
Redirect pop-ups in chrome, fake processes (see screenshot), malware/rootkit?


This topic is locked
6 replies to this topic

#1 will123456 (Members, 3 posts)

Posted 04 March 2015 - 08:11 PM

Hi,

I would really appreciate any help or advice on the next steps for removal of this malware. Thanks in advance!

I'm experiencing pop-up redirects and I noticed there are many processes and services that are fake. I've tried a variety of solutions and tools (Malwarebytes, CCleaner etc.) but unfortunately I'm having no luck in solving the problem.

I attached a screenshot (processes.png) as an example to show some of these fake processes and I also attached the Addition.txt log.

Attached file: processes.png (81.31 KB)

Attached file: Addition.txt (34.46 KB)

EDIT: Added screenshot example of pop-up

Attached file: chrome_update_popup.png (36.13 KB)

Here is my FRST log:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-03-2015 01
Ran by william (administrator) on IDEA-PC on 04-03-2015 18:42:04
Running from C:\Users\william\Downloads
Loaded Profiles: william (Available profiles: UpdatusUser & william)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\LVPrS64H.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\NLSSRV32.EXE
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
() C:\Program Files\Realtek\Audio\HDA\FMAPP.exe
() C:\Program Files\Realtek\Audio\HDA\FMAPP.exe
(Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe
(Lenovo) C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
() C:\Program Files\Plantronics\GameCom780\GameCom780.exe
(Flux Software LLC) C:\Users\william\AppData\Local\FluxSoftware\Flux\flux.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe
(CyberLink) C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe
(Microsoft) C:\Program Files (x86)\Lenovo\Intelligent Touchpad\IntelligentTouchpad.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12921488 2012-09-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1214608 2012-09-13] (Realtek Semiconductor)
HKLM\...\Run: [SynLenovoGestureMgr] => C:\Program Files\Synaptics\SynTP\SynLenovoGestureMgr.exe [665400 2012-08-26] (Synaptics)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe [4196432 2012-08-10] (Lenovo)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17080376 2013-02-14] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [191544 2013-02-14] (Lenovo(beijing) Limited)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2916152 2012-08-26] (Synaptics Incorporated)
HKLM\...\Run: [GamecomSound] => C:\Program Files\Plantronics\GameCom780\GameCom780.exe [777448 2011-12-01] ()
HKLM-x32\...\Run: [RzWizard] => C:\Program Files (x86)\Razer\RzWizard\RzWizard.exe [254464 2014-05-20] (Razer Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [277504 2012-08-16] (Intel Corporation)
HKLM-x32\...\Run: [Dolby Home Theater v4] => C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe [508656 2012-07-25] (Dolby Laboratories Inc.)
HKLM-x32\...\Run: [YouCam Mirage] => C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe [136488 2012-07-27] (CyberLink)
HKLM-x32\...\Run: [YouCam Tray] => C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe [167024 2012-07-27] (CyberLink Corp.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-12] (Intel Corporation)
HKLM-x32\...\Run: [IntellingentTouchpad] => C:\Program Files (x86)\Lenovo\Intelligent Touchpad\IntelligentTouchpad.exe [673336 2012-07-23] (Microsoft)
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [585560 2014-06-23] (Razer Inc.)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-2932342156-2347494728-3291926447-1002\...\Run: [f.lux] => C:\Users\william\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-2932342156-2347494728-3291926447-1002\...\Run: [Gyazo] => C:\Program Files (x86)\Gyazo\GyStation.exe [3095840 2014-10-27] (Nota Inc.)
HKU\S-1-5-21-2932342156-2347494728-3291926447-1002\...\Run: [Lync] => C:\Program Files\Microsoft Office 15\root\office15\lync.exe [19053720 2015-02-27] (Microsoft Corporation)
AppInit_DLLs-x32: C:\WINDOWS\SysWOW64\nvinit.dll => C:\WINDOWS\SysWOW64\nvinit.dll [156256 2013-12-26] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()
Startup: C:\Users\william\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\william\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-2932342156-2347494728-3291926447-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: No Name -> {4671dc37-1bf7-4c26-8d4d-b3d843442ad6} ->  No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: No Name -> {bed3f755-e8b1-4104-913e-3692901aaa2c} ->  No File
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {4FF78044-96B4-4312-A5B7-FDA3CB328095} 
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
 
FireFox:
========
FF ProfilePath: C:\Users\william\AppData\Roaming\Mozilla\Firefox\Profiles\r6c8kwsd.default
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_13_0_0_214.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @raidcall.en/RCplugin -> C:\Users\william\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: enlite -> C:\Program Files (x86)\myitlab\plugin\npenlite.dll (Zeus Learning Pvt. Ltd.)
FF Plugin HKU\S-1-5-21-2932342156-2347494728-3291926447-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\william\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Extension: Firebug - C:\Users\william\AppData\Roaming\Mozilla\Firefox\Profiles\r6c8kwsd.default\Extensions\firebug@software.joehewitt.com.xpi [2014-05-17]
FF Extension: Tamper Data - C:\Users\william\AppData\Roaming\Mozilla\Firefox\Profiles\r6c8kwsd.default\Extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}.xpi [2014-05-17]
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 2
CHR Profile: C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3
CHR Extension: (Google Drive) - C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-20]
CHR Extension: (YouTube) - C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-13]
CHR Extension: (Google Search) - C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-13]
CHR Extension: (Xfinity) - C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\hemjgdpngmhbimofcicjfhibkdbigdmb [2015-02-13]
CHR Extension: (Google Wallet) - C:\Users\william\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-20]
CHR HKLM-x32\...\Chrome\Extension: [hemjgdpngmhbimofcicjfhibkdbigdmb] - C:\ProgramData\comcastModemRelease\shortcuts\chrome\xfinity.crx [2013-02-08]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2252504 2013-09-04] (Broadcom Corporation.)
S3 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [957304 2012-09-06] (Broadcom Corporation.)
S4 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2711736 2015-01-13] (Microsoft Corporation)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [10571056 2014-07-09] (DisplayLink Corp.)
R2 IAStorDataMgrSvc; C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [7168 2012-08-16] (Intel Corporation) [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [314696 2014-05-20] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [272176 2012-07-18] ()
S3 RzWizardService; C:\Program Files (x86)\Razer\RzWizard\RzWizardService.exe [367616 2014-05-20] (Razer Inc.) [File not signed]
S3 wampapache64; c:\wamp\bin\apache\apache2.4.9\bin\httpd.exe [24576 2014-05-01] (Apache Software Foundation) [File not signed]
S3 wampmysqld64; c:\wamp\bin\mysql\mysql5.6.17\bin\mysqld.exe [12942848 2014-05-01] () [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2699568 2012-07-18] (Intel® Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2013-09-04] (Broadcom Corporation.)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
S3 CVPNDRVA; C:\windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
S3 DisplayLinkUsbIo_x64; C:\Windows\system32\DRIVERS\DisplayLinkUsbIo_x64_7.6.56275.0.sys [46384 2014-07-10] ()
R4 KProcessHacker2; C:\Program Files\Process Hacker 2\kprocesshacker.sys [39576 2013-11-13] (wj32)
R3 LVPr2M64; C:\Windows\system32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()
R3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew00.sys [3344352 2013-07-08] (Intel Corporation)
R3 PlantronicsGC; C:\Windows\system32\drivers\PLTGC.sys [1327104 2011-11-04] (C-Media Electronics Inc)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [41272 2012-08-26] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [43832 2012-08-26] (Synaptics Incorporated)
R3 usb3Hub; C:\Windows\System32\drivers\usb3Hub.sys [47072 2012-10-09] (Windows ® Win 7 DDK provider)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
R3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188896 2012-10-09] (Windows ® Win 7 DDK provider)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-04 18:41 - 2015-03-04 18:42 - 00020322 _____ () C:\Users\william\Downloads\FRST.txt
2015-03-04 18:14 - 2015-03-04 18:14 - 00080427 _____ () C:\Users\william\Downloads\Shortcut.txt
2015-03-04 18:13 - 2015-03-04 18:14 - 00031815 _____ () C:\Users\william\Downloads\Addition.txt
2015-03-04 18:12 - 2015-03-04 18:42 - 00000000 ____D () C:\FRST
2015-03-04 18:12 - 2015-03-04 18:12 - 02092544 _____ (Farbar) C:\Users\william\Downloads\FRST64.exe
2015-03-04 18:12 - 2015-03-04 18:12 - 00001490 _____ () C:\Users\william\Desktop\FRST64 - Shortcut.lnk
2015-03-04 18:11 - 2015-03-04 18:11 - 00001186 _____ () C:\Users\william\Desktop\puppies - Shortcut.lnk
2015-03-04 18:09 - 2015-03-04 18:09 - 00001564 _____ () C:\Users\william\Desktop\AdwCleaner (1) - Shortcut.lnk
2015-03-04 18:09 - 2015-03-04 18:09 - 00001470 _____ () C:\Users\william\Desktop\cats - Shortcut.lnk
2015-03-04 18:09 - 2015-03-04 18:09 - 00001459 _____ () C:\Users\william\Desktop\JRT - Shortcut.lnk
2015-03-04 18:08 - 2015-03-04 18:08 - 01132544 _____ (Farbar) C:\Users\william\Downloads\FRST.exe
2015-03-04 18:03 - 2015-03-04 18:03 - 02126848 _____ () C:\Users\william\Downloads\AdwCleaner (1).exe
2015-03-04 18:02 - 2015-03-04 18:02 - 01388333 _____ (Thisisu) C:\Users\william\Downloads\JRT.exe
2015-03-04 17:58 - 2015-03-04 17:58 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\william\Downloads\touchdown.exe
2015-03-04 17:56 - 2015-03-04 17:56 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\william\Downloads\rkill.exe
2015-03-04 17:48 - 2015-03-04 17:48 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\william\Downloads\puppies.exe
2015-03-04 17:42 - 2015-03-04 17:42 - 05612482 _____ (Swearware) C:\Users\william\Downloads\cats.exe
2015-03-03 21:59 - 2015-03-03 21:59 - 00000000 ____D () C:\Users\william\AppData\Roaming\Process Hacker 2
2015-03-03 21:40 - 2015-03-03 21:40 - 909800593 _____ () C:\WINDOWS\MEMORY.DMP
2015-03-03 21:40 - 2015-03-03 21:40 - 00295496 _____ () C:\WINDOWS\Minidump\030315-26515-01.dmp
2015-03-03 21:40 - 2015-03-03 21:40 - 00000000 ____D () C:\WINDOWS\Minidump
2015-03-03 21:30 - 2015-03-03 21:30 - 00001864 _____ () C:\Users\william\Desktop\Process Hacker 2.lnk
2015-03-03 21:30 - 2015-03-03 21:30 - 00000000 ____D () C:\Program Files\Process Hacker 2
2015-03-03 21:29 - 2015-03-03 21:29 - 01932448 _____ (wj32 ) C:\Users\william\Downloads\processhacker-2.33-setup.exe
2015-03-01 22:27 - 2015-03-04 17:39 - 00010180 _____ () C:\WINDOWS\PFRO.log
2015-03-01 22:27 - 2015-03-01 22:28 - 00469896 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-02-27 19:17 - 2015-03-04 17:39 - 00002349 _____ () C:\WINDOWS\setupact.log
2015-02-27 19:17 - 2015-02-27 19:17 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-02-27 19:08 - 2015-03-04 18:02 - 00694812 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-27 18:50 - 2015-02-27 18:50 - 00002431 _____ () C:\Users\william\Desktop\PowerPoint 2013.lnk
2015-02-27 18:50 - 2015-02-27 18:50 - 00002395 _____ () C:\Users\william\Desktop\Access 2013.lnk
2015-02-27 18:49 - 2015-02-27 18:49 - 00002432 _____ () C:\Users\william\Desktop\Word 2013.lnk
2015-02-27 18:49 - 2015-02-27 18:49 - 00002394 _____ () C:\Users\william\Desktop\Excel 2013.lnk
2015-02-27 18:35 - 2015-02-27 18:35 - 00000000 ____D () C:\Program Files (x86)\Microsoft Office
2015-02-27 18:34 - 2015-02-27 18:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-02-27 18:32 - 2015-02-27 18:32 - 01062064 _____ (Microsoft Corporation) C:\Users\william\Downloads\Setup.X86.en-US_O365ProPlusRetail_8ca695c8-2641-4772-9796-74fa59fe5df4_TX_PR_b_0_.exe
2015-02-27 18:32 - 2015-02-27 18:32 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2015-02-21 00:31 - 2015-02-21 00:31 - 00000000 ____D () C:\Users\william\Tracing
2015-02-13 17:42 - 2015-03-03 22:45 - 00000020 _____ () C:\Users\william\AppData\Roaming\appdataFr3.bin
2015-02-13 17:28 - 2015-01-22 22:41 - 06041600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-02-13 17:28 - 2015-01-22 21:17 - 04300800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-02-12 20:32 - 2015-02-12 20:33 - 00000000 ____D () C:\ProgramData\16602934377430468760
2015-02-11 21:04 - 2015-01-15 16:43 - 00563504 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2015-02-11 21:04 - 2015-01-15 16:43 - 00177984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-02-11 21:04 - 2015-01-13 22:22 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-02-11 21:04 - 2015-01-13 21:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-02-11 21:04 - 2015-01-13 16:11 - 01762840 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
2015-02-11 21:04 - 2015-01-13 16:04 - 01489072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
2015-02-11 21:04 - 2015-01-11 21:09 - 25056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-02-11 21:04 - 2015-01-11 20:25 - 19740160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-02-11 21:04 - 2015-01-11 19:43 - 14401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-02-11 21:04 - 2015-01-10 03:10 - 07472960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-02-11 21:04 - 2015-01-10 03:10 - 01733440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-02-11 21:04 - 2015-01-10 02:28 - 01498360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-02-11 21:04 - 2015-01-10 01:00 - 00430080 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2015-02-11 21:04 - 2015-01-10 00:38 - 00359424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2015-02-11 21:04 - 2014-12-08 21:45 - 00393728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\scesrv.dll
2015-02-11 21:04 - 2014-12-08 19:56 - 00538624 _____ (Microsoft Corporation) C:\WINDOWS\system32\scesrv.dll
2015-02-11 21:04 - 2014-10-28 20:51 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\system32\msaudite.dll
2015-02-11 21:04 - 2014-10-28 20:50 - 00736768 _____ (Microsoft Corporation) C:\WINDOWS\system32\adtschema.dll
2015-02-11 21:04 - 2014-10-28 20:06 - 00736768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\adtschema.dll
2015-02-11 21:04 - 2014-10-28 20:06 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msaudite.dll
2015-02-11 21:04 - 2014-10-28 20:02 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2015-02-11 21:04 - 2014-10-28 20:02 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2015-02-11 21:04 - 2014-10-28 19:57 - 00016896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntvdm64.dll
2015-02-11 21:04 - 2014-10-28 19:31 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-02-11 21:04 - 2014-10-28 19:15 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntvdm64.dll
2015-02-11 21:04 - 2014-10-28 19:15 - 00005632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wow32.dll
2015-02-11 21:04 - 2014-10-28 19:14 - 00004096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user.exe
2015-02-11 21:04 - 2014-10-28 19:13 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\setup16.exe
2015-02-11 21:04 - 2014-10-28 19:13 - 00008704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\instnm.exe
2015-02-11 21:03 - 2015-01-11 20:48 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-02-11 21:03 - 2015-01-11 20:48 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-02-11 21:03 - 2015-01-11 20:47 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-02-11 21:03 - 2015-01-11 20:34 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-02-11 21:03 - 2015-01-11 20:21 - 00490496 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtmsft.dll
2015-02-11 21:03 - 2015-01-11 20:08 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-02-11 21:03 - 2015-01-11 20:07 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-02-11 21:03 - 2015-01-11 20:05 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-02-11 21:03 - 2015-01-11 20:02 - 02277888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-02-11 21:03 - 2015-01-11 19:58 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-02-11 21:03 - 2015-01-11 19:55 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-02-11 21:03 - 2015-01-11 19:51 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-02-11 21:03 - 2015-01-11 19:48 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-02-11 21:03 - 2015-01-11 19:48 - 00718848 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-02-11 21:03 - 2015-01-11 19:48 - 00374272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-02-11 21:03 - 2015-01-11 19:46 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-02-11 21:03 - 2015-01-11 19:45 - 00418304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtmsft.dll
2015-02-11 21:03 - 2015-01-11 19:34 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-02-11 21:03 - 2015-01-11 19:30 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-02-11 21:03 - 2015-01-11 19:27 - 02865152 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-02-11 21:03 - 2015-01-11 19:27 - 02358272 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-02-11 21:03 - 2015-01-11 19:25 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-02-11 21:03 - 2015-01-11 19:23 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-02-11 21:03 - 2015-01-11 19:23 - 00688640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-02-11 21:03 - 2015-01-11 19:23 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-02-11 21:03 - 2015-01-11 19:14 - 12829184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-02-11 21:03 - 2015-01-11 19:14 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-02-11 21:03 - 2015-01-11 19:02 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-02-11 21:03 - 2015-01-11 19:00 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-02-11 21:03 - 2015-01-11 18:56 - 01307136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-02-11 21:03 - 2015-01-11 18:55 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-02-11 21:03 - 2015-01-10 02:22 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-02-10 20:52 - 2015-02-10 20:52 - 00001569 _____ () C:\Users\william\Desktop\FastStone.lnk
2015-02-07 17:52 - 2015-02-07 22:22 - 00070144 _____ () C:\Users\william\Downloads\Lab 3.xls
2015-02-07 14:23 - 2015-02-07 15:58 - 00000000 ____D () C:\Program Files (x86)\Hearthstone
2015-02-07 14:23 - 2015-02-07 14:23 - 00001208 _____ () C:\Users\Public\Desktop\Hearthstone.lnk
2015-02-07 14:23 - 2015-02-07 14:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hearthstone
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-04 17:52 - 2013-12-26 19:07 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-04 17:41 - 2013-12-26 19:07 - 00000918 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-04 17:40 - 2014-10-06 19:28 - 00000000 __RDO () C:\Users\william\OneDrive
2015-03-04 17:39 - 2014-10-06 18:44 - 00000000 _____ () C:\WINDOWS\system32\Drivers\lvuvc.hs
2015-03-04 17:39 - 2013-08-22 08:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-03-04 17:26 - 2014-10-06 18:52 - 00000000 ____D () C:\Users\william
2015-03-03 23:11 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-03-03 22:02 - 2014-09-16 14:55 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-03-03 21:39 - 2013-08-22 07:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-03-03 20:48 - 2013-08-30 21:34 - 00000000 ____D () C:\Users\william\AppData\Roaming\Skype
2015-03-03 07:17 - 2013-11-07 23:34 - 00295552 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-03-02 23:23 - 2013-08-30 21:29 - 00000000 ____D () C:\Users\william\AppData\Roaming\Spotify
2015-03-02 21:08 - 2013-08-30 21:30 - 00000000 ____D () C:\Users\william\AppData\Local\Spotify
2015-02-28 02:57 - 2013-08-21 19:58 - 00003600 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2932342156-2347494728-3291926447-1002
2015-02-27 20:55 - 2014-09-06 22:55 - 00000000 ____D () C:\Users\william\Documents\Outlook Files
2015-02-27 18:21 - 2013-08-29 19:09 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-27 18:20 - 2014-10-06 21:19 - 00000000 ____D () C:\Program Files (x86)\MSBuild
2015-02-27 18:20 - 2014-03-18 03:45 - 00000000 ____D () C:\WINDOWS\ShellNew
2015-02-27 18:20 - 2012-07-25 23:26 - 00000076 _____ () C:\WINDOWS\win.ini
2015-02-27 18:19 - 2013-08-22 09:36 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-02-24 20:10 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\Web
2015-02-24 10:27 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\Performance
2015-02-22 20:31 - 2013-08-21 19:51 - 00000000 ____D () C:\Users\william\AppData\Local\Packages
2015-02-20 17:53 - 2013-12-26 19:08 - 00002214 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-18 21:01 - 2014-02-27 22:07 - 00000000 ___RD () C:\Program Files (x86)\Skype
2015-02-18 21:01 - 2013-08-30 21:34 - 00000000 ____D () C:\ProgramData\Skype
2015-02-14 01:42 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\rescache
2015-02-13 19:32 - 2012-07-26 01:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-12 20:17 - 2013-08-31 02:09 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-12 20:11 - 2013-08-31 02:09 - 116773704 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-08 20:53 - 2014-03-18 04:03 - 00865408 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-08 17:34 - 2015-01-03 17:47 - 00000000 ____D () C:\Users\william\AppData\Roaming\TS3Client
2015-02-08 17:24 - 2013-12-25 21:12 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-02-07 23:52 - 2015-01-25 14:49 - 00000000 ____D () C:\Users\william\Documents\PHYS 2125 LAB Spring 2015
2015-02-07 15:59 - 2013-11-14 02:39 - 00000000 ____D () C:\Users\william\AppData\Local\Battle.net
2015-02-07 14:21 - 2014-03-17 21:40 - 00000000 ____D () C:\Program Files (x86)\Diablo III
2015-02-07 14:17 - 2013-11-14 02:39 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2015-02-04 22:47 - 2013-12-26 19:07 - 00003894 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-04 22:47 - 2013-12-26 19:07 - 00003658 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-03 13:31 - 2014-10-15 19:39 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 13:31 - 2014-10-15 19:39 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2015-02-13 17:42 - 2015-03-03 22:45 - 0000020 _____ () C:\Users\william\AppData\Roaming\appdataFr3.bin
2014-09-28 19:11 - 2014-09-28 19:11 - 0002024 _____ () C:\Users\william\AppData\Local\1
2014-09-28 19:10 - 2014-09-28 19:10 - 0015173 _____ () C:\Users\william\AppData\Local\introcs.ps1
2014-03-02 20:50 - 2014-03-03 13:43 - 0000600 _____ () C:\Users\william\AppData\Local\PUTTY.RND
2014-10-19 22:10 - 2014-10-19 22:10 - 0007606 _____ () C:\Users\william\AppData\Local\Resmon.ResmonCfg
2014-09-28 19:10 - 2014-09-28 19:10 - 0167936 _____ () C:\Users\william\AppData\Local\unzip.exe
2014-01-23 17:14 - 2014-01-23 17:14 - 0017408 _____ () C:\Users\william\AppData\Local\WebpageIcons.db
2013-02-14 23:06 - 2013-02-14 23:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-03 23:27
 
==================== End Of Log ============================

Edited by will123456, 05 March 2015 - 12:11 AM.



#2 nasdaq (Malware Response Team, 40,175 posts, Montreal, QC. Canada)

Posted 09 March 2015 - 08:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

ShellIconOverlayIdentifiers: [SugarSyncBackedUp] -> {0C4A258A-3F3B-4FFF-80A7-9B3BEC139472} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncPending] -> {62CCD8E3-9C21-41E1-B55E-1E26DFC68511} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncRoot] -> {A759AFF6-5851-457D-A540-F4ECED148351} =>  No File
ShellIconOverlayIdentifiers: [SugarSyncShared] -> {1574C9EF-7D58-488F-B358-8B78C1538F51} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
BHO: No Name -> {4671dc37-1bf7-4c26-8d4d-b3d843442ad6} ->  No File
BHO: No Name -> {bed3f755-e8b1-4104-913e-3692901aaa2c} ->  No File
C:\WINDOWS\MEMORY.DMP

End
Save the file as fixlist.txt in the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find false-positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

If the problem persists, reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon at the top right of the Google Chrome window.

Click "Settings", then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Please post the Fixlog.txt log.
Also include the Addition.txt log that was created when you ran the Farbar tool.

====

Let me know what problems persist.
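The fixlist above removes BHO and ShellIconOverlayIdentifiers entries that FRST reports as "No File": registry registrations whose CLSID no longer points at a DLL on disk. The script below is an added example, not part of nasdaq's post and not FRST's own logic; it performs that same orphan check read-only from an elevated PowerShell prompt so you can see how such entries are found. Registry key locations are the standard Explorer/CLSID paths; the function names are the example's own.

```powershell
# Added example (not from the original post or from FRST): list Browser Helper
# Objects and shell icon overlay handlers whose CLSID does not resolve to a file
# on disk, i.e. the "No File" entries FRST reports. Read-only; nothing is removed.

function Resolve-ClsidPath {
    param([string]$Clsid)
    if (-not $Clsid) { return $null }
    # Check the 64-bit and 32-bit (WOW6432Node) CLSID hives, then per-user CLSIDs
    $roots = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
             "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$Clsid",
             "HKCU:\SOFTWARE\Classes\CLSID\$Clsid"
    foreach ($r in $roots) {
        $srv = Get-ItemProperty -Path "$r\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)') {
            # Default value is the DLL path, sometimes quoted or using %SystemRoot%
            return [Environment]::ExpandEnvironmentVariables($srv.'(default)'.Trim('"'))
        }
    }
    return $null
}

function Get-OrphanedShellExtensions {
    $targets = @(
        @{ Kind = 'BHO';         Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Kind = 'BHO (x32)';   Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Kind = 'IconOverlay'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' }
    )
    foreach ($t in $targets) {
        if (-not (Test-Path -Path $t.Key)) { continue }
        foreach ($sub in Get-ChildItem -Path $t.Key) {
            # BHO subkeys are named by CLSID; overlay subkeys are named (e.g. "SugarSyncRoot")
            # and carry the CLSID as their default value.
            $name  = $sub.PSChildName
            $clsid = if ($name -match '^\{[0-9A-F-]+\}$') { $name }
                     else { (Get-ItemProperty -Path $sub.PSPath).'(default)' }
            $path  = Resolve-ClsidPath -Clsid $clsid
            $status = if (-not $path) { 'No CLSID registration' }
                      elseif (-not (Test-Path -LiteralPath $path)) { 'No File' }
                      else { 'OK' }
            [pscustomobject]@{
                Kind   = $t.Kind
                Name   = $name
                CLSID  = $clsid
                Path   = $path
                Status = $status
            }
        }
    }
}

# Show only the entries a fixlist would normally target
Get-OrphanedShellExtensions | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

An orphaned entry is harmless by itself (there is no code left to load), which is why these are cleanup items rather than the cause of the pop-ups; the useful signal is a BHO or overlay whose Status is OK but whose Path points at an unfamiliar DLL outside Program Files.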

#3 will123456 (Topic Starter, Members, 3 posts)

Posted 09 March 2015 - 09:50 PM

Hi nasdaq,

Thank you for the help.

I attached the Fixlog.txt, Addition.txt, and AdwCleaner[S1].txt:

Attached File  Fixlog.txt   2.63KB   2 downloads
Attached File  Addition.txt   40.98KB   3 downloads
Attached File  AdwCleanerS1.txt   1.21KB   1 downloads

I think the core issue has to do with some deep infection. There are processes and services running that I am unable to stop (they are fake and should not be there). For example, Microsoft Office is not functioning properly, and Windows Defender has been replaced by a fake one. There are some other questionable programs installed that have disguised themselves under "Intel", "Microsoft" and other very common names.

Please see this screenshot for an example:

Attached File  processes.png   92.75KB   0 downloads

Thank you again.
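The worry in the post above is that processes and services are masquerading under "Microsoft" or "Intel" names. The company name shown in Task Manager comes from the file's version resource, which anyone can set; the Authenticode signature cannot be forged that way. FRST's "Bamital & volsnap Check" at the end of the log does this for a fixed list of core binaries. The script below is an added example (not from the thread, not FRST's code) that extends the same check to every running process and every configured service, including the ServiceDll behind svchost-hosted services. Run it from an elevated prompt; the vendor pattern and the output CSV path are the example's own choices.

```powershell
# Added example (not part of the original thread): verify Authenticode signatures
# on the image files of all running processes and services, and flag files that
# claim a well-known vendor in their version info but are unsigned or signed by
# someone else. Run elevated so that paths of system processes are readable.

$claimedVendorPattern = 'Microsoft|Intel'   # vendors an impostor is likely to borrow (example choice)

function Get-ImageReport {
    param([string[]]$Paths)
    foreach ($p in ($Paths | Where-Object { $_ } | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $vi     = (Get-Item -LiteralPath $p).VersionInfo
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Note: Windows system files are catalog-signed; Windows 8.1 / PowerShell 4 and later
        # resolve catalog signatures, older systems report them as NotSigned.
        [pscustomobject]@{
            Path       = $p
            Company    = $vi.CompanyName
            SigStatus  = $sig.Status
            Signer     = $signer
            Suspicious = ($sig.Status -ne 'Valid') -or
                         ($vi.CompanyName -match $claimedVendorPattern -and $signer -notmatch $claimedVendorPattern)
        }
    }
}

# Image paths of running processes (null for protected processes when not elevated)
$procPaths = Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path

# Image paths of services; for svchost-hosted services the real code is the ServiceDll
$svcPaths = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = $svc.PathName
    if (-not $cmd) { continue }
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }        # quoted path
           elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }   # unquoted path, possibly with spaces
           else { $cmd }
    $exe
    if ($exe -match 'svchost\.exe$') {
        $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        }
    }
}

$report = Get-ImageReport -Paths (@($procPaths) + @($svcPaths))
$report | Where-Object { $_.Suspicious } | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\image-signatures.csv"
```

A genuine MsMpEng.exe shows SigStatus Valid with a Microsoft signer; a file that says "Microsoft Corporation" in its Company column but is NotSigned, or signed by an unrelated publisher, is the case the poster is describing. Two caveats: a kernel-mode rootkit can hide processes from this enumeration entirely, so a clean result here is not proof of a clean machine, and a Valid signature from an unfamiliar publisher still deserves a look at the path and install date.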



#4 nasdaq (Malware Response Team)

Posted 10 March 2015 - 09:13 AM

MsMpEng.exe is protected by the operating system.
You should never remove something unless you are 100% sure that it's not required.
===


I checked your error messages from the Addition.txt file. I suggest you run this fix.

Please download Tweaking.com - Windows Repair from Here
  • Install and then run the program.
  • Click Next at the Welcome screen, then click Next on the Step 1 screen.
  • Click Next on the Step 2 screen, click Do it on the Step 3 screen, and after it has completed click Next.
  • On Step 4, under System Restore click Create, then under Registry Backup click Backup. When you have completed this, click Next.
  • Click on Repairs.
  • Click Open Repairs (icon in the bottom right corner).
  • Click the Unselect All button, then select just the item(s) below:

    01 - Repair Registry Permissions
    03 - Reset Service Permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    14 - Remove Temp Files
    19 - Repair Volume Shadow Copy Service
    26 - Restore Important Windows Services
    27 - Set Windows Services to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  • P.S. If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available, use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

Please post the logs and let me know what issues are still pending.





#5 will123456 (Topic Starter)

Posted 11 March 2015 - 08:43 PM

Hi nasdaq,
 
Here's the Checkup.txt:
 
Attached File  checkup.txt   1.06KB   1 downloads
 
I believe Tweaking.com - Windows Repair fixed a majority of the issues. Thank you so much for your help!

Results of screen317's Security Check version 0.99.97
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Defender
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Java 8 Update 25
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 13.0.0.214 Flash Player out of Date!
Adobe Reader XI
Mozilla Firefox 29.0.1 Firefox out of Date!
Google Chrome (40.0.2214.111)
Google Chrome (40.0.2214.115)
Google Chrome (GoogleUpdate.dll..)
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

Edited by nasdaq, 12 March 2015 - 08:08 AM.
log posted.


#6 nasdaq (Malware Response Team)

Posted 12 March 2015 - 08:13 AM

Using the Add/Remove Programs applet, delete this old version: Java 8 Update 25.
===

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

I suggest you set your Firewall to ON.

How to:
http://windows.microsoft.com/en-CA/windows-8/windows-firewall-from-start-to-finish

===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===
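The Security Check log above found two side-by-side Java 8 installs (Update 25 and Update 31), an outdated Flash Player, and nasdaq asks for the firewall to be switched on. The script below is an added example, not part of the thread and not Security Check's code, that pulls the same facts from the Windows Uninstall registry keys and the firewall profile cmdlets on a Windows 8 or later system, so the stale entries can be identified before going to Add/Remove Programs. The name pattern and the function name are the example's own.

```powershell
# Added example (not part of the original thread): enumerate installed software from
# the per-machine (64-bit and 32-bit) and per-user Uninstall keys, list the Java and
# Flash Player entries oldest-first, and report / enable the Windows Firewall profiles.
# Run from an elevated prompt; Get-/Set-NetFirewallProfile need Windows 8 / 2012 or later.

function Get-InstalledSoftware {
    param([string]$NamePattern = '.')   # regex matched against DisplayName
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                      @{ n = 'Arch'; e = { if ($_.PSPath -match 'WOW6432Node') { 'x86' } else { 'x64' } } },
                      UninstallString
}

# Every Java runtime and Flash Player entry. With more than one Java of the same
# architecture, everything but the newest is a removal candidate (the old one keeps
# its own vulnerable copy of the runtime on disk). DisplayVersion sorts as text, so
# eyeball the order for versions that differ only in update number width.
Get-InstalledSoftware -NamePattern '^Java|Flash Player' |
    Sort-Object Arch, DisplayVersion |
    Format-Table DisplayName, DisplayVersion, Arch, InstallDate -AutoSize

# Firewall state per profile, then turn on any profile that is off
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Set-NetFirewallProfile -Enabled True
```

The UninstallString column is what Add/Remove Programs runs for each entry; for Java it is an msiexec command, so the same removal can be scripted if there are several machines to clean. Check the Arch column before deciding which Java to keep: the log above lists a 32-bit Update 25 and a 64-bit Update 31, which are separate installs, not duplicates.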

#7 nasdaq (Malware Response Team)

Posted 17 March 2015 - 08:48 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



