Packard Bell\Packard Bell Quick Access\QuickAccess.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Users\martha\Downloads\RogueKillerX64.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\AOP Framework\CCDMonitorService.exe
(Acer Cloud Technology) C:\Program Files (x86)\Acer\AOP Framework\acer\ccd.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\AOP Framework\BackgroundAgent.exe
() C:\Program Files (x86)\Acer\abDocs\abDocsDllLoader.exe
() C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe
(Acer Incorporated) C:\Users\martha\AppData\Local\clear.fi\Portal\AcerPortalSetup.exe
(Acer Incorporated) C:\Windows\Temp\7zS2F2C.tmp\AcerPortalSetup.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13672304 2014-03-21] (Realtek Semiconductor)
HKLM-x32\...\Run: [Adobe ARM] => c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BacKGround Agent] => C:\Program Files (x86)\Acer\AOP Framework\BackgroundAgent.exe [62208 2014-12-19] (Acer Incorporated)
HKLM-x32\...\Run: [abDocsDllLoader] => C:\Program Files (x86)\Acer\abDocs\abDocsDllLoader.exe [90880 2014-12-19] ()
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [134784 2014-02-25] ( (Qualcomm®Atheros®))
HKU\S-1-5-21-2769397640-272711212-1721135954-1001\...\Run: [Pokki] => C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\Launcher.dll",RunLaunchPlatform
HKU\S-1-5-21-2769397640-272711212-1721135954-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2769397640-272711212-1721135954-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com/?pc=APJB
HKU\S-1-5-21-2769397640-272711212-1721135954-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com/?pc=APJB
SearchScopes: HKLM -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2769397640-272711212-1721135954-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2769397640-272711212-1721135954-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?PC=WCUG&FORM=WCUGDF&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2769397640-272711212-1721135954-1001 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = http://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\martha\AppData\Roaming\Mozilla\Firefox\Profiles\7oiibfvb.default
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> c:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\IPSFF [2015-03-01]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn [2015-03-01]

Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\Exts\Chrome.crx [2014-05-06]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [319104 2014-02-25] (Windows (R) Win 7 DDK provider) [File not signed]
R2 CCDMonitorService; C:\Program Files (x86)\Acer\AOP Framework\CCDMonitorService.exe [2713856 2014-12-19] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe [2573544 2014-03-21] (Acer Incorporated)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [235008 2013-07-16] (TODO: <Company name>) [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-18] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-01] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-01] (Intel(R) Corporation)
R2 LMSvc; C:\Program Files\Packard Bell\Packard Bell Launch Manager\LMSvc.exe [459496 2014-03-17] (Acer Incorporate)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\NIS.exe [275696 2013-10-08] (Symantec Corporation)
R3 QASvc; C:\Program Files\Packard Bell\Packard Bell Quick Access\QASvc.exe [457960 2014-03-21] (Acer Incorporate)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [254512 2012-04-24] ()
R3 RMSvc; C:\Program Files\Packard Bell\Packard Bell Quick Access\RMSvc.exe [449768 2014-03-21] (Acer Incorporate)
S2 SymSilent; C:\Program Files (x86)\SymSilent\SymSilent.exe [1061296 2014-05-06] (Symantec Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2014-06-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-06-25] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [8536752 2013-07-01] (Broadcom Corporation)
R1 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20131002.001\BHDrvx64.sys [1525848 2013-09-26] (Symantec Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-02-25] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1501000.012\ccSetx64.sys [162392 2013-09-26] (Symantec Corporation)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2015-02-28] (Symantec Corporation)
U3 EraserUtilDrv11411; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11411.sys [142640 2015-02-28] (Symantec Corporation)
S3 GPIO; C:\Windows\System32\drivers\iaiogpioe.sys [31232 2013-11-11] (Intel Corporation)
R3 iaioi2c; C:\Windows\System32\drivers\iaioi2ce.sys [67584 2013-11-11] (Intel Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20130930.001\IDSVia64.sys [520280 2013-09-24] (Symantec Corporation)
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
R3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20150228.001\ENG64.SYS [129752 2015-02-28] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20150228.001\EX64.SYS [2137304 2015-02-28] (Symantec Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [36600 2014-08-19] (Riverbed Technology, Inc.)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 SRTSP; C:\Windows\system32\drivers\NISx64\1501000.012\SRTSP64.SYS [858200 2013-09-27] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1501000.012\SRTSPX64.SYS [36952 2013-09-10] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1501000.012\SYMDS64.SYS [493656 2013-09-10] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1501000.012\SYMEFA64.SYS [1147480 2013-09-27] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\NISx64\1501000.012\SymELAM.sys [23568 2013-09-10] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-05-06] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1501000.012\Ironx64.SYS [264280 2013-09-27] (Symantec Corporation)
R1 SymNetS; C:\Windows\system32\drivers\NISx64\1501000.012\SYMNETS.SYS [590936 2013-09-26] (Symantec Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [42224 2014-02-19] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-03-01] ()
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124760 2014-06-25] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-01 12:07 - 2015-03-01 12:07 - 00000000 _____ () C:\Recovery.txt
2015-03-01 08:24 - 2015-03-01 08:24 - 00003334 _____ () C:\Windows\System32\Tasks\AcerCloud
2015-03-01 08:24 - 2015-03-01 08:24 - 00002036 _____ () C:\Users\Public\Desktop\Acer Portal.lnk
2015-03-01 08:23 - 2015-03-01 08:24 - 00013072 _____ () C:\Users\martha\Downloads\FRST.txt
2015-03-01 08:23 - 2015-03-01 08:23 - 00000000 ____D () C:\FRST
2015-03-01 08:22 - 2015-03-01 08:23 - 00002009 _____ () C:\Users\Public\Desktop\abMedia.lnk
2015-03-01 08:22 - 2015-03-01 08:22 - 02092544 _____ (Farbar) C:\Users\martha\Downloads\frst64.exe
2015-03-01 08:21 - 2015-03-01 08:21 - 00001007 _____ () C:\Users\Public\Desktop\abPhoto.lnk
2015-03-01 08:20 - 2015-03-01 08:21 - 00000000 ____D () C:\Program Files (x86)\Nmap
2015-03-01 08:20 - 2015-03-01 08:20 - 00001977 _____ () C:\Users\Public\Desktop\abDocs.lnk
2015-03-01 08:20 - 2015-03-01 08:20 - 00000000 ____D () C:\Program Files\WinPcap
2015-03-01 08:19 - 2015-03-01 08:19 - 27111830 _____ (Insecure.org) C:\Users\martha\Downloads\nmap-6.47-setup.exe
2015-03-01 08:19 - 2015-03-01 08:19 - 00000000 ____D () C:\Users\martha\AppData\Local\AOP SDK
2015-03-01 08:17 - 2015-03-01 08:17 - 00000000 ____D () C:\Users\Public\OEM
2015-03-01 08:17 - 2015-03-01 08:17 - 00000000 ____D () C:\Users\martha\Documents\clear.fi
2015-03-01 08:15 - 2015-03-01 08:15 - 00000000 ____D () C:\Users\martha\Documents\nmap-6.47-win32
2015-03-01 08:08 - 2015-03-01 08:08 - 05325696 _____ (Piriform Ltd) C:\Users\martha\Downloads\ccsetup503.exe
2015-03-01 08:08 - 2015-03-01 08:08 - 00002774 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-03-01 08:08 - 2015-03-01 08:08 - 00000846 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-03-01 08:08 - 2015-03-01 08:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-03-01 08:08 - 2015-03-01 08:08 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-01 08:04 - 2015-03-01 08:04 - 00639912 _____ (Oracle Corporation) C:\Users\martha\Downloads\jxpiinstall.exe
2015-03-01 07:44 - 2015-03-01 07:44 - 00019762 _____ () C:\Windows\SysWOW64\Result.txt
2015-03-01 07:43 - 2015-03-01 07:43 - 02020788 _____ () C:\Users\martha\Downloads\ipscan-win64-3.3.2.exe
2015-03-01 07:42 - 2015-03-01 07:42 - 00401920 _____ (Farbar) C:\Users\martha\Downloads\MiniToolBox.exe
2015-03-01 07:23 - 2015-03-01 07:23 - 00000000 ____D () C:\Users\martha\AppData\Roaming\Macromedia
2015-03-01 07:20 - 2015-03-01 07:20 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-01 07:20 - 2015-03-01 07:20 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-03-01 07:19 - 2015-03-01 07:19 - 18687064 _____ () C:\Users\martha\Downloads\RogueKillerX64.exe
2015-03-01 07:16 - 2015-03-01 07:17 - 00000000 ____D () C:\Users\martha\AppData\Roaming\Mozilla
2015-03-01 07:16 - 2015-03-01 07:17 - 00000000 ____D () C:\Users\martha\AppData\Local\Mozilla
2015-03-01 07:16 - 2015-03-01 07:16 - 00001183 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-03-01 07:16 - 2015-03-01 07:16 - 00001171 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-03-01 07:16 - 2015-03-01 07:16 - 00000000 ____D () C:\ProgramData\Mozilla
2015-03-01 07:16 - 2015-03-01 07:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-03-01 07:16 - 2015-03-01 07:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-03-01 06:14 - 2015-03-01 06:14 - 00003910 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{8B332FAB-417A-4E72-9672-134F788F1F5E}
2015-03-01 06:14 - 2015-03-01 06:14 - 00000000 __SHD () C:\Users\martha\AppData\Local\EmieUserList
2015-03-01 06:14 - 2015-03-01 06:14 - 00000000 __SHD () C:\Users\martha\AppData\Local\EmieSiteList
2015-03-01 06:14 - 2015-03-01 06:14 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2015-03-01 05:00 - 2015-03-01 08:23 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2769397640-272711212-1721135954-1001
2015-03-01 04:59 - 2015-03-01 04:59 - 00000000 ____D () C:\Users\Public\Pokki
2015-03-01 04:58 - 2015-03-01 04:58 - 00002303 _____ () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
2015-03-01 04:58 - 2015-03-01 04:58 - 00002132 _____ () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pokki Start Menu.lnk
2015-03-01 04:56 - 2015-03-01 08:23 - 00000000 ____D () C:\Users\martha\AppData\Local\clear.fi
2015-03-01 04:56 - 2015-03-01 04:56 - 00000000 ____D () C:\Users\martha\PicStream
2015-03-01 04:55 - 2015-03-01 04:55 - 00001284 _____ () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HD Audio Manager.lnk
2015-03-01 04:55 - 2015-03-01 04:55 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2015-03-01 04:55 - 2015-03-01 04:55 - 00000000 ____D () C:\Windows\System32\Tasks\Norton Internet Security
2015-03-01 04:55 - 2015-03-01 04:55 - 00000000 ____D () C:\Users\martha\AppData\Roaming\Atheros
2015-03-01 04:55 - 2015-03-01 04:55 - 00000000 ____D () C:\Users\martha\AppData\Roaming\Adobe
2015-03-01 04:55 - 2015-03-01 04:55 - 00000000 ____D () C:\ProgramData\OEM_YAHOO
2015-03-01 04:55 - 2015-03-01 04:55 - 00000000 ____D () C:\Program Files (x86)\OEM
2015-03-01 04:54 - 2015-03-01 04:56 - 00000000 ____D () C:\Users\martha\AppData\Local\Packages
2015-03-01 04:54 - 2015-03-01 04:55 - 00001454 _____ () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-01 04:54 - 2015-03-01 04:54 - 00000180 _____ () C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-03-01 04:54 - 2015-03-01 04:54 - 00000020 ___SH () C:\Users\martha\ntuser.ini
2015-03-01 04:54 - 2015-03-01 04:54 - 00000000 ____D () C:\Users\martha\AppData\Local\VirtualStore
2015-03-01 04:53 - 2015-03-01 08:18 - 00202467 _____ () C:\Windows\WindowsUpdate.log
2015-03-01 04:53 - 2015-03-01 04:59 - 00000000 ____D () C:\Users\martha\AppData\Local\Pokki
2015-03-01 04:53 - 2015-03-01 04:56 - 00000000 ____D () C:\Users\martha
2015-03-01 04:53 - 2014-06-25 16:34 - 00000000 ___RD () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-01 04:53 - 2014-03-18 10:00 - 00000000 ___RD () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-01 04:53 - 2014-03-18 09:49 - 00000369 _____ () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2015-03-01 04:53 - 2014-03-18 09:49 - 00000369 _____ () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2015-03-01 04:53 - 2013-08-22 15:36 - 00000000 ___RD () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-01 04:53 - 2013-08-22 15:36 - 00000000 ____D () C:\Users\martha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2021-10-21 13:36 - 2014-06-25 07:59 - 00000852 _____ () C:\Windows\system32\Drivers\RTKHDRC.DAT
2021-10-04 07:34 - 2014-06-25 07:59 - 00000712 _____ () C:\Windows\system32\Drivers\RTMICEQ0.DAT
2015-03-01 12:07 - 2013-08-22 15:36 - 00262144 _____ () C:\Windows\system32\config\BCD-Template
2015-03-01 08:24 - 2014-06-25 08:27 - 00000000 ____D () C:\ProgramData\OEM
2015-03-01 08:24 - 2014-06-25 08:20 - 00000000 ____D () C:\Program Files (x86)\Acer
2015-03-01 08:24 - 2014-06-25 08:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acer
2015-03-01 08:24 - 2013-08-22 15:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-03-01 08:19 - 2014-05-06 04:10 - 00000000 ___HD () C:\OEM
2015-03-01 08:00 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\system32\sru
2015-03-01 06:14 - 2013-08-22 14:46 - 00013696 _____ () C:\Windows\setupact.log
2015-03-01 05:02 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-03-01 04:55 - 2014-05-06 04:15 - 00000000 ____D () C:\Windows\Panther
2015-03-01 04:54 - 2014-05-06 03:45 - 00000000 ____D () C:\ProgramData\Norton
2015-03-01 04:54 - 2013-08-22 13:25 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-03-01 04:53 - 2014-03-18 09:47 - 00863592 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-01 03:08 - 2013-08-22 15:36 - 00000000 ____D () C:\Windows\rescache
2015-03-01 03:08 - 2013-08-22 14:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-01 03:07 - 2013-08-22 14:44 - 00344624 _____ () C:\Windows\system32\FNTCACHE.DAT

==================== Files in the root of some directories =======

2014-06-25 07:59 - 2014-06-25 07:59 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\martha\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-05-06 03:16

==================== End Of Log ============================

Farbar Addition

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-02-2015
Ran by martha at 2015-03-01 08:25:46
Running from C:\Users\martha\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Internet Security (Enabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Enabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Enabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

abDocs (HKLM-x32\...\{CA4FE8B0-298C-4E5D-A486-F33B126D6A0A}) (Version: 1.05.2005 - Acer Incorporated)
abDocs Office AddIn (HKLM-x32\...\{DCBF3379-246B-47E1-8173-639B63940838}) (Version: 3.01.2006 - Acer Incorporated)
abMedia (HKLM-x32\...\{E9AF1707-3F3A-49E2-8345-4F2D629D0876}) (Version: 2.06.2003.0 - Acer Incorporated)
Acer Photo (HKLM-x32\...\{b5ad89f2-03d3-4206-8487-018298007dd0}) (Version: 2.04.2006.0 - Acer Incorporated)
Acer Portal (HKLM-x32\...\{A5AD0B17-F34D-49BE-A157-C8B3D52ACD13}) (Version: 3.04.2002 - Acer Incorporated)
Acer Remote Files (HKLM\...\{13885028-098C-4799-9B71-27DAC96502D5}) (Version: 1.02.2003 - Acer Incorporated)
Acer Video Player (HKLM-x32\...\{B6846F20-4821-11E3-8F96-0800200C9A66}) (Version: 1.00.2001.4 - Acer Incorporated)
Adobe Reader XI (11.0.04)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.04 - Adobe Systems Incorporated)
Aloha TriPeaks (x32 Version: 2.2.0.98 - WildTangent) Hidden
AOP Framework (HKLM-x32\...\{4A37A114-702F-4055-A4B6-16571D4A5353}) (Version: 3.04.2001.2 - Acer Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.03 - Piriform)
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
CyberLink PhotoDirector 3 (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.4917 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.3721 - CyberLink Corp.)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.3914.57 - CyberLink Corp.)
eBay Worldwide (HKLM-x32\...\{91589413-6675-4C27-8AFC-EFB9103B90A5}) (Version: 2.4.0105 - OEM)
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.8101 - Packard Bell)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3496 - Intel Corporation)
Intel(R) Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.8100 - Packard Bell)
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Magic Academy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 36.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 36.0 (x86 en-US)) (Version: 36.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 36.0 - Mozilla)
Nmap 6.47 (HKLM-x32\...\Nmap) (Version:  - )
Norton Internet Security (HKLM-x32\...\NIS) (Version: 21.1.0.18 - Symantec Corporation)
Packard Bell Explorer Agent (HKLM\...\{4D0F42CF-1693-43D9-BDC8-19141D023EE0}) (Version: 2.00.3000 - Packard Bell)
Packard Bell Launch Manager (HKLM\...\{C18D55BD-1EC6-466D-B763-8EEDDDA9100E}) (Version: 8.00.8105 - Packard Bell)
Packard Bell Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.8104 - Packard Bell)
Packard Bell Quick Access (HKLM\...\{C1FA525F-D701-4B31-9D32-504FC0CF0B98}) (Version: 1.01.3012 - Packard Bell)
Packard Bell Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.8106 - Packard Bell)
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Pokki Start Menu (HKU\S-1-5-21-2769397640-272711212-1721135954-1001\...\Pokki) (Version: 0.269.2.261 - Pokki)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.318 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.29 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9600.39054 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7209 - Realtek Semiconductor Corp.)
Spotify (HKLM-x32\...\Spotify) (Version: 0.9.6.81.gd359a796 - Spotify AB)
The Chronicles of Emerland Solitaire (x32 Version: 3.0.2.32 - WildTangent) Hidden
Trinklit Supreme (x32 Version: 2.2.0.98 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (x32 Version: 4.0.10.20 - WildTangent) Hidden
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - CACE Technologies)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 13:25 - 2013-08-22 13:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {149E68D0-8CBC-40DC-85A9-413C1DF5C609} - System32\Tasks\FUB => C:\Program Files (x86)\Packard Bell\Identity Card\FUB.bat [2012-05-29] ()
Task: {2B9B397C-EAA9-4085-8C26-98D1B351669E} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\WSCStub.exe [2013-10-08] (Symantec Corporation)
Task: {2C9D53C4-587B-4B32-AFBE-C15A7A496C3E} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Packard Bell\Packard Bell Recovery Management\Notification\Notification.exe [2014-03-18] (Acer Incorporated)
Task: {34AF29F8-ED8E-4F52-A8F8-8C76265FB136} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-02-19] (Piriform Ltd)
Task: {3932CA4E-8BA2-44D8-BA76-43A5F72451BF} - System32\Tasks\ALU => C:\Program Files (x86)\Packard Bell\Live Updater\updater.exe [2013-07-08] ()
Task: {9D135637-8C78-4978-8A0C-49AFD6250075} - System32\Tasks\AcerCloud => C:\Program Files (x86)\Acer\Acer Portal\AcerPortal.exe [2014-12-19] (Acer)
Task: {A3D3B833-F275-4ADB-8C2E-179CFE0EC922} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Packard Bell\Live Updater\liveupdater_agent.exe [2013-01-22] ()
Task: {A6944643-AEB6-49A9-89A6-3F43EB1E51EF} - System32\Tasks\Power Management => C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerTrayLauncher.exe [2014-03-21] (Acer Incorporated)
Task: {A94E22FE-4191-4DFA-96CA-357E960E6B9B} - System32\Tasks\Launch Manager => C:\Program Files\Packard Bell\Packard Bell Launch Manager\LMLauncher.exe [2014-03-17] (Acer Incorporate)
Task: {C07A65D1-2153-4CB8-93F6-6AF11FB47F9F} - System32\Tasks\Quick Access => C:\Program Files\Packard Bell\Packard Bell Quick Access\QALauncher.exe [2014-03-21] (Acer Incorporate)
Task: {D623BCFB-1358-46EA-A18A-66CACC90EF1A} - System32\Tasks\Quick Access Quick Launcher => C:\Program Files\Packard Bell\Packard Bell Quick Access\QALauncher.exe [2014-03-21] (Acer Incorporate)
Task: {D9CDF485-1B84-4FB8-B67E-CE1DCC2B082F} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\SymErr.exe [2013-08-01] (Symantec Corporation)
Task: {DFD3BB54-28E2-4139-BCF8-C5EAB2C14625} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\21.1.0.18\SymErr.exe [2013-08-01] (Symantec Corporation)

==================== Loaded Modules (whitelisted) ==============

2014-06-25 08:30 - 2012-04-24 10:43 - 00254512 _____ () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
2014-02-25 21:14 - 2014-02-25 21:14 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2014-02-25 21:11 - 2014-02-25 21:11 - 00086016 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2014-02-25 21:17 - 2014-02-25 21:17 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
2015-03-01 07:19 - 2015-03-01 07:19 - 18687064 _____ () C:\Users\martha\Downloads\RogueKillerX64.exe
2014-12-19 21:59 - 2014-12-19 21:59 - 00090880 _____ () C:\Program Files (x86)\Acer\abDocs\abDocsDllLoader.exe
2014-12-19 21:59 - 2014-12-19 21:59 - 00089344 _____ () C:\Program Files (x86)\Acer\abDocs\abDocsDllLoaderMonitor.exe
2014-12-19 22:00 - 2014-12-19 22:00 - 00279296 _____ () C:\Program Files (x86)\Acer\abDocs\libcurl.dll
2015-01-07 18:09 - 2015-01-07 18:09 - 00203008 _____ () C:\Program Files (x86)\Acer\abMedia\curllib.dll
2015-01-07 18:09 - 2015-01-07 18:09 - 00654552 _____ () C:\Program Files (x86)\Acer\abMedia\sqlite3.dll
2015-01-07 18:10 - 2015-01-07 18:10 - 00630528 _____ () C:\Program Files (x86)\Acer\abMedia\tag.dll
2015-01-07 18:09 - 2015-01-07 18:09 - 00119552 _____ () C:\Program Files (x86)\Acer\abMedia\OpenLDAP.dll
2015-03-01 08:19 - 2015-03-01 08:19 - 00015616 _____ () C:\Windows\assembly\GAC_MSIL\MyService\1.0.0.1__2dfa3f50f0bed57d\MyService.dll
2014-12-19 21:16 - 2014-12-19 21:16 - 00013568 _____ () C:\Program Files (x86)\Acer\AOP Framework\ServiceInterface.dll
2014-12-19 21:10 - 2014-12-19 21:10 - 00277096 _____ () C:\Program Files (x86)\Acer\AOP Framework\libcurl.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iaioi2ce.sys => ""="Driver"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2769397640-272711212-1721135954-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\PackardBell01.jpg
DNS Servers: 192.168.1.254

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-2769397640-272711212-1721135954-500 - Administrator - Disabled)
Guest (S-1-5-21-2769397640-272711212-1721135954-501 - Limited - Disabled)
martha (S-1-5-21-2769397640-272711212-1721135954-1001 - Administrator - Enabled) => C:\Users\martha

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/01/2015 07:52:22 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005


System errors:
=============
Error: (03/01/2015 08:19:16 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The CCDMonitorService service terminated unexpectedly. It has done this 1 time(s).

Error: (03/01/2015 07:19:47 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

Error: (03/01/2015 03:07:38 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

Error: (06/25/2014 08:58:37 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable


Microsoft Office Sessions:
=========================
Error: (03/01/2015 07:52:22 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005


==================== Memory info =========================== 

Processor: Intel(R) Celeron(R) CPU N2830 @ 2.16GHz
Percentage of memory in use: 74%
Total physical RAM: 3979.2 MB
Available physical RAM: 1011.98 MB
Total Pagefile: 5387.2 MB
Available Pagefile: 2975.49 MB
Total Virtual: 131072 MB
Available Virtual: 131071.84 MB

==================== Drives ================================

Drive c: (Packard Bell) (Fixed) (Total:449.06 GB) (Free:423.22 GB) NTFS

==================== MBR & Partition Table ==================

==================== End Of Log ============================

Any help would be great. Sorry for the long post; I wanted to be clear and give as much info as possible for you to understand.

Any advice on steps to take with the router would be great too; it has me worried and paranoid. Strange: once that popup happened I was again logged out of sites like PayPal, Facebook, eBay.


nmap on my own device says all port states are unknown, and below this are the results for the router. Re ports 53 and 5381: meant to be open; I read they're DNS and UPnP.

Not shown: 993 closed ports

PORT     STATE    SERVICE     VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain      dnsmasq 2.48
80/tcp   filtered http
443/tcp  filtered https
5431/tcp open     park-agent?

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

Edited by Patrick_Michael, 01 March 2015 - 08:19 AM.
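The checks a practitioner would run on the two data points in the post above, the FRST "DNS Servers" line and the nmap table for the router, as an added Python example; it is not part of the original post and is not code from FRST or nmap. It assumes a 192.168.1.0/24 home LAN (the router answers DNS on .254), the nmap and FRST lines are constructed copies of the ones posted, and the resolver answer sets at the bottom are made up to show what a disagreement between the router's resolver and an independent resolver looks like. 5431/tcp is the UPnP port on many Broadcom-based home routers, which is what nmap's "park-agent?" guess commonly turns out to be; that association is the example's assumption, not something the post states.

```python
import ipaddress
import re

# Constructed copies of two data points from the post above: the FRST
# "Other Areas" DNS line and the nmap table for the router.
FRST_DNS_LINE = "DNS Servers: 192.168.1.254"

NMAP_OUTPUT = """\
Not shown: 993 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain      dnsmasq 2.48
80/tcp   filtered http
443/tcp  filtered https
5431/tcp open     park-agent?
"""

# Assumption: the home LAN is 192.168.1.0/24 (the router answers on .254).
LAN = ipaddress.ip_network("192.168.1.0/24")

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def dns_servers_from_frst(line):
    """Extract every IPv4 address from an FRST 'DNS Servers:' line."""
    if not line.strip().startswith("DNS Servers:"):
        return []
    return IPV4.findall(line)


def classify_resolvers(servers, lan=LAN):
    """Label each resolver 'lan' or 'external'.

    A resolver outside the LAN that the user never configured is the first
    thing to look for when pages fail with DNS errors and certificate
    prompts appear out of nowhere.
    """
    return {s: ("lan" if ipaddress.ip_address(s) in lan else "external")
            for s in servers}


def parse_nmap(text):
    """Turn nmap's PORT/STATE/SERVICE/VERSION rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = NMAP_ROW.match(line)
        if m:
            rows.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return rows


def open_ports(rows):
    """Ports nmap reported 'open' ('filtered' ports were not reachable)."""
    return sorted(r["port"] for r in rows if r["state"] == "open")


def router_notes(rows):
    """Short notes on each open port seen on this router."""
    notes = {}
    for r in rows:
        if r["state"] != "open":
            continue
        if r["port"] == 53:
            notes[53] = "DNS forwarder (%s); normal on the LAN side" % r["version"]
        elif r["port"] == 5431:
            # Assumption: 5431/tcp is UPnP on many Broadcom-based routers.
            notes[5431] = "UPnP (Broadcom-style); disable it if unused"
        else:
            notes[r["port"]] = "unexpected open port: %s" % r["service"]
    return notes


# Constructed answer sets: what the router's resolver returned versus an
# independent public resolver for the same names. Names and addresses are
# illustrative only; they are not from the post.
ROUTER_ANSWERS = {
    "www.example.com": ["93.184.216.34"],
    "bank.example": ["203.0.113.7"],      # differs below: the red flag
}
PUBLIC_ANSWERS = {
    "www.example.com": ["93.184.216.34"],
    "bank.example": ["198.51.100.10"],
}


def resolver_disagreements(router, public):
    """Names for which the two resolvers returned different A records."""
    names = set(router) | set(public)
    return sorted(n for n in names
                  if set(router.get(n, ())) != set(public.get(n, ())))


if __name__ == "__main__":
    servers = dns_servers_from_frst(FRST_DNS_LINE)
    print("resolvers:", classify_resolvers(servers))
    rows = parse_nmap(NMAP_OUTPUT)
    print("open on router:", open_ports(rows))
    for port, note in router_notes(rows).items():
        print("  %d/tcp: %s" % (port, note))
    print("resolvers disagree on:",
          resolver_disagreements(ROUTER_ANSWERS, PUBLIC_ANSWERS))
```

On the posted data the resolver is the router itself (inside the LAN) and only 53/tcp and 5431/tcp are open, so nothing here contradicts a normal home gateway. To run the last check for real you would query the same names once through the router (192.168.1.254) and once through a resolver you trust, with nslookup or dig, and feed both answer sets in; an answer that differs only via the router is the evidence that would point at the router's DNS rather than the laptop.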



#2 Johnny Computer
  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 02 March 2015 - 06:56 PM

Hello Patrick_Michael,

My name is Johnny Computer and I will be helping you clean up your system.

PLEASE NOTE: Logs are often long, complicated, and time consuming to analyze.

Please give me some time to look over your logs and I will be back with further instructions A.S.A.P. :)


Edited by Johnny Computer, 02 March 2015 - 08:05 PM.

"DO OR DO NOT. THERE IS NO TRY."


#3 Johnny Computer
  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 03 March 2015 - 02:52 PM

 
Hi Patrick_Michael,

Hello and welcome to BLEEPING COMPUTER.

My name is Johnny Computer and I will be helping you with your malware related computer issues today.

Before we move on, please read the following points carefully.

IMPORTANT-----> Post all logfiles as a reply rather than as an attachment. If you can not post all log files in one reply, feel free to use more posts.

 

 

- First, I would like to inform you that most of us here at Bleeping Computer are volunteers. The logs you will be asked to submit can take time to analyze. Please try to match our commitment to you with your patience toward us.

- Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.

- Perform everything in the correct order. Sometimes one step requires the previous one.

- If you have any problems while following my instructions, Stop and ask any questions you may have.

- Please stay with me until I have notified you that your system is All Clean. Absence of symptoms does not necessarily mean your machine is clean.

- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.

IMPORTANT NOTE: DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
  -----------------------------------------------------------------------
 

"I'm paranoid now that later on it will be the same again. Any help is great; peace of mind, as I have my final exams next week."

You have found the right helper... I've got you, Patrick_Michael. You can breathe. We will do our best to get this cleaned up for you. :)
 
  --------------------------------------------------------------------------------------------------------------------------
 
First, we will work on one computer at a time.  Let’s address the computer you have posted the logs for.  We will also address any issues you may be concerned about in regards to your router.
 
  -----------------------------------------------------------------------------------------------
 

"Running from C:\Users\martha\Downloads"

Step 1: You're running your FRST executable from C:\Users\martha\Downloads. Please move this file to your desktop, as its location is important when running fixes. In the future please save and run any tools you are asked to download to and from the desktop.

 
  ----------------------------------------------------------------------------
 
Step 2: Please download AdwCleaner by Xplode and save it to your Desktop.

 
-  Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator

-  The tool will start to update the database, please wait a bit.
-  Click on I agree button.
-  Click on the Scan button.
-  AdwCleaner will begin...be patient as the scan may take some time to complete.
-  After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
-  The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
-  Copy and paste the contents of that logfile in your next reply.
-  A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
 
  --------------------------------------------------------------------------------------------------------------
 
IN YOUR NEXT REPLY I NEED:
 
1.)  Confirmation that you have moved your FRST executable to the desktop
2.)  Your ADWCleaner log
 
 
Thanks  :)




#4 Johnny Computer
  • Malware Response Team
  • 1,739 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 06 March 2015 - 03:14 PM

Hello Patrick_Michael-

As stated in my Welcome Speech all topics will be closed after three days of no correspondence. It has been three days since my last post. Are you still with me? Do you still need help? If so please follow the instructions in my previous post and post the appropriate logs.

Thanks.  :)


Edited by Johnny Computer, 06 March 2015 - 04:29 PM.



#5 Elise
  Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,926 posts
  • Gender:Female
  • Location:Romania

Posted 08 March 2015 - 03:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft




